It’s customary for governments to use time of crisis to implement more invasive surveillance technology. Before pandemic, this trend picked up globally with 2001 terrorist attack.
Even though real numbers of deaths are lower than in 1970s (in 2017 it was 0.05% of total deaths), terrorism was covered extensively by media and in turn gave a mandate to impose new measures to spy on general population.
With the pandemic upon us, there is excellent opportunity for state surveillance expansion. Technology could be an invaluable help, but could do more harm than good. Governments have tendency to keep the tools and data, after the state of emergency. Legality, necessity, and proportionality principles should be always in place, especially in these trying times.
There’s an app for that
As governments across the world are grappling with the strained healthcare and economic crisis, “contact tracing” is one of the means to control the outbreak. Basically, it’s tracking the persons who came into contact with coronavirus. While I’m not denying this as a way to analyse the spread of Covid-19, there are few things to consider. Starting with efficacy of this approach and other problems with accuracy (people on different floors, behind walls etc.). If it’s not properly safeguarded, we’ll lose even more privacy.
Should it be mandatory? Who should control the data collection and processing? This technology should be used to preserve anonymity and when it goes back to “normal”, we ought to have safeguards to roll back the invasive technology.
In China it was mandatory to install the app. It shows QR codes with status of health (green, yellow or red). The algorithm behind it is opaque. Users have complained that their codes flicker from green to red, or vice versa, without any explanation. South Korean authorities have sent out SMS’s with the movements of infected people and sensitive data (with behaviours like shaming and harassment reported). The smartphones are used to check if quarantine is maintained. Iran lured it’s citizens to install app called AC 19, who would suppose to determine if they had coronavirus, in fact it is, tracking location in real time and much more private data. Similarly, Israeli Prime Minister Benjamin Netanyahu issued emergency regulations allowing digital monitoring of coronavirus patients’ smartphones by security service Shin Bet, using means that were not disclosed. It’s also tracking details of all calls made by coronavirus patients as well as credit history, with no answers who will be responsible for data deletion after the outbreak. (parliament approval was bypassed, but at least there is a time limit).
Singapore, who isn’t exactly leader of democratic freedoms, released it’s app TraceTogether installed voluntarily by over one million people, protected people’s privacy using Bluetooth technology. It doesn’t track users over time and was to be open sourced. (Privacy legislation in Singapore was revised in 2014 and entails that the processing of data about individuals requires their consent).
EU problems and solutions
In Europe, state surveillance expansion is harder due to GDPR. There is an initiative called Pan-European Privacy Preserving Proximity Tracing also Bluetooth based. Pan-European approach seems to be the most reasonable one, yet many countries within EU are working on their own apps. Ireland, Norway, Austria, Germany, list goes on. According to Bloomberg, Palantir – private American company (with ties to US intelligence agencies like CIA), is in talks with authorities in France, Germany, Austria and Switzerland to provide data analytics software. UK already has a deal with Palantir, with declaration – “Palantir is a data processor, not a data controller, and cannot pass on or use the data for any wider purpose without the permission of NHS England.” Authorities use of data from telecoms in EU is also becoming new norm in countries like Austria, Germany, Italy or Slovakia.
Let’s analyse some hurdles.
The app need to be installed by at least 60 per cent of the target population, according to Oxford researchers — to be effective. The growing competition on the market would risk fragmenting tracked population. Another issue is interoperability.
Also, if the mobile location data were to be used by authorities and stay within the law need to be anonymised. According to Yves-Alexandre de Montjoye, a data scientist at Imperial College:
“The original data is pseudonymised, yet it is quite easy to reidentify someone. Knowing where someone was is enough to reidentify them 95% of the time, using mobile phone data. So there’s the privacy concern: you need to process the pseudonymised data, but the pseudonymised data can be reidentified. Most of the time, if done properly, the aggregates are aggregated, and cannot be de-anonymised.”
Big Data vs. Big Brother
If the private businesses were in charge of data collection and processing, well those companies’ tools were built for exploitation and abuse as @violetblue wrote. Tech companies haven’t been a champions of privacy and they would obviously gain from the situation. It would also be hard to caught them red handed as the software is proprietary. On the other hand, they already have the technology ready and some of them have been fighting about consumers privacy (to get PR points, but nonetheless).
Transparency about what the app does, what data is being collected,where it is processed and the expiration date is necessary for people to give up sensitive information.
The possibilities of things go wrong are aplenty. Aforementioned errors in exact location, could wrongly render people’s status in quarantine, tracking is only effective above certain threshold. Making app installs mandatory will be met with backlash and people can always leave smartphones at home (not to mention people without one). Then others may believe they are safe as there are no red dot on their phone.
The data collection and sunset clauses (when emergency measures should be withdrawn) are important part of regulation. There is a saying “data is the new oil” and private companies may try to use it in new ways, especially in the chaos of implementing the systems. Databases will be prone to hacking and/or used by governments to suppress activists and dissidents in even more efficient manner. Data from the smartphones (location data, metadata – who did you contact and when), combined with face recognition cameras is perfect surveillance apparatus. All this is needed o be taken into consideration while acting swiftly.
Possible results of those shifts is hard to predict, yet it’s important to keep watchful eye on the state surveillance expansion, especially as people try to keep families safe and are ready to relinquish privacy for safety.
Changes are coming. More EU countries are releasing emergency acts, which are giving broad rights to the governments. For example, it’s been reported that the German health ministry had drafted changes to a law called the Infection Protection Act. It allows, among other things, the tracking of people who were in contact with those infected with the coronavirus.
In Poland, from 1st of April, for people under quarantine installation of the app is mandatory, data is collected for 6 years and includes: ID, names, telephone number, address, photo, location.
Challenging times ahead.