Important News about COVID-19! That e-mail came from the Virginia E-ZPass. In the past two weeks, if you are anything like me, you have been receiving hundreds of e-mails from vendors, suppliers, and third parties, from Outback Steakhouse to 1-800-CONTACTS, telling you about their policies, plans or procedures for the coming zombie apocalypse that is COVID-19. What this really reflects is how many different organizations currently collect, store and maintain your personal information, and how little interaction you had to have with them for them to collect it. Maybe you had dinner in a restaurant. Maybe you downloaded an app six years ago. Maybe you bought tickets to an event (that’s how the Myrtle Beach Pelicans got my e-mail address and contact information). What would have been, in prior times, a fleeting relationship, no more than a glance, has now become a permanent marriage between you and a minor league baseball team because you had the temerity to want your tickets e-mailed to you. Now they have your name, your address, your phone number, and maybe some portion of your credit card number stored somewhere. They know which Pelicans games you have been to, whether you actually went to the game, how many people went, and, with shared marketing agreements, they may also know that you went to an Aberdeen IronBirds game, a Bowie Baysox game, a Delmarva Shorebirds game, and what your favorite major league teams are as well. There simply is an awful lot of personal data about you shared among an awful lot of entities. And you have no control over it. Truth is, for the most part, neither do they.
In the wake of GDPR, European company websites began informing customers that they use cookies to collect information, and attempted to get consent from their customers to collect and share information by cookie. What resulted is a whack-a-mole series of clicks requiring users to click through an array of consents, notifications and settings just to read an article in, for example, the Independent. Even then, if you don’t consent to the unlimited use of cookies, you have to click through a maze of settings to tell them, “hey, I just want to read the damned article!!” The Independent kinda sorta tells you the entities with whom they share some or all of your data, with amorphous names like “22 Across” or “AAX LLC” or “Captify Technologies.” Indeed, the vendor list of entities with whom the Independent shares information names more than four dozen entities like that: nameless, faceless data brokers or data analysts, who in turn may share personal or aggregated data with others.
Is this really necessary?
One of the reasons we have so many breaches, and why these breaches reach so many people, is that we collect and store so much information, much of it needlessly. Sure, collecting data helps keep the Internet free by permitting targeted advertising. But data has a life-cycle. The fact that I liked bell bottom jeans and Nehru jackets (kids, ask your parents. No wait, ask your grandparents) in 1973 doesn’t mean that that’s what I am wearing now (it doesn’t mean I’m not wearing that either; I’m in self-imposed quarantine, so how would you know?). Purge data you don’t need. It lessens the risk of reportable data breaches: data you no longer hold cannot be stolen, and cannot trigger a notification obligation. And we need a much better mechanism for people to enforce some form of “right to be forgotten.” Not about the big stuff like that felony assault back in ‘68, but about the trivial stuff like that Pelicans game. Spring cleaning for data.
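What “spring cleaning for data” looks like in practice is a retention sweep: every record carries the purpose it was collected for, each purpose has a retention period, and anything past its period goes, unless a legal hold says otherwise. The script below is an added example written for this page, not code from the author or from any ticketing vendor; the purposes, the retention periods and the sample records are constructed to show the decision logic, and a real schedule would come from legal and compliance review.

```python
"""Retention sweep over stored personal records.

Added example, not from the original article: the purposes, retention periods
and sample records are constructed to illustrate a purge decision, not copied
from any real organization's policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str              # why the data was collected in the first place
    last_used: date           # last time that purpose actually needed the data
    legal_hold: bool = False  # a litigation or regulatory hold suspends deletion


# Days a record may be kept after its last legitimate use, keyed by purpose.
# Constructed values; a real schedule comes from legal and compliance review.
RETENTION_DAYS = {
    "ticket_delivery": 30,   # e-mail address only needed until the game
    "marketing": 365,        # drop marketing contacts with no recent engagement
    "chargeback": 180,       # card token kept only for the dispute window
    "tax_record": 7 * 365,   # statutory retention for transaction records
}


def purge_decision(rec: Record, today: date) -> tuple[str, str]:
    """Classify one record as purge, keep, hold or review, with the reason.

    Unknown purposes are flagged for review rather than deleted or kept
    silently: data with no documented purpose should not exist, but deciding
    what to do with it is a human call, not an automatic delete that might
    destroy evidence.
    """
    if rec.legal_hold:
        return "hold", "legal hold set; retention clock suspended"
    limit = RETENTION_DAYS.get(rec.purpose)
    if limit is None:
        return "review", f"no retention rule for purpose {rec.purpose!r}"
    expiry = rec.last_used + timedelta(days=limit)
    if today > expiry:
        return "purge", f"expired {(today - expiry).days} days ago"
    return "keep", f"expires {expiry.isoformat()}"


def sweep(records, today: date) -> dict[str, list[tuple[str, str]]]:
    """Bucket every record by decision so the purge can be logged and applied."""
    buckets = {"purge": [], "keep": [], "hold": [], "review": []}
    for rec in records:
        decision, reason = purge_decision(rec, today)
        buckets[decision].append((rec.record_id, reason))
    return buckets


# Constructed sample: what a ticketing vendor might still be holding.
SAMPLE_TODAY = date(2020, 3, 20)
SAMPLE_RECORDS = [
    Record("fan-001", "ticket_delivery", date(2014, 6, 14)),            # a 2014 game
    Record("fan-002", "ticket_delivery", date(2020, 3, 1)),             # a game this month
    Record("fan-003", "marketing", date(2018, 9, 1), legal_hold=True),  # under hold
    Record("txn-004", "tax_record", date(2015, 4, 15)),                 # still within 7 years
    Record("app-005", "app_install", date(2014, 1, 10)),                # purpose never documented
]


def sweep_sample():
    """Run the sweep over the constructed sample as of SAMPLE_TODAY."""
    return sweep(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for bucket, items in sweep_sample().items():
        for record_id, reason in items:
            print(f"{bucket:6} {record_id}: {reason}")
```

The point of the four buckets is that “purge” is the only one that deletes, and it is driven by a written rule, not by someone’s guess about whether the data might be useful later. The “review” bucket is where most real-world data ends up on a first sweep, because nobody wrote down why it was collected; that list is the actual spring-cleaning to-do list.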
Good Data. Bad Data.
During the COVID-19 crisis, there are epidemiologists and others seeking personal information, personal health information, and other information for the protection of public health. This includes IoT thermometer manufacturers using data to predict COVID-19 hot spots, cell-phone and app developers using location data for alerting, and COVID-19 testing labs using apps and SMS to notify people about lab results. In a data-driven environment, we actually do need to collect this data, some of which may be protected health information under HIPAA. We very much can, and very much should, be collecting and using this data for public health purposes. We very much can, and very much should, be collecting and using this data for public health purposes. Did I mention that we should be using this data for public health purposes? But we should, to the extent possible and feasible, collect and disseminate the data with both public health and privacy in mind. For THIS virus, there’s no need to “name and shame” individuals impacted (or countries, for that matter). Rather, we are interested in the progression of the disease: counts, regions and trends, not names. On the other hand, I WOULD like to know if my medical professional has tested positive and decided to ignore the warnings to stay at home. Balance. The good thing is that most regulations provide exactly that balance. Those interpreting them, however, often do not.
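“Disseminate with privacy in mind” has a concrete shape: the people who need to see the progression of the disease get counts per region per week, and nobody downstream ever sees a patient identifier. The script below is an added example for this page, not code from the author or from any lab or health agency; the region codes, dates and results are constructed, and the suppression threshold of five is a commonly used small-cell value chosen here for illustration, not a number taken from any regulation.

```python
"""Aggregate test results for public-health release without identifying anyone.

Added example, not from the original article. The region codes, dates and
results below are constructed; the k_min threshold of 5 is a typical
small-cell suppression value, not a figure from any regulation or agency.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import date, timedelta


def week_start(d: date) -> date:
    """Monday of the week containing d, so counts roll up to a coarse period."""
    return d - timedelta(days=d.weekday())


def aggregate_results(results, k_min: int = 5) -> dict[str, dict]:
    """Roll per-person results up to (region, week) cells.

    Cells with fewer than k_min tests are suppressed (counts replaced by None)
    because one or two positives in a small area over a short period can point
    at a specific person. Patient identifiers are read only to count and are
    never copied into the output.
    """
    cells = defaultdict(lambda: [0, 0])  # "region|week" -> [tested, positive]
    for r in results:
        key = f"{r['region']}|{week_start(r['tested']).isoformat()}"
        cells[key][0] += 1
        cells[key][1] += 1 if r["positive"] else 0

    report = {}
    for key, (tested, positive) in sorted(cells.items()):
        if tested < k_min:
            report[key] = {"tested": None, "positive": None, "suppressed": True}
        else:
            report[key] = {"tested": tested, "positive": positive, "suppressed": False}
    return report


def contains_identifier(report: dict, identifiers) -> bool:
    """Release check: does the serialized report leak any known identifier?"""
    blob = json.dumps(report)
    return any(ident in blob for ident in identifiers)


# Constructed sample: one lab's results across two three-digit ZIP regions
# and two weeks. Region "229" has only two tests that week, so it is suppressed.
SAMPLE_RESULTS = [
    {"patient_id": "P-1001", "region": "222", "tested": date(2020, 3, 9),  "positive": False},
    {"patient_id": "P-1002", "region": "222", "tested": date(2020, 3, 10), "positive": True},
    {"patient_id": "P-1003", "region": "222", "tested": date(2020, 3, 11), "positive": False},
    {"patient_id": "P-1004", "region": "222", "tested": date(2020, 3, 12), "positive": False},
    {"patient_id": "P-1005", "region": "222", "tested": date(2020, 3, 13), "positive": True},
    {"patient_id": "P-1006", "region": "222", "tested": date(2020, 3, 13), "positive": False},
    {"patient_id": "P-1007", "region": "229", "tested": date(2020, 3, 10), "positive": True},
    {"patient_id": "P-1008", "region": "229", "tested": date(2020, 3, 12), "positive": False},
    {"patient_id": "P-1009", "region": "222", "tested": date(2020, 3, 16), "positive": True},
    {"patient_id": "P-1010", "region": "222", "tested": date(2020, 3, 16), "positive": True},
    {"patient_id": "P-1011", "region": "222", "tested": date(2020, 3, 17), "positive": False},
    {"patient_id": "P-1012", "region": "222", "tested": date(2020, 3, 18), "positive": True},
    {"patient_id": "P-1013", "region": "222", "tested": date(2020, 3, 19), "positive": False},
]


def sample_report() -> dict[str, dict]:
    """Aggregate the constructed sample with the default threshold."""
    return aggregate_results(SAMPLE_RESULTS)


if __name__ == "__main__":
    report = sample_report()
    ids = [r["patient_id"] for r in SAMPLE_RESULTS]
    assert not contains_identifier(report, ids), "identifier leaked into release"
    print(json.dumps(report, indent=2))
```

Two caveats a practitioner would add. Suppressing one small cell is not enough if a regional total is published beside it, because the suppressed value can be recovered by subtraction, so totals and cells have to be suppressed together. And the release check at the end only catches identifiers you know about; the stronger guarantee is structural, which is why the aggregation never touches `patient_id` except to iterate.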
As Kipling noted, “If you can keep your head when all about you are losing theirs and blaming it on you” … “you’re probably missing something…” OK, not Kipling, but you get the idea. Responding to this crisis is like responding to any other crisis. First, take a deep breath. Then, take your own pulse. Try to make informed, rational decisions, on both security and privacy. And now that you are stuck at home, it’s a good time for some spring cleaning. Throw out those old “Cosby” sweaters (bad associations in many ways). Ditch that disco ball. And get rid of that unneeded personal data. Meanwhile, I need to see what Taco Bell thinks of the COVID-19 crisis, so let me check my e-mail.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.