Mayo? Mustard? Creep who takes your sandwich order plus the personal details you handed over for contact tracing?
That’s not what I ordered, said a woman in Auckland, New Zealand, whose trip to a Subway fast-food shop led to a restaurant worker reaching out to pester her on Facebook, Instagram, Messenger and via text.
As the local news outlet Newshub tells it, the worker has been suspended after the woman – who, understandably enough, declined to give her name and was only identified as “Jess” – complained to the restaurant chain.
Jess told Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything about it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down.
She’s feeling pretty queasy about that Subway visit now, after the guy who took her order used Jess’s contact information to repeatedly, persistently hit her up:
I felt pretty gross. He made me feel really uncomfortable.
He’s contacting me. I didn’t ask him to do that. I don’t want that.
I’m lucky that I live with quite a few people because if that was me by myself at home—he knows my address, you know?—I’d feel really, really scared. Even now I feel a bit creeped out and vulnerable.
Who can blame her? There are good reasons why we should hand out our personally identifying information (PII) as sparingly as possible. When crooks, lechers and governments get our details, it sets us up to be preyed on by a rogues’ gallery of horny creeps, burglars, rapists, surveillance-happy governments, targeted-advertising outfits run amok, spear phishers, spammers, and other physical and/or virtual stalkers.
More to the point, there are good reasons why companies and governments should be paying excruciating attention to how to protect privacy as countries and states gradually retreat from lockdown and institute ways to do so safely. At this point, it’s all over the map.
That was evidenced by a survey done last month by PwC, which has developed a contact-tracing app to help employers identify workers who may have been exposed to the virus. The survey found that, as of April, governments around the world had issued more than 60 directives regarding protecting data privacy while responding to the pandemic.
You may well ask how you do contact tracing without collecting people’s PII. Countries have certainly asked, and, fortunately, they’ve found what will hopefully turn out to be an approach that leaves people’s privacy intact. Late last month, Germany embraced a coronavirus tracking tool from Apple and Google that implements a decentralized Bluetooth-based approach instead of the more invasive location-tracking proposed in other tracing technologies.
The approach – called Exposure Notification – relies on Bluetooth to keep data local on people’s phones instead of being stored in a centralized database that could be used for mass state surveillance or to track people. It’s supported by Apple and Google as well as by various European countries.
Where does a process of tracing people by having them hand over their PII in a form fit into all this?
We don’t know much about the form, but it sounds like it was paper, as opposed to digital, given that Subway told Newshub that starting on Wednesday, it will have installed a new digital contact tracing system at all restaurants.
Guests will electronically enter their details, and the information will be held securely, for the sole purpose of contact tracing. Newshub reports that the information “can only be accessed in response to government contact tracing requests.”
It should go without saying that there are plenty of ways to screw up when it comes to securing stored digital data. Just because Subway is switching to digital and away from what I assume was its previous, analog data storage doesn’t mean that employees won’t be able to use customers’ PII in place of a dating app.
Kind of like, say, when police use their access to personal data – think state driver’s license databases – to snoop on fellow officers, public safety personnel, and justice professionals. A court case was recently settled over abuse of such access when a jury awarded Minnesota police officer Amy Krekelberg $585,000, including $300,000 in punitive damages from two defendants who pawed through her personal data to ogle her photograph, address, age, height, and weight after she allegedly rejected their romantic advances.
Subway told Newshub that it’s spoken to Jess and that the employee has been suspended, pending the outcome of an investigation. The employee will reportedly be “disciplined” if the investigation finds that they misused personal data.
Newshub spoke with Privacy Commissioner John Edwards, who said that businesses should only be custodians of the information they’re given for public health purposes. Doing otherwise could leave the public with a strong distaste for handing over their details, he said:
It’s absolutely essential that businesses treat this information exclusively for pandemic management. If they let it be abused by staff members it’s going to undermine the whole system, and that can put people at risk.
