The ongoing COVID-19 pandemic is forcing us to reconsider how much personal freedom we are willing to give up to fight the virus. With limitations on who we see, where we go and for how long, being the new normal. Along with confinement and social distancing measures, states have turned to big tech and our highly digitalised societies to attempt to track and contain the virus. “Tracking apps” have been multiplying across the world, utilising virus testing data with mobile phone locations to get a clearer picture of who has the virus, where they have been and who they have been in contact with.
There is a catch: It is vital these apps are done right. Priorities in times of crisis change and extraordinary measures are often warranted. However, it is in these times that we must be the most careful. We must remember that after the crisis, policies we have taken will have consequences, potentially setting dangerous precedents. It is primordial that these applications do not irreversibly encroach on individual data privacy rights and become a gateway for unwarranted surveillance and discrimination.
Not all Apps are Created Equal
What exactly are tracking applications? In short, these are mobile software apps which aim to assist “contact tracing”; the process of working backwards from an infected person to identify people he or she has been in contact with to break the chain of infection. These apps track users and informs them if they have been in the vicinity of an infected person, prompting them to quarantine. There are generally two ways in which the data is collected, either through GPS and cellphone data or through bluetooth “handshakes”. There are then two models - centralised and de-centralised - which differ in where the data is stored. In a central government database in the first case, and on the user’s phone in the second. These different models raise different levels of privacy concerns.
The decentralised-Bluetooth apps are designed to be more privacy friendly than their GPS-centralised counterparts. These apps broadcast an anonymous and encrypted ID and create a log of interactions with other phones on which the app is installed. This data remains on the phone until a person who has tested positive for COVID-19 consents to sharing that information, after which a notification is sent to all other Anonymous ID’s with which that phone has interacted. In the more centralised model this list is uploaded and matched on a central government server, as is the case for the Australian tracking app “Covidsafe” or India’s “Aaroya Setu”.
Countries like South Korea or Israel have opted for more aggressive and intrusive surveillance methods to track the movement of their population. In Israel, cellular data usually used for counter-terrorism measures is used to track and alert COVID cases and their contacts. South Korea uses a mixture of cellular data and surveillance technology to track the movements of COVID cases and publicly broadcast their movements sending alerts to avoid those areas. In China, citizens must scan QR codes before entering public spaces and services. According to the colour then displayed on their app (Green, Orange, Red) they may or may not access said service or space. Such practices have raised privacy concerns among experts and human rights group around the world, arguing this is a slippery slope to normalising surveillance of society at large in the future.
All Data is Sensitive Data
Among the chief justifications for developing and using these applications is that the only data collected is your location data. In truth, location data, even if anonymous and isolated from other contextual data, is still very sensitive. This recent New York Times enquiry shows how much can be inferred about a person’s life only through collecting their mobile location data and how this data can be instrumentalised against them. With little investigation, your professional activity, daily schedule, marital status, health condition and close relations can be discovered. This is information few would be comfortable sharing. Therefore, even apps which utilise anonymous IDs must be held to extremely high privacy standards. In South Korea for example, individuals have been able to discover the identity of infected people who’s path were shared through the governments scheme. These people where subsequently publicly shamed online.
Due to the sensitive insights location data can provide, it is primordial these apps respect some basic tenets: Users must have absolute clarity over what data is collected, by whom, who gets to see it, and what happens to it after the crisis. A strong legislative framework must also guarantee these apps do not outlive the pandemic.
The Real Risk : Eroding Privacy Rights
Some of the apps developed do not come close to fulfilling these requirements. India’s “Aaroya Setu” is one such example. The app has received backlash from some who fear an increasing erosion of democracy in the country. The Indian government has been more than opaque about what data is collected by the app, what is done with it, and who in the government has access to it. The app’s dual use of bluetooth and GPS location makes it more invasive than most other apps of its kind. India’s muslim population, who has recently suffered crackdowns from an increasingly nationalist government, is fearful that this empowers the government with unprecedented snooping abilities.
In fact, India lacks a legislation framework or oversight mechanism which guarantees that the data will not be repurposed after the pandemic (the country’s data and privacy laws date back to the late 1800’s). Without these guardrails, fears of this becoming a surveillance tool, not unlike those employed in China, are growing. Indian author Arundhati Roy summed this up stating : “Pre-corona, if we were sleepwalking into the surveillance state, now we are panic-running into a super-surveillance state.”
One must not look too far to understand this anxiety. The 9/11 crisis created the atmosphere under which policies such as the Patriot Act granted the United States unprecedented spying abilities domestically and internationally. Abilities of which the full extent was only understood in 2013 with Edward Snowden’s revelations.
Europe has some of the most robust data privacy laws in the world. Indeed, with the General Data Protection Regulation (GDPR), the European Union sought to become a model to follow regarding individual data rights. However, with Europe hosting some of the most hard-hit countries by the virus, discussions are underway for the deployment of tracking apps in many European countries (UK, France, Germany).
EU member states have the possibility of making these apps work to their advantage, without compromising on privacy. In fact, anything short of radical transparency regarding the apps risks eroding the work done until now regarding data privacy. For these apps to be legitimate in Europe, it is vital they be voluntary. Indeed, in the EU’s European Data Protection Board’s (EDPB) guidelines for the development of these apps, it is highlighted that these apps must be voluntary and that “individuals who decide not to or cannot use such applications should not suffer from any disadvantage at all”. However, voluntary apps have seen little uptake, even in Singapore where only about 20% of the population has dowloaded “SafeTogether”- the city-state’s COVID tracking app. If EU countries develop these apps following a privacy-by-design approach, they might instil in EU citizens the necessary trust which will see the 60% uptake experts say is necessary for these apps to produce results.
If countries with the strongest privacy regulations fail to uphold them in their development of apps to contain the virus, this will only embolden less privacy-inclined states and risks enabling yet another technology to be used as a tool of authoritarian power.