Covid-19 tracking app requires “greater justification”

A Covid-19 tracking app might be a key part of halting the spread of the pandemic, but there remain privacy concerns about the project.

A new legal report has stated that any centralised system for contact tracing would lead to “significantly greater interference with users’ privacy and require greater justification”, although a decentralised system – while potentially less effective – would be more proportionate and lawful.

According to The Guardian:

It is not yet known whether use of the app would be mandatory or voluntary. “A mandatory smartphone app would be a significant measure, both legally and culturally,” the lawyers said. “Our view is that there would need to be a clear and detailed legal basis for a mandatory system, set out in specific legislation.”

Sharing data held by healthcare organisations and private companies to assist in combating the Covid-19 pandemic may create “a number of legal problems… resulting in potential illegality”, the legal opinion says.

“Given the nature of the data likely to be shared, the government will need to undertake a data protection impact assessment (DPIA) prior to the processing of any personal data,” it adds. “The results of that DPIA should be made public. Those steps may be in progress, but we are not aware of them having been completed thus far.”

On plans for immunity certificates, the report adds: “Such a step would engage a number of fundamental rights under [human rights] and EU/UK legislation concerning the right to privacy and protection of personal data. Any proposals would require very substantial evidential justification to show that they are necessary and proportionate. We are unsure if such evidence could be provided.”

You can read the full article from The Guardian by clicking here.

The issue with making the Covid-19 tracking app voluntary, however, is that it may also render it ineffective. A study has found that 56% of the UK population, amounting to approximately 80% of all smartphone users, must use it if the virus is to be suppressed.

This could be problematic. When a similar Covid-19 tracking app was introduced in Singapore, only 12% of the population made use of it, leading to another lockdown on 7th April after another spike in cases.

Carrying out a DPIA is a requirement for any new system, and the government should be open and honest about how it intends to store and process the data which is collected.

With the app due to be trialled this week on the Isle of Wight, it’s clear that there are still many privacy concerns surrounding it which need to be addressed. But with the Welsh chief medical officer recently stating that people would be willing to give up some of their freedoms to tackle the pandemic, it remains to be seen whether these concerns will be addressed.

Zoom – Privacy and Security Issues

As the coronavirus crisis affects the world, there has been a sharp rise in working from home and, as a result, the use of video conferencing platforms such as Zoom. But Zoom has also come under fire for numerous privacy and security issues.

As reported by Help Net Security, some of these issues include:

  • A non-transparent and sketchy privacy policy
  • The attendee attention tracker feature
  • The incorrect claim that Zoom meetings/webinars were capable of using end-to-end encryption
  • The iOS client sending user device information to Facebook (because of the Facebook SDK used)
  • UNC link issue that could result in attackers stealing users’ passwords and running malware
  • Two vulnerabilities that could be used by attackers with local access to take over a Zoom user’s Mac, as well as tapping into the device’s webcam and microphone. Exploitation of one of these is possible because Zoom uses a shady installation technique also used by some macOS malware. (In a similar vein, last year Zoom stopped installing a hidden web server on Macs that helped with frictionless installation of the tool)
  • A feature that provided info on Zoom meeting participants (pulled from LinkedIn)
  • Zoombombing (i.e., trolls crashing and disrupting Zoom meetings), additionally exacerbated by lax privacy and security choices made by users and vulnerabilities that allow for the creation of tools like zWarDial, which automates Zoom meeting discovery (The tool hasn’t been publicly released.)

All of these issues raise the question of how safe it is to use Zoom. However, it is important to note that since coming under increased scrutiny in the last few weeks, Zoom has been working to address many of these issues, as Help Net Security has reported:

Since then most of these problems have been addressed: the attendee attention tracker feature and the LinkedIn data sharing feature have been permanently removed, most of the vulnerabilities have been fixed, the Facebook SDK info sending code has been removed, the privacy policy updated to be more clear around what data the company collects and how it is used.

Most importantly, Zoom Video Communications’s CEO Eric Yuan publicly pledged that, for the next 90 days, the company will temporarily stop working on new features and shift all their engineering resources to focus on trust, safety, and privacy issues.

He apologized for the company falling short of the community’s privacy and security expectations, and said that many of the issues were due to the fact that Zoom was built primarily for enterprise customers (large institutions with full IT support).

You can read the full article from Help Net Security here.

It’s a positive step to see a company working towards better security and privacy measures, but although Yuan has argued they “did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home”, the problems should nonetheless have been addressed before.

The chief question here is whether it’s safe to use Zoom. You should always be careful about using any platform on which you can share data, and on the whole, there are more secure services available.

Are you concerned about data privacy issues during the coronavirus crisis? Contact us today to get our expert, professional advice.

Data Protection and Coronavirus – ICO Guidance

The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.

On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”

Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:

  • The ICO understands that data protection standards may not be as high during this time because resources are being diverted away from compliance work. Organisations won’t be penalised if they need to adapt their usual practices.
  • Data protection laws do not prevent people working from home, which many will do during the pandemic. The same security measures should be considered for homeworking as at the workplace.
  • Staff should be informed about cases of coronavirus at your organisation. Individuals do not need to be named, however; provide no more information than is necessary.
  • There’s no need to collect significantly more health data about your employees. While you have an obligation to protect their health, you should not collect more information than you need and can take a commonsense approach to this.
  • Rather than attempting to handle things internally, a better approach may be to ask people to consider and follow government advice – for example, calling the NHS on 111 if they have visited a badly affected country or are showing symptoms of the virus.
  • It’s fine to share employee health data with the authorities if necessary – although it’s unlikely you’ll need to do so.

You can read the full guidance from the ICO here.

This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.

If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.