Zoom’s Boom Raises Confidentiality Concerns

Zoom’s Boom Raises Confidentiality Concerns

With stay-at-home orders in place across the globe, online video communication services have seen a skyrocket in use. In particular, the video platform Zoom is on a tear. The company’s shares are on the rise, and mobile app is currently #1 in the Apple app store. Families and friends use it to connect, and entire school systems rely on it to continue classes online. But with the increased use comes increased scrutiny.

According to the New York Times, the New York Attorney General is now looking into Zoom’s security practices. The letter, sent from the state’s Attorney General’s office, expresses concern “that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”  Zoom’s privacy issues have also been noted by Consumer Reports, Forbes and Doc Searles.

Zoom for Telehealth and Legal Counsel

 Worries about Zoom’s privacy standards are of particular concern for industries that require confidentiality, such as medicine, therapy, and legal counsel.

Telehealth services have quickly become commonplace as more and more people are staying at home. The company does provide a HIPPA-compliant version of their services. However, the recent compliance waiver for telehealth allows health care providers to opt for the far cheaper but less secure version of the software. Now, many insurers are allowing health care providers to bill for telehealth visits. This has opened up the floodgates for patients to meet with doctors and therapists over Zoom.

Given the concerns over Zoom’s privacy practice, it is an open questions whether doctor patient confidentiality and attorney client privileges can be properly guaranteed. For example, Zoom boosts the use of end-to-end encryption, but recent reports show this is not entirely accurate. While Zoom does use end-to-end encryption in certain settings, video meetings use another form of encryption that does not restrict the company’s ability to access those communications.

And, of course, Zoom alone can’t stop the trolls from invading your zoom meetings, especially those you’ve shared publicly. Even the FBI is warning about zoom bombing. There are ways to limit that, though by being prudent with your Zoom settings.

Zoom Responds, but is it Enough?

In response to mounting concerns, Zoom updated their privacy policy over the weekend, stating that customer content will not be used for advertising and that videos are only retained if users request it.  This update is important and it is good to know that the brand of wine we are toasting each other with during our zoom happy hours won’t be sold to a digital marketer.  However, in a blog post about the changes, Zoom’s chief legal officer, Aparna Bawa, said that new policy only clarifies what information they collect, and does not change the companies practices. Zoom also removed code from their platform that sent data analytics to Facebook, after reports surfaced last week.

Despite these minor changes, it may not enough to protect user privacy and guarantee confidentiality for industries that require it.  Zoom is, indeed, booming and it’s hard to see it receding dramatically in a post-Covid world.  Let’s hope it takes all the reasonable steps it should to respect privacy along its ride.

Coronavirus and the Right to Privacy

Coronavirus and the Right to Privacy

 The coronavirus has unquestionably changed the way we live. It has also forced us into strange and, until just a few weeks ago, unthinkable ethical dilemmas. To visit loved ones is worth genuine ethical reflection. Modern nations, especially in the West, are built on an ethics of individual freedoms and the right to privacy. However, the current global health crisis is forcing us to rethink just how fundamental those ethics should be. While we already feel this with regards to the freedom of movement, we are just beginning to contemplate how the coronavirus can and should effect our right to privacy.

Contact Tracing and Enforced Quarantine

In order to limit the spread of the coronavirus, experts emphasize the importance of tracking every contact infected patients have had with others. Countries such as China, Singapore, South Korea, and Taiwan have all taken aggressive measure trace all potential contact infected people have had. These measures are widely considered to be a large reason why these countries have been successful in lowering the rate of transmission. However, the aggressive measures taken have come at the cost of individual privacies.

Taiwan and Singapore, for example, regularly post detailed information about everyone who test positive, including where they live and work, what train stations they have used, and what bars and restaurants they frequent. South Korea now has an app that allows users to track the exactly movement of those infected.

Countries are also using location data to enforce quarantine for those infected. Israel, for example, is now using data collection techniques previously used for counterterrorism efforts to identify anyone potentially exposed to the virus. The government uses this information to send text messages to those exposed ordering them to quarantine.

European and the U.S. Response

As the coronavirus spreads to Europe and the U.S., lawmakers are exploring the use of similar techniques. Italy now uses location data to monitor whether people are obeying quarantine orders. In the U.S., the White House is reportedly in conversations with tech companies to use anonymized location data to track the spread of the virus. HIPPA regulations are being waived to allow doctors and mental health providers to more freely use telecommunication to speak with patients. Companies in Italy, Austria, and Germany have also announced that they will provide location data to governments.

