COVID-19 AND PRIVACY

What surveillance might be possible in the future with Apple and Google backing of Bluetooth ‘contact tracking’ as their part in curbing COVID-19 spread?

Your smartphone may soon include new technology that could someday allow you to invite marketers to reach you with offers, or the government to seek data on where you’ve been — the result of today’s urgent desire to curb COVID-19.

Apple and Google said on Friday they will both adopt an open specification in their phone operating systems that will use Bluetooth signals to take note of other participating phones that recently passed within a few feet of you. 

“Contact tracing” has been around for a while, but the two tech giants said they would adapt it as a method for health authorities to alert people have been near a person who turns out to be infected with COVID-19.  But it is not hard to imagine other uses for the technology, once it is embedded — starting as early as summer — in every major phone operating system.

The design is based on open-source code developed by volunteers at a project called COVID-Watch, which says it is affiliated with Stanford University. Its website lists at least 16 contributors, by name. An FAQ page explains who they are and defines contact tracing. They say they are beta-testing an app.

Here’s how the Apple-published spec says it works, if you agree to turn it on:

1. Your phone keeps an encrypted record of every similarly-enabled phone that you pass close to — say 6-10 feet. 

2. If the owner of one of those phones is subsequently diagnosed with COVID-19, and agrees to have their health provider alert the system,  the system pings every participating phone, including yours.

3. If your phone finds a match in its stored database inside your phone of phones that have been near you, you get a message warning you may have been COVID-19 exposed, and what to do. 

Simple enough for that application.  But what else could it be used for? Imagine if rather than a person’s phone leaving a data point that you have passed near each other, that instead, a particular location sent a contact record.

• A store you’ve been near in the past could send you an offer 

• A government agency could seek authority to learn where you’ve been and when 

The joint Apple-Google news release, and related specifications (1), (2), (3),  described complicated methods of timing-out, rotating and encrypting phone IDs to enhance privacy. So, in theory, such uses would be impossible without end-user consent.

In their story on The Verge, Russell Brandom and Adi Robertson write that the contract-tracing method has potential weaknesses. “In crowded areas, it could flag people in adjacent rooms who aren’t actually sharing space with the user, making people worry unnecessarily,” they write. “It may also not capture the nuance of how long someone was exposed…”

Prior to the Apple-Google announcement, the American Civil Liberties Union published a white paper raising concerns about contract tracing.  And the Electronic Frontier Foundation has a current primer on it, too.

RELATED COVID LINKS:

• Big tech’s COVID-19 opportunity | Luca D’Urbino, Economist

• New Mexico using cell phone data to create social distancing models and considering more restrictive travel measures | Hollie Silverman, CNN

• Why data protection law is uniquely equipped to let us fight a pandemic with personal data | pdpEcho

• A new phone-tracing technology could tell if you’ve been exposed to the coronavirus — without sacrificing privacy. 130 researchers are offering it to countries for free. | Dave Mosher, Business Insider

• The surveillance profiteers of COVID-19 are here | Violet Blue, Engadget

• 110 organisations have set out eight conditions proposed for governments worldwide to adhere to if they are using surveillance technology to combat the pandemic. | Aimee Chanthadavong, ZDNet

• Coronavirus is halting US data privacy efforts across tech companies | Emily Jacobs, NY Post

• Senate scrutinizes data’s role in the coronavirus pandemic | Margaret Harding McGill, Axios

• Data Processing in Times of Coronavirus Disease 2019 (COVID-19): Guidance from EU and National Data Protection Authorities | Willeke Kemkers, National Law Review

• COVID19 Exposes the Shallowness of Our Privacy Theories | Prof. Jane Bambauer, Reason

• How Europe Is Bumping Against Privacy Laws in Coronavirus Battle |  Thomas Seal and Stephanie Bodoni, Bloomberg

• Lawmakers are raising concerns about Google’s coronavirus screening website that Trump announced, saying it could violate privacy laws | Aaron Holmes, Business Insider

• COVID-19: No Impact on July 1 Enforcement Date Set For California Consumer Privacy Act of 2018 (“CCPA”) | Tara Clancy and Paul Sweeney, K&L Gates

• Human rights groups warn governments of privacy laws when tracking COVID-19 | Aimee Chanthadavong, ZDNet

