How can we protect privacy during a crisis like Covid-19, when “health surveillance” is on the rise around the world?
A couple of weeks ago, this blog looked at the use of smartphones to track people so that contact tracing can be carried out to slow the spread of Covid-19. Two weeks is a long time in a pandemic. Soon after, it emerged that many countries were going further, and using smartphone location to check that quarantined individuals were staying at home, and that people weren’t congregating in public. Countries adopting this approach include Canada, Poland, Taiwan and the EU. In the last few days, many more governments have joined in, including those of Ecuador, the UK, Singapore, Israel, Russia, Pakistan, Kenya, Bulgaria, South Africa and France. That astonishing escalation has alerted people to the larger risk here: that the coronavirus emergency will be used to introduce additional permanent surveillance, and to roll back hard-won privacy protections.
Already, emergency legislation is giving governments unprecedented powers. In the UK, the recently enacted Coronavirus Act 2020 provides ministers, local councils, the police, and health professionals with strengthened powers to tackle Covid-19, powers that have severe implications for civil liberties. The legislation will be in force for two years, reviewed every six months by the UK parliament. Hungary has gone even further, passing a law that gives the country’s prime minister, Viktor Orbán, the right to rule by decree, bypassing parliament altogether. Unlike the UK law, the one in Hungary does not specify a time limit on those powers. It also imposes jail terms of up to five years on “those hindering measures to curb the spread of the virus or spreading false information that could upset people or hinder the fight against the virus.”
Part of the problem is that even the staunchest defenders of privacy and human rights recognize that these are exceptional circumstances, and that it may be necessary to allow exceptional measures in order to tackle the pandemic and limit the number of deaths. Important provisos are that any such emergency powers must be the minimum needed, and that they should be rescinded completely once the crisis is over. Some warn that too much protection for privacy during this time could even end up harming privacy:
If our concern with privacy prevents urgent political action for the sake of public health surveillance, people will blame additional deaths on privacy itself. People will stop valuing privacy as a good, and any commitment to its preservation will become unfashionable.
Against that background, the digital rights organization Access Now has produced its “Recommendations on privacy and data protection in the fight against COVID-19”. The document provides a useful round-up of what is happening in this fast-moving area, with case studies, and specific guidance to help governments address the public health issues while ensuring that people’s rights are respected. Broadly speaking, its recommendations are similar to those offered by the EFF a few weeks ago. The latter called for any privacy intrusions to be necessary and proportionate; data collection to be based on science, not bias; emergency surveillance approaches to be rolled back once the pandemic has been contained; the use of “big data” to track virus spread to be clearly explained to the public; and for governments to ensure that due process is respected.
In the EU, another important consideration is the GDPR. Max Schrems and his noyb.eu organization have put together a preliminary analysis of the minimal requirements of the GDPR when applied to tracking people using smartphone apps. It also has a useful list of projects around the globe using personal data to combat coronavirus.
As the noyb.eu paper points out, tracking populations using mobile network data is not much help because it is not accurate enough to tell people whether they have been close to someone who is infected. Instead it focuses on the use of short-range technologies such as Bluetooth, WiFi, and NFC. This is precisely the approach taken by a new app from the Singaporean government called TraceTogether. It’s similar to the one discussed previously on this blog, but has the great virtue of being available now:
TraceTogether uses Bluetooth signals to determine if you are near another TraceTogether user. Your Bluetooth proximity data is encrypted and stored only on your phone. The Ministry of Health (MOH) will seek your consent to upload the data, if it’s needed for contact tracing.
If you had close contact with a COVID-19 case, TraceTogether allows the MOH to call you more quickly, to provide guidance and care.
Singapore’s Ministry of Health is planning to open source the code so that others can adapt and build on it. The new Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project adopts a similar approach, and is also open source. Opening up the code in this way is good news, because it could allow other programmers to implement ideas for protecting privacy even more, for example this one (original in German). The basic improvement is to use a temporary ID for users, not a fixed one. When the user is near another user of the app, both smartphones store the two temporary IDs. If one of the users becomes infected, the smartphone uploads the anonymous IDs encountered recently to a central server. Using what is known as a push token, the server can then alert the owners of the relevant smartphones without possessing any personal information about them.
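A minimal simulation of the temporary-ID scheme described above, added here as an illustration (not code from TraceTogether, PEPP-PT or the German proposal). The class names, the 15-minute rotation, the 14-day retention and the step where each phone registers its temporary ID with the server alongside its push token are all assumptions.

```python
import secrets
from collections import deque

# Assumption: IDs rotate every 15 minutes and 14 days of encounters are kept.
RETENTION = 14 * 24 * 4

class Server:
    """Holds only temp ID -> push token; no names, phone numbers or locations."""
    def __init__(self):
        self.token_for_id = {}

    def register(self, temp_id, push_token):
        self.token_for_id[temp_id] = push_token

    def report(self, encountered_ids):
        # Resolve uploaded IDs to push tokens; unknown IDs are ignored.
        return {self.token_for_id[i] for i in encountered_ids
                if i in self.token_for_id}

class Phone:
    def __init__(self, server):
        self.server = server
        self.push_token = secrets.token_hex(16)  # stands in for an OS push token
        self.seen = deque(maxlen=RETENTION)      # old encounters age out
        self.rotate()

    def rotate(self):
        # A fresh random ID, so observers cannot follow one phone over time.
        self.temp_id = secrets.token_hex(16)
        self.server.register(self.temp_id, self.push_token)

    def meet(self, other):
        # Both phones log the ID the other one is currently broadcasting.
        self.seen.append(other.temp_id)
        other.seen.append(self.temp_id)

    def report_infection(self):
        # Only the encountered temporary IDs leave the phone.
        return self.server.report(set(self.seen))

def demo():
    server = Server()
    alice, bob, carol = Phone(server), Phone(server), Phone(server)
    alice.meet(bob)
    first_bob_id = bob.temp_id
    alice.rotate(); bob.rotate()
    alice.meet(bob)  # same person, but Alice's log now holds two unrelated IDs
    alerted = alice.report_infection()
    return (alerted == {bob.push_token},
            carol.push_token not in alerted,
            first_bob_id != bob.temp_id)
```

In this sketch the push token is itself a stable pseudonym: the server can link all temporary IDs registered under one token, so the design hides identity from other phones and from the uploaded contact list, not from the server's own registration table.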
As Yuval Noah Harari wrote recently: “We can choose to protect our health and stop the coronavirus epidemic not by instituting totalitarian surveillance regimes, but rather by empowering citizens.” Smartphone apps like TraceTogether and PEPP-PT that build in privacy as standard show how.
Featured image by fernandozhiminaicela.