Woman stalked by sandwich server via her COVID-19 contact tracing info

Mayo? Mustard? Creep who takes your sandwich order plus the personal details you handed over for contact tracing?

That’s not what I ordered, said a woman in Auckland, New Zealand, whose trip to a Subway fast-food shop led to a restaurant worker reaching out to pester her on Facebook, Instagram, Messenger and via text.

As the local news outlet Newshub tells it, the worker has been suspended after the woman – who, understandably enough, declined to give her name and was only identified as “Jess” – complained to the restaurant chain.

Jess told Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything about it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down.

She’s feeling pretty queasy about that Subway visit now, after the guy who took her order used Jess’s contact information to repeatedly, persistently hit her up:

I felt pretty gross. He made me feel really uncomfortable.

He’s contacting me. I didn’t ask him to do that. I don’t want that.

I’m lucky that I live with quite a few people because if that was me by myself at home—he knows my address, you know?—I’d feel really, really scared. Even now I feel a bit creeped out and vulnerable.

Who can blame her? There are good reasons why we should hand out our personally identifying information (PII) as sparingly as possible. When crooks, lechers and governments get our details, it sets us up to be preyed on by a rogues’ gallery of horny creeps, burglars, rapists, surveillance-happy governments, targeted-advertising outfits run amok, spear phishers, spammers, and other physical and/or virtual stalkers.

More to the point, there are good reasons why companies and governments should be paying excruciating attention to how to protect privacy as countries and states gradually retreat from lockdown and institute ways to do so safely. At this point, it’s all over the map.

That was evidenced by a survey done last month by PwC, which has developed a contact-tracing app to help employers identify workers who may have been exposed to the virus. The survey found that, as of April, governments around the world had issued more than 60 directives regarding protecting data privacy while responding to the pandemic.

You may well ask how you do contact tracing without collecting people’s PII. Countries have certainly asked, and, fortunately, they’ve found what will hopefully turn out to be an approach that leaves people’s privacy intact. Late last month, Germany embraced a coronavirus tracking tool from Apple and Google that implements a decentralized Bluetooth-based approach instead of the more invasive location-tracking proposed in other tracing technologies.

The approach – called Exposure Notification – relies on Bluetooth to keep data local on people’s phones instead of being stored in a centralized database that could be used for mass state surveillance or to track people. It’s supported by Apple and Google as well as by various European countries.

Where does a process of tracing people by having them hand over their PII in a form fit into all this?

We don’t know much about the form, but it sounds like it was paper, as opposed to digital, given that Subway told Newshub that starting on Wednesday, it will have installed a new digital contact tracing system at all restaurants.

Guests will electronically enter their details, and the information will be held securely, for the sole purpose of contact tracing. Newshub reports that the information “can only be accessed in response to government contact tracing requests.”

It should go without saying that there are plenty of ways to screw up when it comes to securing stored digital data. Just because Subway is switching to digital and away from what I assume was its previous, analog data storage doesn’t mean that employees won’t be able to use customers’ PII in place of a dating app.

Kind of like, say, when police use their access to personal data – think state driver’s license databases – to snoop on fellow officers, public safety personnel, and justice professionals. A court case was recently settled over abuse of such access when a jury awarded Minnesota police officer Amy Krekelberg $585,000, including $300,000 in punitive damages from two defendants who pawed through her personal data to ogle her photograph, address, age, height, and weight after she allegedly rejected their romantic advances.

Subway told Newshub that it’s spoken to Jess and that the employee has been suspended, pending the outcome of an investigation. The employee will reportedly be “disciplined” if the investigation finds that they misused personal data.

Newshub spoke with Privacy Commissioner John Edwards, who said that businesses should only be custodians of the information they’re given for public health purposes. Doing otherwise could leave the public with a strong distaste for handing over their details, he said:

It’s absolutely essential that businesses treat this information exclusively for pandemic management. If they let it be abused by staff members it’s going to undermine the whole system, and that can put people at risk.

What he said. Readers, what are your organizations doing to protect employee, citizen and/or customer privacy as we try to negotiate this pandemic? Please do feel free to share in the comments section below, and please do stay as safe as possible, both from viruses and from other, data-related dangers.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.