Category: COVID-19 and Privacy

The Story of Your Health Data, as Told by COVID Contact-Tracing

By Jeff Benson

First of two parts.

You wake one Friday with a cough — a dry cough that’s gotten worse after a restless night in bed.

Your breaths come as short, jagged pulls — and you don’t know whether that’s because you’ve contracted coronavirus or you’re paranoid.

You find a clinic where you can get tested, and the nurse advises to assume you have it — to go home and to avoid other people.

That shouldn’t be too hard: You’ve been a recluse for the past month. Well, mostly.

Four days later, you’re at home coughing in rhythm to “Here Kitty Kitty” by Tiger King when the telephone rings. It’s the clinic letting you know you weren’t paranoid: You’ve tested positive for COVID-19.

You think that’s it — but a few hours later, the phone rings again. The clinic has shared your status with the local public-health department. You see, not all of your medical data is private — and especially not during a public-health crisis.

Continue reading “The Story of Your Health Data, as Told by COVID Contact-Tracing”

Big Government, Big Tech Battle Over COVID Contact-Tracing

By Robert Bateman

Governments worldwide are rushing to develop “contact-tracing” mobile apps to help track the spread of COVID-19.

In the “spirit of collaboration,” Apple Inc. and Google are designing a framework upon which such apps can be developed. 

The framework uses Bluetooth Low Energy to anonymously log interactions between cellphones, and the tech firms claim it has “user privacy and security central to (its) design.”

But some governments’ plans for contract-tracing apps clash with what the Apple and Google framework will allow.

Politicians in France and, reportedly, the U.K. and Germany, have been urging Apple and Google to reduce their framework’s privacy protections. 

Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project (STOP), expressed concerns that the Apple-Google partnership had privatized the state’s role in epidemiological analysis.

“Apple and Google not only took it upon themselves to form this partnership without governmental approval,” Cahn told Digital Privacy News, “but they told governments that they will unilaterally disable the Application Program Interface (API) in jurisdictions that they think no longer need the level of tracking that it permits.”

Continue reading “Big Government, Big Tech Battle Over COVID Contact-Tracing”

Yearbook Companies Exploit FERPA Exemption to Collect Student Data

By Samantha Cleaver

When Cheri Kiesecker, co-chair of the advocacy organization Parent Coalition for Student Privacy in Colorado, ordered her son’s yearbook, she reviewed the privacy policy and was shocked at what she saw.

According to the privacy statement, Jostens Inc., like other yearbook companies, receives personal information from schools — and then combines that data with information from other sources to validate and update their databases.

They use the data collected for myriad purposes, including creating and promoting their products — and, as stated in their privacy policy, “for other purposes permitted under this Policy except as prohibited by applicable by law.”

Digital Privacy News reached out to Jostens for comment but did not receive a response.

The broad collection and use of data by Jostens are just two ways yearbook and other companies are collecting and using data under the U.S. Family Educational Rights and Privacy Act (FERPA) directory-information exemption.

FERPA, the 1974 law that governs student information, includes an exemption that allows schools to identify data as “directory information.”

That material then can be disclosed to outside organizations without explicit permission from parents or students.

Continue reading “Yearbook Companies Exploit FERPA Exemption to Collect Student Data”

World Privacy Forum Raises Concerns With Student Data Under FERPA

By Samantha Cleaver

Last summer, when 50.8 million children enrolled in public school in the United States, and 14.7 million more students arrived at postsecondary schools, their data went with them.

Student data, from addresses to photographs, is protected under the U.S. Family Educational Rights Privacy Act (FERPA).

In compliance, students, or their parents, must consent before a school discloses any identifiable information.

But what students and parents may not know is that, unless they opt out, FERPA also allows for some of that data to be released.

In 1974, when FERPA was written, a directory information exemption was put in place. Under this exemption, schools can designate information that can be made public without explicit parental consent.

