Tracking COVID-19: Privacy, Health, and Private Power
Experience in several states across Europe shows that the individual sense of whether COVID-19 represents an emergency situation that requires drastic, temporary behavioral changes and social distancing (#stayathome) appears to differ starkly and, to a certain extent, depends on cultural patterns of socializing. As segments of society fail to follow confinement rules, they put lives at risk. Some governments are considering tracking citizens’ movements using location data, for example in order to spot when people gather in groups. Researchers at the University of Oxford’s Big Data Institute are aiming to combat COVID-19 by converting a “surveillance” tool into something more tolerable in Western democracies. Participation is said to be voluntary: users consent to sharing their location data in order to be alerted when they might have met with someone infectious. Similarly, crowd-sourced solutions are beginning to mushroom online. The voluntary nature could help prevent “surveillance state” feelings from arising. Yet will it be effective in convincing the unconvinced to stay at home and/or in helping to contain the spread of the virus?
The data that governments need to tap into our private life mostly lies in corporate hands. The private sector has become used to cooperating with government agencies in emergency situations and for standard law enforcement procedures. In order to prevent terrorism, there are certain instances in which companies, such as internet service providers, share user data with the state; this is usually evaluated on a case-by-case basis. The process is quite standardized for routine law enforcement requests that refer to user data: an order must be in writing, refer to applicable law, be addressed to the designated person within the company and be issued by the legitimate authority. Within Europe, obtaining evidence data is usually handled based on the European Telecommunications Standards Institute’s instructions. In other jurisdictions, similar standards exist to facilitate interoperability of data systems. Now, companies might face the dilemma of whether or not to comply with COVID-19-related government requests for user data, in particular for location data, which might result in privacy infringements.
South Korea is often portrayed as having handled the pandemic relatively well. Among other tactics deployed by the government was the public tracking of confirmed COVID-19 patients, yet they also employed a large-scale diagnostic capacity: many people were tested, had their status confirmed and adapted their behavior accordingly. Across Asia, prior exposure to SARS appeared to have convinced the public to take combatting the COVID-19 virus more seriously. Opinions on whether the public display on the “Coronamap” in South Korea actually helped to contain the virus spread differ starkly, with the National Human Rights Commission of Korea raising deep concerns about the privacy effects.
So far, many of the COVID-19 tracking apps are privately developed and voluntary by nature. Nevertheless, whether government-imposed or privately governed, these apps gather sensitive data that expose individuals to human rights risks, such as various forms of discrimination, without providing proper avenues of accountability. If governments decide that all citizens become subject to data-tracking by requiring the data from local service operators, would we all become suspects by default? Innocent until proven guilty used to be a cornerstone of democratic constitutions. In the past, governments have opted for preventive measures in the face of fighting terrorism. But how would such preventive measures for fighting the spread of COVID-19 look? Would telecommunications and internet service providers be asked to match whether someone’s location data is identical to someone’s home address to detect whether they have left home? Would internet service providers need to disclose all gatherings of more than two people based on mobile phone data? And if so, wouldn’t people get creative and, for example, leave their phones at home? Talks between governments and telecommunication providers seem to be ongoing, with little information available in the public domain about what exactly that tracking would look like. So far, the majority of European governments appear to opt for “anonymized” location data to measure movement of people, rather than individually targeted tracking. At the same time, the US Centers for Disease Control and Prevention and National Institutes of Health appear to be considering the use of facial recognition technology, in cooperation with Clearview and Palantir.
Is this invasive, personalized tracking really the cure for the pandemic?
Revisiting the possible statistics from a medical perspective raises the question of whether we can really measure what should be measured. Long incubation times of the virus of up to 14 days mean there is no clear information on how and at exactly what time the virus had been spread or would have been spread from one human to another, and data is often only available with a delay of 12 to 24 hours. Data accuracy leaves a big question mark with regard to the appropriateness of government citizen tracking for fighting corona and what happens once the pandemic is, hopefully, over.
The uncertainty of governance issues around data usage to fight the spread of COVID-19 has also led to various calls for responsible frameworks, alas often using an “ethics” terminology, whereas the Business & Human Rights community would certainly be more in favor of rights-based language, such as privacy. The question arises whether it is more harmful than helpful to embark on unvisited territory at fast speed with COVID-19 tracking apps. Upholding checks and balances when introducing such large-scale monitoring measures takes more time than decision-making bodies might allow in a crisis response mode. Also, “tech solutionism” might easily become outdated: with more and more countries putting strict lockdown measures in place, tracking apps might become obsolete as human interaction is reduced to a minimum.
Isabel Ebert is a Research Associate and PhD Candidate at the Institute for Business Ethics, University of St. Gallen, Switzerland. Her PhD, under joint supervision of Prof. Florian Wettstein at the Institute for Business Ethics and Prof. Gina Neff, Oxford Internet Institute, University of Oxford, focusses on ethical questions regarding data disclosure by companies to governments. Since September 2019, Isabel has been a visiting researcher at the Oxford Internet Institute.