Privacy Compromises During COVID-19

Travis Good
May 10, 2020

In times of crisis, there’s a trade-off between personal rights and government powers. COVID-19 is opening up some very worthwhile debates about personal privacy, surveillance, and the public good. With so much uncertainty surrounding COVID, both from the start of it up until today, there are a lot of varying, strongly held opinions, about what the “right” thing to do.

COVID has accelerated trends - remote work, remote school, remote healthcare, and privacy and surveillance. Balancing the best interests of the populations and public health with individual privacy is being handled differently by different governments.

  • Cell phone data from mobile operators is being used in Europe. 
  • Iran, China, and Isreal are leveraging state-managed surveillance data and tools during the pandemic.
  • Singapore developed an application to collect and store citizen location and movement data.
  • Google and Apple are working together to share data between iOS and Android devices.

The reasons for all of these initiatives, whether private or public, is contact tracing. Contact tracing via mobile devices is extremely valuable to the containment of a spreading virus like COVID. It enables the quick identification of any contacts, both known and unknown, of a confirmed positive COVID patient. Leveraging mobile phones for contact tracing also enables the instant notification of those persons that have come in contact with the COVD patients. These contacts can be tested and quarantined to limit the spread of the disease.

The technology to conduct contact tracing, at scale, is readily available. Mobile operators have this information. Some governments have this information. Mobile apps have been developed for this purpose. And even Google and Apple are developing technology to enable this at the operating system level of mobile phones.

The privacy questions that arise from contact tracing are 1) voluntary vs mandatory, 2) is the data storage centralized, 3) is the tracing data combined with PII, and 4) when does contact tracing stop.

In some countries, like China and Iran, contact tracing is mandatory. Citizens are not given a choice about being tracked or how their data is used. In other countries, like the United States and Australia, contact tracing has thus far been voluntary. The major challenge with voluntary contact tracing is that it takes close to 60% opt-in to be effective.

Right now, some of the technologies, like those from Apple and Google, for contact tracing store all of the information on the user’s phone. This is not scalable, especially when it comes to notification and tracking of patient contacts. Centralized storage is much more effective for contact tracing but it opens up opportunities for abuse of data. Who owns and has access to this centralized datastore? It has a lot of value for both governments and businesses.

If the contact tracing data is centralized, is it combined with PII from the mobile devices? It is hard to imagine contact tracing data would not be linked to personal data about the individual.

And lastly, when does contact tracing end? COVID-19 is not going away this month or this year. And, COVID has opened our eyes to global pandemics. COVID will not be the last. Using contact tracing would enable governments to intervene early in any future global or regional pandemics.

All of these privacy questions are currently being debated. And different governments are handling them differently. Only time will tell the long term privacy implications for contact tracing and other surveillance put in place to slow the spread of COVID-19. The best thing for end-users to do is to try to stay informed about contact tracing and surveillance in their countries.