Privacy, COVID and vulnerable communities in the golden city

elevenM’s Cassie Findlay brings a first-hand account of how privacy considerations are playing a role in shaping COVID-19 outcomes in parts of the US. 

It’s no secret that the city of San Francisco and the surrounding counties that make up the Bay Area are home to some of the most stark inequities in the world.  

Having just returned home after four and a half years living and working there, I can confirm that the evidence of staggering wealth existing side by side with extreme poverty and homelessness is everywhere, and it is shocking. Encampments in which people lack basic sanitation and medical services dot the city streets. Solutions are often temporary and deployed only in response to residents’ complaints.

Bringing a pandemic response into this mix was never going to be easy. The local and State governments’ response to the COVID crisis has, by overall US standards, not been too bad, but not necessarily for its most vulnerable people.  

A case in point can be found in the axing late last year of a testing program offered by the Google affiliate Verily, by the cities of Oakland and San Francisco. Introduced in March, the platform screens people for symptoms, books appointments, and reports test results. Unfortunately, from a privacy perspective, the design of the program added friction to the uptake of critical services in a pandemic.

In a letter to the California Secretary of Health, the City of Oakland’s Racial Disparities Task Force raised concerns about the collection of personal data on the platform amidst a crisis of trust amongst Black and Latinx communities in how their personal information might be used or shared by governments and corporations. Participants were required to sign an authorisation form that says their information can be shared with multiple third parties involved in the testing program, including unnamed contractors and state and federal health authorities. 

As explained by the Electronic Frontier Foundation’s Lee Tien to local public radio station KQED: “While the form tells you that Verily may share data with ‘entities that assist with the testing program,’ it doesn’t say who those entities are. If one of those unnamed and unknown entities violates your privacy by misusing your data, you have no way to know and no way to hold them accountable.”  

Given the need for better and more accessible testing for people experiencing homelessness, and the known severity of the impact of COVID on Black and Latinx communities, obstacles like this to testing uptake are concerning. Other testing services in Oakland and San Francisco have fortunately adopted approaches based on more direct engagement and building of trust in these communities, as opposed to defaulting to an app-based solution with the trust and privacy concerns that entails.  

This case shows just how much trust issues around the use of personal information can affect critical services to vulnerable communities, and it has valuable lessons for those of us working on the delivery of public services with technology. 

My key takeaways are: 

  • Consumers understand and take seriously the trade-offs involved in exchanging personal information for services, discounts and other benefits. 
  • We are moving beyond approaches to data collection that treat consumers as a homogenous group in terms of their willingness to share, but we can safely assume that unknown secondary purposes for their data will always be regarded with suspicion.
  • Success will increasingly depend on having a more nuanced picture of your ‘customers’, including their trust in your organisation or sector, whether it be commercial enterprise or public health services. 
  • Building a data governance strategy that can track and maintain a picture of your business, actors within the business including end users or customers, and evolving requirements — including less tangible ones like societal attitudes — is a great foundation for privacy policy and practice that respects diversity and can evolve as the landscape changes around you.


News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases eases, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.

News round-up May 2020 — Ransomware formally registered as business risk and security report on cyber attackers


The round-up

In our latest round-up, we get a fresh angle on some familiar threats. The rise of ransomware over recent years has seen it elevated as a formally registered business risk, while new research seeks to explain why phishing continues to work so well. A new security report also gives us insight into what’s motivating cyber attackers, and into one of the fastest growing reasons that data breaches are occurring.

News round-up April 2020 — Privacy and security issues with COVID-19


The round-up

COVID-19 is creating a heady and swirling vortex of news, information and disinformation. In this edition we cut through to the key privacy and security issues of the pandemic, including the Government’s contact tracing app and the new risks and scams that security leaders need to be thinking about. We also check in on how cybercriminals are attending to business-as-usual.

Key articles:

ACSC issues FUD-busting COVID-19 WFH guide

Summary: In light of new and more pronounced cyber security vulnerabilities brought on by the workforce’s wholesale transition to working from home, the Australian Cyber Security Centre issued its own official guidance.

