Surveillance Capitalism in the Times of Covid-19

Nothing to Hide


Surveillance Capitalism in the times of Covid-19, image by Sofia Prosper
Surveillance Capitalism in the times of Covid-19, image by Sofia Prosper

This post was originally published in the IUVIA blog Nothing to Hide, co-authored by Sofía Prósper and Genoveva Galarza (myself)

Technology positions itself as the solution for every trouble that societies, governments and corporations face today. It's the great panacea that came to save us all, never mind what kind of problem you have: there always be some technology to solve it. Or not, but who cares?

So what happens when our trouble is a global pandemic in the midst of the 21st century that has transcended borders, overloaded healthcare systems, messed up with governments and institutions and, by 8th of April, has claimed over 80,000 lives? Well, of course, the solution to control such a debacle is, again, technology, this time in the shape of mobile apps. What's the problem? some would ask. Well, the problems are the how, the who, the where and the when for each one of these apps. If we want to have a deep understanding of what is happening with these technologies, we need to review all the solutions that are currently deployed all over the world to tackle the Covid-19 spread. Each country has given a different answer.

China, South Korea and Taiwan

Permalink to “China, South Korea and Taiwan”

Maybe the wisest thing would be to start off with China, the place of origin of the pandemic. One of the most brutal traits of the way technology has been used in this country has been the lack of a free choice. The app to control the virus outbreak that has been launched by the Chinese government - and developed by Alibaba and Ant Financial - is, to start with, of mandatory download and use for all citizens. The app requires the user to sign up with their personal data and gives them an initial rating determined by their answers to a questionnaire about their current health condition, as well as the possible contacts with other sources of infection that they might have had in the recent past. From there the app - embedded in Alipay or WeChat - allows citizens to scan QR codes in certain controlled checkpoints and issues for them an "access clearance" in the shape of a colour code. Green: everything OK, go. Yellow and red: access denied, the user must be quarantined for seven or fourteen days. This information is, on the other hand, shared back with the government and used to regenerate the access codes of each individual, considering their contact with infected areas or people.

But, how can you impose something like this? How can anyone force you to download, install and use a mobile app? It is as simple as to pack cities and public spaces with mandatory controlled access points: Chinese cities, public transports and roads, everything was filled with QR code checkpoints in record time. To use the metro, the bus, to go to the park, to ride on shared bicycles, to access markets or shopping malls, residential areas... the only possible way not to use this app is to stay at home and to enjoy a huge pantry full of enough supplies for months. In summary: there's no choice.

The high effectiveness of this system is, in part, due to the fact that the Chinese government surveillance infrastructure network was already in place.

To the lack of freedom of choice we must add a worrying situation of centralized hypersurveillance - although local governments aren't forced to impose this app, it has been deployed in over a hundred cities. This situation, however, isn't new, and it's high effectiveness is, in part, due to the fact that the Chinese government surveillance infrastructure network was already in place. The app uses not only the data sent by the controlled access points designed for it, but also the information provided by the transport ministry, the railway service, the Civil Aviation Administration (CAA) and the National Health Commission.

Not far from there, South Korea also launches a mobile app that is immediately portrayed by the media as the transparent and non-authoritarian version of the Chinese approach. The system devised by the Korean is, to start with, of optional use, and it strongly depends on the voluntary participation of its citizens, something that, without a doubt, is a strong bet in eastern societies. This app has been key to de-clutter the telephone networks placed for medical assistance, as they allow the user to book their Covid-19 test and receive their results within 24 hours. However, the app registers their geolocation, which allows the government to observe if the user follows their imposed quarantine time.

South Korea Vice Health Minister Kim Gang-Lip said that "without harming the principle of a transparent and open society, we recommend a response system that blends voluntary public participation with creative applications of advanced technology." Transparency and open society are reassuring keywords for those who worry about the indiscriminate use of personal data. However, transparency can mean a lot of things, and in the case of this app, it comes along with terrifying violations of individual privacy. Apart from the surveillance over quarantine periods - of course punished with fines if those are not followed -, app users also receive frequent messages, sometimes with general information - "remember to wash your hands!" -, but also with specific details about other citizens that have been diagnosed positive for Covid-19. The example reported by The Guardian definitely chills our bones: "A woman in her 60s has just tested positive. Click on the link for the places she visited before she was hospitalized."

Apps dedicated to the control of the epidemic have the potential of behaving like a trojan horse with the excuse of a health emergency.