However, with privacy regulations such as the GDPR, it is unclear how aggressively European countries will be able to use personal information. The European Data Protection Board (EDPB) released a statement urging governments to continue to abide by privacy regulations in place. At the same time, however, the EDPB conceded that countries may suspend such regulations “when processing is necessary for reasons of substantial public interest in the area of public health.”

Consequences

Relaxing the right to privacy has garnered mixed responses by government officials and security experts. Many have pointed out that while the measures taken are extreme, personal information such as location data is highly effective in limiting the spread of the coronavirus. “We are stretched very thin in most states,” said the director of the Center for Global Health at Oregon State University, “so this kind of technology can help every state to prioritize, given their limited resources, which communities, which areas, need more aggressive tracking and testing.”

Others are concerned how this could endanger those whose information is made public. In South Korea, some have used information released by the government to identify infected individuals and attack them online. This has led officials to question how the government uses this information, worrying it will discourage others from getting tested for fear of being publicly exposed.

While nearly all countries have explained suspending the right to privacy is a temporary measure for the benefit of the public health, many worry it will have a permanent effect on how governments and countries view privacy concerns. After 9/11, for example, the U.S. used highly invasive surveillance measures that have since become common place among law enforcement agencies. According to the New York Times, privacy experts worry something similar could happen after the current crisis.

What restrictions we, as a society, can tolerate, and what effect this will have after the current crisis remains an open question. However, it may also involve a false choice.  There are technologies to both assist contract tracing and preserve anonymity.  Privacy by Design does not have to be put on pause as we develop these tools.  In fact, if we want to encourage wide adoption, it might be required.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Privacy in the Age of Coronavirus

Privacy in the Age of Coronavirus

One can argue about the steps taken so far with regards to the coronavirus, but perhaps no other report has had an impact on what the United States is now doing to curb the spread of the virus than the report published on March 16 by the UK’s Imperial College COVID-19 Response Team.  In plain, stark language, the report warns of the dangers of doing nothing and emphasizes that if we want to minimize mortality rate “combining all four interventions (social distancing of the entire population, case isolation, household quarantine and school and university closure) is predicted to have the largest impact.”

Key to this is case isolation and household quarantine, both of which are containment measures.  Containment requires, at minimum identification (you have to know who is symptomatic to make sure they are isolated and you have to know who the symptomatic were in contact with to make sure they are quarantined) and communication (you have to know whether you’ve been in contact with someone if you are to self-quarantine).

The technologies exist to help both identification and communication, but at a potential cost to privacy. There’s the impact on privacy to the symptomatic individual, those with whom they have been in contact, and even locations (towns, neighborhoods, stores) through which the person traveled.  These risks are not insubstantial. In the case of individuals, it could result in stigmatization, harassment, and even physical threats (if not harm); in the case of locations, it could result in severe economic losses and stigmatization itself.  The key to leverage technology with containment is to identify potential privacy risks and embed privacy practices into the technology to minimize those risks.

The MIT Media Lab is doing just this.  Yesterday, they released an open-source application called Private Kit: Safe Paths which uses your phone to track your location data and uses that to trace where symptomatic individuals have been and share that information to others so that they can determine whether they may have been in contact with those individuals.  And, the app does it in a privacy-preserving way.  The app works like this: it first logs your phone’s location data, but keeps it on your phone so that you retain possession of it.  If you are diagnosed, you have the choice to consent to sharing your location data with health officials who can make it public.  Ultimately, the app will share symptomatic location data with others without the middleman of a health authority so that one can see if they have been in recent contact with anyone who has been symptomatic.  It’s a powerful tool that has the potential to have a material impact on containment efforts.

Of particular interest, is the whitepaper MIT developed on this application that outlines the various privacy risks pertaining to containment and how Private Kit addresses them.  The report provides an instruction lesson to any organization conduct privacy risk assessments or evaluating privacy controls relative to GDPR or CCPA regulations or to better serve the needs of its constituents.

When confronted with the enormity of something like the coronavirus, its both critical and refreshing to know that we don’t have to throw out our rights to deal with it.  After all, in battling something like this virus, we are not only defending our selves, we are preserving the very freedoms that define who we are.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Beyond Compliance

Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them.  At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are.  In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase.  If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.