Key risk takeaway: Security leaders in businesses right across the economy are responding to working arrangements and circumstances radically different to those for which they devised their risk mitigation strategies and activities. For the many professionals working from home, the ACSC’s tips include being aware of COVID-19 related cyber threats and scams (see next story), adopting strong passphrases and using multi-factor authentication. Security teams also need to account for the different risk profile that results from a highly distributed workforce working in non-corporate environments. Risks to manage more closely include user adoption of unsanctioned video conferencing platforms and ensuring users connect to networks securely. Other emerging considerations include the need to revisit security provisions in technologies hastily purchased during the pandemic and sharpening governance over “shadow IT”, as workers install and use their own (non-sanctioned) applications to continue to perform their duties in non-standard conditions.

Tags: #securityhygiene #securityawareness #securityriskassessment


Continued widespread reports of COVID-19 malicious scams

Summary: Authorities and businesses around the world are observing a massive surge in internet scams related to the coronavirus pandemic. Says one security professional: “I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man.”

Key risk takeaway: It’s the pandemic edition of the usual refrain – humans are the critical front-line in defending against cyber-attacks. Businesses must take strong steps to make their employees aware of the explosion in COVID-19 themed scams and phishing attacks, which are being deployed to drop malware, steal information and facilitate financial fraud. Thousands of new coronavirus-themed web domains, which are used as phishing sites and to spread malware, are being registered every day. The Australian Signals Directorate is muscling up for the fight, as are US law enforcement authorities and even an army of volunteer cyber defenders.

Tags: #securityawareness


Australia launches COVIDSafe contact tracing app

Summary: The Australian Government launched an app to support health professionals performing contact tracing on individuals who test positive to coronavirus. The app faced intense scrutiny over its handling of privacy and security considerations.

Key risk takeaway: The public’s heightened expectations of privacy and transparency in new technologies and services – particularly those involving sensitive information (such as health status) – are brought to the fore in the public conversation surrounding the COVIDSafe app. The Government’s previous mis-steps in adequately addressing privacy and security considerations in technology deployments (e.g. Census, My Health Record) have demonstrably impacted this rollout, reflecting the importance of service providers building trust over an extended period. A privacy impact assessment on the app – which made 19 recommendations, the bulk of which were accepted – has helped in part to ameliorate some of the privacy concerns (read elevenM’s Melanie Marks’ view of some of these privacy risks here). An auxiliary consideration for organisations will be how they deal with employee queries about the app, particularly in relation to installing it on work-issued mobile devices.

Tags: #privacy #privacyimpactassessment


Zoom bolsters software security in latest move to reassure users

Summary: Video conferencing platform Zoom has faced intense criticism over poor security and privacy practices, leading to “do not use” edicts from governments and major corporations alike.

Key risk takeaway: When your startup’s moment finally comes, will a complacent attitude to privacy and security be your undoing? Widespread self-isolation has certainly been a godsend for video conferencing platforms like Zoom. But despite a massive surge in users, Zoom’s reputation has taken a thorough battering. Like Standard Chartered has done overseas, we’re aware of major Australian organisations issuing guidance to staff to refrain from using Zoom, especially for official business. Zoom has had to move fast to issue mea culpas and patch security and privacy holes. For major developers of digital services and budding start-ups alike, a more efficient and less painful strategy is to bake in good practices through approaches such as privacy-by-design and secure coding.

Tags: #privacybydesign #securecoding


IT services behemoth Cognizant suffers attack by Maze ransomware

Summary: While we’re all pre-occupied with COVID-19, one group (sadly) is carrying on as though everything is normal: ransomware gangs. In the past month foreign exchange business Travelex, insurer Chubb and technology consultancy Cognizant were all revealed to have been hit with ransomware.

Key risk takeaway: Ransomware might be overshadowed now by that other virus, but by no means has it gone away. We wrote in February of the havoc Maze ransomware gangs were already wreaking in 2020. And the fact that cybercriminals are now offering discounts on their services should remind us all that they’re determined to be a viable force throughout and beyond the pandemic. The Cognizant incident – in addition to reminding us of the importance of endpoint protection and detection tools – highlights a couple of considerations. First, the incident affected Cognizant clients, illuminating the issue of supplier risk. Organisations should consider quickly disabling system access for any infected supplier. Second, the particularly aggressive public extortion strategy used by Maze attackers – in which sensitive data is stolen before being encrypted, and its public release threatened if the victim doesn’t pay the ransom – highlights the need for a clear public communications strategy for cyber incidents.

Tags: #solvingransomware #crisiscommunications

News round-up March 2020 — COVID-19 influence on cyber security, privacy and digital risk


The round-up

First and foremost, we wish all our clients and friends the best in these challenging times. We hope your families are well and that your businesses are finding a way to move forward through the current crisis.

