Select Page
Facebook collecting healthcare data

Facebook collecting healthcare data

As many of our previous blogs have highlighted, COVID-19 is severely impacting the tech world. Privacy regulations have been a hot topic for debate between governments, Big tech, and its users. 

 Facebook has joined the top companies taking advantage of user data in COVID-19 research. As well, Brazil’ LGPD sees pushback in its enforcing because of COVID-19. Opposite to Brazil, US senators are introducing a new privacy bill to ensure American’s data privacy remains protected.

 

Facebook collecting symptom data

 In the current pandemic climate, tech companies of all sizes have stepped up to provide solutions and aid to governments and citizens struggling to cope with COVID-19. As we’ve highlighted in our previous blog posts, Google and Apple have been at the frontlines of introducing systems to protect their user privacy, while inflicting change in how communities track the virus.

 Following closely behind, Facebook has introduced its attempt to work with user data for the greater good of COVID-19 research. 

 Facebook announced its partnerships with different American universities to begin collecting symptom data in different countries. Facebooks CEO and founder told the Verge that the information could work to highlight COVID hotspots across the globe, especially in places where governments have neglected to address the virus’s severity.

Facebook has been working throughout this pandemic to demonstrated how aggregated & anonymized data can be used for good. 

However, not everyone is taking to Facebook’s sudden praise for user data control. One article highlighted how the company is still being investigated by the FTC over privacy issues

Facebook’s long list of privacy invasions for its users is raising some concerns over not how the data is currently being used, but how it will be handled after the pandemic has subsided. 

 

Brazil pushes back privacy legislation.

At the beginning of this year, we wrote an article outlining Brazil’s first data protection act, LGPD. This privacy legislation follows closely to that of the EU’s GDPR and will unify 40 current privacy laws the country has. 

Before COVID-19s effect on countries like Brazil, many tech companies were already pressuring the Brazilian government to change LGPD’s effective date.

On April 29th, the Brazilian president delayed the applicability date of the LGPD to May 3rd, 2021. By issuing this Provisional measure, the Brazilian Congress has been given 16 days to approve the new LGPD implementation. 

If Congress does not approve of this new date by May 15th, the Brazillian Congress must vote on the new LGPD date. If they do not, the LGPD will come into effect on August 14th, 2020. 

Brazil’s senate has now voted to move its introduction in January 2021, with sanctions coming to action in August 2021. Meaning all lawsuits and complaints can be proposed as of January 1st, and all action will be taken on August 1st (source).

 

America introduces new privacy law.

Much like Brazil’s privacy legislation being affected by COVID-19, some US senators have stepped up to ensure the privacy of American citizens data.

The few senators proposing this bill have said they are working to “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”

This bill does not target contact tracing apps like those proposed by Apple and Google. However, it does ensure that these companies are effectively using data and protecting it. 

The bill requires companies to gain consent from users in order to collect any health or location data. As well, it forces companies to ensure that the information they collect is properly anonymized and cannot be re-identified. The bill requires that these tech companies will have to delete all identifiable information once COVID-19 has subsided, and tracking apps are no longer necessary. 

The bill has wide acceptance across the congressional floor and will be enforced by the state attorney generals. This privacy bill is being considered a big win for Americans’ privacy rights, especially with past privacy trust issues between big tech companies and its users. 

Location data and your privacy

Location data and your privacy

As technology grows to surround the entirety of our lives, it comes as no surprise that each and every move is tracked and stored by the very apps we trust with our information. With the current COVID-19 pandemic, the consequences of inviting these big techs into our every movement are being revealed. 

At this point, most of the technology-users understand the information they do give to companies, such as their birthdays, access to pictures, or other sensitive information. However, some may be unknowing of the amount of location data that companies collect and how that affects their data privacy. 

Location data volume expected to grow

We have created over 90% of the world’s data since 2017. As wearable technology continues to grow in trend, the amount of data a person creates each day is on a steady incline. 