Continue reading “World Privacy Forum Raises Concerns With Student Data Under FERPA”

Health Data, Even at a Privacy Loss, Proves Invaluable in Emergency Rooms

By Samantha Stone

The global COVID-19 pandemic has brought thousands of people to hospital emergency rooms, where the urgent pace and the need for information are at odds.

After the first critical hours, patients are stabilized and doctors then can review health histories from electronic medical records (EMR).

But what is the nature of that information? How wide and how deep is the data reservoir that doctors can plumb for guidance? Is the patient’s full history stripped bare?

“If you’re part of a treatment team, legitimately, then you can have access to the record,” Dr. Eric Howell, chief operating officer at the Society of Hospital Medicine and a Johns Hopkins University clinician, told Digital Privacy News.

Continue reading “Health Data, Even at a Privacy Loss, Proves Invaluable in Emergency Rooms”

IRS Stimulus Website Plagued by Privacy, Security Issues

By Rob Sabo

Linda Elkington Huotari was excited when she logged into the new IRS website “Get My Payment” and learned she was eligible for direct deposit of her coronavirus stimulus check.

Huotari, who lives in Sherwood, Ore., had already filed her 2018 and 2019 tax returns, so the Internal Revenue Service had her correct banking information.

Two weeks have passed, however, and Huotari has yet to see any funds under the Coronavirus Aid, Relief and Economic Security Act (CARES) deposited into her checking account.

She’s actually one of the lucky ones who successfully navigated Get My Payments to track the status of her payment.

“I’ve received my refunds from 2018 and 2019, but no stimulus funds — and there’s no reason why,” Huotari told Digital Privacy News.

Tens of millions of Americans have received stimulus checks via direct deposit, but millions more have encountered difficulty navigating Get My Payment.

The most-common issues are users receiving an error message stating “payment status not available” — and not having any way to provide correct banking information.

More alarming, security and data-privacy experts told Digital Privacy News, is the lack of safeguards and critical site vulnerabilities that potentially leave millions of consumers who accessed the site prone to data intrusion and cyberfraud.

“Get My Payment was launched a mere five days after the IRS announced it was being developed,” said Mandee Rose, editor at TheVPNShop.com. “Had efforts toward developing the site started sooner, the IRS would have had time to make sure cybersecurity and online privacy measures were properly implemented.”

Continue reading “IRS Stimulus Website Plagued by Privacy, Security Issues”

FBI Expects Surge in Romance Scams as COVID Puts More People Online

By Linda Childers

Carla Brennan (not her real name), a divorcee in San Francisco, wasn’t looking for love when she recently joined an over-40 singles group on Meetup.com, a platform that allows people to organize in-person events for those with shared interests.

Yet shortly after registering, Brennan heard from “Alan,” a structural engineer who claimed he had just moved to the Bay Area and was smitten by her photo and witty bio, she told Digital Privacy News.

Their messages soon turned to cellphone calls and e-mails. Alan, Brennan said, was articulate, attentive and thoughtful.

However, he soon became her worst nightmare: a romance scammer who swindled her out of more than $40,000.

“No one who knows me would ever believe I’d fall for a con, but my mom was very ill at the time and I was in a vulnerable place,” Brennan, in her early 60s, told Digital Privacy News. “Alan made me believe in him, and in us — and it all turned out to be a lie.”

Continue reading “FBI Expects Surge in Romance Scams as COVID Puts More People Online”

Employee COVID Antics Online Could Erode Privacy When Back to Work

By Joanne Cleaver

First of two parts.

Lizet Ocampo is internet famous as the boss who recast herself as a potato for a Friday virtual office meeting and then couldn’t figure out how to un-potato herself for Monday’s staff teleconference.

After a staffer shared the images online earlier this month, gaining nearly a million likes, Ocampo made the most of her turn as a star tuber, joking about the unexpected downsides of working from home.

But the real test of her humor will come when she and her staff eventually return to on-site work for People for the American Way, a liberal advocacy group in Washington.

