A New Zealand woman went to a Subway restaurant for a regular purchase of a sub sandwich, but then went home to an unpleasant surprise: unwanted advances from the man who sold her the sub sandwich. How did he get her contact information to hit on her? During the course of her purchase, she had to write her personal information down on a contact tracing information list provided by the salami seller. The woman, who the media is calling Jess, described the situation to Newshub:
“I had to put my details on their contact tracing form which I didn’t think anything of. It asked for my name, home address, email address and phone number so I put all those details down.”
All in all, the salami seller reached out to her via a Facebook friend request, an Instagram follow request, an unsolicited Facebook messenger message and also a text message to her phone number. Needless to say, that was not what Jess wanted when she went to buy her sandwich. She told Newshub how the privacy violating event made her feel:
“I felt pretty gross, he made me feel really uncomfortable. He’s contacting me, I didn’t ask him to do that, I don’t want that. I’m lucky that I live with quite a few people because if that was me by myself at home – he knows my address you know – I’d feel really, really scared. Even now I feel a bit creeped out and vulnerable.”
According to Newshub, the salami seller has since been suspended by Subway.
This is what happens when privacy protections aren’t put in place for private information
Restaurants in New Zealand are required to keep logs of who comes in and out of their restaurant as mandated by COVID-19 Alert Level 2. The New Zealand government’s WorkSafe website informs restaurants that they need to:
“keep contact tracing records for all customers and workers.”
However, there is nothing in the alert notice that tells companies that they need to establish proper privacy protections for that contact tracing information – and we have now seen the results of that. Amnesty International in New Zealand recognized this as a potential problem back in April and called for further clarification on privacy protections for the contact tracing details that are being forcefully collected around the country. Advocacy and Policy Manager, Annaliese Johnston, commented:
“We are pleased to see that the Privacy Commissioner has been consulted on the development of this app and that it will be voluntary in New Zealand. But further assurances are needed including that any data collected can only ever be used for the purposes of eliminating COVID-19 in New Zealand. Additionally, the data collection must be time-bound in relation to the pandemic and the data must not used for any commercial or other purposes that could be discriminatory. It’s essential the public is assured that private information is secure and collection efforts are subject to independent oversight.”
This meddling, peddling salami seller could have been stopped even with non-independent oversight. That a restaurant decided to collect information via a paper form shows the type of bare level compliance with un-fleshed out rules that can be expected. That is to say, if a government doesn’t bake privacy into what they’re doing – such results can only be expected. What if it wasn’t the salami seller that swiped the contact details? What if it was another customer in line that simply memorized the written down name and contact information when he or she went to write his or hers down? Subway has since moved to a digital contact tracing app like is being used in other places in New Zealand and the risk of a rogue employee or customer stealing contact information for their own nefarious purposes should be going down – but the risk of that information being misappropriated at some point for non-COVID-19 tracking purposes still remains.