One study reported that by 2025, the installation of worldwide IoT-enabled devices is expected to hit 75 billion. This astronomical number highlights how intertwined technology is into our lives, but also how welcoming we are to that technology; technology that people may be unaware of the ways their data is collected. 

Marketers, companies and advertisers will increasingly look to using location-based information as its volume grows. A recent study found that more than 84% of marketers use location data for their 

The last few years have seen a boost in big tech companies giving their users more control over how their data is used. One example is in 2019 when Apple introduced pop-ups to remind users when apps are using their location data.

Location data is saved and stored for the benefit of companies to easily direct personalized ads and products to your viewing. Understanding what your devices collect from you, and how to eliminate data sharing on your devices is crucial as we move forward in the technological age. 

Click here to read our past article on location data in the form of wearable devices. 

COVID-19 threatens location privacy

Risking the privacy of thousands of people or saving thousands of lives seems to be the question throughout this pandemic; a question that is running out of time for debate. Companies across the big 100 have stepped up to volunteer its anonymized data, including SAS, Google and Apple. 

One of the largest concerns is not how this data is being used in this pandemic, but how it could be abused in the future. 

One Forbes article brought up a comparison of the regret many are faced with after sharing DNA with sites like 23andMe, leading to health insurance issues or run-ins with criminal activity. 

As companies like Google, Apple and Facebook step-up to the COVID-19 technology race, many are expressing their concerns as these companies have not been deemed reliable for user data anonymization. 

In addition to the data-collecting concern, governments and big tech companies are looking into contact-tracking applications. Civilian location data being used for surveillance purposes, while alluded for the greater good of health and safety, raises multiple red flags into how our phones can be used to survey our every movement. To read more about this involvement in contact tracing apps, read our latest article

Each company has released that it anonymizes its collected data. However, in this pandemic age, anonymized information can still be exploited, especially at the hands of government intervention. 

With all this said, big tech holds power over our information and are playing a vital role in the COVID-19 response. Paying close attention to how user data is managed post-pandemic will be valuable in exposing how these companies handle user information.

 

Data sharing in a global pandemic

Data sharing in a global pandemic

As the world continues to brace the impact of Covid-19, data privacy remains a central concern in the development of working from home and containing the spread. Last week, Google released an anonymized dataset of location data outlining hotspots of group gatherings. In addition to this, UK officials are looking to introduce contact tracing applications. For those companies containing the spread within their offices, Zoom has risen as a trusted video conference app. However, in the last few weeks, serious privacy concerns have increased.  

Google releases location data.

On Friday, Google released its COVID-19 Community Mobility Reports. These reports are a collection of data from users who have opted in to sharing their location history with the search giant. This location history comes from Google maps, where the data is aggregated and anonymized. 

Google says that by releasing this data, public health officials are able to determine which businesses are most crowded. This helps to determine the type of grand scale decisions to be made in terms of curfews, stay-at-home orders, or which companies are necessary to remain open. 

The reports are open for public viewing, opening up the data of 131 countries with certain countries displaying regional data such as provinces or states. After selecting the country, Google creates a PDF file with the data for downloaded. 

Each PDF report contains six categories of location data. These include: 

  • Retail and recreation (restaurants, shopping centers, libraries, etc.)
  • Grocery and pharmacy (supermarkets, drug stores)
  • Parks (beaches, dog parks)
  • Transit stations (subways, bus and train stations)
  • Offices 
  • Residences 

(source

Creating these reports comes after weeks of requests from public health officials asking for applications to test a person’s contact with an infected patient. While Google’s data is unable to determine that these datasets may help cities or countries to determine preventive measures. 

Other countries have used similar, more aggressive technology using location data. At the beginning of March, we released an article about Korea’s efforts to stop the spreading by using people’s location to track if they leave their house or not. 

Another news article revealed Taiwan also participated in using location data to track its citizens. Even by going as far as calling phones twice a day to ensure citizens are not just leaving their house without their phone. 

Google released that its data will cover the past 48-72 hours, and has yet to determine when the data will be updated.

Contact Tracing Apps

Similar to the data released by Google, there is more pressure on governments to introduce contact tracing apps like the ones seen in Korea or Taiwan.

