Privacy, COVID and vulnerable communities in the golden city

elevenM’s Cassie Findlay brings a first-hand account of how privacy considerations are playing a role in shaping COVID-19 outcomes in parts of the US. 

It’s no secret that the city of San Francisco and the surrounding counties that make up the Bay Area are home to some of the most stark inequities in the world.  

Having just returned home after four and a half years living and working there, I can confirm that the evidence of staggering wealth existing side by side with extreme poverty and homelessness is everywhere, and it is shocking. Encampments dot the city streets in which people are lacking in basic sanitation and medical services. Solutions are often temporary and deployed only in response to residents’ complaints.  

Bringing a pandemic response into this mix was never going to be easy. The local and State governments’ response to the COVID crisis has, by overall US standards, not been too bad, but not necessarily for its most vulnerable people.  

A case in point is the axing late last year, by the cities of Oakland and San Francisco, of a testing program offered by the Google affiliate Verily. Introduced in March, the platform screens people for symptoms, books appointments, and reports test results. Unfortunately, from a privacy perspective, the design of the program added friction to the uptake of critical services in a pandemic.

In a letter to the California Secretary of Health, the City of Oakland’s Racial Disparities Task Force raised concerns about the collection of personal data on the platform amidst a crisis of trust amongst Black and Latinx communities in how their personal information might be used or shared by governments and corporations. Participants were required to sign an authorisation form that says their information can be shared with multiple third parties involved in the testing program, including unnamed contractors and state and federal health authorities. 

As explained by the Electronic Frontier Foundation’s Lee Tien to local public radio station KQED: “While the form tells you that Verily may share data with ‘entities that assist with the testing program,’ it doesn’t say who those entities are. If one of those unnamed and unknown entities violates your privacy by misusing your data, you have no way to know and no way to hold them accountable.”  

Given the need for better and more accessible testing for people experiencing homelessness, and the known severity of the impact of COVID on Black and Latinx communities, obstacles like this to testing uptake are concerning. Other testing services in Oakland and San Francisco have fortunately adopted approaches based on more direct engagement and building of trust in these communities, as opposed to defaulting to an app-based solution with the trust and privacy concerns that entails.  

This case shows just how much trust issues around the use of personal information can affect critical services to vulnerable communities, and it has valuable lessons for those of us working on the delivery of public services with technology. 

My key takeaways are: 

  • Consumers understand and take seriously the trade-offs involved in exchanging personal information for services, discounts and other benefits. 
  • We are moving beyond approaches to data collection that treat consumers as a homogeneous group in terms of their willingness to share, but we can safely assume that unknown secondary purposes for their data will always be regarded with suspicion. 
  • Success will increasingly depend on having a more nuanced picture of your ‘customers’, including their trust in your organisation or sector, whether it be commercial enterprise or public health services. 
  • Building a data governance strategy that can track and maintain a picture of your business, actors within the business including end users or customers, and evolving requirements (including less tangible ones like societal attitudes) is a great foundation for privacy policy and practice that respects diversity and can evolve as the landscape changes around you.

 

News round-up Jan 2021 — SolarWinds hack, the need for robust external security assurance, and a community demand for privacy

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

While the far-reaching consequences of the SolarWinds-FireEye-US Government hack are only just starting to be understood, a few stand-out lessons are emerging. In this round-up, we also observe oversight bodies in Australia starting to demand external assurance that organisations’ cyber security is robust. The rising swell from consumers demanding improvements in privacy protection also continues, with responses in kind by Apple, Microsoft, and the Australian Competition & Consumer Commission (ACCC).

News round-up Dec 2020 – Escalation in ransomware tactics, world-first privacy settlement and more

December 1, 2020

The round-up

For what appears to be the first time, a privacy settlement has dictated the need for an organisation to consider gender-based privacy risks. We look at the implications of the settlement in this round-up. Believe it or not, there’s been yet another escalation in ransomware extortion tactics, while we look at why the Government’s critical infrastructure security bill is causing tech companies to get hot under the collar.

News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more

The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases eases, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.

News round-up Oct 2020 — Update on Service NSW data breach, Twitter upping its security game, and more

 

The round-up

It’s in the nature of this game that there’ll always be breaches and bungles, so increasingly it matters how you respond. And in our eyes, some recent response actions are worth commending. The NSW Government opened up on how it might have prevented the Service NSW breach, while Twitter laid out how it is upping its internal security game after a hack in July. We also explore if NAB’s step into the world of bug bounties sets a new bar for security maturity.

Key articles:

Australians want more control over privacy, survey shows

Summary: Privacy is a major concern for 70% of Australians while 87% want more control and choice over the collection and use of their personal information, a new study shows.