Will they let her live it down, or will her accidental acclaim take the starch out of her professional reputation?

Workplace privacy has been shredded as millions of Americans suddenly started working from the uneasy convenience of their homes, gaining unexpected glimpses into one another’s bedrooms and kitchens — not to mention pets, kids and spouses.

Privacy won’t snap back as onsite work resumes, however. Employees will need to reclaim their workplace privacy, if not remnants of dignity, as they start to filter back.

Human resources executives are figuring out how to combine standard guidance from existing government regulations with new instructions from public-health officials.

Continue reading “Employee COVID Antics Online Could Erode Privacy When Back to Work”

Zoom’s Problems Point to Pitfalls in Writing Your Own Encryption

By Shelley M. Johnson

Zoom’s video conferencing platform took off during the COVID-19 social distancing as millions of people stayed home — but it has faced a bevy of problems, from “Zoombombing” to sharing user information with Facebook and leaking data to LinkedIn.

The Zoombombing hacks exposed an inherent security flaw in Zoom Video Communications Inc.’s platform: Programmers in China wrote their own encryption code for the platform, using a security standard far more vulnerable than the widely accepted AES-256 encryption method approved by the U.S. government.

Zoom also had a weakness in its global transmission network that left its communications susceptible to intruders. 

These steps were not very wise, Michelle Hansen, a cybersecurity expert and professor at the University of Maryland Global Campus, told Digital Privacy News.

The comedy of security errors soon made Zoom users realize they had to take precautions into their own hands.

Continue reading “Zoom’s Problems Point to Pitfalls in Writing Your Own Encryption”

Telemedicine Necessary With COVID-19, But Not Without Privacy Risks

By Susan Kreimer

Image: Maryland ophthalmologist Dr. Renee Bovelle conducts a telehealth visit from her office.

Some of Dr. Renee Bovelle’s patients feared their pink eye and allergies could be signs of COVID-19. But the Maryland ophthalmologist could only treat them by video conferencing — “telemedicine” — because of mandatory social distancing.

The technology allows doctors to manage most health conditions remotely while reducing risk of exposure to coronavirus. The practice brings heightened concerns of patient confidentiality and digital privacy.

“Now that we’re in this digital age, the burden of responsibility to protect the patient’s healthcare data rests on the shoulders of physicians and healthcare organizations,” Bovelle, who also holds a master’s degree in cybersecurity, told Digital Privacy News.

The global pandemic compels doctors to eliminate most office appointments and conduct more virtual visits, even as telemedicine raises the potential for eavesdropping on conversations and tapping into electronic databases that contain patient information.

Computers and cellphones are prime targets for hackers seeking to capitalize on a new wave of unpredictability in these socially distant times, experts tell Digital Privacy News.

“The general public is obviously relying on their medical professionals,” said Robert Siciliano, a cybersecurity analyst at Protect Now in Boston. “It is ultimately up to that medical professional that they and their clients are going to be protected.”

Continue reading “Telemedicine Necessary With COVID-19, But Not Without Privacy Risks”

Tenants Don’t Have to Tell Landlords If They Got Stimulus Money

By Joanne Cleaver 

Your landlord can ask about the emergency income you might receive from the federal government to make it through the COVID-19 crisis, but you don’t have to tell. 

The pandemic doesn’t erase your privacy rights as a tenant or as an individual, Alice Kwong, co-chief counsel of housing law at Legal Services of New Jersey (LSNJ), told Digital Privacy News.

“Just because the landlord asks about your stimulus check, you have no legal requirement to answer that question,” she said.

LSNJ is a nonprofit that helps state residents with urgent legal matters, which often involve tenants’ rights. Most states have similar organizations, which can help local renters understand how the laws of their states might apply to their relationships with their landlords. 

As the coronavirus pandemic inflicts widespread unemployment, reduced working hours, massive small-business closures and other economic pain, governments at all levels have responded with economic help and expanded legal protection for tenants.