In the UK, researchers have begun compiling papers to discuss how privacy can be handled and mishandled in these tracing apps.

One researcher, Dr. Yves-Alexandre de Montjoye, created a whitepaper outlining eight questions to understanding how privacy is protected in these types of potential apps. 

These eight questions include: 

  • How do you limit personal data gathered by the app developers?
  • How do you protect the anonymity of every user? 
  • Does the app reveal to its developers the identity of users who are at risk? 
  • Could the app be used by users to learn who is infected or at risk, even in their social circle? 
  • Does the app allow users to learn any personal information about other users? 
  • Could external parties exploit the app to track users or find out who’s infected? 
  • Do you put in place additional measures to protect the personal data of infected and at-risk users?
  • How can users verify that the system does what it says? 

(source

As governments move quickly to contain the spread of Covid-19, actions like contact tracing apps are becoming seriously considered for introduction. However, patient privacy should not disappear. As the world braces for an even more significant influx of Covid-19 cases, it is in the hand of government officials and big tech to work together to contain the spread while maintaining data privacy.

Zoom faced with data sharing lawsuit

A few weeks ago, we released an article outlining small privacy concerns about introducing Zoom into the work from home environment. Since that article, Zoom has not only increased in popularity but insignificant privacy concerns as well. 

On March 26, Vice news released an article detailing Zoom’s relationship with Facebook. 

Vice reported that Zoom sends analytic data to Facebook, even when a Zoom user doesn’t have a Facebook. While this type of data transfer is not uncommon between companies and Facebook SDK, Zoom’s own privacy policy leaves its data-sharing out.

The article report that Zoom notifies Facebook when a user opens its app as well as specific identifying details for companies to target users with advertisements through. 

Zoom reached out to the news article stating they will be removing the Facebook SDK. However, it wasn’t long before the video-conferencing company was hit with a lawsuit. 

But the privacy concerns don’t just come from data-sharing. The past few weeks have seen numerous reports of account hacking, allegedly not offering end-to-end encryption, password stealing, leaks, and microphone/camera hijacking

And these claims are only just starting to roll in. As Zoom projects to the top of one used video-conferencing technology during this work-from-home burst, the next few weeks could see thousands of data privacy broken.

IoT and everyday life; how interconnected are we?

IoT and everyday life; how interconnected are we?

The Internet of Things (IoT) is a term spanning a variety of ‘smart’ applications. This ranges from things like smart fridges, to smart cities. This idea of ‘smart’ or IoT is the connectedness between everything and the internet. 

It’s hard to grasp the amount of data one person creates each day and understanding where IoT fits into that. And with this new era of ‘smart’ everything, the realm of knowledge is pushed even farther away. 

To understand just how much our smart technologies follow our everyday behaviours, let’s focus on only one person’s use of a smartwatch. 

But first, what are the implications of a smartwatch? This wearable technology gained its popularity starting in 2012, giving users the ability to track their health and set fitness goals at the tap of their wrist. Since then, smartwatches have infiltrated all sorts of markets, from the ability to pay using the watch, take phone calls, or update a Facebook status.

The technology in our lives has become so interconnected, de-identifying our data, while achievable, on a grand scale, is seemingly complicated. Take the smartwatch, our unique footprints, recreated each day are logged and monitored through the small screen on our wrist. While the data created is anonymized to an extent, it’s not sufficient

But why not? After all, technology has moved mountains in the last decade. To better understand this connectedness of our data, let’s follow one person’s day through the point of view of just their smartwatch. 

Imagine Tom is a 30-year-old man in excellent health who, like the rest of us, follows a pretty general routine during his workweek. Outside of the many technologies that collect Tom’s data, what might just his smartwatch collect? 

Let’s take a look. 

Every morning, Tom’s smartwatch alerts him at 7:30 am to wake up and start his day. After a few days of logging Tom’s breathing patterns and heart rate, and monitoring his previous alarm settings, Tom’s smartwatch has learned the average time Tom should be awake and alerts Tom to set a 7:30 alarm each night before bed. 

