Ethics and COVID-19, or is it COVID-1984?
I suppose, like many Americans, sheltering in place has given me pause to think about a post-COVID America (read: Compliance and the Coronavirus). As I hear pundits and experts alike pontificate on what can and should be done around everything from re-opening businesses to protecting us from a resurgence of the virus, the one area that I gravitated to was the notion of contact tracing, and specifically, it’s potential impact on personal privacy, and the balance of public health vs. personal privacy.
Data Protection & Consumer Privacy
Maybe I’m personally jaded because all day, every day, I work in a world where discussions of personal privacy are frequent and commonplace. In our industry, we have seen major shifts in respect for personal privacy from GDPR, the EU’s General Data Protection Requirements, and more recently, the CCPA of 2020 now in force (California Consumer Privacy Act), and even the resurgence of support for the New York Privacy Act.
Although my thoughts are impacted by all of these, I want to focus on the NYPA. In its original form as New York State Senate Bill S5642, it was widely championed as “even bolder than California’s.” The NYPA ultimately failed to pass last summer, but now has a lot of support to be reintroduced and in force by 2021.
As part of the EU’s and California’s legislation, the de-identifying or anonymizing of data became an important regulatory standard. This means that data must be completely stripped of its identifying aspects. To summarize the compliance requirements of GDPR, CCPA and NYPA’s attitude to collection of personal data, the personal data must be de-identified, and its re-identification must not be possible or encouraged.
Now the first part of that – the anonymizing of data – makes perfect sense and is vital to the spirit of the legislation. It’s that last little part that gives me pause – “re-identification must not be possible or encouraged.”
Online Surveillance
We all are living in a world so surveilled right now that all you have to do is visit a website for, say, camping gear after searching for it once in your browser, and instantly in every app that you use, you’re flooded with ads for camping gear for weeks or longer. Stating the obvious, your personal identity is tied to the search, and clearly there is value in that because companies pay massive amounts of money to find out exactly who you are and what you searched for. That means that the result – unknowing your specific search history – is clear encouragement to determine your identity and buy and sell that information to legitimate companies who want to advertise products that your browsing history suggests you may have interest in buying. Common sense stuff, right? In fact, many people have surrendered their perception of privacy when they use the web to shop and just assume their data is going to be captured and sold.
GDPR and CCPA, to their credit, are about not allowing that and re-establishing rights around data ownership back to the individual, and that is both moral and worthy. There is an underlying assumption of ethical behavior with the various stewards of this data. Trust is so often broken and violated historically, that this legislation was necessary. Simply stated, GDPR, CCPA, NYPA and a host of other national and international pieces of legislation either now in force, or proposed or being contemplated, are to establish privacy standards because the stewards of data don’t seem to be particularly inclined to, and to establish penalties for improper care and punitive measures for predatory behavior and bad actors.
I am reminded of the famous bad actor, Wille “Slick Willie” Sutton. Although he was a bank robber, Sutton had the reputation of a gentleman; in fact, people present at his robberies stated he was quite polite. One victim said witnessing one of Sutton’s robberies was like being at the movies, except the usher had a gun. Originally reported in The Saturday Evening Post, when asked why he robbed banks, Sutton simply replied, “Because that’s where the money is.”
Personal Data & Coronavirus
I have heard people say that data is the new gold. I disagree, data is fool’s gold – insight is real gold. So, where am I going with this? Data mining tools, brilliant data scientists, and powerful computers now hold the power to turn data into insight. Much like a gold mine, the more data, the more valuable. And in all these discussions I hear about contact tracing, I keep hearing that everyone’s mobile device is a personal tracking system that can be used to identify when you come in close contact to a coronavirus carrier, that powerful facial recognition software is now capable (and likely be used) to track millions of Americans.
In fact, there’s a good chance if you live in the US that at some point you’ve been watched, scanned, or analyzed by facial recognition technology — potentially without even realizing it. If you have a state-issued ID, an image of your face is already on file and mapped to your identity. With your face captured in a clear, forward position, your features can be easily measured and matched to data.
Across the country, government use of the technology is on the rise, identifying people by matching unique characteristics of their facial patterns to databases of images. Critics say it poses a serious threat to Americans’ privacy by enabling rapid and unwarranted monitoring of citizens. But until recently, the extent of facial recognition has been relatively private from the public. That is why it is so critical to understand the extent of the data capture, how it is being used, and how it is being protected.
Now contact tracing discussions have brought these data mining technologies to kitchen table conversations. And what guards our privacy from abuse of this treasure trove of what could be the largest “gold mine” of personal data ever found? Only the ethos of the stewards of the data, and the defensive mechanisms in place to shield the data from bad actors.
Protecting Against Bad Actors
Worried yet? You should be! Do you wonder why companies like Google and Apple were at the front of the line raising their hands to get in the game of mining data from the movements of people with Android or Apple phones? That’s right, the same Google, who abused public trust so blatantly they just about single-handedly were the driving force behind GDPR. Government agencies, global data centers, and some of the biggest and most well-known businesses have experienced very public data breaches exposing tens of millions of people’s private information to bad actors because they were not capable of protecting it.
And now, suddenly, we should trust these same people to exercise ethical behavior and competency to protect the data around every movement we make, what door’s we walk through, and who is sitting at the next table in the restaurant – talk about “encouraging” the theft and abuse of the data. It will be where the tech world’s Wille Sutton goes next, because in the world of data privacy and piracy, personal protection and exposure, that vault will be “where they keep the money.”
The ETHIX360 blog brings you weekly updates on all things human resources and compliance.
MEET THE AUTHOR
J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.
ABOUT ETHIX360
At ETHIX360, our goal is simple: to provide an affordable, flexible, and comprehensive answer to employee communication, policy management, corporate training and case management on issues related to corporate ethics, code of conduct, fraud, bribery, and workplace violence.
