An already embattled and over-stretched Brazilian health system received another blow this month when it was revealed that the personal data of millions of Covid-19 patients had been exposed. The leak laid bare intimate personal details such as the home address, medical history and social security number of around 16 million coronavirus patients, including those of president Jair Bolsonaro and at least seven ministers and 17 state governors.
Unfortunately, this is anything but an exception. Similar leaks of Covid patient data have occurred in Wales, Iran and the United States. A particular cause for concern has been the Covid tracking apps proliferating worldwide: a study of 100 such apps found that a whopping 85 per cent of them allowed data leaks, 71 per cent had at least one major vulnerability, and a shocking 91 per cent failed one or more cryptographic tests.
These findings are particularly important in the light of the heated political discussion about the use of tracing apps since the pandemic’s onset. Experts have already classified the Covid-19 pandemic as the “largest-ever cybersecurity threat”, while the unprecedented use of digital technology has precipitated novel data governance and privacy challenges, causing concerns about accountability of data controllers, data flows and the degree of access of national authorities to the data in Europe.
The Blind Messenger
While the use of technology is seen as a “liability” in this context, new, innovative tech solutions also hold the key to the very privacy-compliance problems that technology creates. Take tech startups like Manetu, for example, whose Consumer Privacy Platform (CPM) is a “zero-knowledge platform”: Manetu itself cannot access the data, which is available only to verified customers. This approach of using a “blind messenger” to transmit data effectively eliminates the middleman in the data flow and, with it, a major potential weakness in the chain.
Using machine learning to identify, organise and encrypt personal data, Manetu is one of the first end-to-end automated enterprise privacy management platforms, and its usefulness has not gone unnoticed. In September, Manetu was boasting 250,000 user identities on its platform, a figure that reached 4.5 million in November.
As is often the case for start-ups, the real struggle for Manetu will come in getting notoriously late adopters like state actors and large companies to use its platform. But privacy regulations passed by various legislatures across the world might soon make a platform like Manetu a necessity when dealing with sensitive personal data.
In November of this year, Californians voted to pass Proposition 24, also known as the Consumer Privacy Rights Act (CPRA), an expansion of the state’s privacy laws which is meant to curb the power of Facebook and Google by reducing their ability to track user data via third parties. Despite being passed at the state ballot, Proposition 24 will effectively apply to the entire United States because of the state’s huge influence on the tech industry. The European Union, with its ever-evolving GDPR regulations, is in a similar situation.
With the new law set to come into effect in July 2021, companies in California have been scrambling to find technologies that will let them comply with the new data privacy rules. The passing of Proposition 24 shifted the way Silicon Valley deals with privacy, and the accepted wisdom now regards external, end-to-end, automated solutions as the best way to follow CPRA’s directives.
Because of the considerable gap in digital literacy between lawmakers and the tech industry they are supposed to regulate, the issue of privacy was never given proper priority in the decades since the rise of the Internet. Recent developments in Europe and California show that this is beginning to change, but the pace at which governments and large companies update their stance on privacy is still too slow.
The horrendous leak in Brazil is only the latest in a deluge of serious privacy mishaps across the globe that are laying bare the vulnerability of patient data. Businesses and government agencies the world over need to reconsider their data safety and compliance – only those who do will thrive beyond this testing period.