Even more radical is the Taiwan approach, which tracks telephone signals and alerts authorities when a quarantined citizen moves away from their home or shuts down their device. According to Jyan Hong-wei, Director General of Department of Cyber Security, those who activate the alarm will receive a visit from the police within 15 minutes.

States of emergency

Permalink to “States of emergency”

When it comes to countries with conflict situations, individual freedom and rights are in greater danger: apps dedicated to the control of the epidemic have the potential of behaving like a trojan horse with the excuse of a health emergency. This could be the case of AC19, the app deployed by the Iranian government and developed by Smart Land Strategy, the same company that developed other instant messaging apps which were removed from Google Play for collecting, without consent, user data for the Iranian intelligence agencies. Similarly, Israel has been in the eye of the storm for trying to use, over the civilian population and with the purpose of tracking the virus propagation, technology only previously used to spy on Palestinian militants. Although Netanyahu publicly assured that this "carries a certain degree of privacy violation", this doesn't seem to worry much when it comes to tackle a public health emergency as the one we are living now. However, these radical advances over individual liberties are certainly worrisome, specially in a country where the emergency state declared in 1948 during the Arab-Israeli war is still effective today.

Emergencies are convenient, and crisis periods are extremely fruitful to make decisions and pass laws that step over human rights and individual freedom. The writer and activist Naomi Klein speaks about this in her book "The shock doctrine" in terms of economic policy making: while societies are immersed in a state of shock and confusion, it's possible to enforce policies that, in any other moment, would be extremely unpopular.

Europe and its GDPR

Permalink to “Europe and its GDPR”

The arrival of the virus into the European Union has brought along the conversation about the use of technology for the control of the epidemic in the context of a relatively new General Data Protection Regulation (GDPR). The GDPR has been subjected, for the first time and globally to the whole of the European Union, to the harshest test: an extremely urgent situation in which the 27 countries of the union are assuming an enormous risk, both for their public health and for their economies. Is the GDPR strong enough to keep protecting our fundamental right to protect our privacy?

Emergencies are convenient, and crisis periods are extremely fruitful to make decisions and pass laws that step over human rights and individual freedom.

The case of Spain and the self-diagnosis app deployed by the Community of Madrid (developed by CARTO, ForceManager and Mendesaltaren, and with the support of Telefónica, Ferrovial and Google) can help us answer to this question, both from the perspective of policy on data protection and the assurances that GDPR grants us, and from the perspective of ethics. After its launch, on March 18th, 2020, the app Coronamadrid alerted professionals, particulars and communities that work on privacy issues, who raised their voices in an attempt that was understood, by many, as an unfounded boycott campaign in social media.

The first concern came from a detailed review of the first version of its privacy policy. In order to understand it fully it is necessary to first understand how the GDPR protects our rights during exceptional situations, such as the epidemic we are currently going through. The Spanish Data Protection Agency had already published, on March 12th, a full report analysing the collection and processing of personal data in the context of the virus outbreak, with the purpose of acting as a guideline for public institutions and corporations. On this report, the SDPA clearly states that in such extreme situations, "the processing of personal data [...] still need be done in accordance with the personal data regulation [...], so all its principles still apply". These principles include that the data shall be processed lawfully, fairly and in a transparent manner, collected for a unique specified, explicit and legitimate purpose, and kept limited to what is necessary in relation to the purpose, and as highlighted by the SDPA, "without confusing convenience with need".

In such extreme situations, the processing of personal data still need be done in accordance with the personal data regulation, so all its principles still apply.

The Community of Madrid expressly manifested that the purpose of this app was that one of providing the population with a system for self-diagnosis and, that way, release the congestion of the lines and services of the public health system. But analysing the personal information that this app requires from the user (name and surname, ID number, date of birth, telephone, sex, address and postal code, geolocation data and sanitary information relative to the symptoms associated to the virus) it's evident that this blatantly violates the principle of data minimisation, seriously exceeding the necessary information for the purpose given to this app.

The biggest concern is that the specified purpose might not be, in a future scenario and probably not in a premeditated way, the unique purpose for the gathering of this data, violating this way another of the fundamental principles of the article 5 of the GDPR. It's worth mentioning that, according to this regulation, there are three additional purposes that might always be added to the specified one, as noted in the article 5.1.b of the GDPR: "further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes". However and as explained in the article 89, these side purposes require the data to be further processed in order to assure the users' privacy with anonymisation or pseudonymisation, and always respecting the principle of data minimisation.

