As the world turns to
technology to track and contain the COVID-19 pandemic, could this spell the end
of digital privacy rights?
Health organizations and
governments all over the world are using technology to communicate, track,
monitor and predict the spread of COVID-19. In recent years, data has proven to
be a valuable resource – more valuable than oil in some instances – and the use
of data to understand the movement of people and their interactions to help
control the spread of infection during a global pandemic seems like an
excellent use of technology. There are likely to be very few people who would
object to the use of technology to track an infected person to ensure they
maintain quarantine; I may even advocate such use.
However, unprecedented
times should not result in any long-term removal of our privacy rights,
especially in cases where legislation has been rushed through to allow the
fulfillment of medically urgent needs for data collection or use. In some
instances, data is being extracted from smartphones on an individual basis or
en masse. In the current age of COVID-19 concern, data potentially relevant to
tracking the disease is being gathered, or there are proposals to gather it,
via several mechanisms:
· Custom apps developed to enable communication
between health care professionals and patients, to keep people informed with
official communications and to provide a warning if an individual has been in
close proximity to someone testing positive. There are other use cases mentioned
below.
·
Mobile phone
companies are being asked, or already have, subscribers’ geotracking data, or
already have, allowing the modeling of infection predictions based on actual
phone subscribers’ movements.
·
Popular
social media apps also track location, unless the member has elected not to
share location data. There are stories circulating in the media that some
governments have approached the leaders of social media companies to explore
the opportunity of using their data to see if social distancing is effective.
Coping with COVID-19
At the time of writing,
there are infections
in 172 countries and regions around the world, some with devastating
numbers of both infections and deaths. Each country is developing its own
strategy to limit the outbreak and included in this is the differing use of
technology and tracking data.
At the start of the
outbreak in China, the authorities there required citizens in Wuhan to provide
personal information so that device tracking could be linked to individuals.
The Guardian
then reported that
Taiwan used phone tracking to enforce self-quarantine, citing an example of
automated text messages being sent when a quarantine-mandated individual left a
geo-fenced perimeter.
Singapore’s ministry of
health made victims’ personal information publicly available, which allowed
developers to create maps and show locations, raising security fears for those
concerned. In the last few days the authorities there have also released an app
called TraceTogether that identifies, using Bluetooth, if you have been in
close proximity to a coronavirus patient.
In Germany, UK, Austria,
Belgium, Italy and South Korea, mobile operators have been reported to be
sharing aggregated or anonymized location data with health authorities. In
South Korea, data was also shared by credit-card companies. The European
countries where personal data is protected by the General
Data Protection Regulation are
using an option to suspend the regulation in face of a civil crisis. Article 9
of the GDPR allows for processing of health and other usually sacrosanct data
when necessary for reasons of public interest in the area of public health,
such as protecting against serious cross-border threats to health.
Despite the exceptions in
regulations being used to share data with health and government authorities,
the regulations that cover the protection of data should be adhered to. For
example, the GDPR states that data must be encrypted when at rest and in
transit, and these requirements are still mandatory.
In Israel, authorities
approved new surveillance measures allowing citizens to be tracked by
monitoring mobile phones. In contrast, Hong Kong tagged new arrivals to the
region using wrist bands that log and transmit location data to
authorities, maintaining
the privacy of the
individual’s phone.
An intriguing use of an app
has been by the Polish authorities, requiring a quarantined individual to have
an app released by the Ministry of Digital Affairs and for them to send a
selfie with geo-metadata on a regular basis to prove compliance.
Several countries have
passed emergency legislation to permit the use of personal data to combat the
spread of the virus. For example, Italy lifted a restriction on the sharing of
personal data when doing so was necessary for the performance of civil
protection functions.
A few countries, including
Russia and China, are using facial recognition technology to ensure that those
identified as infected observe quarantine rules. The systems are collecting
video through CCTV, drones and other camera-based systems.
Many of these initiatives
demonstrate that innovative methods are being explored, and are in use, with
governments, health professionals, technology and phone companies working
together to combat the medical emergency facing the world. At the same time,
privacy advocates are also being vocal about these issues. The BBC reports that in the UK a group identified as
“responsible technologists” has urged for open disclosure of the UK
government’s plans to collect personal data through an app being created to
tackle COVID-19.
Exceptional circumstances
call for exceptional actions; the issue, though, is what happens when these
circumstances have passed. Will governments return to the emergency legislation
and revoke the additional rights to use personal data? Will organizations that
received the data be required to delete it? Will individuals whose data was
affected be notified that it was shared?
It’s our responsibility as
technologists and privacy advocates to ensure that normality is restored and
that we return to a where privacy rights are respected and enforced once the
current emergency world is resolved.