Given the present saturation of COVID-19-related news, we considered avoiding the topic altogether in this edition of the news round-up, as a way to help our readers step back from the crisis and dip back into business as usual.

The reality, as we’re all appreciating, is that our collective response to the pandemic is unprecedented. It dominates all spheres of our lives – work, home, socialising, shopping and parenting. “Business as usual”, as it used to be, doesn’t really exist at this moment.

So in this month’s round-up, which takes a slightly different form, we look at how COVID-19 is influencing the spheres of cyber security, privacy and digital risk.


Key themes:

Security and privacy at the heart of changed ways of working

COVID-19 has heralded an unparalleled change in working conditions, most strikingly marked by large volumes of staff working from home, in accordance with social distancing and isolation guidelines issued by authorities.

Working from home isn’t new, but the scale is unprecedented. IT and security teams have scrambled to ensure that the sizeable increase in numbers of staff working remotely – including many that haven’t done it before – doesn’t translate to an unpalatable increase in security and privacy risks.

Recommendations have been widely published online to promote secure working from home practices, including use of secure networking tools such as VPNs and access controls such as multi-factor authentication. Some also see the current circumstances as an opportunity to introduce stringent IT architectures that will promote greater security long after the crisis subsides.

While technical measures are critical, we can’t underscore enough how important it is for organisations to also speak to their staff. Issue clear advice about the need to maintain secure practices when working from home, and the continuing importance of protecting the information of customers and of the organisation. As executives increase their conversations with staff at this time about how their companies are handling the crisis, security and privacy teams must also strive to have security and privacy priorities included in these communications.


The highs and lows of humanity

The image of people fighting off the elderly for toilet paper crystallises how the pandemic has, sadly, illuminated some of the worst in human behaviour.

So it was in the cyber realm. Very quickly after the pandemic took hold, authorities observed a spike in COVID-19 themed phishing and scam emails. Also discovered were coronavirus health apps laced with malware, hijacked routers steering users to malicious COVID-19 sites, and the disruption of online services that the public will increasingly come to rely on.

The expansion of cybercrime infrastructure – such as the registering of new domains, and burgeoning pool of potential money mules – further suggests we could face these new risks for a sustained period.

All the more reason for businesses to start educating their staff now, not least because a state of heightened fear, anxiety and constant desire for new information likely increases susceptibility to threats such as phishing.

For a while, it did seem that cyber-criminals might have an attack of conscience, with some peddlers of ransomware vowing to lay off health care companies. A series of hospital-related attacks showed that to be a false dawn.

While there may be no honour among cyber thieves, there is valour in our industry worth celebrating. Many security researchers are volunteering to support healthcare providers fighting hackers, while a number of security vendors are providing free tools to help their customers be more secure. Some professionals have even set up an online cyber school for flustered home-schooling parents to help teach their kids cyber security.


Cyber workers are essential

As healthcare staff fight valiantly on the frontlines of this pandemic, it’s not unlikely that many of us in professions far removed from hospitals and health clinics are second-guessing how important our jobs are today.

Of course, PM Scott Morrison has declared that all workers are “essential” workers. But for those wanting something more specific, US President Trump also issued guidance this month on exactly what roles make up the essential critical infrastructure workforce.

A number of cyber security roles were defined in the list, including workers performing cyber security functions at healthcare facilities and energy providers. The inclusion of these roles in this list affirms that cyber security functions play a critical role in the functioning of society, even in the event of a pandemic-related lockdown.

A stoush between public health and privacy?

If the importance of cyber security was re-affirmed in the previous section, privacy may have taken a backseat, at least momentarily. Various governments, seeking to arm themselves with the information needed to contain the pandemic, have turned quickly to our personal data.

In some countries, like the US, this at least kicked up an ethical conversation. In other jurisdictions, like Singapore, Taiwan and Israel, the public health imperative appears to have overridden any appetite for discussion.

But one should never be too quick to declare privacy dead. Privacy was built for this. Principles such as necessity, proportionality, reasonableness and transparency are more important than ever for governments that will need to maintain public trust throughout a sustained state of emergency.

One of the first tasks for privacy advocates on the other side of this crisis will likely be to ensure that privacy concessions made in the name of necessity are rolled back as the emergency subsides (as signaled here). Beyond that, there will also be an opportunity to re-assess and refine prevailing attitudes to privacy and seek to reframe conversations where the discussion is framed as a choice between privacy and health.