What he said. Readers, what are your organizations doing to protect employee, citizen and/or customer privacy as we try to negotiate this pandemic? Please do feel free to share in the comments section below, and please do stay as safe as possible, both from viruses and from other, data-related dangers.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Cassandra
It’s supported by Apple, Google and other European countries.
At long last; Apple and Google are recognised as the states they are – not sure they are European? ;-)
Paul Ducklin
Reworded it for clarity, thanks!
Mindless Bureaucratic
I work with regulated data and would be in deep trouble 6 ways from Sunday if any data were improperly disclosed – There are half a dozen state and Federal regulations with punitive measures for screwing up. Suddenly states, in their bureaucratic wisdom, mandate we divulge the very same PII to eat at a restaurant we are otherwise legally blind to protect. Sounds ripe for a massive class-action lawsuits.
Lisa Vaas
If it were in the US, I’m sure the lawyers would be lining up. I’m not familiar with how litigious things get in NZ, though. Anybody want to chime in?
Greg
Kiwis generally don’t ‘lawyer up’ on things as if there is an accident we have a fund that covers injury etc called the ACC to avoid litigation. However ,this is a definite privacy breach and if this was my daughter being stalked you would want to see some penalty put in place due to the side-effects of the harassment.
Jonathan
I feel like a moron for thinking sandwhich server was a new type of server technology I had not heard about. Is this some exotic form of edge computing? Is this a new IoT stack? oh wait….
Marie
One word: NO.
I will eat at home for the rest of my life before I comply with this BS.
Tony King
One of the keys to protecting privacy is to not collect (or provide) more information than is necessary for the task at hand. In this case.why on earth would they need more than name and phone number? In the event health officials needed to trace Jess and she didn’t answer her phone, one call to the phone company would give them all the other information and there’s no opportunity for scumbags at the shop to misuse her data.
Chris O
Dissapointing reaction from Subway. Employee will be ‘disciplined’. Isn’t that usally corporate code for “we have to say we’re doing something to try and protect our image, but in reality we want this to go away with as little fuss as possible so if anyone keeps asking us about this we’ll send the employee on a 5 minute course called ‘Next time you stalk a customer please don’t get caught’.”
This isn’t a little oopsie or a genuine mistake, it’s a horribly nasty breach of trust and privacy. Should be instant dismissal and criminal charges.
Paul Ducklin
As the article points out, the worker has been suspended for investigation. That’s a fair way to start off, don’t you think?
Truthsayer
Yes. Remember the principle of unintended consequences. You don’t want problematic customers causing trouble for employees either.
Chris O
Yes, definitely. Poor wording on my part, wasn’t intending to suggest dismissal without due process. I’m probably just reading too much into their statement, but I guess I’m a bit fed up of weasely-worded corporate statements intended to sound good but leaving plenty of wiggle room for them actually to do very little.
Mike P.
So much of this does not make sense to me. Is this the *same* New Zealand that has less than 2000 confirmed cases with only 21 deaths? And some sort of half-baked (and that’s being overly generous, I think) bureaucratic “wisdom” has dictated that business must implement **their own** system for collecting and retaining customer’s PII?? When Subway was recording this information on paper, were all the customers sharing the same pen to fill the form out? I do not know when this incident actually occurred, but at its peak NZ was logging less than 100 cases per day. The premise of recording any of this information with an almost non-existent case load seems like a hyper-overreaction to me. I can tell you if this were me, I would either refuse to divulge the data or if *forced* to do so in order to be served – none of the data would be real.
Cassandra
That last sentence says it all! Petty bureaucrats need to apply a thought experiment to any petty rule similar to the actual response of many customers.
When faced with a rule (or KPI or target) that looks stupid what question do most of us at least ponder? “How can I subvert this rule/measure/whatever?”
Giving fake information seems such an obvious way to subvert this rule, that the rule would seem pointless even counter-productive – just adding hay to the haystack that is hiding the needle!