Key risk takeaway: As businesses roll out services that are increasingly data-driven, one of the more salient findings of the survey was that privacy is now the leading consideration when individuals choose an app or program to download, ahead of quality, convenience and price. Concerns around collection practices – particularly around the purpose for which data was collected – were another prominent finding. These views reinforce the importance of approaches such as privacy-by-design and practices such as Privacy Impact Assessments (PIA), which seek to “bake in” good privacy practices early in the development of new projects or initiatives. The Office of the Australian Information Commissioner this month also issued guidance for agencies on how to screen for potentially ‘high privacy risk’ projects to determine whether a PIA is required under the agencies’ privacy code.

Tags: #privacy #communityattitudes #privacyimpactassessments  

 

Service NSW hack could have been prevented with simple security measures

Summary: The personal data of 186,000 customers and staff were leaked after a cyber-attack on Service NSW in April that compromised the email accounts of 47 employees.

Key risk takeaway: We covered the news of this attack in our May roundup – our focus here is on Service NSW’s response. Transparency, responsiveness and empathy for affected customers are core principles of a trust-building response. Service NSW has attracted criticism for taking four months to notify affected customers, illuminating a key challenge in translating these principles into reality. In the wake of a breach many organisations lack the capabilities to quickly identify and assess the data types involved and, more pertinently, the extent of likely harm for affected customers – resulting in lengthy delays to notification. That appears to have been the case here, with Service NSW explaining that much of the breached data was in unstructured form (e.g. in emails, handwritten notes, forms and scans). Encouragingly, head of Cyber Security NSW Tony Chapman demonstrated commendable transparency in his responses around root causes, citing the preventative roles multi-factor authentication and reduced email-based data sharing could have played. Some may argue these concessions are like shutting the gate after the horse has bolted – another perspective is that these disclosures demonstrate an understanding of what is required to prevent recurrence of similar incidents in the future.

Tags: #databreachresponse

 

Woman dies during a ransomware attack on a German hospital

Summary: In what is being described as the first possible death directly linked to a cyber-attack, a woman has died after a German hospital couldn’t accept emergency patients due to a ransomware attack.

Key risk takeaway: In seeking to illuminate why cyber security matters, we often describe the potential impacts of cyber incidents. Large financial, reputational and operational impacts are serious enough, but for organisations in the health sector, impacts to the wellbeing of individuals (to the point of death) are sadly also very much on the cards. Do incidents like this – where human life is at stake – complicate advice to “never pay ransoms”? It’s hard to say, but it seems fair to observe that there are mixed views in some quarters, with some organisations reserving the right to make a risk-based judgement. In this scenario, even the attackers tweaked the ‘conventional’ rules of extortion – when told they had impacted a hospital treating emergency patients, they withdrew the ransom demand and provided a decryption key. Sadly, it was too late for the impacted woman. This incident follows ransomware attacks on a Thai hospital and on one of Chile’s biggest banks, resulting in the shutdown of all its branches, with disruptions lasting over a week.

Tags: #ransomware

 

NAB crowdsources cyber security with bug bounty program

Summary: NAB is the first of the Big Four banks to include a bug bounty program in its security strategy.

Key risk takeaway: We’ve previously written that bug bounties are increasingly seen as a sign of a mature approach to security. The foray of a major Australian bank (traditionally more conservative) into the world of “crowdsourced security assurance” is arguably further evidence of the mainstreaming of these approaches, and a step we wager took some hearty advocacy by the security team to get sign-offs from legal-types and executives. Given the global cyber security skills shortage, bug bounties can offer organisations access to a broader and internationally-based pool of security talent to test and assure key systems. A key consideration is to see bug bounties not as a replacement for, but as a complement to, existing capabilities within a layered security strategy.

Tags: #bugbounty #layereddefence

 

Twitter prepares for US election with new security training, penetration tests

Summary: Ahead of the US election Twitter has been bolstering its internal security and privacy controls, including by requiring staff to complete additional training, deploying hardware security keys to employees, and engaging in penetration tests and privacy impact assessments.

Key risk takeaway: Here’s something of a blueprint for hardening systems in the wake of a phishing-based breach. After suffering such a breach in July, Twitter has stepped up a range of protections – most notably around employees – by increasing training requirements, enhancing checks on employees with key systems access and rolling out “phishing-resistant security keys”. A mix of baseline security/privacy training for all staff coupled with more targeted and dynamic learning content for specific role types (as Twitter appears to be pursuing) also reflects the strategies that we are increasingly seeing being pursued in the local market. Also of note is Twitter’s push to ensure appropriate privacy measures are implemented before projects launch: in the first six months of 2020 Twitter completed more than 300 privacy impact assessments compared with 100 PIAs in 2018.

Tags: #securityawareness