Thursday, February 18, 2021

CONTACT TRACING: HEALTH FIRST, PRIVACY LAST?

Previously, we shared our concerns about the implications of Contact Tracing and how this will affect the Privacy of US citizens and beyond. We also pointed out and made a call for solving the lack of a National Privacy Framework, to be formalized by Federal Regulations or Law, and not left up to private industry. Interestingly, such a “Federalized” Privacy Framework was called for by over 50 CEOs of the Nation’s largest companies in a letter to Congress well before the notion of Contact Tracing came to the forefront of the public eye. The time is now more urgent than ever to create and mandate a National Privacy Framework, and this Framework ought to put the power in the hands of We the People, not the Free Market, as the actual “owners” of that information.

The call to action by these industry-leading CEOs is profound, not in their prescient insight, but in the deafening silence from Congress. Their outcry clearly illustrates the support by commercial heavyweights to adopt a uniform framework we can all use to deliver the right cybersecurity protections, achieve proper business outcomes, and now – adequately support the urgent imperative for Contact Tracing. Most importantly, they also point out the need for you to maintain rights over your data, much like the European Union (EU) defined in the General Data Protection Regulation (GDPR). “We are also united in our belief that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.”

As Contact Tracing moves closer to a necessary reality, it has, unfortunately, become apparent that privacy concerns are quickly becoming a reality, and the government has done nothing to ensure the proper protection and use of our information. Certainly, we support, respect, and understand the fine balance between regulation and Free Markets. But information about us has been used and abused by the Free Market, as so clearly pointed out by Shoshana Zuboff in “Age of Surveillance Capitalism,” and we must make our voices loud to advocate for Common Sense control over our information. The only realistic way to achieve control is with a National Privacy Framework, much like the EU’s GDPR.

Apple and Google have partnered to help Government entities worldwide by allowing their Contact Tracing API to be leveraged. If the words ‘Privacy’ and ‘Google’ in the same sentence give you cause for concern, know that you’re not the only one; lest we forget they were issued one of the biggest fines to date by the EU’s GDPR regulators in France for rampant privacy violations. While both companies vehemently denied they will take advantage of this privilege and will take measures such as preventing third-parties from accessing location data, the structure of this approach is inherently decentralized. Worse yet, without national, uniform guidance, and explicit requirements for Data Protection in the form of Law and Regulation, it’s being left up to the organizations to decide upon and implement the “proper” cybersecurity controls to ensure privacy.

Why does this matter? Well, with an invasive capability such as Contact Tracing, abuse of power would lead to intimate knowledge about any of us, including our location, habits, and social circles (i.e. contacts). We must establish clear-cut guidelines, in the form of a Federal Privacy Regulation, and a governing authority to monitor compliance with the guidelines to ensure proper use, care, and disposal of your personal information. Currently, we are going in the exact opposite direction when we already have two separate private organizations offering two separate solutions to a slew of governing bodies and health organizations who are all driven by their own motives.

For example, the UK’s NHS branch determined they wanted to design their own app rather than rely on Apple or Google. However, their ‘lone wolf’ efforts have already gained unwanted publicity in the form of a report on their complete lack of compliance with GDPR requirements and an inside tip that the first version of the NHS app failed initial cybersecurity tests.

The largest issue we face with Contact Tracing from a decentralized standpoint is that no one can give a clear answer as to what’s tracked, what’s not, what’s anonymous, what’s considered sensitive, who has access to what data, how long that data will live, how it will be used, and how it will be destroyed. Essentially, there is no accountability for access to our most intimate information. In addition to the inherent benefits this yields the free market (as outlined in the call to action), a National Privacy Framework would establish this accountability. It would provide us, about whom the data is collected and monetized, the rightful control over how our data is used, how it’s managed, by whom, and for how long. We ought to have a right to control our information and explicitly allow or deny its use – by our own determination – and not that of the Free Market entities.

Contact Tracing is creating all sorts of buzz in the media and beyond. Still, our call to action remains the same: establish bulletproof requirements around Contact Tracing in general and establish a National Privacy Framework to govern the access to and use of our information. Even more specifically, it needs to be carved into stone that Contact Tracing is solely used for health pandemics and not for the gain of individual for-profit organizations and government entities.

It is not enough for us to simply assume that state-level officials and private sector company leaders will make decisions in the best interest of the population’s privacy. We must establish and enforce a nationally recognized, federally mandated privacy Framework for all organizations participating in Contact Tracing implementation that ensures our privacy takes precedence. Striving to create better ways to keep people healthy does not mean that people should have to give up privacy. As proven in history time and time again, the last thing we want to do is make irrational decisions during a crisis, only to surface on the other side, being horrified by what we have ultimately created. The time is now; our voices must be loud.