• Why data protection law is uniquely equipped to let us fight a pandemic with personal data | pdpEcho

• COVID-19 Will Someday Fade Away. The Wireless Location Data Practices Being Embraced To Track It Probably Won’t. | Karl Bode, TechDirt

• ANA Finds In-House Teams Becoming Even More Important Than Agencies Post-Pandemic | Joe Mandese, MediaPost

• Enlisting tech to fight coronavirus sparks surveillance fears | Niv Elis and Maggie Miller, The Hill

• Watch: Are We Vesting Too Much Power in Governments and Corporations in the Name of COVID-19? With Edward Snowden. | Glen Greenwald, The Intercept

• Sacrifice privacy for public good, says UK’s leading computer scientist | Hannah Boland, Telegraph

• Personal Information & Data Protection in China – Looking Towards 2020 | Lexology

• How the cellphones of spring breakers who flouted coronavirus warnings were tracked | Donie O’Sullivan, Mercury News

• Can You Find Me Now? Location Privacy and the Coronavirus Pandemic | Jenny Colgate, Rothwell Fig

• SHORT AND LONG TERM PRIVACY CONSIDERATIONS TO NAVIGATE OUR NEW REALITY | Céline Guillou and Chiara Portner, Hopkins Carley

• You Should Be Thinking About Privacy and Security Right Now! | Robert Braun, Cybersecurity Lawyer Forum

NEWS AND COVID-19 (See QUOTE OF WEEK, below)

• The Fate of the News in the Age of the Coronavirus | Michael Luo, The New Yorker
• REPORT: It’s Not Just the Content, It’s the Business Model: Democracy’s Online Speech Challenge | Nathalie Marechal & Ellery Roberts Biddle, Ranking Digital Rights 
• U.S. Local News Outlets Need Government Rescue: Lawmakers, Trade Groups | Reuters via NYTimes
• Media Groups Call on Congress to Support Local News, Local Media Amid Coronavirus Crisis | News Media Alliance
• More than 45 Press-Freedom, Social-Justice Groups Call on Congress to Fund Journalism and Treat Local News as Essential Service During Pandemic | Timothy Karr, FreePress.net  (LETTER)

CCPA WEEK FIFTEEN

By April 21, CCPA ver. 2.0 must have 623,000 valid signatures; a deep-dive look by Protocol at the politics of privacy shows what’s at stake for Mactaggert

A deadline of April 21 is looming that could have a huge impact on privacy regulation in California and the United States. That’s the date by which supporters have to show they have at least 623,000 valid signatures on petitions to put a proposed California Privacy Enforcement Act on the November ballot in that state. (Annotated version)

A lengthy story by the news website Protocol provides an unusually detailed look at the lobbying and deal-making  the fresh initiative on the California ballot in November to change the California Consumer Privacy Act (CCPA) just months after it takes effect. The new initiative is 51 pages.

The story by Issie Lapowski, published Feb. 6, quotes CCPA initiator Alastair Mactaggert and says that he is being courted by Google, Facebook, Microsoft, the advertising industry, and others seeking changes in CCPA. Entitled, “Inside the closed-door campaigns to rewrite California privacy law, again,” Lapowski says one thing Mactaggert is unyielding on — the idea of consent.

“A whole bunch of businesses didn’t love our definition of ‘consent’ because now consent really means you actually want to give your consent. Too bad. We kept it in,” said Mactaggert of the ballot initiative.

The reason Mactaggert has leverage is this — with the original CCPA in 2019 Mactaggert’s ballot initiative so freaked out data brokers and the ad-tech world that they agreed instead to support legislative passage and enactment of a privacy-weaker CCPA in exchange for Mactaggert agreeing to withdraw the privacy-intense ballot initiative.  Mactaggert said at the time he didn’t want to go through a bruising, multi-million-dollar public lobbying campaign over the initiative.

Mactaggert has the same leverage this time — because polls show an overwhelming majority of California voters would approve a privacy-focused ballot initiative. Once the April 21 signature deadline is passed, Mactaggert can horse-trade again until June 25 — the deadline after which the initiative could not be pulled from the November ballot.