We need to contractually compel private companies to not make for-profit use of the data that we, pressed down by the exceptional nature of the situation, have willingly given away. We need the guarantee that this is not going to happen.

The principle of purpose limitation also wobbles when we observe who will have, as stated by the privacy policy, full access to the collected data. The list is potentially endless; apart from logically including the healthcare system and its professionals, it also adds the state security forces, national and international authorities, collaborating companies and all their possible outsourced firms. Do we want the data that we give for public services to be in the hands of private companies instead of in the premises of our public administrations? Where will that information remain when the state of alarm comes to an end? As users, we need to contractually compel private companies to not make for-profit use of the data that we, pressed down by the exceptional nature of the situation, have willingly given away. We need the guarantee that this is not going to happen.

Last but not least we were scandalized to read that, as an answer to how long will this data be stored, the privacy policy replied an ambiguous "as long as necessary", incurring another violation of the fundamental principles in the protection of our right to data privacy: the right to storage limitation detailed in the article 5.1.e of the regulation.

We are lucky to see results: thanks to a critical analysis of this kind of abusive privacy policies by communities and press, the conversation sparks and it encourages - or forces - the companies involved in the development of this software to ask themselves questions that, perhaps because of the urgency of the situation, weren't on the table before. That is why by March 24th we saw published the second version of this privacy policy that, very cautiously and with visible counselling of privacy professionals, now successfully addresses some of the issues described above.

The corporate initiative and our reaction

Permalink to “The corporate initiative and our reaction”

Of course Google also offers help in the shape of data with their recently launched project called "COVID-19 Community Mobility Reports". This tool allows to consult PDF formatted mobility reports from more than 130 countries, where one can see a variety of charts to understand the change trends of people's mobility towards different categories of places, such as shops, cafes and restaurants, supermarkets and pharmacies, parks, stations, work and residential areas. Each report holds data aggregated by country, as well as the same data broke down by states, autonomies or provinces in some countries, such as Spain, USA, the Netherlands or Italy. This project has been developed with the same technology that allows Google Maps to show us traffic jams or the concurrence of people in shops or pubs.

As a point in favor of the privacy policy of this project (as well as other products by Google), it uses what they call "differential privacy", which anonymizes data by adding artificial noise to the dataset, which makes it practically impossible to identify specific individuals from the data sets. The intention of this project is also theoretically creditable, as it aims to help the different health authorities by contributing data that can be useful while making critical decisions.

It is apparently not seen as a problem that a private corporation, whose sovereignty does not fall into the population's hands, has had no obstacles in anonymizing and publishing private data without following, for example, the principle of data mininmisation.

However, Google's endeavour reveals a serious incoherence in the collective imaginary about data privacy. While DataCOVID, the mobility study that the INE (National Statistics Institute, Spain) is currently working on, has sparked the social alarm and a number ridiculous reactions (like the alerting claim that "the government has legalized geolocalization"), it is apparently not seen as a problem that a private corporation, whose sovereignty does not fall into the population's hands, has had no obstacles in anonymizing and publishing private data without following, for example, the principle of data mininmisation. The scope for Google's data collection is way wider and unlimited in time ("while you use their services") than that of governments and other institutions that have developed specific data analysis for the concrete purpose of this epidemic. Why are we more outraged by a government (which we can democratically replace) that makes a study with a limited and defined purpose than by an international corporation that spies on us day after day for anything that can be profitable?

Singapore: an example of good practices

Permalink to “Singapore: an example of good practices”

The last case we want to share is the one of Singapore, that has come forward with a different approach. Instead of replying to the question about where is the population all the time, they try to reply to something way more relevant: who has been in contact in the past with this person that is currently ill? how to trace an origin and a scope for the virus transmission? The app TraceTogether, designed by the team of Digital Services from the Government Technology Agency, parts from two principles very different to the Chinese and Korean approaches: first, all the data is stored locally inside the phone, and second, they use the device's bluetooth instead of the GPS. The idea is that, for this purpose, using bluetooth technology is much more trustworthy, straight-forward, and respectful with the user's privacy.

