Data Ethics in the Time of COVID-19
In the midst of a pandemic, do we need to exchange privacy for safety?
Around the world, governments are facing a harsh trade-off between data privacy and public health. Though quick access to data is important to fight the coronavirus outbreak in order to forecast infection trajectories, the risk of losing data privacy is highly controversial. For accurate surveillance and forecasting, governments would need as much varied data as possible, meaning many governments around the world are expending significant energy to obtain it.
However, many argue that giving them access to such a volume of personal data could have long-lasting consequences for our privacy. As Dr. Yong, a professor of Journalism and Communication at Peking University, noted “You might as well ask yourself, has history ever shown that once the government has surveillance tools, it will maintain modesty and caution when using them?” And this is the crux of the problem: will giving governments access to all of our personal and geographic data lead to greater loss of privacy in the long-term? We are already seeing examples of governments potentially violating privacy rights to collect data they claim is necessary to fight a pandemic, but has arguably been collected for other, less clear purposes. Whether or not these measures are doing more individual harm than public good is of debate.
The major reason many are resorting to mass surveillance is for a method called “contact tracing.” This is a widely-used method to help prevent the spread of a disease. At its core, this involves tracking every individual within a region with a known outbreak, to trace who has possibly come into contact with an infected person. It is a very effective way to limit the spread of an infection, but traditionally has been performed in person — not by mass surveillance, and certainly not using digitally-obtained personal data.
In the age of Big Data and machine learning, every individual is a beacon of information — and so are their smartphones. Countries all over the world are using various methods to track people’s whereabouts through their smartphones. While some countries like Belgium, Austria, and Germany are using aggregated, anonymised geographic data obtained from telecommunications companies, other parts of the world are choosing more direct methods to track people’s movements. Some nations have implemented laws in place that exempt them from adhering to data privacy laws in national emergencies.
Most of the countries that have been successful (so far) in containing their outbreaks — China, South Korea, and Singapore — have used strict surveillance measures to track and isolate infected persons. Those countries who were more lax in their tracking methods (e.g., Italy, Spain, and the USA), saw more rapid and widespread infections, quickly became new coronavirus epicentres.
Many nations have resorted to having their citizens download apps to enter personal information and allow them to be tracked digitally to ensure they are complying with the laws. The Polish government uses an app to ensure people required to be in quarantine stay in place for 2 weeks. Using the app requires you to register a selfie, and send occasional geo-located selfies when requested. Should you fail to submit a selfie within 20 minutes of the request, the police are notified and will go to your location to make sure you are still home.
An app isn’t always required to obtain this information; in South Korea for example, the government uses individuals’ phones, credit card records, and face-to-face interviews with patients, to gather geolocation data on its citizens for the purpose of contact tracing. The data is then used for a publicly available, retroactive map that allows anyone to check whether they may have crossed paths with a coronavirus patient. Moreover, they are using the same map data to send regional text messages (which can contain semi-personal information) to individuals about the possibility of having come into contact with a patient. Once concern is that in smaller communities, this personal information could potentially allow someone to be identified. In Taiwan, the government created an electronic “fence” that tracks mobile phone data and alerts the authorities if someone leaves their home when they are required to be quarantined. Authorities respond within 15 minutes of this alert being triggered; if your phone is off or runs out of battery, the police will visit your home.
Access to more data does not guarantee a decrease in infections. Iran, which has one of the higher rates of infection, adopted surveillance measures that violated national data privacy laws. In March, Iranian citizens were asked to download a government-endorsed app that claimed to be able to diagnose people by answering yes/no questions. The reality, however, was that people’s sensitive, personal information, and their real-time location data, was being sent to the government. The app’s prompt asking for permission was displayed in English — not Farsi — so the majority of people registering unknowingly gave the government permission to save their data. Moreover, anyone using older phones never received this prompt at all, completely unaware of how their data was being used. Shortly after its release, Google removed it from its app store. Around the same time, the Israeli Prime Minister approved new surveillance measures whereby Israel’s Security Agency does not have to obtain a court order to track individuals’ phones. While the new law claims all data collected must be deleted after 30 days, it is unknown whether this will be enforced. The Prime Minister himself declared this an invasive measure that infringes on people’s privacy, stating “We’ll deploy measures we’ve only previously deployed against terrorists.”
Meanwhile, here in the UK, an opt-in contact-tracing app similar to the one deployed in Singapore is being developed. Whereas the app in Singapore automatically identifies people who have been within 2 meters of a patient for more than 30 minutes, the UK app employs more anonymous tactics. Essentially, a user would self-report if they develop symptoms, which sends out an alert to people that have been in close proximity to them. If that person finds out they are positive for COVID-19, they would enter a unique code, which sends out an anonymous “red alert” to anyone who has been in close contact. While both the UK and Singapore apps use Bluetooth technology, the UK government believes their software adheres to strict ethical and security standards, despite tech giants stating otherwise. Only time will tell how effective this app will be at contact-tracing.
But with everything happening, what examples are these nations setting for future use of private data? Dr. Yong recommends adhering to three principles in seeking the right balance between privacy and public health. First, lawmakers who overstep privacy boundaries for the greater public must treat these occurrences as exceptions rather than norms, and must also be justified by human rights law. Second, lawmakers should ensure that basic civil rights will remain in the event privacy is weakened. And third, lawmakers should heavily restrict how they use any data collected during a crisis. It should not be used for any other purposes other than those stated, and should adhere to strict security standards.
How will your privacy be affected by contact tracing? And how will this experience affect how you approach data privacy in your own projects and the workplace?