Before ever having to tell his watch which time he gets up in the morning, his watch already knows. 

Similar to his smartwatches alarm system, this watch knows and labels the locations of 6 specific places that Tom spends most time in the week. Tom didn’t have to tell his watch where he was and why; based on the hours of the day Tom spends at this location, with his sleeping patterns and other movements, his watch already knows. 

Not only are these places determined from his geographical location, but from the other information, his watch creates. 

When Tom is at the gym, his sped-up heart rate and lost calories are logged. When Tom goes to his local grocery store or coffee shop, Tom uses his smartwatch to pay. At his workplace, Tom’s watch records the amount of time spent at the location and is able to determine the two main places Tom spends his time is between his home location and his work. 

Based on a collection of spatial-temporal data, transactional data, health data and repeated behaviour, it is easy to create a very accurate picture of who Tom is.

Let’s keep in mind that this is all created without Tom having to explicitly tell his smartwatch where he is or what he is doing at each minute. Tom’s smartwatch operates on learned behaviours based on the unique pattern Tom creates each day.

This small peak into Tom’s life, according to his watch, isn’t even much of a “peak” at all. We could analyze the data retained by his smartwatch with each purchase, each movement of location or only by the data pertaining to his health. 

This technology is seen in our cars, fridges, phones and TVs. Thus, understanding how just one device collects and understands so much about your person is critical to how we interact with these technologies. What’s essential to understand next is how this data is dealt with, protected and shared. 

The more advanced our technology gets, the easier it is to connect a person based on the data the technology collects. It’s important more than ever to understand the impacts of our technology use, what of our data is being collected, and where it is going. 

At CryptoNumerics we have been developing a solution that can de-identify this data without destroying its analytical value. 

If your company has transactional and/or spatio-temporal data that needs to be privacy-protected, contact us to learn more about our solution.

Facial recognition, data marketplaces and AI changing the future of data privacy

Facial recognition, data marketplaces and AI changing the future of data privacy

With the emerging Artificial Intelligence (AI) market comes the everso popular privacy discourse. Data regulations that are being introduced left and right, while effective, are not yet representative of the growing technologies like facial recognition or data marketplaces. 

Companies like Clearview AI are once again making headlines after receiving cease-and-desist from big tech, despite there being no current facial recognition laws they are violating. As well, Nature released an article calling for an international code of conduct for genomic research aggregation. Between both AI and healthcare, Microsoft has announced a $40million AI for health initiative.  

Facial recognition company hit with cease-and-desist  

A few weeks ago, we released a blog introducing the facial recognition start-up, Clearview AI, as a threat to privacy.

Since then, Clearview AI has continued to make headlines, and most recently, has received cease-and-desist from Big Tech companies like Google, Facebook and Twitter. 

To recap, Clearview AI is a facial recognition company that has created a database of over 3 billion searchable faces, scrapped from different social media platforms. The company has introduced its software in more than 600 police departments across Canada and the US. 

The company’s CEO, Hoan Ton-That, has repeatedly defended its company, telling CBS

“Google can pull in information from all different websites, so if it’s public, you know, and it’s out there, it could be inside Google search engine it can be inside ours as well.”

Google then responded, saying this was ‘inaccurate.’ Google says they are a public search option and give sites choices in what they put out, as well as give opportunities to withdraw images. All options Clearview does not provide, as they go as far as holding images in their database after it’s been deleted from its source.

While Google and Facebook have both provided Clearview with a cease-and-desist, Clearview has maintained that they are within their first amendment rights to use the information. One privacy attorney told Cnet, “I don’t really buy it. It’s really frightening if we get into a world where someone can say, ‘The first amendment allows me to violate everyone’s privacy.’” 

While cities like San Francisco have started banning facial recognition, there are currently no federal laws addressing it as an issue, thus allowing more leeway for companies like Clearview AI to create potentially dangerous software.  

Opening up genomic data for researchers across the world

With these introductions to new health care initiatives, privacy becomes more relevant than ever. Healthcare data contains some of the most sensitive information for an individual. Thus the idea of big tech buying and selling such personal data is scary.

