COVID-19 Highlights the Tricky Balancing Act Between Data and Privacy
When it comes to collecting data, privacy should always remain top-of-mind.
The global outbreak of COVID-19 has highlighted the uneasy relationship between big data and privacy. As governments and major tech companies try to contain the spread of the coronavirus by tracking where people have been and with whom they’ve been in contact, civil liberty groups are worried that a dangerous precedent is being set.
Civilians are also worried about how personal data is being used. As recently as November 2019, the Pew Research Centre published a study that showed the majority of Americans believe “their online and offline activities are being tracked and monitored by companies and the government with some regularity”. And it’s not a situation they feel comfortable with; the majority also reported feeling “concerned about the way their data is being used by companies or the government”.
But how do governments balance their citizens’ rights to privacy with COVID-19 relief efforts? It’s a contentious debate, and one which will continue to rage for the foreseeable future.
The Great Data Debacle
As one of the world’s largest data providers, DefinedCrowd takes privacy seriously. According to Fernando Miguel Pinto, Engineering Manager and Data Protection Officer at DefinedCrowd, the company is “fully compliant with the requirements of the European Union General Data Protection Regulation (GDPR) and with the requirements of the California Consumer Privacy Act (CCPA)”.
“Besides adhering to these regulations, we have also developed and deployed a set of internal security and data privacy measures and procedures that ensure only the people with proper authorization and business justification are able to access some of this information. The development of these measures formed part of our effort to become ISO 27001 certified, which we achieved last year. We also utilize data encryption at rest and in transit, and data masking, among other strategies, to make sure user data is kept private at all times.”
However, it is strategies similar to these that are causing the Great Data Debacle. In terms of tracking people’s movements and their contacts in order to contain the spread of COVID-19, where should the data be stored and who should have access?
Tech Tracing Gathering Steam
Governments around the world are deploying apps that use Bluetooth “handshakes” to determine who an infected person has been in contact with. From Israel to Singapore, Australia to North Macedonia, governments are employing technology to help with the onerous and labor-intensive task of contact tracing.
But while apps like North Macedonia’s StopKorona! give their users full control over data, allowing them to choose to send their location history to the Ministry of Health, other apps are more prescriptive in their scope.
China has made it mandatory for its citizens to download tracking software to their phones, which, according to the New York Times, does more than dictate whether a person should be quarantined. “It also appears to share information with the police, setting a template for new forms of automated social control that could persist long after the epidemic subsides,” reported the news site on March 1, 2020.
Meanwhile, in South Korea the government has created and released a publicly accessible map that shows the movement of those infected with the coronavirus. People can use the map to ascertain if they have come into contact with an infected person.
According to the Guardian, the government is also sending text messages which warn the public of a newly infected case. A link takes the user to a website that lists all the locations the patient visited before testing positive.
In India, phone hacking companies are pitching proposals to the government to forcibly break into a phone to ascertain where a person has gone, and with whom he or she has met.
According to Reuters, Israeli firm Cellebrite is used by law enforcement agencies to break into the phones of suspected criminals. The firm is pitching the same capability to “help authorities learn who a coronavirus sufferer may have infected”.
Although this is usually done with consent, Cellebrite advised Delhi police that in legally justified cases, they can access this data without consent. According to the Reuters report, they “do not need the phone passcode to collect the data”.
Digital Tracking Makes Sense
“From a practical point of view, contact tracing apps make sense,” said Daan Baldewijns, Director of Solutions Architecture at DefinedCrowd. “Relying on people’s memories is certainly not a foolproof method of tracking the spread of a highly infectious and potentially deadly disease,” he said.
“Digital tracking is a far more reliable means of tracing whom an infected person has been in contact with and when that contact occurred. I can understand why governments are keen to roll out this strategy, however, it is also concerning for many people because the potential for abuse does exist.”
