As governments across the globe turn nearly all of their attention to finding the best ways to fight the Covid-19 pandemic, there will be an increasing temptation to harness the power of data in ways that we may find quite intrusive under normal circumstances. This is perfectly understandable, and one might argue that drastic times call for drastic measures. However, we must remain vigilant that we do not allow temporary measures taken during a crisis to become the status quo and erode our data privacy and civil liberties.
A good place to start this discussion is with contact tracing. You might have heard the term on the news or on one of the UK government’s daily briefings on coronavirus. The idea is fairly simple: if you know someone who is infected with a contagious disease, try to find all the people who have been recently in touch with the infected person. Then you take precautionary measures, such as quarantining the infected person and all those people who came into recent contact with them. If any of these other people were infected but have not yet developed symptoms or are potentially asymptomatic, then they don’t risk spreading the disease any further. This idea isn’t new and is in fact a well-established method for disease control.
What is new is the way in which governments have enhanced contact tracing using modern technology. The old-fashioned way involved simply asking the infected person to recall with whom they have been in contact over a certain period of time. This presents a few challenges. The first is simply that human memory is fallible. You might forget some people with whom you were in contact or you might misremember when you were last in contact with someone. The other issue is that, even if you had perfect memory, there are a lot of people you come in contact with that you don’t know. Although you may be able to give the names of family members, friends and co-workers to a health official, you may find it significantly more difficult to identify people that were on the same bus as you or were standing next to you at the supermarket and so forth. Technology comes to the rescue by allowing health workers to identify all of these people through your mobile phone.
GPS vs Bluetooth
There are different ways this can be done. The most obvious way would be to use the GPS functionality of the phone to keep track of your location at all times. This is by far one of the most intrusive ways of going about this. It requires sending all this personal data to a central database, where the government can then perform a lot of computations to figure out all the crossing paths between individuals.
The smarter way to do this is using Bluetooth technology. In a nutshell, every phone with Bluetooth enabled behaves like a beacon, and if you and someone else are in close proximity to one another, your phones exchange beacon identifiers. If someone gets sick, the individual can choose to report this on the contact tracing app and anyone who came in contact with that person gets a notification warning them of that fact. This has several advantages. Geolocation tracking, which can seem a bit creepy, is no longer necessary as everything is based on proximity to other phones, rather than based on your actual longitude and latitude. There is no need for a centralized database to compute the crossing paths of individuals. The beacon identifiers can be made anonymous, which helps with data privacy. And for added security, you can have the app change the beacon identifier every 15 minutes in order to prevent any cunning de-anonymization.
Around the world
Given this context and these different options, what are different governments around the world choosing to do? Singapore developed an app called TraceTogether that essentially uses the Bluetooth method described above.
Hong Kong is using WhatsApp and asking its quarantined citizens to constantly share their location.
South Korea uses a customized app that sounds an alarm to the user and alerts government officials.
Taiwan uses mobile phone masts to figure out where its citizens are. Israel has decided to simply geolocate all of its citizens.
Israeli Prime Minister, Benjamin Netanyahu announced on 14 March: “All means will be used to fight the spread of the coronavirus, including technological means, digital means, and other means that until today I have refrained from using among the civilian population”.
Iran developed a health app and encouraged its citizens to download it until a whistleblower showed that the app wasn’t just collecting the location of its users but also their name, gender, height, weight and mobile phone number. After the backlash, the Iranian Ministry of Health later disavowed the app and blamed the Ministry of ICT for its development.
China isn’t just tracking phones, they’re also using other forms of electronic surveillance including facial recognition software and drones to monitor where everybody is.
The issue is clearly not if this technology can be helpful in fighting the Covid-19 global pandemic — that answer is clearly ‘yes’. The question is whether this can be done safely in ways that will protect our data privacy and our civil liberties. As Kurt Opsahl, deputy executive director at the Electronic Frontier Foundation, said:
“Once you create things, they tend to stick around and get repurposed for other things. We need to make sure we’re building something that’s for a future we would want to live in, not enabling a technology that may seem like a good idea now but that would last longer than the crisis”.
Opsahl goes on to draw a parallel with the US Patriot Act, signed into law shortly after the 9/11 terrorist attacks in 2001. Once you have created those sorts of powers, it becomes difficult to take them back after the crisis has subsided.
Closer to home
What about closer to home: what’s going on here in Europe?
The German government has asked Deutsche Telekom to give geolocation data to the Robert Koch Institute, the government’s public health agency. However, the data is aggregated so that no individuals can be identified. This is not useful for contact tracing but is useful for other forms of epidemiological modelling and to see how social policies, such as encouraging people to stay at home, are performing in different geographical locations.
The British government is requesting similar access from its mobile carriers. The Investigatory Powers Act of 2016 would allow the UK government to demand that information and even do so in secret. Fortunately, they have chosen to take a more open, transparent approach with the public. In a recent coronavirus daily briefing, Matt Hancock, the Secretary of State for Health and Social Care, mentioned that the UK government was looking into the possibility of using smartphone enhanced contact tracing using Bluetooth, thus following the Singaporean model.
The Singaporean model whilst interesting and perhaps one of the better-done versions of this technology enhanced contact tracing, it is far from being perfect. As of 26 March, only 13% of the population has downloaded the app. From a data privacy and civil liberties perspective, it makes sense not to force people to download the app. The problem is that from an epidemiological perspective, experts believe that only if you get close to a download rate of 60% or above will the app have the desired impact on stopping the spread of the disease. Interestingly, Apple and Google are working together to make adoption easier. They are updating the Bluetooth software on iOS and Android devices in such a way that it will make it very easy for health officials to create Bluetooth based contact tracing apps that will work across both platforms. The two tech giants are not getting at all involved in how health authorities use that information and they are not forcing users to have the contact tracing functionality switched on. However, they are making it a little bit easier for such data to be available for anyone who does want to participate in this.
An exit strategy?
Many of us have been wondering what an exit strategy for the lockdown might look like. Since getting a safe and reliable vaccine could be 18 months or more away, it is likely that in the short to medium term, an easing of the lockdown might involve using these sorts of apps.
The combination of more widespread testing and a contact tracing app could be quite effective for fighting the virus. It could be that the UK government decides that the price for the freedom to leave your house is to download an NHS contact tracing app. However, that would definitely feel like an infringement of our data privacy and civil liberties. It’s also difficult to predict what unintended consequences further down the line might result from developing and deploying this technology. At the very least, if we were to go down this path, we would need to be extremely vigilant about the ethics of all this and that the technology is not abused. Where do you stand on the issue? Would you be happy to download a contact tracing app in exchange for a bit more freedom to go outside again?
Head of Data Science at Profusion