Last week, Nature, an international journal of science, released that over 800 terabytes of genomic data are available to investigators all over the world. The eight authors worked explicitly to protect the privacy of the thousands of patients/volunteers who consented to have their data used in this research.

The article reports the six-year collection of 2,658 cancer genomes between 468 institutions in 34 different countries is creating an open market of genome data. This project, called the Pan-Cancer Analysis of Whole Genomes (PCAWG), was the first attempt to aggregate a variety of subprojects and release a dataset globally.

A significant emphasis of this article was on the lack of clarity within the healthcare research community on how to protect data in compliance with the ongoing changes to privacy legislation.

Some issues in these genomic marketplaces are in the strategic attempts to not only comply with the variety of privacy legislation but also in ensuring that no individual can be re-identified using this information. Protecting patient data is not just a legislative issue but a moral one. 

The majority of the privacy unclarity came from questions of what vetting should occur before gaining access to information, or what checks should be made before the data is internationally shared.

As the article says, “Genomic researches urgently need clear data-sharing rules that are harmonized across jurisdictions.” The report calls for an international code of conduct to overcome the current hurdles that come with the different emerging privacy regulations. 

The article also said that the Biobanking and BioMolecular Resources Research Infrastructure (BBMRI-ERIC), had announced back in 2017 that it would develop an EU Code of Conduct on Health-Related Data. Once completed and approved, 

Microsoft to add another installment to AI for Good

The ability to collect patient data and share in an open market for researchers or doctors is helping cure and diagnose patients at a faster rate than ever before seen. In addition to this, AI is seen as another vital tool for the growing healthcare industry.

Last week, Microsoft announced its fifth installment to its ‘AI for Good’ project, ‘AI for Health.’ This project, similar to its cohorts, will support healthcare initiatives such as providing access to cash grants, AI tools, cloud computing, and Microsoft researchers. 

The project will focus on three different AI strategies, including: 

  • Accelerating medical research
  • Increase the understanding of mortality to guard various global health crises.
  • Reducing health injustices 

The program will be emphasizing supporting individual non-profits and under-served communities. As well, Microsoft released in a video their focus on addressing Sudden Infant Death Syndrome, eliminating Leprosy and diabetic retinopathy-driven blindness in partnership with different non-for-profits. 

AI is essential to healthcare, and it has lots of data that companies like Microsoft are utilizing. But with this, privacy has to remain at the forefront of the action. 

Similar to Nature’s data, protecting user information is extremely important and complicated when looking to utilize the data’s analytical value, all while complying with privacy regulations. Microsoft announced that it would be using Differential Privacy as its privacy solution. 

Like Microsoft, we at CryptoNumerics user differential privacy as a method of anonymization and data value preserving. Learn more about differential privacy and CryptoNumeric solutions.

 

Join our newsletter


Facial Recognition added to the list of privacy concerns

Facial Recognition added to the list of privacy concerns

Personal data privacy is a growing concern across the globe. And while we focus on where our clicks and metadata end up, there is a new section of privacy invasion being introduced: the world of facial recognition. 

Unbeknownst to the average person, facial recognition and tracking have infiltrated our lives in many ways and will only continue to grow in relevance as technology develops. 

Companies like Clearview AI and Microsoft are on two ends of the spectrum when it comes to facial recognition, with competing technologies and legislations fight to protect and expose personal information. Data privacy remains an issue as well, as products like Apple’s Safari are revealed to be leaking the very information it’s sworn to protect. 

Clearview AI is threatening privacy as we know it.

Privacy concerns due to facial recognition efforts are growing and relevant.

Making big waves in facial recognition software is a company called Clearview AI, which has created a facial search engine of over 3 billion photos. On Sunday, January 18th, the New York Times (NYT) wrote a scathing piece exposing the 2017 start-up. Until now, Clearview AI has managed to keep its operations under wraps, quietly partnering with 600 law enforcement agencies. 

