Public health vs. personal privacy: Choose only one?

Health organizations and governments all over the world are using technology to communicate, track, monitor and predict the spread of COVID-19. In recent years, data has proven to be a valuable resource – more valuable than oil in some instances – and the use of data to understand the movement of people and their interactions to help control the spread of infection during a global pandemic seems like an excellent use of technology. There are likely to be very few people who would object to the use of technology to track an infected person to ensure they maintain quarantine; I may even advocate such use.

However, unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use. In some instances, data is being extracted from smartphones on an individual basis or en masse. In the current age of COVID-19 concern, data potentially relevant to tracking the disease is being gathered, or there are proposals to gather it, via several mechanisms:

• Custom apps developed to enable communication between health care professionals and patients, to keep people informed with official communications and to provide a warning if an individual has been in close proximity to someone testing positive. There are other use cases mentioned below.
• Mobile phone companies are being asked, or already have, subscribers’ geotracking data, allowing the modeling of infection predictions based on actual phone subscribers’ movements.
• Popular social media apps also track location, unless the member has elected not to share location data. There are stories circulating in the media that some governments have approached the leaders of social media companies to explore the opportunity of using their data to see if social distancing is effective.

Coping with COVID-19

At the time of writing, there are infections in 172 countries and regions around the world, some with devastating numbers of both infections and deaths. Each country is developing its own strategy to limit the outbreak and included in this is the differing use of technology and tracking data.

At the start of the outbreak in China, the authorities there required citizens in Wuhan to provide personal information so that device tracking could be linked to individuals. The Guardian then reported that Taiwan used phone tracking to enforce self-quarantine, citing an example of automated text messages being sent when a quarantine-mandated individual left a  geofenced perimeter.

Singapore’s ministry of health made victims’ personal information publicly available, which allowed developers to create maps and show locations, raising security fears for those concerned. In the last few days the authorities there have also released an app called TraceTogether that identifies, using Bluetooth, if you have been in close proximity to a coronavirus patient.

In Germany, UK, Austria, Belgium, Italy and South Korea, mobile operators have been reported to be sharing aggregated or anonymized location data with health authorities. In South Korea, data was also shared by credit-card companies. The European countries where personal data is protected by the General Data Protection Regulation are using an option to suspend the regulation in face of a civil crisis. Article 9 of the GDPR allows for processing of health and other usually sacrosanct data when necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Despite the exceptions in regulations being used to share data with health and government authorities, the regulations that cover the protection of data should be adhered to. For example, the GDPR states that data must be encrypted when at rest and in transit, and these requirements are still mandatory.

In Israel, authorities approved new surveillance measures allowing citizens to be tracked by monitoring mobile phones. In contrast, Hong Kong tagged new arrivals to the region using wrist bands that log and transmit location data to authorities, maintaining the privacy of the individual’s phone.

An intriguing use of an app has been by the Polish authorities, requiring a quarantined individual to have an app released by the Ministry of Digital Affairs and for them to send a selfie with geo-metadata on a regular basis to prove compliance.

Several countries have passed emergency legislation to permit the use of personal data to combat the spread of the virus. For example, Italy lifted a restriction on the sharing of personal data when doing so was necessary for the performance of civil protection functions.

A few countries, including Russia and China, are using facial recognition technology to ensure that those identified as infected observe quarantine rules. The systems are collecting video through CCTV, drones and other camera-based systems.

Many of these initiatives demonstrate that innovative methods are being explored, and are in use, with governments, health professionals, technology and phone companies working together to combat the medical emergency facing the world. At the same time, privacy advocates are also being vocal about these issues. The BBC reports that in the UK a group identified as “responsible technologists” has urged for open disclosure of the UK government’s plans to collect personal data through an app being created to tackle COVID-19.

Exceptional circumstances call for exceptional actions; the issue, though, is what happens when these circumstances have passed. Will governments return to the emergency legislation and revoke the additional rights to use personal data? Will organizations that received the data be required to delete it? Will individuals whose data was affected be notified that it was shared?

It’s our responsibility as technologists and privacy advocates to ensure that normality is restored and that we return to a world where privacy rights are respected and enforced once the current emergency is resolved.