Public health vs personal digital privacy amid Covid-19 spread
Health organizations and governments all over the world are using technology to communicate, track, monitor and predict the spread of COVID-19.
There are likely to be very few people who would object to the use of technology to track an infected person to ensure they maintain quarantine; I may even advocate such use, ESET reported.
However, unprecedented times should not result in any long-term removal of our privacy rights, especially in cases where legislation has been rushed through to allow the fulfillment of medically urgent needs for data collection or use, the report reads.
In some instances, data is being extracted from smartphones on an individual basis or en masse. In the current age of COVID-19 concern, data potentially relevant to tracking the disease is being gathered, or there are proposals to gather it, via several mechanisms.
Custom apps developed to enable communication between health care professionals and patients, to keep people informed with official communications and to provide a warning if an individual has been in close proximity to someone testing positive. There are other use cases mentioned below.
Mobile phone companies are being asked, or already have, subscribers' geotracking data, or already have, allowing the modeling of infection predictions based on actual phone subscribers’ movements.
Popular social media apps also track location, unless the member has elected not to share location data. There are stories circulating in the media that some governments have approached the leaders of social media companies to explore the opportunity of using their data to see if social distancing is effective.
At the start of the outbreak in China, the authorities there required citizens in Wuhan to provide personal information so that device tracking could be linked to individuals. The Guardian then reported that Taiwan used phone tracking to enforce self-quarantine, citing an example of automated text messages being sent when a quarantine-mandated individual left a geofenced perimeter.
Singapore's ministry of health made victims' personal information publicly available, which allowed developers to create maps and show locations, raising security fears for those concerned. In the last few days the authorities there have also released an app called TraceTogether that identifies, using Bluetooth, if you have been in close proximity to a coronavirus patient.
In Germany, UK, Austria, Belgium, Italy and South Korea, mobile operators have been reported to be sharing aggregated or anonymized location data with health authorities. In South Korea, data was also shared by credit-card companies. The European countries where personal data is protected by the General Data Protection Regulation are using an option to suspend the regulation in face of a civil crisis. Article 9 of the GDPR allows for processing of health and other usually sacrosanct data when necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
Despite the exceptions in regulations being used to share data with health and government authorities, the regulations that cover the protection of data should be adhered to. For example, the GDPR states that data must be encrypted when at rest and in transit, and these requirements are still mandatory.
In Israel, authorities approved new surveillance measures allowing citizens to be tracked by monitoring mobile phones. In contrast, Hong Kong tagged new arrivals to the region using wrist bands that log and transmit location data to authorities, maintaining the privacy of the individual’s phone.
An intriguing use of an app has been by the Polish authorities, requiring a quarantined individual to have an app released by the Ministry of Digital Affairs and for them to send a selfie with geo-metadata on a regular basis to prove compliance.
Several countries have passed emergency legislation to permit the use of personal data to combat the spread of the virus. For example, Italy lifted a restriction on the sharing of personal data when doing so was necessary for the performance of civil protection functions.
A few countries, including Russia and China, are using facial recognition technology to ensure that those identified as infected observe quarantine rules. The systems are collecting video through CCTV, drones and other camera-based systems.
Many of these initiatives demonstrate that innovative methods are being explored, and are in use, with governments, health professionals, technology and phone companies working together to combat the medical emergency facing the world. At the same time, privacy advocates are also being vocal about these issues. The BBC reports that in the UK a group identified as "responsible technologists" has urged for open disclosure of the UK government's plans to collect personal data through an app being created to tackle COVID-19.
ESET is a Slovak internet security company founded in 1992, now represented in 180 countries worldwide.