By taking the photo of one person and submitting it into the Clearview software, Clearview spits out tens of hundreds of pictures of that same person from all over the web. Not only are images exposed, but the information about where they were taken, which can lead to discovering mass amounts of data on one person. 

For example, this software was able to find a murder suspect just by their face showing up in a mirror reflection of another person’s gym photo. 

The company is being questioned for serious privacy risk concerns. Not only are millions of people’s faces stored on this software without their knowledge, but the chances of this software being used for unlawful purposes are incredibly high.

The NYT also released that the software pairs with augmented reality glasses; someone could take a walk down a busy street and identify every person they passed, including addresses, age, etc. 

Many services prohibit people from scraping user’s images, including Facebook or Twitter. However, Clearview has violated said terms. When asked about its Facebook violation, the CEO, Mr. Ton-That disregarded, saying everybody does it. 

As mentioned, hundreds of police agencies in both the U.S and Canada allegedly have been using Clearview’s software to solve crimes since February of 2019. However, a Buzzfeed article has just revealed Clearview’s claim about helping to solve a 2019 subway terrorist threat is not real. The incident was a selling point for the facial recognition company to partner with hundreds of law enforcement across the U.S. The NYPD has claimed they were not involved at all. 

This company has introduced a dangerous tool into the world, and there seems to be no coming back. While it has great potential to help solve serious criminal cases, the risk for citizens is astronomical. 

Microsoft at the front of facial recognition protection

To combat privacy violations, similar to the concerns brought forward with Clearview AI, cities like San Fransisco have recently banned facial recognition technologies, fearing a privacy invasion. 

Appearing in front of Washington State Senate, two Microsoft employees sponsored two proposed bills supporting the regulation of facial recognition technologies. Rather than banning facial recognition, these bills look to place restrictions and requirements onto the technology owners.

Despite Microsoft offering facial recognition as a service, its president Brad Smith called for regulating facial recognition technologies in 2018.

Last year, similar bills, drafted by Microsoft, made it through Washington Senate. However, those did not go forward as the House made changes that Microsoft opposed. The amendments by the House included a certification that the technology worked for all skin tones and genders.

The first of these new Washington Bill’s looks similar to the California Consumer Privacy Act, which Microsoft has stated it complies with. This bill also requires companies to inform their customers when facial recognition is being used. The companies would be unable to add a person’s face to their database without direct consent.

The second bill has been proposed by Joseph Nguyen, who is both a state senator and a program manager at Microsoft. This proposed bill focuses on government use of facial recognition technology. 

A section of the second bill includes requiring that law enforcement agencies must have a warrant before using the technology for surveillance. This requirement has been met with heat from specific law enforcement, saying that people don’t have an expectation of privacy in public; thus, the demand for a warrant was unnecessary. 

Safari exposed as a danger to user privacy.

About data tracking, Google’s Information Security team has released a report detailing several security issues in the design of Apple’s Safari Intelligent Tracking Prevention (ITP). 

ITP is used to protect users from tracking across the web by preventing third-party affiliated websites from receiving information that would allow identifying the user. The report lists two of ITP’s main functionalities:

  • Establishing an on-device list of prevalent domains based on the user’s web traffic
  • Applying privacy restrictions to cross-site requests to domains designated as prevalent

The report, created by Google researchers Artur Janc, Krzysztof Kotowicz, Lucas Weichselbaum, and Roberto Clapis, reported five different attacks that exploit the ITP’s design. These attacks are: 

  • Revealing domains on the ITP list
  • Identifying individual visited websites
  • Creating a persistent fingerprint via ITP pinning
  • Forcing a domain onto the ITP list
  • Cross-site search attacks using ITP

(Source)

Even so, the advised ‘workarounds’ given in the report “will not address the underlying problem.” 

Most interesting coming from the report is that in trying to address privacy issues, Apple’s Safari created more significant privacy issues.

As facial recognition continues to appear in our daily lives, recognizing and educating on the implications these technologies will have is critical to how we move forward as an information-protected society.

To read more privacy blogs, click here

 

Join our newsletter