Monday, April 27, 2020

Shhh - Not In Front Of The Television

A recent advertising campaign from Samsung promises: "TV has never been this smart." We may soon wonder how smart a TV can get before it is too smart for our own good.

"Smart TVs" can display Web content by directly accessing a home's Internet connection. Many of the high-end versions, including Samsung's, offer voice-recognition technology, allowing users to change channels, search for programs or adjust the TV volume by verbal command.

Samsung is not the first company to introduce voice controls for smart TVs, but it is the focus of a privacy group's current concern. The Electronic Privacy Information Center has asked the Federal Trade Commission to investigate after a close reading of the company's privacy policy revealed that third parties might be able to listen in using the TV's built-in microphone. The policy warns users that "if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition." (1)

While we probably don't have to worry about Skynet rising in our living rooms, Americans are rightfully wary of sweeping electronic intrusions. After the revelations about National Security Agency programs and privacy breakdowns at companies as diverse as Anthem and Target, it is understandable if some consumers are unsettled by the idea of an unnamed person listening in on conversations that happen to take place while the TV is on. And smart TVs are not the only culprit: Some video game consoles can be controlled by voice too, and Apple and Android mobile devices have made voice search an everyday part of many people's lives.

Nearly all of these devices let you turn the microphone off or disable voice recognition software. You can also disconnect your smart TV from the network so it won't transmit anything, though this means losing most of the benefits of owning a smart TV. And most devices that use voice controls require an initiating command before they start recording what you say at all, at least in theory.

For TV owners who choose not to disable voice controls, the Samsung policy still may not be cause for undue alarm. A Samsung spokeswoman, speaking to Chris Matyszczyk at CNET, explained that the third parties the policy indicates are contacted only during a requested voice command search; no voice data is retained or sold, she stressed. (1) But while this is reassuring, it requires customers to trust the company not to retain or sell collected data in the future.

TV buyers may be wary, especially if they are aware of the investigation LG triggered a few years ago when it came to light that viewing data from LG's smart TVs was collected even if the related setting was toggled to "off." (LG later released an update to fix the issue.) There has also been concern that Samsung's data, when transmitted, is not properly encrypted. Companies need not be malicious to compromise consumer privacy; they need only be sloppy.

Apple and Google have been careful to specify that data from smartphone voice search or services like Siri is anonymized, so the companies cannot trace a given query back to any particular user - in Google's case, ever, and in Apple's case, after six months connected to a randomly generated number. (2) But even without personal information attached, sensitive data sitting on a company's servers could be a problem. For instance, a dictation might contain legally regulated information, such as the precise time a company plans to file for an initial public offering. Scrubbing the name of the person who input the data may not be enough when the data itself needs protection.

There are a few ways the privacy concerns might eventually be resolved. A device maker may find itself held financially responsible if it obtains a certain sort of sensitive information - for instance, information about planned criminal activity - and fails to take responsible action. If and when this happens, that manufacturer is likely to promptly disable or eliminate voice data gathering capabilities. Wary competitors would likely follow suit rather than risk ending up in the same legal hot water.

It may not come to that, of course. Device makers may voluntarily limit where our data goes, or legislators may force them to do so. After all, gathering information as such is not the problem. Obviously, we realize that when we ask our smartphones for directions and traffic information, the phone must communicate the request to an outside server; voice recognition simply acts as a fingerless keyboard for inputting search queries. The phone itself doesn't "know" the answer. It relays your request to an app or a search engine and returns the answer to you.

Similarly, if I ask my smart TV to display a channel guide or play a particular program, I know it is obtaining the content from elsewhere. That is not a problem. In fact, it is probably why I purchased a smart TV in the first place. The problem is that consumers are not necessarily agreeing to let the TV maker store that data, ostensibly for product-improvement purposes, or share that data with third parties for marketing purposes.

If I search for a certain website on my MacBook, I don't expect Apple to be informed. I have no reason to expect this on my iPhone either, whether I use voice technology or my fingers to enter the site name. Companies need research to improve products, of course - but they can conduct this research in house, or use beta testers who know their usage is being monitored. There is no reason to turn the entire customer base into unpaid research assistants, even though such practices are now common.

The solution may eventually come from technological progress itself. One day, machines may have the storage and processing capacity to handle all voice commands locally, eliminating any need to transmit the spoken commands (or transcriptions of spoken commands) elsewhere. The more that can be wired into the hardware, the less need to move data or to involve third parties.

In the meantime, devices' programming should limit transmitted information to phrases that are recognized as some part of the unit's functionality. There is no need to record or transmit phrases such as "my husband is a pompous idiot." Our gizmos should be smart enough to tell the difference.

By Larry M. Elkin