Many municipalities and states have suspended evictions, ensuring that even tenants who cannot pay their rent will not be homeless during a huge public-health crisis. 

By Thursday, more than 22 million Americans had filed for unemployment help, the U.S. Labor Department reported, and millions of businesses had reduced hours, paychecks, or both.

Continue reading “Tenants Don’t Have to Tell Landlords If They Got Stimulus Money”

Where Does Unacast’s Social Distancing Data Come From?

Company’s ‘Scoreboard’ Popular Amid COVID-19 Pandemic

By Jeff Benson

Since data company Unacast introduced its “Social Distancing Scoreboard” at the end of last month, seemingly every local news station has used it to gauge how their state and county is doing relative to other areas. (Nevada, for instance, is near the top with a B+, while North Carolina gets a D.)

You might think Unacast developed its rankings from a close analysis of the country’s myriad public cameras, which extend from the Vegas Strip to Fifth Avenue in New York.

However, though highly visible, surveillance cameras didn’t factor into Unacast’s scores. The cellphone in your pocket did.

Unacast is a Norwegian startup that’s now based in Manhattan. The company procures location data — the kind that smartphones are so good at collecting — and repackages it into insights for retailers who want foot-traffic data and marketers who want your money.

Its newest venture ostensibly isn’t a money-making exercise, but it’s certainly generating positive publicity for an industry that’s faced increased scrutiny since a December 2018 expose by The New York Times on location-tracking apps.

Unacast is now using location-tracking data to fight COVID-19 and “help public-health experts, policymakers, academics, community leaders and businesses in retail and real estate gain accurate insights into current public behavior,” according to a news release announcing the scoreboard.

It’s got a lot of info to play with.

Continue reading “Where Does Unacast’s Social Distancing Data Come From?”

Privacy Safeguards in Apple-Google Platform Could Be Abused, Experts Say

By Jeff Benson

Google and Apple’s COVID-19 platform announced Friday may be privacy-centric — but that doesn’t mean it can’t be abused, experts tell Digital Privacy News.

The tech giants behind the world’s two largest mobile-phone operating systems, Android and iOS, said in a rare joint announcement that they would build a Bluetooth-based platform to trace coronavirus. 

The system would enable phones within Bluetooth range to share data and log interactions.

If someone using the system tests positive for COVID-19 and chooses to submit their diagnosis to the system, users they’ve come in contact with will receive a notification (if they’ve opted into the system).

Apple and Google are only creating the bones; developers and public-health agencies would create applications and solve logistical hurdles.

Cellphone users, Apple and Google say, would explicitly have to opt into the system and individual users’ test results would not be shared with other people or the companies.

Still, a lot of things could go wrong.

Continue reading “Privacy Safeguards in Apple-Google Platform Could Be Abused, Experts Say”

‘What a Nightmare’

Belongings, Privacy Issues Pile Up With COVID-19 Deaths

By Tammy Joyner

An elderly man died of COVID-19 in a New York City hospital last week. His ICU nurse then folded his sweater, gathered his loafers and other belonging and placed them in a plastic bag.

What took place next prompted the nurse, whom Digital Privacy News is not naming, to take to social media:

I asked where to put (his) things. A coworker opens the door to a locked room; labeled bags are piled to the ceiling. My heart drops. It’s all belongings of deceased (patients), waiting for a family member to someday claim them …

The post illustrates a grim scenario taking place postmortem in hospitals nationwide.

As coronavirus death tolls rise, so do privacy risks, particularly identity theft and fraud as purses, wallets, wedding rings, driver’s license, credit and insurance cards, and other personal effects of victims pile up. 

“Anytime we have large numbers of people displaced, injured, killed or die, identity theft becomes an issue, so does financial fraud,” Rob Douglas, a nationally recognized identity-theft expert in Steamboat Springs, Colo., told Digital Privacy News.

“Financial criminals sweep in and take advantage of the chaos to gather any information they can and impersonate the victims and steal their assets.”

Continue reading “‘What a Nightmare’”