Privacy During a Pandemic

The recent pandemic has thrown a wrench in the progress made around the world in strengthening privacy rights.

While there is no question that social distancing and quarantining programs do a great deal of good in helping to “flatten the curve”, they are blunt tools that have profound, and oftentimes devastating, psychological, social, and economic impacts. The world cannot stay at home indefinitely, waiting on scientists to discover a vaccine or build out rapid testing procedures, or for society to develop “herd immunity.” Obviously, a medium-term solution needs to be developed.

One such solution is the development of contact tracing applications, which are being rolled out in countries around the world. The question we consider in this piece is how to develop applications and processes while still preserving the important gains in privacy and data protection that have been made thus far. The good news is that regulations such as the General Data Protection Regulation (GDPR), and recent guidance from regulatory bodies, may provide us with a framework for developing a sensible solution.

The State of Pre-Pandemic Privacy

While the GDPR technically applies to the data of EU residents, the practical implications of compliance have reverberated worldwide. We believe that it would be prudent for policymakers, health officials and technologists to consider the GDPR and related guidance from regulatory bodies, as a starting point when developing tools and policy for combating the spread of COVID-19.[1]

The GDPR provides allowances for the processing of personal data, including health data. The goal, of course, is to strike a reasonable balance between the rights of data subjects and legitimate uses of their data. Thus, the GDPR requires that any data processed must be “necessary” and proportional to fulfill a specific lawful purpose as defined by Article 6.

Examples of “lawful purpose” include consent, compliance with a legal obligation (Art. 6(c)), processing necessary “to protect the vital interests of the data subject or of another natural person” (Art. 6(d)), processing to carry out tasks “in the public interest” (Art. 6(e)), or where the processor has a “legitimate interest” (Art. 6(f)).[2] Crucially, the GDPR gives wide latitude to Member States and regulatory bodies to introduce specific provisions or guidance when it comes to compliance around Art. 6(c) and (e), and specifically calls out the processing of personal data in the context of “monitoring epidemics and their spread.”[3]

In stark contrast with many other countries, data protection authorities and policymakers in Europe, including the European Data Protection Board (EDPB), European Commission, and European Parliament, have been responsive to these concerns, and have issued guidance and recommendations, with an eye towards development of a pan-European approach to balancing public health needs against the rights of data subjects.[4] The European Data Protection Supervisor also submitted comments outlining a number of safeguards for protecting telecommunications data such as cell phone records.[5]

For example, on April 14, the EDPB issued guidance on data protection considerations for development of technical approaches to combatting COVID-19, including contact tracing and post-diagnosis “exposure notification” systems. Crucially, the EDPB noted that in the case of technical approaches, a “one-size-fits-all” solution is not practicable, and that solutions should be considered on a “case-by-case” basis, preferably in consultation with data protection authorities. Furthermore, development should be done accountably, keeping data minimization principles in mind. For software, the EDPB encouraged source code to be released “for the widest possible scrutiny by the scientific community” and said that a Data Protection Impact Assessment (DPIA) should be conducted.[6]

The EDPB also stressed the importance of “voluntary adoption” of contact tracing technology, as opposed to compulsory governmental mandates. Interestingly, the guidance stopped short of extending this recommendation to the private sector.[7]

Finally, EDPB guidance notes that information about specific individuals with COVID-19 should not be disclosed, and that the data collected should be destroyed once it no longer fulfills its stated purpose (e.g., after an infected person tests positive for COVID-19 antibodies, or the virus is contained).

Contact Tracing As a Tool

Contact tracing has a long history of success, both in past epidemics, including Ebola, HIV and Tuberculosis, as well as current efforts against COVID-19. But traditional forms of contact tracing, which normally employ skilled healthcare workers and trained investigators, are time-consuming, manual affairs. Due to the sheer volume of COVID-19 cases (over 4 million cases reported worldwide as of this writing), relying on skilled personnel alone is no longer tenable.

As a workaround, countries around the world have begun hiring thousands to conduct manual contact tracing. While many jurisdictions state that these individuals have been trained on how to perform contact tracing, it’s unclear whether there are consistent standards in place, what the training entails, if personnel are adequately vetted, or if privacy and data protection principles are being applied.[8]

For example:

  • Contact tracing in South Korea incorporates patient interviews as well as the use of medical records, cell phone GPS records, credit card transaction records, and closed-circuit television.[9] When someone tests positive for COVID-19, information is sent out to potential contacts, which may include an individual’s last name, sex, age, residence information and purchase history, as well as where they traveled to. According to a report in The Atlantic, “Even overnight stays at ‘love motels’ have been noted.”[10]
  • Singapore also used a combination of technology and manual tracing to effectively control outbreaks. Teams of people conduct interviews, obtaining information on patient whereabouts, contacts, and interactions for the last 14 days. They also corroborate this evidence against the ubiquitous CCTV networks that exist in the country. Those who had come in contact with a patient are also checked for the virus. The nation has also made use of TraceTogether, a mobile app that uses Bluetooth signals to determine when users are near each other.[11]
  • At least 41 states, Puerto Rico and the District of Columbia are recruiting nearly 40,000 contact tracers in the United States, or around 1 tracer for every 8,200 people. Some experts doubt this will be enough, and suggest the government should aim to hire between 100,000-300,000 contact tracers.[12]

Privacy considerations abound. Manual contact tracers are given access to a wide array of sensitive personal data about COVID-19 patients and their potential contacts. By necessity, contact tracing must include the collection of this sensitive personal information, as well as details on other underlying conditions of a particular individual. However, too much detailed information on individuals can lead to unwanted consequences like social ostracization, harassment, or targeting of vulnerable groups. This has already occurred in a number of situations. For example, an American army reservist was rumored to be Patient Zero for COVID-19 in the US. Her personal information, including her home address and email, was leaked and spread online by conspiracy theorists, leading to a wave of harassment and threats.[13] In the UK, a doctor was evicted from her home due to her landlord’s fears of contracting the virus.[14] And in India, officials in New Delhi are selectively targeting Muslim groups for violating bans on social gatherings, while ignoring similar gatherings by non-Muslims.[15]

Still, even in a perfect world, manual tracing alone is unlikely to be enough. Some countries have begun to enlist the help of technology. From Australia to Taiwan, a growing number of systems are being developed by governments, health authorities and the private sector. For example:

  • Taiwan has taken a novel approach, with the public and government working together to develop digital tools for tracking the virus, achieving user buy-in via collaborative means.[16]
  • Russia has developed a Social Monitoring app for citizens who have tested positive for Covid-19, that obtains user call logs, location information, camera, storage, network and other information to ensure that users are quarantining.[17]
  • The Israeli government is working with the controversial NSO Group to develop software that would track infected persons by gaining access to citizens’ mobile data, without necessarily obtaining their consent.[18]
  • On April 10, 2020, Apple and Google released a technical specification for using Bluetooth Low Energy (BLE) technology for after-infection “exposure notification.” They also released a limited-use API to developers working with public health authorities for building contact tracing apps.
  • Similarly, an MIT-led effort known as Private Automated Contact Tracing (PACT) uses a similar approach to the Apple & Google BLE specification, but also allows patients to upload their digital IDs to phone broadcasts, allowing others to check a database to see if there are mutual matches.
  • A consortium of scientists and academic researchers in Europe has also developed an open protocol for proximity-tracing of COVID-19. The Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol ensures that personal data stays entirely on a user’s device, and that only specific, anonymized data of affected, consenting users is uploaded to allow for contact tracing. Officials from Switzerland, Austria and Estonia announced they plan to implement the DP-3T protocol.[19]

The Apple/Google, MIT, and DP-3T efforts are notable in that each includes a number of ‘privacy preserving’ considerations, including rotating identification keys that expire after a fixed period of time, decentralized storage of personal information, and user consent. However, it is unclear based on this reading if any of these specifications can be useful for performing true contact tracing, or if they instead function as “exposure notification” tools for future contact with infected persons.
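The rotating-key, on-device matching design described above can be sketched in a few dozen lines. This is an added illustration, not code from the Apple/Google, PACT or DP-3T specifications: the HMAC-SHA-256 derivation, the 15-minute rotation, the 14-day retention window and every name in it are assumptions chosen to show the idea.

```python
import hashlib
import hmac
import secrets

EPOCHS_PER_DAY = 96   # assumption: the broadcast ID rotates every 15 minutes
RETENTION_DAYS = 14   # assumption: local data older than this is deleted


def ephemeral_id(day_key: bytes, epoch: int) -> bytes:
    """Derive the short-lived broadcast ID for one epoch of one day.

    Without day_key, two IDs from the same phone cannot be linked.
    """
    msg = b"eph-id" + epoch.to_bytes(2, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    """Hypothetical device model: all state lives here, not on a server."""

    def __init__(self) -> None:
        self.day = 0
        self.day_keys = {0: secrets.token_bytes(16)}  # day -> random key
        self.heard = {}                               # day -> set of IDs seen

    def broadcast(self, epoch: int) -> bytes:
        return ephemeral_id(self.day_keys[self.day], epoch)

    def observe(self, eph_id: bytes) -> None:
        # Only the opaque ID and the day are stored: no location, no identity.
        self.heard.setdefault(self.day, set()).add(eph_id)

    def next_day(self) -> None:
        self.day += 1
        self.day_keys[self.day] = secrets.token_bytes(16)
        # Expiry: drop keys and observations outside the retention window.
        cutoff = self.day - RETENTION_DAYS
        for store in (self.day_keys, self.heard):
            for old in [d for d in store if d < cutoff]:
                del store[old]

    def upload_with_consent(self, first_day: int) -> list:
        """What a diagnosed user agrees to publish: (day, key) pairs only."""
        return [(d, k) for d, k in sorted(self.day_keys.items())
                if d >= first_day]

    def exposure_days(self, published: list) -> list:
        """Match published keys against local observations, on the device."""
        hits = []
        for day, key in published:
            candidates = {ephemeral_id(key, e) for e in range(EPOCHS_PER_DAY)}
            if candidates & self.heard.get(day, set()):
                hits.append(day)
        return hits


def meet(a: Phone, b: Phone, epoch: int) -> None:
    """Two phones in radio range record each other's current broadcast ID."""
    b.observe(a.broadcast(epoch))
    a.observe(b.broadcast(epoch))


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob on day 2, Bob meets Carol on day 3."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for day in range(4):
        if day == 2:
            meet(alice, bob, epoch=40)
        if day == 3:
            meet(bob, carol, epoch=10)
        for phone in (alice, bob, carol):
            phone.next_day()
    # Day 4: Alice is diagnosed and consents to publish keys from day 1 on.
    published = alice.upload_with_consent(first_day=1)
    result = {
        "published_days": [d for d, _ in published],
        "bob": bob.exposure_days(published),
        "carol": carol.exposure_days(published),
    }
    # Twenty days later Bob's old observations have expired from his phone.
    for _ in range(20):
        bob.next_day()
    result["bob_after_retention"] = bob.exposure_days(published)
    return result


if __name__ == "__main__":
    print(simulate())
```

The only data that leaves a phone is the list of (day, key) pairs a diagnosed user chooses to publish. Every match is computed locally, which is also why this design notifies people of past exposure rather than giving health authorities a contact graph.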

The question is, can we build technological solutions and policies that preserve a healthy balance of personal data while still providing an effective strategy to fight the virus? At the most extreme level, we have countries such as South Korea and Russia. While South Korea’s policies are bordering on a police state, it’s clear they work — with overall cases falling from a high of 7,362 on March 11, to just 1,654 as of April 28, a 77% decrease.[20]

By comparison, the privacy-preserving standards developed by Apple & Google appear to strike a better balance, but they have yet to be formally tested, as tools currently in development have yet to be released publicly. Moreover, the technology itself seems to be used for post-hoc exposure notification, rather than allowing for contact tracing of individuals prior to testing.

Both BLE and GPS also have a number of technical challenges and security vulnerabilities that can potentially limit their effectiveness for critical use-cases such as contact tracing and eventually social distancing and quarantine enforcement.[21] This may lead to a number of unintended consequences. If a COVID-19 patient fails to self-quarantine, and goes to a grocery store, for example, will there be a sudden flurry of mobile alerts, creating a new panic?

There will also be challenges around privacy and surveillance when it comes to enforcing stay-at-home orders for those identified through contact tracing. But we believe that technology can also play a part here. Some tools, like Taiwan’s ‘electronic fence’ already do this, by using cellphone triangulation to identify if a quarantined subject has left their home, or turned off their phone.

Many Americans have already begun challenging statewide stay-at-home orders, which are in some respects easier to enforce, as police can target anyone who appears to be violating the order. But how do you identify and enforce quarantining when normal day-to-day functions return for some, but not all of us?

Recommendations For Dealing With the New Privacy Normal

The GDPR and related guidance offer the world a good starting point. But we all should at a minimum consider the following when it comes to further development of contact tracing standards:

  1. Decentralized Approach. When it comes to technological solutions, countries should favor decentralized approaches, in line with EDPB recommendations.[22] Personal data should be stored locally on people’s phones, and any information stored centrally should be limited and anonymized as much as possible. Additionally, once the pandemic subsides, any data kept on individuals should be deleted, or fully anonymized (assuming there is a legitimate public-health basis for keeping such information).
  2. Privacy By Design. Development of applications and standards should consider ‘privacy-preserving’ features whenever possible, similar to the proposals outlined by the DP-3T, PACT, and the Apple/Google partnership. Such standards could include randomly-generated keys or tokens that expire, limited (or no) device location collection, and user-controllable limitations on what data can be collected.
  3. Consent. Any digital contact tracing system should be voluntary. Earned trust is more effective than compulsion, especially given the legitimate concerns that many have about government and private-sector surveillance. For these systems to be effective, a large percentage of the population must opt in.
  4. Purpose Limitations. Legally-binding guidelines about what information will be collected and how it will be used must be established. Similarly, decisions made as a result of contact tracing, or self-quarantining applications, should not include decision making based on solely automated means. Local and federal law enforcement agencies should be barred from accessing this information to pursue criminal matters not related to the epidemic, and employers should be limited in how much they can rely on any application in terms of making decisions on personnel matters.
  5. Transparency. Any applications or standards should be transparent. Making standards and software development open-source is essential. Not only will this make it easier to build robust, compliant tools, but it will also foster collaboration amongst localities, and increase user trust.
  6. Collaboration & Education. Developers should work with patients, policy makers, and public health and data protection authorities in developing the software, training, policy and procedures for performing contact tracing in a sensible, privacy-aware manner. Ideally, there would be regional collaboration and national standards for tracing efforts — perhaps coordinated through an existing group like the WHO or CDC.
  7. Oversight & Termination. Independent advisory boards (both at national and supra-national level) focused on privacy and civil rights should be established. These panels should be empowered to hold hearings and collect information, from documents and witnesses, to provide this oversight and review, and set turn-down dates for any data that does not have ‘epidemiological relevance.’[23]

We believe that the sensible recommendations outlined above will allow for effective, reasonable and privacy-aware solutions to be developed that balance individual privacy considerations with the common goal of combating the COVID-19 epidemic.

[1] Primarily Articles 6 and 9, and Recitals 41 and 46.

[2] GDPR, Art. 6.

[3] See also: GDPR, Recital 46. “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”

[4] Dr. Gabriela Zanfir-Fortuna, of the Future of Privacy Forum, has a comprehensive summary of these EU-led efforts at: https://fpf.org/2020/04/30/european-unions-data-based-policy-against-the-pandemic-explained/.

[5] See: “Subject: Monitoring spread of COVID-19,” European Data Protection Supervisor, 25 March, 2020 at: https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf.

[6] “EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic.” 14 Apr. 2020, at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbletterecadvisecodiv-appguidance_final.pdf.

[7] Id.

[8] “Contact Tracing Could be Key to Easing Social Distancing Rules,” NPR, 13 April 2020 at: https://www.npr.org/2020/04/13/833045473/contact-tracing-could-be-key-to-easing-social-distancing-rules?t=1588164153094

[9] “Test, trace, contain: how South Korea flattened its coronavirus curve”, The Guardian, 23 April 2020 at: https://www.theguardian.com/world/2020/apr/23/test-trace-contain-how-south-korea-flattened-its-coronavirus-curve.

[10] “Contact Tracing Could Free America From Quarantine”, The Atlantic, 7 April 2020 at: https://www.theatlantic.com/ideas/archive/2020/04/contact-tracing-could-free-america-from-its-quarantine-nightmare/609577/.

[11] “‘There’s an App for That’: Use of COVID-19 Apps in Singapore and South Korea,” Asia-Pacific Foundation of Canada, 27 April 2020 at: https://www.asiapacific.ca/publication/theres-app-use-covid-19-apps-singapore-and-south-korea.

[12] “States Nearly Doubled Plans For Contact Tracers Since NPR Surveyed Them 10 Days Ago”, NPR, 28 April 2020 at: https://www.npr.org/sections/health-shots/2020/04/28/846736937/we-asked-all-50-states-about-their-contact-tracing-capacity-heres-what-we-learne.

[13] “Exclusive: She’s been falsely accused of starting the pandemic. Her life has been turned upside down,” Business Insider, 27 April 2020 at: https://edition.cnn.com/2020/04/27/tech/coronavirus-conspiracy-theory/index.html.

[14] “Coronavirus: NHS doctor ‘evicted from home due to landlady’s fears over COVID-19’”, Sky News, 26 March 2020 at: https://news.sky.com/story/coronavirus-nhs-doctor-evicted-from-home-due-to-landladys-fears-over-covid-19-11963799.

[15] “India’s Muslims feel targeted by rumors they’re spreading Covid-19,” CNN, 24 April 2020 at: https://edition.cnn.com/2020/04/23/asia/india-coronavirus-muslim-targeted-intl-hnk/index.html.

[16] “If We Must Build a Surveillance State, Let’s Do It Properly”, Bloomberg, 22 April 2020 at: https://www.bloomberg.com/opinion/articles/2020-04-22/taiwan-offers-the-best-model-for-coronavirus-data-tracking?sref=60g7QQE7.

[17] “‘Cybergulag’: Russia looks to surveillance technology to enforce lockdown,” The Guardian, 2 April 2020 at: https://www.theguardian.com/world/2020/apr/02/cybergulag-russia-looks-to-surveillance-technology-to-enforce-lockdown.

[18] “Coronavirus: Israeli spyware firm pitches to be Covid-19 saviour”, BBC News, 2 April 2020 at: https://www.bbc.com/news/health-52134452. “Israel is tracking phone location data to fight COVID-19, reports say”, CNET, March 17, 2020 at: https://www.cnet.com/news/israel-is-tracking-phone-location-data-to-fight-covid-19-reports-say/.

[19] See: https://www.swissinfo.ch/eng/digital-solution_contact-tracing-app-could-be-launched-in-switzerland-within-weeks/45706296 (Switzerland); https://www.ots.at/presseaussendung/OTS_20200422_OTS0052/stopp-corona-app-weiterentwicklung-mit-hilfe-der-zivilgesellschaft (Austria); https://e-estonia.com/trace-covid-19-while-respecting-privacy/ (Estonia).

[20] “South Korea – Worldometer.” https://www.worldometers.info/coronavirus/country/south-korea/.

[21] See: “Limitations of BLE in smart home,” DevelopX, 4 December 2017 at: https://developex.com/blog/limitations-of-ble-in-smart-home/; “GPS Accuracy,” GPS.gov, at: https://www.gps.gov/systems/gps/performance/accuracy/.

[22] “EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic,” 14 April 2020 at: https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-letter-concerning-european-commissions-draft-guidance-apps_en. To date, Ireland, Germany, Austria and Switzerland have all spoken in favor of applying a decentralized approach.

[23] See: “eHealth Network: Mobile applications to support contact tracing in the EU’s fight against COVID-19. Common EU Toolbox for Member States” ver. 1.0, 15 April 2020 at: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf.

The recent pandemic has thrown a wrench in the progress made around the world in strengthening privacy rights.

 

While there is no question that social distancing and quarantining programs do a great deal of good in helping to “flatten the curve”, they are blunt tools that have profound, and oftentimes, devastating psychological, social, and economic impacts. The world cannot stay at home indefinitely, waiting on scientists to discover a vaccine or build out rapid testing procedures, or for society to develop “herd immunity.” Obviously, a medium-term solution needs to be developed.

 

One such solution is the development of contact tracing applications, which are being rolled out in countries around the world. The question we consider in this piece is how to develop  applications and processes, while still preserving the important gains in privacy and data protection that have been made thus far. The good news is that regulations such as the General Data Protection Regulation (GDPR) and recent guidance from regulatory bodies, may provide us with a framework for developing a sensible solution.

The State of Pre-Pandemic Privacy

While the GDPR technically applies to the data of EU residents, the practical implications of compliance have reverberated worldwide. We believe that it would be prudent for policymakers, health officials and technologists to consider the GDPR and related guidance from regulatory bodies, as a starting point when developing tools and policy for combating the spread of COVID-19.[1]

 

The GDPR provides allowances for the processing of personal data, including health data. The goal, of course, is to strike a reasonable balance between the rights of data subjects and legitimate uses of their data. Thus, the GDPR requires that any data processed must be “necessary” and proportional to fulfill a specific lawful purpose as defined by Article 6.

 

Examples of “lawful purpose” include consent, compliance with a legal obligation (Art. 6(c)), processing necessary “to protect the vital interests of the data subject or of another natural person,” (Art. 6(d)), processing to carry out tasks “in the public interest” (Art. 6(e)), or where the processor has a “legitimate interest.” (Art. 6(f)).”[2] Crucially, the GDPR gives wide latitude to Member States and regulatory bodies to introduce specific provisions or guidance when it comes to compliance around Art. 6(c) and (e), and specifically calls out the processing of personal data in the context of “monitoring epidemics and their spread.”[3]

 

In stark contrast with many other countries, data protection authorities and policymakers in Europe, including the European Data Protection Board (EDPB), European Commission, and European Parliament, have been responsive to these concerns, and have issued guidance and recommendations, with an eye towards development of a pan-European approach to balancing public health needs against the rights of data subjects.[4] The European Data Protection Supervisor also submitted comments outlining a number of safeguards for protecting  telecommunications data such as cell phone records.[5]

 

For example, on April 14, the EDPB issued guidance on data protection considerations for development of technical approaches to combatting COVID-19, including contact tracing and post-diagnosis “exposure notification” systems. Crucially, the EDPB noted that in the case of technical approaches, a “one-size-fits-all” solution is not practicable, and that solutions should be considered on a “case-by-case” basis, preferably in consultation with data protection authorities. Furthermore, development should be done accountably, keeping data minimization principles in mind. For software, the EDPB encouraged source code to be released “for the widest possible scrutiny by the scientific community” and that a Data Protection Impact Assessment (DPIA) should be conducted.[6]

 

The EDPB also stressed the importance of “voluntary adoption” of contact tracing technology, as opposed to compulsory governmental mandates. Interestingly, the guidance stopped short of extending this recommendation to the private sector. [7]

 

Finally, EDPB guidance notes that information about specific individuals with COVID-19 should not be disclosed, and that the data collected should be destroyed once it no longer fulfills its stated purpose (e.g., after an infected person tests positive for COVID-19 antibodies, or the virus is contained).

 

Contact Tracing As a Tool

 

Contact tracing has a long history of success, both in past epidemics, including Ebola, HIV and Tuberculosis, as well as current efforts against COVID-19. But traditional forms of contact tracing, which normally employ skilled healthcare workers and trained investigators, are time-consuming, manual affairs. Due to the sheer volume of COVID-19 cases (over 4 million cases reported worldwide as of this writing), relying on skilled personnel alone is no longer tenable.

 

As a workaround, countries around the world have begun hiring thousands to conduct manual contact tracing. While many jurisdictions promote that these individuals have been trained on how to perform contact tracing, it’s unclear whether there are consistent standards in place, what the training entails, if personnel are adequately vetted, or if privacy and data protection principles are being applied.[8]

 

For example:

  • Contact tracing in South Korea incorporates patient interviews as well as the use of medical records, cell phone GPS records, credit card transaction records, and closed-circuit television.[9] When someone tests positive for COVID-19, information is sent out to potential contacts, which may include an individual’s last name, sex, age, residence information and purchase history, as well as where they traveled to. According to a report in The Atlantic, “Even overnight stays at ‘love motels’ have been noted.”[10]
  • Singapore also used a combination of technology and manual tracing to effectively control outbreaks. Teams of people conduct interviews, obtaining information on patient whereabouts, contacts, and interactions for the last 14 days. They also corroborate this evidence against the ubiquitous CCTV networks that exist in the country. Those who had come in contact with a patient are also checked for the virus. The nation has also made use of TraceTogether, a mobile app that uses Bluetooth signals to determine when users are near each other.[11]
  • At least 41 states, Puerto Rico and the District of Columbia are recruiting nearly 40,000 contact tracers in the United States, or around 1 tracer for every 8,200 people. Some experts doubt this will be enough, and suggest the government should aim to hire between 100,000-300,000 contact tracers.[12]

 

Privacy considerations abound. Manual contact tracers are given access to a wide array of sensitive personal data about COVID-19 patients and their potential contacts. By necessity, contact tracing must include the collection of this sensitive personal information, as well as details on other underlying conditions of a particular individual. However, too much detailed information on individuals can lead to unwanted consequences like social ostracization, harassment, or targeting of vulnerable groups. This has already occurred in a number of situations. For example, an American army reservist was rumored to Patient Zero for COVID-19 in the US. Her personal information, including her home address and email was leaked and spread online by conspiracy theorists, leading to a wave of harassment and threats.[13] In the UK, a doctor was evicted from her home due to her landlord‘s fears of contracting the virus.[14] And in India, officials in New Delhi are selectively targeting Muslim groups for violating  bans on social gatherings, while ignoring similar gatherings by non-Muslims. [15]

 

Still, even in a perfect world, manual tracing alone is unlikely to be enough. Some countries have begun to enlist the help of technology. From Australia to Taiwan, a growing number of systems are being developed by governments, health authorities and the private sector. For example:

 

 

  • Taiwan has taken a novel approach, with the public and government working together to develop digital tools for tracking the virus, achieving user-buy in via collaborative means.[16]
  • Russia has developed a Social Monitoring app for citizens who have tested positive for Covid-19, that obtains user call logs, location information, camera, storage, network and other information to ensure that users are quarantining.[17]
  • The Israeli government is working with the controversial NSO Group to develop software that would track infected persons by gaining access to citizens mobile data, without necessarily obtaining their consent.[18]
  • On April 10, 2020, Apple and Google released a technical specification for using Bluetooth Low Energy (BLE) technology for after-infection “exposure notification.” They also released a limited-use API to developers working with public health authorities for building contact tracing apps.
  • Similarly, a MIT-led effort known as Private Automated Contact Tracing (PACT), uses a similar approach to the Apple & Google BLE specification, but also allows patients to upload their digital IDs to phone broadcasts, allowing others to check a database to see if there are mutual matches.
  • A consortium of scientists and academic researchers in Europe have also developed an open protocol for proximity-tracing of COVID-19. The Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol ensures that personal data stays entirely on a user’s device, and that only specific, deanonymized data of affected, consenting users, is uploaded to allow for contact tracing. Officials from Switzerland, Austria and Estonia announced they plan to implement the DP-3T protocol.[19]

 

The Apple/Google, MIT, and DP-13 efforts are notable in that each include a number of ‘privacy preserving’ considerations, including rotating identification keys that expire after a fixed period of time, decentralized storage of personal information, and user consent. However, it is unclear based on this reading if any of these specifications can be useful for performing true contact tracing, or if they instead function as “exposure notification” tools for future contact with infected persons.

 

The question is, can we build technological solutions and policies that preserve a healthy balance of personal data while still providing an effective strategy to fight the virus? At the most extreme level, we have countries such as South Korea and Russia. While South Korea’s policies are bordering on a police state, it’s clear they work — with overall cases falling from a high of 7,362 on March 11, to just 1,654 as of April 28, a 77% decrease.[20]

 

By comparison, the privacy-preserving standards developed by Apple & Google appear to strike a better balance, but they have yet to be formally tested, as tools currently in development have yet to be released publicly. Moreover, the technology itself seems to be used for post-hoc exposure notification, rather than allowing for contact tracing of individuals prior to testing.

Both BLE and GPS also have a number of technical challenges and security vulnerabilities that can potentially limit their effectiveness for critical use-cases such as contact tracing and eventually social distancing and quarantine enforcement.[21] This may lead to a number of unintended consequences. If a COVID-19 patient fails to self-quarantine, and goes to a grocery store, for example, will there be a sudden flurry of mobile alerts, creating a new panic?

 

There will also be challenges around privacy and surveillance when it comes to enforcing stay-at-home orders for those identified through contact tracing. But we believe that technology can also play a part here. Some tools, like Taiwan’s ‘electronic fence’ already do this, by using cellphone triangulation to identify if a quarantined subject has left their home, or turned off their phone.

 

Many Americans have already begun challenging statewide stay-at-home orders, which are in some respects easier to enforce, as police can target anyone who appears to be violating the order. But how do you identify and enforce quarantining when normal day-to-day functions return for some, but not all of us?

Recommendations For Dealing With the New Privacy Normal

The GDPR and related guidance offer the world a good starting point. But we should all, at a minimum, consider the following when it comes to further development of contact tracing standards:

 

  1. Decentralized Approach. When it comes to technological solutions, countries should favor decentralized approaches, in line with EDPB recommendations.[22] Personal data should be stored locally on people’s phones, and any information stored centrally should be limited and anonymized as much as possible. Additionally, once the pandemic subsides, any data kept on individuals should be deleted, or fully anonymized (assuming there is a legitimate public-health basis for keeping such information).
  2. Privacy By Design. Development of applications and standards should consider ‘privacy-preserving’ features whenever possible, similar to the proposals outlined by the DP-3T, PACT, and the Apple/Google partnership. Such standards could include randomly-generated keys or tokens that expire, limited (or no) device location collection, and user-controllable limitations on what data can be collected.
  3. Consent. Any digital contact tracing system should be voluntary. Earned trust is more effective than compulsion, especially given the legitimate concerns that many have about government and private-sector surveillance. For these systems to be effective, a large percentage of the population must opt-in.
  4. Purpose Limitations. Legally-binding guidelines about what information will be collected and how it will be used must be established. Similarly, decisions made as a result of contact tracing, or self-quarantining applications, should not include decision making based on solely automated means. Local and federal law enforcement agencies should be barred from accessing this information to pursue criminal matters not related to the epidemic, and employers should be limited in how much they can rely on any application in terms of making decisions on personnel matters.
  5. Transparency. Any applications or standards should be transparent. Making standards and software development open-source is essential. Not only will this make it easier to build robust, compliant tools, but it will also foster collaboration amongst localities, and increase user trust.
  6. Collaboration & Education. Developers should work with patients, policy makers, and public health and data protection authorities in developing the software, training, policy and procedures for performing contact tracing in a sensible, privacy-aware manner. Ideally, there would be regional collaboration and national standards for tracing efforts — perhaps coordinated through an existing group like the WHO or CDC.
  7. Oversight & Termination. Independent advisory boards (both at national and supra-national level) focused on privacy and civil rights should be established. These panels should be empowered to hold hearings and collect information, from documents and witnesses, to provide this oversight and review, and set turn-down dates for any data that does not have ‘epidemiological relevance.’[23]
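
The rotating, expiring keys and on-device matching named in recommendations 1 and 2 (and in the earlier summary of the Apple/Google, PACT and DP-3T efforts) can be sketched as follows. This is an added illustration, not code from any of those projects and not their actual key schedules; the HMAC derivation, the 15-minute interval, the 14-day retention and every class and function name are assumptions.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96   # assumption: a fresh identifier every 15 minutes
RETENTION_DAYS = 14      # assumption: keys and observations expire after 14 days


def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier a phone broadcasts during one interval.

    Without daily_key, identifiers from different intervals cannot be
    linked to each other or to a person.
    """
    msg = b"ephid" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    """Hypothetical device: all contact data lives here, not on a server."""

    def __init__(self):
        self.daily_keys = {}   # day number -> random secret key
        self.observed = {}     # day number -> identifiers heard nearby

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(32))
        return ephemeral_id(key, interval)

    def observe(self, day: int, eph_id: bytes) -> None:
        self.observed.setdefault(day, set()).add(eph_id)

    def prune(self, today: int) -> None:
        """Expire keys and observations older than the retention window."""
        cutoff = today - RETENTION_DAYS
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff}
        self.observed = {d: s for d, s in self.observed.items() if d > cutoff}

    def upload_keys(self, consent: bool):
        """Release daily keys only when the diagnosed user opts in."""
        if not consent:
            raise PermissionError("user did not consent to upload")
        return sorted(self.daily_keys.items())

    def count_matches(self, published) -> int:
        """Re-derive identifiers from published keys and match locally."""
        matches = 0
        for day, key in published:
            heard = self.observed.get(day, set())
            for interval in range(INTERVALS_PER_DAY):
                if ephemeral_id(key, interval) in heard:
                    matches += 1
        return matches


def simulate():
    """Constructed scenario: Alice meets Bob; Carol meets only Bob."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (10, 11, 12):            # 45 minutes together on day 1
        bob.observe(1, alice.broadcast(1, interval))
        alice.observe(1, bob.broadcast(1, interval))
    carol.observe(1, bob.broadcast(1, 40))   # Carol never meets Alice

    # Alice tests positive and consents; the server stores only her keys,
    # never who met whom.
    published = alice.upload_keys(consent=True)
    return {"bob": bob.count_matches(published),
            "carol": carol.count_matches(published)}


if __name__ == "__main__":
    print(simulate())
```

The server in this sketch learns only the daily keys of a consenting, diagnosed user; each phone decides for itself whether it was exposed.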

We believe that the sensible recommendations outlined above will allow for effective, reasonable and privacy-aware solutions to be developed that balance individual privacy considerations with the common goal of combating the COVID-19 epidemic.

[1] Primarily Articles 6 and 9, and Recitals 41 and 46.

[2] GDPR, Art. 6.

[3] See also: GDPR, Recital 46. “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”

[4] Dr. Gabriela Zanfir-Fortuna, of the Future of Privacy Forum, has a comprehensive summary of these EU-led efforts at: https://fpf.org/2020/04/30/european-unions-data-based-policy-against-the-pandemic-explained/.

[5] See: “Subject: Monitoring spread of COVID-19,” European Data Protection Supervisor, 25 March 2020 at: https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf.

[6] “EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic.” 14 Apr. 2020, at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbletterecadvisecodiv-appguidance_final.pdf.

[7] Id.

[8] “Contact Tracing Could be Key to Easing Social Distancing Rules,” NPR, 13 April 2020 at: https://www.npr.org/2020/04/13/833045473/contact-tracing-could-be-key-to-easing-social-distancing-rules?t=1588164153094

[9] “Test, trace, contain: how South Korea flattened its coronavirus curve”, The Guardian, 23 April 2020 at: https://www.theguardian.com/world/2020/apr/23/test-trace-contain-how-south-korea-flattened-its-coronavirus-curve.

[10] “Contact Tracing Could Free America From Quarantine”, The Atlantic, 7 April 2020 at: https://www.theatlantic.com/ideas/archive/2020/04/contact-tracing-could-free-america-from-its-quarantine-nightmare/609577/.

[11] “‘There’s an App for That’: Use of COVID-19 Apps in Singapore and South Korea,” Asia-Pacific Foundation of Canada, 27 April 2020 at: https://www.asiapacific.ca/publication/theres-app-use-covid-19-apps-singapore-and-south-korea.

[12] “States Nearly Doubled Plans For Contact Tracers Since NPR Surveyed Them 10 Days Ago”, NPR, 28 April 2020 at: https://www.npr.org/sections/health-shots/2020/04/28/846736937/we-asked-all-50-states-about-their-contact-tracing-capacity-heres-what-we-learne.

[13] “Exclusive: She’s been falsely accused of starting the pandemic. Her life has been turned upside down,” Business Insider, 27 April 2020 at: https://edition.cnn.com/2020/04/27/tech/coronavirus-conspiracy-theory/index.html.

[14] “Coronavirus: NHS doctor ‘evicted from home due to landlady’s fears over COVID-19’”, Sky News, 26 March 2020 at: https://news.sky.com/story/coronavirus-nhs-doctor-evicted-from-home-due-to-landladys-fears-over-covid-19-11963799.

[15] “India’s Muslims feel targeted by rumors they’re spreading Covid-19,” CNN, 24 April 2020 at: https://edition.cnn.com/2020/04/23/asia/india-coronavirus-muslim-targeted-intl-hnk/index.html.

[16] “If We Must Build a Surveillance State, Let’s Do It Properly”, Bloomberg, 22 April 2020 at: https://www.bloomberg.com/opinion/articles/2020-04-22/taiwan-offers-the-best-model-for-coronavirus-data-tracking?sref=60g7QQE7.

[17] “‘Cybergulag’: Russia looks to surveillance technology to enforce lockdown,” The Guardian, 2 April 2020 at: https://www.theguardian.com/world/2020/apr/02/cybergulag-russia-looks-to-surveillance-technology-to-enforce-lockdown.

[18] “Coronavirus: Israeli spyware firm pitches to be Covid-19 saviour”, BBC News, 2 April 2020 at: https://www.bbc.com/news/health-52134452. “Israel is tracking phone location data to fight COVID-19, reports say”, CNET, March 17, 2020 at: https://www.cnet.com/news/israel-is-tracking-phone-location-data-to-fight-covid-19-reports-say/.

[19] See: https://www.swissinfo.ch/eng/digital-solution_contact-tracing-app-could-be-launched-in-switzerland-within-weeks/45706296 (Switzerland); https://www.ots.at/presseaussendung/OTS_20200422_OTS0052/stopp-corona-app-weiterentwicklung-mit-hilfe-der-zivilgesellschaft (Austria); https://e-estonia.com/trace-covid-19-while-respecting-privacy/ (Estonia).

[20] “South Korea – Worldometer.” https://www.worldometers.info/coronavirus/country/south-korea/.

[21] See: “Limitations of BLE in smart home,” DevelopX, 4 December 2017 at: https://developex.com/blog/limitations-of-ble-in-smart-home/; “GPS Accuracy,” GPS.gov, at: https://www.gps.gov/systems/gps/performance/accuracy/.

[22] “EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic,” 14 April 2020 at: https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-letter-concerning-european-commissions-draft-guidance-apps_en. To date, Ireland, Germany, Austria and Switzerland have all spoken in favor of applying a decentralized approach.

[23] See: “eHealth Network: Mobile applications to support contact tracing in the EU’s fight against COVID-19. Common EU Toolbox for Member States” ver. 1.0, 15 April 2020 at: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf.

The forgotten few…

Over 6M Americans filed for unemployment, and in LA County there has been a recent 54% increase in applications for food stamps. There are millions of women, infants and children receiving federal assistance under the WIC program. There are over 42 million Americans receiving tens of billions of dollars in food assistance from the government. The economic impact of the pandemic will only increase this market. The new stimulus package that was signed recently increases funding for the food assistance program. That is the size of the target market.

So, what do they all have in common? They need to brave a visit to the grocery store to buy food. Why? Because our great technology divide has categorized them as “have nots”.

If you are one of the privileged few who have a credit card, you can use online grocery shopping, which has increased by 25%, paying higher prices for the same goods and waiting for a slot to open up. You can also order online and drive to the store for a clerk to load your car without any physical contact.

But if you are on a government support program using EBT (electronic benefit transfer), or paying with an ATM card, check or cash, you are not at the top of the retailer’s elite customer list. You need to go to the store, stand in line and pay, irrespective of your age. The online delivery service is not for you.

So, what does a retailer do to help a customer? First, enable customers with all tender types to order online and provide an “equal” service. Next, think outside the box.

Some of these “essential” business retailers are chasing “large basket” sizes with premium pricing, without a social conscience. Having personally worked with low-income, underprivileged people on social projects, I don’t see a need for a “business case” to serve these underprivileged people. It took media attention for retailers to open special hours for seniors. If one were to serve the seniors, the retailers would have delivered their groceries without having them come into the store.

Amazon and Walmart are trying to help these customers, but you don’t get all your food from Amazon or Walmart. The USDA has approved a few other retailers to accept online orders for these federally supported customers and is trying to aggressively promote these services.

Congress authorized a pilot program for online shopping six years ago, but it took years to get it off the ground as officials grappled with significant technical challenges.

An interesting statistic: less than 40% of Americans pay for groceries using a credit card. The rest of the population pays using an ATM card, cash for the unbanked, checks if you have one, or food stamps. In stores that cater to low-income or unbanked customers, credit usage is very low. You don’t have a lot of Apple Pay users.

Members of Congress are trying to increase online grocery delivery using food stamps, and governors from various states are asking the agency to waive requirements for the food stamp program.

We need to support our frontline workers like health care workers, grocery store employees and first responders, but we also have an obligation to keep seniors and low-income folks who are on the food assistance program safe.

Give the low-income population equal choices, seeing that we all need to eat. Pause chasing high-margin profit and serve the local community. There is a potential 100B market guaranteed by the government.

Don’t forget the cash and ATM card users or, as we call them, PIN debit customers. Find a way for them to be part of the online community.

What’s in your grocery bag?

During a shutdown or shelter-at-home order, grocery stores and pharmacies are deemed essential services anywhere in the world. While there have been a lot of conversations about healthcare workers, grocery workers are not on people’s radar. Some facts:

  • The top 5 grocery chains in the country have over 20,000 stores and employ millions of workers who touch your groceries
  • From the distribution center workers, to the store employees who stock the food, to the clerk who helps you check out, your food is carefully handled
  • Even if you use delivery services like Instacart or Shipt to avoid going into the store, the personal shoppers are picking up the same groceries
  • The average grocery worker earns a little more than minimum wage
  • They are not trained to wear personal protective equipment

There have been a number of bonuses and perks offered by grocery chains as a token of appreciation, but the biggest help is to avoid making them sick. These workers earn a little more than minimum wage and work overtime to make ends meet, and the last thing they want is to fall sick and make their families sick.

We need to feed ourselves and they are part of our food ecosystem. From the unseen consumer packaged goods (CPG) workers to farmers and bakers to the people we interact with, let us say thank you.

We need to give a big shout-out to these grocery workers and, if you feel generous, pay forward a bag of groceries for their families or take a pizza to them.

More importantly, practice social distancing when you are in the store and stop hoarding. The more we clear the shelves to overstock our home pantries, the more we are putting these workers at risk. Perishables do perish and Charmin will still make toilet paper.

DO NOT SELL!

Over the past weekend, I was browsing tickets for my favorite NBA team “The Golden State Warriors”. Interestingly, while looking at the schedule on a website, a different website on my browser started to show availability of tickets for the championship games.  That was spooky.

Welcome to third-party behavioral profiling.  My data from the site with the schedules transferred my behavioral data to another site without my permission.

Come Jan. 1st, 2020, the GOLDEN state changes it all.  The new California privacy law CCPA targets websites and advertisers who transfer information without your permission along with other regulations that will disrupt the adtech ecosystem.

So, any company with over $25M in revenue or over 50,000 consumer personal information records needs to be ready. Unicorns, marketplaces, gig economy companies, even advertisers dropping off cards at your doorstep need to be able to act on a consumer request on what to do with their data.

Companies need to have a clear and conspicuous “Do Not Sell My Personal Information” link on their website. Companies should stop selling consumer information as soon as a consumer requests it. Now comes the definition of “selling”. What if Facebook does not sell your data, but its advertisers use Facebook’s algorithms to target you? Well, Facebook is monetizing your data indirectly, so does the “sell” regulation apply here?

In addition to DO NOT SELL, companies should have the ability to inform consumers of their practices in handling user data, explain consumers’ rights and list the categories of personal information that the company has collected, disclosed or sold within the previous year.

Now, there are 47 million residents in the Golden State, and while this number may be small, their online activity at thousands of apps and websites that are not necessarily headquartered in California or even in the US makes the law far-reaching.

So, as a first step, make a small change to your website to help consumers make a personal data subject request, and identify how you collect the data, where you store it and whom you share it with, so you can gain the trust of your customers.

Data Privacy Day 2019

“One is the balance between privacy and innovation. How can we use data to gain insights into education (like which schools do the best job of teaching low-income students) or health (like which doctors provide the best care for a reasonable price) while protecting people’s privacy?” – Bill Gates

“It’s not enough to give people control of their information, we have to make sure developers they’ve given it to are protecting it too.” – Mark Zuckerberg

“‘We can do better’ on explaining privacy controls to users” – Sundar Pichai

“In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.” – Tim Cook

 “My own point of view is that it’s a fantastic start in treating privacy as a human right,” – Satya Nadella

Data Privacy Day 2019 has more significance as we start a movement to gain control of our digital lives. There has been an increased awareness among the tech heavyweights of the need to be socially responsible in handling our personal data.

Navigating privacy waters is not easy, as the lines blur between explicit and implicit consent. Regulations can help provide boundaries but, like any regulation, they leave more grey areas, and when those affect our personal lives, they become black and white.

In 2000, DoubleClick was sued for violating consumer privacy laws. In the end, it got sold to GOOG for $3.1B. GOOG went on to pay fines for privacy violations over the years, but it did not change our perception of GOOG services. Remember OnStar, the lifesaving feature in GM vehicles which turned out to be a privacy nightmare?

In the world of cybersecurity, we expect the caretakers of our digital data to prevent bad guys from stealing it, but when the caretakers misuse our data due to complex legal consents, who is the real thief?

Working in the world of cybersecurity and data privacy for decades, I have never seen simplicity as a #1 requirement in products and services. It may be time to take legal teams within enterprises, who are the main drivers of privacy, and start educating developers, entrepreneurs and product designers on being more transparent on privacy.

We will need to continue to share data responsibly to make our lives easier, but let us start to demand more of our data caretakers.

Facebook Fallout

In 2014, approximately 300,000 individuals were compensated to take part in psychological surveys meant to provide revealing data about the possible course of the 2016 presidential election. However, tens of millions did not see a dime. Why? Well, they had no idea. Aleksandr Kogan, the head researcher, took information not only from the people paid to download his application and complete the surveys, but their friends and family too.

Word began to spread in March of 2018 that the English data-mining firm that hired Kogan, Cambridge Analytica, had gotten ahold of 87 million Facebook user profiles without any consent.

Did Facebook know anything about this? Here is where things get a little fuzzy. Yes, Facebook knew. The social media giant allows outside developers to construct and run their applications through the platform. So, when Kogan presented his “This Is Your Digital Life” application, Facebook gave the go ahead. In doing so, Kogan was granted permission to collect data on friends of paid participants if their Facebook privacy settings made it accessible.

So, why the drama? It sounds like Kogan had all the permission he needed, right? Kogan believes so, especially since his terms authorized commercial use. Facebook on the other hand, claims Kogan lied by handing the information he gathered over to Cambridge Analytica. In 2015, after recognizing the gravity of the situation, Facebook quietly demanded all the data received through Kogan’s application be destroyed. It’s now 2018 and the New York Times for one thinks Cambridge Analytica is still playing finders keepers. In response, the data firm has been adamant that any and all information from Kogan has been deleted. Meanwhile, Facebook isn’t even sure what they have.

Facebook users are not happy. Investors are not happy. Congress is not happy. And Mark Zuckerberg, Facebook’s founder and CEO has not been exactly handling the scandal with much grace. People have gone so far as to deem him robotic or socially inept, mocking his halfhearted interviews and awkward congressional testimonies.

In any business, reputation matters. When you’re in the business of ensuring personal data is kept private, it may matter even more. Facebook has broken the trust of its users, supporters, even the government, and has got the numbers to show for it. In the ten days after the Times broke the story earlier this year, Facebook’s stock fell 18 percent. Fast forward to the present, well about two weeks ago, on July 26, Facebook’s stock took an even bigger dive. The company lost 120 billion dollars in one hour, making it the biggest single day market-cap loss in the history of the US stock market.

Now, what’s the most important thing to have in a relationship? I’m going to go with trust, and I think millions would agree.

Don’t Leave Home Without It


The slogan “don’t leave home without it” from American Express in 1975 seems to have a new meaning today. We don’t leave home without our mobile phone. It appears that technology is en route to making the little plastic cards we swipe and insert daily, almost entirely obsolete. Apple Pay and Google Pay have created secure, frictionless payment experiences that make it okay to forget your wallet at home.

These systems allow for contactless transactions with just your finger. Your cards are tokenized and virtually stored, making for quick, convenient purchases through mobile, in-store, or online.

Google Pay began as Google Wallet back in 2011 which later developed into Android Pay in 2015. At the beginning of January this year, Google Pay was released, unifying those two previous platforms. Apple Pay, aside from improved, additional features, has remained consistent since its release in 2014. The number of Android users is almost double that of iOS (Apple’s operating software) users, reported as 1 billion to 470 million, according to Lily Newman of slate.com.

Google Pay works with Android operating systems, while Apple Pay works solely with Apple products. In a survey conducted by PYMNTS.com, individuals were asked about how frequently they use Google (Android as of 2017) Pay and to compare it to swiping a physical card. All of these following statistics are taken from December of 2017.

Almost half of the users asked, 49.1%, use it “every chance” they get, 39.7% “whenever they remember”, 10.8% “rarely consider using mobile pay”, and 0.5% “stopped trying to use mobile pay”. When compared with swiping an actual card, the “ease of use” of Android Pay had 49.5% say it was “much better”, 47.2% “about the same”, and 3.3% “much worse”. “Speed at checkout” with Android Pay was marked by 53.3% as “much better”, 43.0% as “about the same”, and 3.7% as “much worse”. “Convenience” showed the highest ratings with 57.5% stating Android Pay was “much better” than a physical card, 39.7% as “about the same”, and 2.8% for “much worse”. “Security” was almost even with 50.5% believing digital was “much better”, 48.1% “about the same”, and 1.4% “much worse”.

The exact questions were asked of Apple Pay users at the end of 2017 as well. A small 17% of users claimed they use Apple Pay “every chance they get”, 44.2% “when they remember”, 35.4% “rarely consider using Apple Pay”, and 3.4% simply have “stopped trying”. In terms of “ease of use”, 32.5% answered Apple Pay was “much better”, 5.3% for “about the same”, and 62.1% said it was “much worse”. Regarding “speed at checkout”, 37.2% replied Apple Pay was “much better”, 4.9% “about the same”, and 57.9% for “much worse”. “Convenience” of Apple Pay was marked with 41.6% stating it was “much better”, 5.2% saying it was “about the same”, and 53.2% “much worse”. As a matter of “security”, 33.3% believed Apple Pay was “much better”, 4.7% “about the same”, and 62.0% thought “much worse”.

Android Pay, now Google Pay, showed stronger results from its users than the Apple Pay reports did, with its users displaying significantly more confidence in their digital wallet. What both digital wallets have in common, however, is legitimately sound security. Despite the uncertainty of users, which can be seen in the numbers previously discussed, the setup of these platforms actually allows for safer transactions. Merchants are never able to collect your card information; instead, it is “tokenized”. This tokenization means your information is represented by an arbitrary code rather than revealing sensitive data. So, how prominent have these digital wallets actually become? With over 700 million iPhone users and approximately 1 billion Android users, markets worldwide are more widely accepting these forms of payment, most notably in the Asia-Pacific sector. A closer look from Jackie Dove at Tom’s Guide also reveals these innovative systems have surpassed 5 million accepting locations.

Statistic: Number of smartphone users worldwide from 2014 to 2020 (in billions) | Statista

Statistic: Availability of Apple Pay, Samsung Pay and Android Pay in global regional markets as of 1st quarter 2017 | Statista

So, as bizarre as it may seem leaving your physical wallet, multiple cards, cash, and coins all at home, some people are making the change. The surveys from PYMNTS.com clearly indicate some apprehension from users, but this could potentially be a transition period where breaking old habits can just mean some natural discomfort. As merchants and consumers become more familiar with these new systems, the processes are bound to work more smoothly, right? Well, with Apple Pay, some think it has already reached its peak. Karen Webster of PYMNTS.com reports, “the inconvenient Apple Pay truth is that not enough consumers see the value in it, so 19 out of every 20 people who could use it don’t even bother anymore.” How do you feel about digital versus tangible? We all know practice makes perfect; and don’t we all want what’s safest and most secure when it comes to our money and personal information?

Cleaning the Aisles.

Retail powerhouses, Alibaba and Amazon, grew from similar roots. Both e-commerce giants were started by individuals obsessed with technology disruption. Now, they dominate the world’s largest economies, China and the United States, building ecosystems of services around the mutual mindset that the customer is the center of their universe.

In comparison, in terms of revenue reports, as of August of last year, Amazon is the clear breadwinner, outweighing Alibaba 177.9 billion (USD) to 23.82 billion (USD). Per share, Amazon made $314.52 versus Alibaba’s $10.52. More in depth metrics however, such as operating margins and quarterly earnings progress, reveal Alibaba had substantially more impressive numbers. Alibaba held a 32.68% operating margin compared to Amazon’s 2.31%. In terms of quarterly earnings, Alibaba had a staggering 94.50% growth to Amazon’s -77.00%. This can be attributed to more than just the lower trading costs. Amazon’s price-earnings ratio is 326 while Alibaba is at 37.11.

Alibaba is already operating in a much larger market, double that of the United States, with China being the largest. There are 560 million internet users within the country, online for approximately 20 hours a week. Out of that number, Alibaba has 350 million active customers responsible for skyrocketing sales across not one, but two of their retail sites.

These two companies, when dissected, are operating with two different business models. Amazon began as a B2C business, business to consumer whereas Alibaba started off as a B2B, business to business. Now, Amazon is operating a marketplace involving more third-party transactions. Alibaba has expanded from B2B to both business to consumer and consumer to consumer, which has widely broadened their playing field.

Despite the different business models, both are impacting the world’s retail environment dramatically. Alibaba is using modern technology with pop-up stores including their online payment system, electronic price tags, facial recognition, and even the ability to virtually try on items. Jack Ma, co-founder of the Alibaba group, has made it apparent that the company is taking on a “retail as entertainment” approach, by curating an experience rather than just simply business.

On the other side of the game, Amazon, most recently, is changing the way Americans buy groceries. With the recent acquisition of Whole Foods and an immediate stock jump of 27%, it is safe to say, people are on board. Jeff Bezos, Amazon’s CEO, has expressed his goal to cut prices while maintaining a commitment to high quality products. In-store benefits and transformed POS systems are “just the beginning” according to the head honcho. What does he mean exactly? Well, maybe the recent unveiling of the Amazon Go store with its Just Walk Out technology can give us a clue. Yes, Amazon has created a store where customers can literally just walk out, no lines, no cashiers. Oh, the possibilities.

The ecosystems created by these two companies give brick and mortar stores no choice but to embrace technology and rise to their level. Most, however, are playing catch-up with incremental innovation. Both companies are blurring the walls of these brick and mortar stores with online commerce.

Disruption is here and happening. Next, we will bring you the retailer whose aisles are being cleaned out by Amazon or Alibaba.