MORE CCPA

• Three ways digital marketers can convert California’s privacy law into an opportunity | Raashee Gupta Erry, AdAge

• California AG Issues Significant Changes to Draft CCPA Regulations as of March 2020 | Jeewon Kim Serrato and Susan Ross, Norton Rose Fulbright

• http://twitter.com/johnnyryan/status/1248501132541870080

• CCPA Enforcement on Track for July 1, 2020: Breaking Down the Latest Revisions to CCPA Proposed Regulations | Crowell Morley

• California  Attorney General  Releases Third Draft  of CCPA Regulations | Herzog Fox & Neeman

• Consumer Reports Opposes Efforts to Delay CCPA Enforcement Due to COVID-19 | Jonathan Schenker, Alejandro Cruz and Peter Nelson, Patterson Belknap

• The California Consumer Privacy Act is HERE: Are You Litigation Ready? | Hunton Andrews Kurth

SURVEILLANCE AND PRIVACY

• Americans want an internet bill of rights to protect their online data | Eileen Brown, ZDNet

• RESEARCH: Most consumers worry about online privacy but many are unsure how to protect it | Lance Whitney, TechRepublic

• Most consumers worry about online privacy but many are unsure how to protect it | Lance Whitney, TechRepublic

• Most consumers worry about online privacy but many are unsure how to protect it | Eileen Brown, ZDNet

PRIVACY BUSINESS

• Zoom banned from New York City schools due to privacy and security flaws | Ainsley Harris, Fast Company

• Security and Privacy Implications of Zoom | Bruce Schneier

• Privitar Closes $80 Million Series C Funding Round Led by Warburg Pincus | BusinessWire

• Privitar raises $80 million to let companies use big data without compromising privacy | Paul Sawers, VentureBeat

• Privitar raises $80 million to let companies use big data without compromising privacy | Ingrid Lunden, TechCrunch

• AT&T’s CNN buys privacy-minded recommendations startup Canopy | Joan Solsman, CNET

• OPINION: Consumer privacy an opportunity for companies | Vinnie Schoenfelder writing at IAPP

• Fraud prevention startup working on anonymous peer-to-peer verification network | Esther Shein, TechRepublic

• Trustworthy and reliable: why making data privacy a priority leads to stronger customer relationships | Ashley Diffey, SecurityBrief

ADVERTISING AND TECH 

Three accounts detail why Twitter made a bad choice on privacy — it was costing serious advertising dollars 

Twitter isn’t commenting in detail on a fresh change it’s made to boost advertising revenue at the expense of consumer privacy choice. An Aug. 5, 2019, change Twitter made in settings — relatively obscure to users — apparently had a big effect on the platform’s advertisers. This week, two stories and a blog post by the Electronic Frontier Foundation, explain.

“Twitter has removed a privacy feature that allowed all users to stop sharing some private information with advertisers,” writes Jacob Kastrenakes at The Verge. Twitter said the change helps it to “continue operating as a free server” by helping prove to advertisers that its ads are being seen.  “The availability of ad data has had a big impact on Twitter’s earnings in the past,” Kastrenakes wrote.

Twitter’s privacy practices on this point will now give European Union residents more privacy than in the United States and the rest of the world, because of the General Data Protection Regulation (GDPR), wrote Garrett Sloane, at Advertising Age. 

The 2019 change, a bug fix, wasn’t appreciated by advertisers, wrote Bennett Cypers, of the Electronic Frontier Foundation. “And Twitter announced a substantial hit to its revenues after fixing the bugs,”

MORE AD TECH

• Cookie consent still a compliance trash fire in latest watchdog peek | Natasha Lomas, TechCrunch

• Media Math lays off 8% of staff, citing COVID-19 impact || George Slefo, AdAge

• Facebook CPMs Crash, Fall To All-Time Low | Joe Mandese, MediaPost

• Chrome Is Rolling Back SameSite Security Changes Because Of Coronavirus | Allison Schiff, AdExchanger

• Teads Curbs Revenue Guarantees as Ad-Tech Industry Braces for Cuts | Ronan Shields, AdWeek

• How the Ad-Tech Supply Chain Is Being Compressed and Evolving | Ronan Shields, AdWeek

• MediaMath Lays Off 8% of Staff Amid Coronavirus Concerns | Ronan Shields, AdWeek

• What Is Advertising Technology (Adtech)? Definition, Ecosystem, Programmatic, & Trends | Indrajeet Deshpande, Martech Advisor