Keep calm, and your privacy

Businessman on his phone while wearing a mask in the city during COVID-19 pandemic

This article was co-authored with Nishan Chelvachandran1.

Pandemic!

Emergency!

Hack COVID-19!

As the novel coronavirus has evolved from an emerging threat to a clear and present danger on a global scale, governments have begun to use our digital footprints as a tool to flatten the curve. But as these governments trade the public’s data privacy to reduce the spread of COVID19, are they taking enough time to consider some important questions that will have long term ramifications?

Surveillance via contact tracing technology

Today, contact tracing via mobile device usage is being applied so we can track and trace the steps of COVID-19 infected patients. But we can also conclude on an epidemiological level how our behaviors, economic practices, and societal constructs influence the speed of the infection, and whom and what areas are most at risk. The use of location data can be useful both for academics and researchers involved in pandemic research, as well as first responders and front-line agencies planning and delivering resources.

But as much as this crisis helps accelerate long overdue shifts in technological and innovation processes, this unprecedented event also becomes a catalyst for an irreversible data privacy and agency shift, that – due to a sense of urgency – is being initiated under undefined ethical frameworks and civic regulations.

Looking across the globe, we can compare the approaches of countries and the mechanisms they have implemented in the fight against novel coronavirus. In some countries, like China, state surveillance of citizens is an acceptable norm. China has recently managed to monitor and contain the COVID-19 epidemic for the time being, using innovative and decisive solutions such as creating cloud data for hospitals; an admirable feat.  

Many countries are similarly using cutting edge technologies to track the spread, starting with data sharing and analysis. In order to minimize and prevent the loss of life to COVID19, countries that up until now carried the torch for digital rights and strict regulations are adopting  surveillance strategies. While it is sensible to use all available tools to combat the national and global threat of the virus, its use should be applied with prudence and based on long-term strategic thinking. 

In the interest of public safety…

a person about to enter their personal information into a social media mobile application

What once was a dystopian nightmare scenario occurring in a distant future or a world beyond the borders of the European Union’s General Data Protection Regulation (GDPR),  many countries are now openly using technology as surveillance measures on their citizens. Even European countries that have championed these regulations use the GDPR exemption clause in cases that are “in the public interest” – and run the risk of making such regulations obsolete if not carefully thought through.

Under the term ‘contact tracing’, governments deploy intelligence agencies, telecommunication companies, and tech platforms to track and trace mobile devices’ positions to track the steps of their owners and understand whom they have been in proximity to. Such collaboration seemed like an improbable action on the battlefield of data regulation merely months ago. Social media platforms such as Facebook were reluctant to monitor political propaganda or hate speech, and Apple’s ongoing refusal to collaborate with the U.S. government to hack suspected terrorists’ phones has frustrated officials.

The European Union’s GDPR was created with civic rights in mind but included a loophole enabling governments to override them in favor of public interest. Some would argue that in European democracies, citizenship holds a level of trust to their states, in that being governed by consent, politicians have the best interests of citizens at hand and the temporary suspension of legislation and governance frameworks for the greater good is acceptable. 

The idea of allowing real-time responses by governments is not too dissimilar to the analogy of battlefield medicine, where speed in treatment takes precedence, no matter how messy or unconventional the course. However, those loopholes require a clear framework that does not exist even when business is as usual. Instead, we are seeing every country using its own discretion on whether to join data surveillance practices or waive them. 

Latvia has exercised its right to be exempted from obligations in the ECHR (European Convention of Human Rights), granting citizens privacy and data protection rights. At the same time, Slovakia passed a law last month to use telecom data to ensure people abide by quarantine laws. If you consider the aspiration for GDPR to become a standard, why is it not applied across the European board equally, even in a non-emergency situation? The argument is that, as users are readily giving their data out to social media and communications platforms, then there should be no issues for government agencies to also have the same level – if not complete access to – this aggregated data. 

At the time of this writing, the EC published a set of recommendations framing a “common toolbox” for the use of technology and data to combat the COVID-19 crisis. While it has been hailed by some as a relief to the concerns of those in the cybersecurity sector, on closer examination of these recommendations, it should be pointed out that much of the recommendations refers to each Member State’s legal frameworks, and use of data and surveillance deemed appropriate for the public good. In essence, rather than providing the framework or methodology for the use of targeted and direct surveillance, the recommendations act as an institutional security blanket to reassure the member states that there are appropriate loopholes and clauses in place to enact surveillance measures lawfully. They do this by either gaining some form of consent, or acting in the public interest.

The COVID-19 pandemic is a real-time stress test on our legal and societal constructs.

How private is our data?

Here is the real catch. The EC wants telecom companies to provide the actual aggregated data, and not just have access to the insights which the companies offer from the information. The reassurance was given that government agencies “anonymize” the data to ensure privacy. Look beneath the surface and you’ll find that other cybersecurity experts will say this is not the case. 