 

Reducing the Privacy Trust Deficit

A while back, when I ran an Insurance brokerage, a good friend of mine who owned a mid-size company said, “you know Doug, when it comes to insurance the one thing I’ve learned is that the insurance carriers are only out to [bleep] us.”  I can only imagine what CEO clients who weren’t my friends were saying.

However, when you are selling an intangible, like insurance, you are immediately starting with a trust deficit between you and your prospect.  And it’s that deficit you need to overcome before you can hope to make a sale.

Privacy is an intangible, as well.  You can’t see it.  You can’t touch it.  It’s a concept, a concept that is closely tied to our sense of ourselves and the freedom to express and “own” our identity as we choose.  And, like other intangibles, companies have a trust deficit which they need to overcome if they want to establish strong customer relationships.

The need to bridge the trust deficit is a theme coming from a recent survey on consumer attitudes towards privacy that Deloitte has just released.  As the article states, over two thirds of consumers believe their data is used primarily for target marketing and over half believe the data is shared with third parties.  And, ironically, despite increasing privacy legislation, only 22% of companies are aligning their privacy requirements with business strategy.

This is an epic fail on two fronts:  1) misalignment of privacy compliance with strategy will inevitability result in the sub-optimal compliance measures which open the organization to regulatory action; 2) misalignment of privacy with strategy keeps the organization from taking advantage of a huge opportunity to leverage privacy as an asset to develop stronger customer relationships and propel growth.

For companies that want close the Privacy Trust Deficit, increase market share and improve operational and regulatory compliance, they can start with four steps:  1)  Define the company’s desired relationship with its customers; 2)  Outline privacy requirements as minimally defined by regulation and maximally defined by the company’s desired relationship with its customers; 3) Create a customer data and engagement map which defines how,, why and what the company does with its client data; 3)  Express each point of the data and engagement map in terms of a repeatable behavior with a quantifiable outcome that both leverages and enhances privacy and customer value; 4) Communicate and be transparent of the privacy-related behaviors the company is doing at the same time it is doing them.

Applying these steps will help align privacy with business strategy, minimize the privacy trust deficit and enable the organization to take market share from it’s competitors who view privacy as a compliance objective as opposed to a strategic opportunity.

 

How Social Loneliness Could Effect Privacy Practices

How Social Loneliness Could Effect Privacy Practices

Social media was designed to connect people. At least, that’s what those behind these sites never stop of telling us. They’re meant to create, as Mark Zuckerberg says, “a digital town square.” Yet, as it turns out, the effect social media has on us seems to actually be going in the opposite direction. Social media is making us less social. 

Last year a study by the University of Pittsburgh and West Virginia University was published showing links between social media use and depression. And now the same team has released new study that takes things a step further. The study found that not only does social media lead to depression, but actually increases the likelihood of social isolation. According to the study’s findings, for every 10% rise in negative experience on social media, there was a 13% increase in loneliness. And what’s more, they found that positive experiences online show no link to an increase in feelings of social connections.  

These two studies make clear what we may already feel: the form in which social media connects us ends up leaving us more isolated. And, as strange as it may sound, this could have a profound impact on how we view our privacy. At root, privacy involves the maintenance of a healthy self-identity. And this identity doesn’t form in a vacuum. Instead, it is shaped through our relationship to a community of people. 

So, to the extent social media is isolating, it is also desensitizing to our notions of ourselves and to the world which surrounds us. When we lose a sense of boundaries in relation to community then anything, including the value of  privacy, can go out the window.  

And this can turn into a vicious cycle: the lonelier you feel, the more you’re likely to seek validation on social media. Yet, the more you seek that validation, the more that sense of loneliness rears its head. And often seeking this type of social validation leads to privacy taking a back seat. Earlier we wrote about an increase in the success of romance scams, which is just one example of how a sense of loneliness can have the effect of corroding privacy practices.  

While these studies don’t exactly mean we should go off the grid, it’s clear that to understand and value ourselves, we need at times to detach from technology. And, from a business perspective, there are lessons to be learned here too. While technology can make communication more convenient, that shouldn’t translate to having every conversation through a digital platform. Pick up the phone. Have lunch with a customer. Talk to them instead of selling themHaving more personalized conversation will not only translate to stronger business relationships but may even have an effect on the value placed on privacy as well.