
Woman stalked by sandwich server via her Covid-19 contact tracing info - el_duderino
https://nakedsecurity.sophos.com/2020/05/14/woman-stalked-by-sandwich-server-via-her-covid-19-contact-tracing-info/
======
rckoepke
> [The sandwich company named] Subway required her to put her contact details
> on a contact-tracing form so as to place her food order. She didn’t think
> anything about it: we all want to stop the spread of the pandemic, after
> all. The form asked for her name, home address, email address and phone
> number, all of which she put down.

I'm putting this here because some people may erroneously assume that this
story is relevant to Bluetooth/cellphone contact tracing.

~~~
creaghpatr
Adding here also that the stalking in this article was of the personal
harassment nature, not 'stalking' to contact them about potential COVID
exposure.

It would be a nuisance to have to sign in at restaurants, especially with a
physical address.

~~~
GavinMcG
That's what "stalking" means. I sure hope no one's expanding the term to mean
"contact tracing".

~~~
ardy42
> I sure hope no one's expanding the term to mean "contact tracing".

I think this guy just did downthread:
[https://news.ycombinator.com/item?id=23179458](https://news.ycombinator.com/item?id=23179458)

~~~
dependenttypes
This is not necessarily the case. I took it to mean that Google, Apple, and
the govt all have employees, some of them rogue, just like Subway.

------
greendave
> We don’t know much about the form, but it sounds like it was paper, as
> opposed to digital, given that Subway told Newshub that starting on
> Wednesday, it will have installed a new digital contact tracing system at
> all restaurants.

That sounds great. Now instead of having to worry only about the employees at
the particular restaurant, you have to worry about whether Subway has properly
secured their system from everybody with internet access (including all of
their employees).

If the price of a Subway sandwich includes giving PII to Subway, I'll pass.

~~~
libria
I'm sure the validation process is just "form written on". You could probably
write down 867-5309 and walk out w/ your sandwich.

------
mrfusion
Washington state is requiring restaurants to record the info of customers.
Lots of potential for abuse like this.

~~~
kjakm
That's insane! Why would they do that? And why would people hand that info
over?

~~~
pjc50
Because getting told when you were eating at the same restaurant as someone
with a contagious disease could be life-or-death information?

(Mind you, I've no intention of going to restaurants until the infection rate
is much lower!)

~~~
thoraway1010
Why not just use the double blind google / apple tech for this? The govt
requiring this level of data seems unnecessary.

~~~
thomaslord
To my knowledge there's no implementation of that tech. I think it's
definitely not an ideal system to have it be all pen and paper, but there
isn't a clear "just turn it on" solution they're ignoring here either.

------
jbattle
I'd trust this system if it were double-blind. The government issues an
identifier to me (separate from SSN). I feel OK giving that number to
restaurants. If there is a reason to initiate contact tracing, the restaurant
hands its list of identifiers over to the appropriate government agency, which
cracks open its vault of identifier --> contact information.

Seems no less open to misinformation than the current system but gives vastly
more protections to personal information. Doesn't even seem that hard to set
up in the grand scheme of things.

~~~
amlop
> The government issues an identifier to me (separate from SSN). I feel OK
> giving that number to restaurants.

Wow, can anyone imagine reading this in the beginning of 2019? The
totalitarians come out in huge numbers recently.

It was once considered totalitarian to be asked at the East German border if
one had any "contraband" (books or magazines that were frowned upon).

Now at the U.S. border one can be asked if one has any "contraband".

Next we all get a government id to pass on to private businesses. How about a
"social credit" score, China style?

~~~
jbattle
I can't tell if you are trolling. I'll assume good faith.

We show ID to enter bars. We show ID to buy certain products. I provide
identifying information when I pick up tickets at will call. Some items (like
houses, cars, guns) you have to register the purchase with a government
authority.

Asking about contraband was totalitarian because they were trying to control
what information people had and made certain thoughts/books verboten.
Customs/border patrol has asked for ... ever? what you are bringing into the
country.

I'm not saying the government would get an automatic transcript of every
purchase I've made. I'm saying individual restaurants could collect a list of
unique but meaningless numbers on a piece of paper or wherever they want. If
the restaurant gets tagged as a place where COVID is believed to be spread,
then the government now has a way to contact everyone who had visited the
store.
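
The identifier scheme jbattle describes here and in the earlier comment (a "vault of identifier --> contact information"), sketched as an added example that is not part of the thread. The class names, the 21-day retention period and the sample contacts are assumptions constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta

class IdentifierVault:
    """Hypothetical issuing agency: sole holder of the identifier -> contact map."""
    def __init__(self):
        self._contacts = {}
        self.audit_log = []  # (case_ref, identifier) for every lookup

    def issue(self, contact):
        ident = secrets.token_hex(8)  # random: encodes nothing about the holder
        self._contacts[ident] = contact
        return ident

    def resolve(self, identifiers, case_ref):
        """Open the vault only for a declared tracing case, logging each lookup."""
        found = {}
        for ident in identifiers:
            if ident in self._contacts:
                found[ident] = self._contacts[ident]
                self.audit_log.append((case_ref, ident))
        return found

class VenueRegister:
    """What the restaurant holds: identifier and visit time only."""
    def __init__(self, retention_days=21):  # retention period is an assumption
        self.retention = timedelta(days=retention_days)
        self.visits = []

    def sign_in(self, ident, when):
        self.visits.append((ident, when))

    def purge(self, now):  # drop entries older than the retention period
        self.visits = [(i, t) for i, t in self.visits if now - t <= self.retention]

    def identifiers_between(self, start, end):
        """The list handed to the agency when the venue is flagged."""
        return sorted({i for i, t in self.visits if start <= t <= end})

def demo():
    vault, venue = IdentifierVault(), VenueRegister()
    alice = vault.issue({"name": "Alice Example", "phone": "555-0100"})  # constructed
    bob = vault.issue({"name": "Bob Example", "phone": "555-0101"})      # constructed
    now = datetime(2020, 5, 14, 12, 0)
    venue.sign_in(alice, now - timedelta(days=2))
    venue.sign_in(bob, now - timedelta(days=30))  # past retention, gets purged
    venue.purge(now)
    handed_over = venue.identifiers_between(now - timedelta(days=3), now)
    return vault, venue, alice, bob, handed_over
```

An employee reading the venue's register sees only opaque tokens; contact details leave the vault only through `resolve`, which records which case asked for which identifier.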

~~~
ac2u
> I'm not saying the government would get an automatic transcript of every
> purchase I've made

You make the assumption here that governments don't trend towards looking for
ways for that information to be automatically supplied in future in the name
of "efficiency".

Honestly, the history of the 20th century should be the closed book final
assessment on why it's permanently a bad idea for governments to collect files
on people.

~~~
jbattle
Given how long governments have kept records (Domesday Book, Babylon) and how
few governments have slipped into totalitarian hellscapes, I'm not as worried
about this as you are.

I'm more concerned about the Patriot Act & etc because a lot of those
surveillance programs are actively centralized.

The system I outlined would work XX% as well if it were entirely optional and
if it were managed by independent agents. You could sign up with "ID Corp", or
a credit union, or whatever. And they could keep your records.

~~~
ac2u
> and how few governments have slipped into totalitarian hellscapes

Just because it's improbable doesn't mean we shouldn't protect against tail
risks. Not taking meaningful tail risk protection is why we're in the covid-19
problem we are now.

> I'm not as worried about this as you are.

I wouldn't want to be presumptuous of your background, but have you talked
with many people from countries where they or their parents were victims of
state bullying via secret police that kept files on them?

> I'm more concerned about the Patriot Act & etc because a lot of those
> surveillance programs are actively centralized.

I don't think what we're talking about is any different in the long run.

> The system I outlined would work XX% as well if it were entirely optional and
> if it were managed by independent agents.

I'm actually not opposed to a temporary system of tracking like this in order
to stamp out coronavirus. However, it needs to have iron-clad provisions in
law to make it time limited, along with laws that mandate that independent
international observers witness data audits and subsequent destruction of said
data. Unfortunately, when governments legislate provisions, they're usually in
the form of "we promise to be very good" platitudes.

------
wickerman
But here's the thing: this kind of personal data is used daily by many
companies. There's a table in a bank/telco/etc where they have your full name,
your ID number, your address, your age. Any worker who has access to this
(thousands of people who need that kind of access to do their jobs and to
provide you with services) could've done something similar.

Recruiters are particularly stalkey sometimes with the way they keep calling
your personal number without warning. While I don't understand if Subway
really needs to share that much data with the person who makes your sub, the
reality is that there's nothing privacy laws can do to stop some creep who
works somewhere that deals with data from stalking one of their customers.

Edit: the case might be here that Subway doesn't really need to handle that
kind of PII, but that should be on principle I think. The creep using that
kind of data is a bit incidental.

~~~
thoraway1010
Temp agencies are actually the WORST. If you do hiring and they get your cell
phone number you are hosed.

------
newscracker
This kind of abuse has happened even before COVID-19 and contact tracing. The
issue here is not just the guise of contact tracing used to collect
information. Many businesses collect customer information insidiously
(sometimes with offers to win a prize or for a discount). Once they collect it
(usually phone and email), all bets are off on employees misusing the
information.

In this case, it’s beyond anyone’s imagination as to why the home address
would be collected. There was absolutely no need for that except someone who
imagined it to be a well thought out solution (solution for what I don’t
know).

------
gruez
> Newshub spoke with Privacy Commissioner John Edwards, who said that
> businesses should only be custodians of the information they’re given for
> public health purposes. Doing otherwise could leave the public with a strong
> distaste for handing over their details

Is this some sort of official government program? The response by the privacy
commissioner ("should") suggests that there won't be any legal consequences
for businesses that misuse the data.

~~~
valuearb
It’s a burden the government is imposing on businesses, ideally you want a
high legal bar before suing for misuse or you will create noncompliance. A
rogue employee should not be one.

For example, let’s assume you add a bunch of requirements to implementation,
say specific encrypted terminals. Now restaurants can’t get those for months.
What will they do, close? Ignore it altogether?

We are in a pandemic, the main focus should be collecting the contact tracing
information while still feeding people. If this were to last years we can also
solve all privacy concerns, but it’s really hard to do in two months.

~~~
c22
They already made businesses close with no recourse. Why is it crazy to
require businesses to follow specific procedures if they want to re-open? Why
shouldn't those procedures be designed to protect the public?

~~~
valuearb
It’s not crazy to have specific procedures, but think about unintended
consequences. The procedures need to be achievable in the real world, not so
burdensome they can’t or won’t be followed.

Maybe a better example, let’s say NZ institutes a $50,000 fine per each
occurrence of misuse of personal information collected per their requirements.
Now a small business owner could find out they are facing a $250,000 fine and
bankruptcy because of one horny employee violating their specific trading
instructions. What restaurant would ever take that risk?

If the government wants to force businesses to collect personal information,
it better be prepared to provide secure means of collecting and communicating
that information to them. And it should indemnify the businesses for any
liability from release of that information that’s not willful or intentional.

If the business faithfully follows the rules, punish the perpetrator, not the
business owner.

------
throwawaysea
Sorry but having to share my contact info at a business is a step too far for
me, and is a breach of individual liberty that I am not willing to participate
in. Apart from privacy concerns like in the linked article, I think it is also
the kind of normalization of authoritarian mechanisms that we just do not
need. Some may call this a slippery slope fallacy, but to them I say that
slippery slopes / boiling the frog are an effective way to go from a minor
breach of liberty to something more dangerous, all with the public's support
along the way.

------
Fezzik
It sounds like the NZ government is requiring businesses to do this, without
much guidance as to how businesses do it, so that seems like error #1. Or am I
misunderstanding? The article mentions Subway is moving to a secure computer
system to retain the information... that does not seem much better.