The abuse of data can be far reaching. Authorities can track who opponents or dissidents are meeting with or monitor your driving speed. Data can be sold to interested parties like insurance companies, who would use it to monitor your activities, or advertising agencies. Today, there is no more valuable commodity than data.
Centralized or Decentralized?
It seems everyone is in agreement that tracking the coronavirus through digital means is vital to containing its spread. However, there is no such agreement on how to store the data, or who should access it.
In the EU, the Pan-European Privacy Preserving Proximity Tracing Initiative (PEPP-PT) is planning to release software code that can be used to develop apps that will help track transmission chains of COVID-19.
PEPP-PT will store collected data in a central server, giving health authorities central control over the data.
In contrast, Apple and Google have collaborated in a landmark project to develop a contact-tracing API, which they plan to release to software developers building apps for public health agencies. This technology is decentralized, which means users can choose to share their information with authorities by consenting in the app.
The problem for some is that centralized apps like the PEPP-PT won’t work properly on an iPhone because for the Bluetooth tracking to work, the device would need to be unlocked with the app running in the foreground.
France’s Digital Minister, Cédric O, has called for Apple and Google to change this in order for PEPP-PT technology to function as envisaged.
“We’re asking Apple to lift the technical hurdle to allow us to develop a sovereign European health solution that will be tied to our health system,” O said in an interview with Bloomberg News.
However, Apple refused to do so, resulting in Germany announcing on April 26 that they would adopt a decentralized approach to tracing, abandoning the PEPP-PT alternative.
“This app should be voluntary, meet data protection standards and guarantee a high level of IT security. The main epidemiological goal is to recognize and break chains of infection as soon as possible,” said Chancellery Minister Helge Braun and Health Minister Jens Spahn in a joint statement.
Apple wasn’t alone in its disapproval of a centralized approach to data storage. An open letter from hundreds of scientists published on April 20 warned that a centralized approach would “allow unprecedented surveillance of society at large”.
Although France and Britain still favor centralization, many of PEPP-PT’s collaborators have pulled out, citing its methodology and its “slowness to open up its work to wider scrutiny.”
The iPhone will integrate with decentralized protocols like the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) project, which has been backed by Switzerland, Austria and Estonia.
Millions Being Tracked Around the World
Although scientists and civil liberty organizations have criticized the ethos of tracking people’s locations, citizens around the world have seemingly had a change of heart about the amount of data they would be willing to share.
Australian Health Minister Greg Hunt reported that within 16 hours of the launch of CovidSafe, 1.8 million people had downloaded the app, a figure that represents 7% of the country’s population. India’s Aarogya Setu app reached 50 million users in just 13 days, making it the world’s fastest downloaded app.
This is despite the fact that the Internet Freedom Foundation (IFF) and other groups have raised concerns over the app’s compliance with globally held privacy standards. According to the Indian Economic Times, the IFF observed in a report that the app’s privacy policy “does not specify which departments or ministry or officials will be the ones accessing the data,” with “a lack of specificity adding to concerns of overreach”.
Privacy or Life?
Digital surveillance will remain controversial. To some, the idea of the government tracking your every move seems like something out of a dystopian movie. To others, digital contact tracing is vital to containing the virus in the absence of a vaccine, allowing us to get back to some semblance of normal.
According to a Telegraph article published on April 4, “more than two thirds of the UK population would back the use of CCTV footage, mobile phone data and credit card records in a mass ‘contact tracing’ exercise to prevent a second wave of coronavirus infections.” Over 70% were happy with the idea of giving officials sweeping access to personal data to help authorities trace the chain of transmission. Meanwhile, an ORB International survey also found that 86% of respondents were willing to “sacrifice their human rights to help prevent the disease”.
The question becomes: how much privacy would you be willing to concede to save lives? And should governments look at developing a surveillance ecosystem to deal with future crises? The point remains: COVID-19 has changed the fabric of society and how we will operate going forward. Mobile surveillance may have just become one more factor in our new normal.