Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

3/26/2020
11:15 AM
50%
50%

Technology Empowers Pandemic Response, But Privacy Worries Remain

As technology companies and the medical community work to find ways to track and test for the virus, privacy might fall by the wayside.

In late January and early February, a study of influenza had the ability to reveal whether subjects in the Seattle area were infected by the novel coronavirus. But medical privacy rules scuttled the idea until researchers, on February 25, decided to go ahead and test anyway. They discovered that COVID-19 had already contributed to the deaths of two people.

In China, Singapore, and Israel, government officials used citizens' cell phones to track who may have had contact with infected individuals, a capability the European Union is considering as well. Market intelligence service Unacast has used its system of tracking citizens — originally to determine mobile users' music preferences — to produce scorecards of how well the citizens of nations, regions, and cities were social distancing to reduce spread.

The different ways that nations approach the problem of the coronavirus pandemic often conflicts with privacy rights, says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professional (IAPP). 

"There is a balance between the usefulness and effectiveness of measures and the ability to protect privacy and civil liberties, and China weighed in very heavily on one side," he says. "They sacrificed privacy and civil liberties — of course, they did not have much to begin with — to reinforce the public health interest. The US will have to find its own place on the scale."

Natural and human disasters typically redraw the lines between civil liberties and security. Following the September 11 terrorist attacks, the US government curtailed many privacy provisions to try to enhance security. Most experts, in hindsight, believe the government went too far, and some of the privacy protections have been restored. 

The rush to find ways to use technology to combat COVID-19 has given governments visibility into the spread of the novel coronavirus but will likely result in citizens sacrificing privacy — at least for the time being. The pandemic poses a different threat, one that could have a lasting impact on medical and personal privacy, according to Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF).

"We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, 'necessary and proportionate' to the needs of society in fighting the virus," she said in a post. "Above all, we must make sure that these measures end and that the data collected for these purposes is not repurposed for either governmental or commercial ends.  

Yet privacy rules have arguably delayed the response to the coronavirus pandemic. The Seattle Flu Study, for example, had already been surveilling influenza infection rates in the city when researchers heard of the spread of the novel coronavirus. The medical researchers offered in late January to start testing for coronavirus, but medical privacy and ethics rules prevented them from extending the effort beyond its original scope and notifying participants of their status, according to The New York Times, which broke the story.

The researchers eventually expanded testing on their own initiative weeks later and were shut down by state officials, but not before confirming that the disease had spread to the Seattle area. On March 22, the group got permission to restart testing and was retasked as the Seattle Coronavirus Assessment Network, or SCAN.

"Everyone who takes part in this effort will help us understand how coronavirus is spreading in the Greater Seattle area," the group now states on its website. "We are increasing capacity and responding to public health priorities as they come up."

Market intelligence firm Unacast has used its ability to track mobile users to create scorecards for the social-distancing efforts of citizens of different regions. The commonwealth of Massachusetts, for example, gets an "A" for its efforts, while Hawaii garnered a "D" grade.

Efforts to monitor potential infected citizens will likely run afoul of privacy rules but can pay dividends, says Ambuj Kumar, Fortanix CEO and co-founder of encryption firm Fortanix. He points to two apps that show the possibilities if privacy issues are resolved: One is China's Alipay Health Code app, which tracks citizen movements and uses a color code to restrict the movement of people as a more authoritarian solution. Singapore used a different app, TraceTogether, which records movements within two meters of other people to determine whether people were exposed to the virus. 

New techniques, such as privacy-preserving data analysis, could allow extremely private data to be tracked from multiple sources without exposing an individual’s private data.

"It’s unlikely that more open democracies with established privacy laws will be able to implement similar systems without additional privacy protections," he says.

The EFF has warned that in fighting the epidemic technologists should consider the privacy consequences. 

We need to "make sure that we both take advantage of how technology can help us now and, equally importantly, that we emerge from this time with our freedom and democracy as strong, if not stronger, than when we went in," the EFF's Cohn said, adding that "we also need to be vigilant so that we come out the other side of this crisis with a society we want to live in and hand down to our kids. We can — and must — do both."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?"

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7822
PUBLISHED: 2020-08-04
DaviewIndy has a Heap-based overflow vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
CVE-2020-7823
PUBLISHED: 2020-08-04
DaviewIndy has a Memory corruption vulnerability, triggered when the user opens a malformed image file that is mishandled by Daview.exe. Attackers could exploit this and arbitrary code execution.
CVE-2020-6012
PUBLISHED: 2020-08-04
ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems.
CVE-2019-20001
PUBLISHED: 2020-08-04
An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges.
CVE-2020-15467
PUBLISHED: 2020-08-04
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.