What happens to the extensive surveillance apparatus once the crisis passes? What will be the steps to dismantle it?
With the unprecedented spread of the COVID19 disease across the world and the spiralling death count, technology giants like Google and Facebook are stepping up their efforts to help the governments contain the outbreak. Earlier this month, The Washington Post reported that Google and Facebook are in talks with the US government to aid in the fight against the pandemic by sharing aggregated and anonymised location data of users gleaned from smartphones. Following the US, these companies have also announced that they are in talks with the UK government and some telecom companies for sharing similar data to combat the disease in the country.
The idea is that using aggregated and anonymised data, health officials can see if people are actually maintaining social distancing. For example, if there are many people visiting a particular place and travelling together, officials can use data to help them find shelter or help them reach their home.
A more invasive measure that public health officials use is contact tracing, where actual or suspected patients can be monitored using location data and be sent messages urging them to get tested and contain the infections. A contact tracing alert generally includes the infected person’s age, gender, and a detailed record of their movements bolstered from additional databases like credit card companies. At the moment, China, Taiwan, South Korea, Singapore and Israel have enacted emergency measures to enable contact tracing from mobile phones.
So far, Google and Facebook have said that they aren’t giving out exact user location data to governments. Google said that it did receive many requests to enable contact tracing, but did not have the appropriate data for the same. However, for these tech giants, not having appropriate data doesn’t mean that they don’t have the capability to do so. Google does keep a detailed history of user GPS location data (users can disable the same and can opt out of it).
Meanwhile, Facebook CEO Mark Zuckerberg has pointed out that the company has developed a Disease Prevention Map as part of its Data For Good initiative, which uses aggregated and anonymised location data to track people’s movement in the event of a disaster. These maps were created by pairing with existing public, proprietary, and user generated datasets. So far, these maps have been used by public health officials to increase vaccination drives in Malawi and create a risk model for cholera outbreaks in Mozambique. Google, on the other hand, has started a project with its sister company Verily where users can volunteer to share medical data with researchers and pharmaceutical companies. For now, the project is still in the beta phase and asks users to fill out a questionnaire asking about their health condition. Using the inputs, it will redirect them to three testing sites in the San Francisco Bay Area.
Undoubtedly, these tools will help policymakers and researchers calibrate their efforts to ensure that people are adhering to social distancing norms. However, privacy hawks point out the old concerns with the extent of surveillance with modern digital technologies.
Even though technology companies say that they will ensure a user’s anonymity, it has been shown repeatedly that users have been re-identified with advances in technology and data collection. For example, a 2018 study showed that anonymised data collected from wearable activity trackers fed into a machine learning algorithm were successfully re-identified. The anonymised data used in the study removed location and protected health information (which includes name, phone number, email address, etc). The study showed that 94.9% of 4,720 adults and 87.4% of 2,427 children were successfully re-identified with a set of participants.
But what is more worrying about the COVID19 pandemic, is the fact that governments themselves are willingly giving up more sensitive information about patients and potentially infected persons. The science magazine Nature points out that numerous apps and websites have sprung up that publish information from government websites on individuals who have tested positive for the virus including travel history, the hospital that they are being treated in, age, gender, nationality, family relationships with other persons infected, local clusters, etc. For example, COVID19 SG is a website which spools information and data from Singapore’s Ministry of Health.
Closer home in India, states like Karnataka and Telangana have started to publish information about international passengers who have been asked to quarantine themselves. Though these dashboards do not mention passengers’ names, virtually every other information regarding them has been published including home address, passport number, and travel itinerary.
Privacy researchers say that the specificity of the information of each case that is published is what worries them — a person with COVID19 or people in quarantine could be easily identified and their right to privacy compromised. The loss of privacy in these scenarios would lead to social stigma. This might even deter people from getting tested, as their information would be made public if they test positive. At a broader level, these lists can be abused where e-commerce companies might create negative lists and refuse delivery to these addresses fearing risk of infection, a crucial service at this hour when most shops are shut.
More invasive measures of tracing and tracking people have been introduced in Hong Kong where passengers arriving from international terminals are being given a wristband and are required to download an application which tracks their location to ensure that they are being quarantined. The wristband will geofence a user and will send out an alert to government officials if it finds that they have stepped out of their homes. The Karnataka government now requires people in quarantine to send a selfie every hour to a government application to prove that they are staying home, failing which they would be moved to a mass quarantine facility.
These are extraordinary times that require extraordinary measures to contain the damage by COVID19. But as more panic spreads, there will be an increased push to give up privacy for a safer future. This was demonstrated in a recent webinar hosted by the Department for Promotion of Internal Trade and Industry (DPIIT) where a number of luminaries from the tech startup ecosystem brainstormed solutions for containing the disease. One of the measures discussed was leveraging prescriptions at pharmacies to identify at-risk populations (the elderly, people immunocompromised conditions, respiratory disorders, etc). Prescriptions are considered sensitive personal data due to the large number of identifiers in them, but the participants felt that it was necessary to suspend privacy needs for the greater good.
This need to ignore privacy extends beyond medical data. As the webinar continued, there were requests made to re-enable the Aadhaar eKYC to “jump start the fintech ecosystem.” Aadhaar eKYC was barred following the Supreme Court judgement which said that Aadhaar cannot be used by private companies as it exposes personal information unnecessarily to them. Yashish Dahiya, CEO of PolicyBazaar, argued that revenue for his group company Paisabazaar, had dropped to nearly zero as his staff was unable to complete physical KYC for loan products during the lockdown period announced by Prime Minister Narendra Modi, thus the need for Aadhaar eKYC. This demonstrates an opportunism to benefit their business models while ignoring larger privacy concerns using Aadhaar data.
Governments and companies believe that it is necessary for privacy to be suspended to tackle the effects of the virus, both from a public health and economic perspective. But what happens to this extensive surveillance apparatus once the crisis passes? What will be the steps to dismantle it? Major technology companies of the world have built their vast fortunes by not taking enough measures to protect users’ privacy so as to feed their advertising businesses. How willing are governments and companies to not breach individual privacy?
This pandemic has been termed a black swan event, the first one since 9/11. The US government, in its aftermath, increased warrantless mass surveillance through the National Security Agency (NSA) under the pretext of security and deterrence from future attacks. Later investigations show that mass surveillance did little to achieve those goals. Instead, what worked was traditional investigative methods, tips from informants, and targeted intelligence operations. Similarly, for the public healthcare system, traditional methods need to be bolstered like increasing the number of doctors and hospitals, stocking enough equipment and supplies for future epidemics and pandemics, free testing facilities, etc. Increasing healthcare capacity will help in preventing undue privacy invasions and find an optimal balance between individual rights and the larger public interest.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
PREV