Researchers at Imperial College London revealed in a study in 2019 that there is a way to re-identify 99.98 percent of individuals using 15 demographic characteristics in location data. Identities can be revealed through reverse engineering multiple aggregated data-sets, despite being “anonymized”. And so, with work still ongoing to find a robust mechanism to provide data anonymity whilst maintaining analytical value, it is legislation, governance and methodologies that ensure the measures we take are proportionate and in keeping with general consent. 

We are not far from the aftershock of the 2016 Cambridge Analytica scandal, a UK-based data analytics company with borderless global reach, which combined seemingly isolated data points, captured through misappropriated means, and loopholes in data privacy policies, in order to profile users and use strategic communication as a political steer. 2020 is seeing the next election cycle in the United States, where fake news, misinformation, and “strategic communications” based on user profiles and information is very much one of the driving mechanisms and tools utilised to steer public opinion. 

With this in mind, perhaps the thought of the state having a better and easier ability to connect the dots, both reactive and proactively, is a little more real, and a little less sci-fi thriller. The application of contact tracing is a prophet bird for more sophisticated real-time data capturing methods. As we expand the use of spatial and ubiquitous computing, we are also enabling an easy path for behavioral and cognitive data mining during our everyday interactions with any digital platform, or when we simply move around our homes or walk in our streets. 

How to use data for emergency preparedness

Rear view of a surgeon putting on a surgical mask in an operating room in a hospital

Using a similar medical analogy, when a patient in a hospital emergency room is declared to be “coding”, a process is initiated whereby appropriately trained staff mobilize to perform their critical function. The situation seems chaotic, but as any medical professional would corroborate, it is a situation that is rehearsed, with drills, and training, and a well-defined framework that is created from scientific and evidence-based research and data.

The COVID-19 pandemic is a real-time stress test on our legal and societal constructs. It highlights the many failings that countries have in preparedness, be it in response and physical resourcing, or business practices not having the robustness, resilience or agility to bear such strain. In the short term, we may not have a choice but to pick the low hanging fruit and utilize exemptions or suspend current mechanisms to facilitate affirmative action. However, we must ensure that we do not overlook what we are doing and the potential consequences. 

Critical questions that policymakers should be answering include:

1. How deep do these data pools go? 

2. How long and by whom is this data stored? 

3. How do we ensure that inappropriate data is not mined during and post COVID-19?

4. How do we ensure that the data that is mined will never be used for commercial or government use on any non-COVID-19 applications?

In our longer-term thinking, the core learning about data privacy is that we failed to form a framework that defines ethical standards and procedures that can withstand stress tests. The second core learning relates to the application of big data systems. Here, we failed to put in place collaborative and effective data-sharing systems: Systems that support the work of critical key workers and front line first responders in medicine, education, social care, logistics, environmental, municipal and vital infrastructure services. 

We need the “code” methodologies of medicinal practice, where in times of emergency, we have well versed and consented methods to respond to and proactivity deal with the situation. Such methodologies will continue to enshrine the ethical and moral values of our society and citizens. We must use the COVID-19 pandemic as a blueprint on how we tackle other global crises: the climate crisis, existing diseases such as malaria, and dengue fever, and future viruses we may encounter.
If we truly want to protect our future and the future for the next generations, we must listen to the voices of the future like Autumn Peltier, from the Wiikwemkoong First Nation on the protection of water: “When we stand together as one, we are one voice and one nation, and together as one we are stronger.”

  1. Nishan Chelvachandran is an Impact Entrepreneur, Fellow of the RSA, cybersecurity adviser, strategist, published author, and former UK police officer, with years of experience built on bespoke operational activity in the UK Public Sector. Nishan specializes in the areas of Operational Digital Transformation, Digital Intelligence Forensics, Cybercrime, Cyberoperations and CyberWar, Counter-Terrorism, Surveillance and Intelligence. He is the founder and CEO of Iron Lakes; a human-centric impact tech consultancy based in Finland. He has contributed drafting of the IEEE standards on Ethically Aligned Design, and the P7000x series of ethics in Autonomous and Intelligent systems. An advocate for the implementation of the UN SDG’s through real work implementation and projects, he leads with AI Commons, a Global Collaboration working to scale and democratize the use of AI and Data solutions globally, for the common societal good

About Futurithmic

It is our mission to explore the implications of emerging technologies, seeking answers to next-level questions about how they will affect society, business, politics and the environment of tomorrow.

We aim to inform and inspire through thoughtful research, responsible reporting, and clear, unbiased writing, and to create a platform for a diverse group of innovators to bring multiple perspectives.

Futurithmic is building the media that connects the conversation.

You might also enjoy
Illustration of Michael Geist
Podcast episode 24: COVID-19 and our digital rights Pandora’s box