TraceTogether is pretty simple. Everyone that downloads the app will be asked to set their phone number: this is the only personal information that the government will receive and store, and it will be used to contact users if necessary in an agile and efficient way. Once the app is installed and configured, the user will be asked to enable their bluetooth at all time, so that the device can register anonymised IDs of all the devices that pass nearby and that also have the app installed. When the Ministry of Health detects a new Covid-19 infection, the patient will be required to provide access to the registry of anonymous IDs that have been registered to be in close contact. These devices will then be informed so that the users can self-quarantine. This also allows authorities to track the chain of contagions, find the source and determine effectively the reach of the virus.

Added to the fact that there is no geolocalization nor collection of persona data, Singapore is planning to open-source the code of TraceTogether so that other countries can also use this technology. This app, which respects the principle of minimisation of data described and enforced by the GDPR, is also much more efficient that other approaches due to their decision to use bluetooth, a technology that can register contacts at few meters, precisely the distance at which the virus can be transmitted. Using GPS can instead be troublesome by not considering difference in height, which means that a whole building can be put under quarantine when a case of Covid-19 has taken place only on one floor. In their manifesto, the development team is clear about their intention: "COVID-19 and other novel viruses do not respect national boundaries. Neither should humanity's response. In a globalised world, with high volumes of international travel (until very recently), any decentralised contact tracing solution will need mass adoption to maximise network effects. We believe that TraceTogether and its sister implementations should be inter-operable, and that's what we're building towards."

Legislators, politicians and journalists have been pushed to the edge of a cliff, but we are still on time to correct this trajectory that is uncontrollably driving us to a radical loss of freedom and rights.

So why, if we know about the existence of solutions such as the one from Singapore, working and efficient solutions, open-source and thus auditable, why are European governments (let's aim near) developing solutions way more intrusive and that excessively violate our privacy? Why is the European Union, cradle of the GDPR, the most protective law in matter of privacy all over the world, asking a telecom company for each of its member states the geolocation data of mobile phones? While it's possible to take more transparent approach, one that is also more efficient and less invasive of our personal freedom, Europe seems to be taking - saving the distances - one more similar to the one in China or South Korea. Legislators, politicians and journalists have been pushed to the edge of a cliff, but we are still on time to correct this trajectory that is uncontrollably driving us to a radical loss of freedom and rights. We can still reverse this situation, we can still learn to handle crisis so that, when we face new dangers, we don't have to choose between loosing privacy and freedom for some fictional security.

Concluding

Permalink to “Concluding”

How can we correct this trajectory? There are many different ways to provide tech-based solutions to a problem like this but not all of them are ethical, good and respectful with our rights. Hence we want to offer a humble list of the requirements that we, as data privacy advocates, consider essential in these technology solutions:

  1. First of all, every developed solution should be open-sourced, that is, the source code must be available for its study, modification and for being used freely. This will enforce apps to be transparent and auditable.
  2. The data generated by the user should, to the extent possible, be encrypted and stored locally in the user's device.
  3. The principle of data minimisation should be instinctively incorporated from the very first data collection design phases. "Just in case we need it in the future" must never be a reason for collecting any data.
  4. Any tech-based solutions must be designed for a unique and transparent purpose, clearly stated in their privacy policy. They must never be opportunist.
  5. Any data that might allow patients to be re-identified must be stored separately to the rest of the information so that the access to those is minimised.

Covid-19 pandemics will come to an end, but not without leaving us submerged in a profund crisis that will go beyond public health and transform the economy, our society, technology and the way we interact with it. Every crisis has the potential to generate change and allow the enforcement of abusive policies over a society that is immersed in chaos and commotion.

However, every crisis has also the potential to make us understand, revise, lay ethical foundations and rebuild. Every crisis has the potential to give us an invaluable space to make choices, exercise our sovereignty and demand the institutions to work for us, protect our rights and freedom. It is now in our hands to not underestimate the importance of our right to privacy and stop authoritarianism and corporate control from taking what is sovereignly ours.


References

Permalink to “References”
  1. "Hungría aprueba una ley que permite a Orbán alargar indefinidamente el estado de alarma por la pandemia". elpais.com
  2. "How China is using QR code apps to contain Covid-19". technode.com
  3. "China's Coronavirus App Uses Mass Surveillance to Tell Citizens If They Could Be Infected". newsweek.com
  4. "Spying concerns raised over Iran's official COVID-19 detection app". zdnet.com
  5. "Dos modelos de gestión de crisis luchan por dominar Europa: el chino y el coreano". eldiario.es
  6. "Governments around the world are increasingly using location data to manage the coronavirus". theverge.com
  7. "'More scary than coronavirus': South Korea's health alerts expose private lives". theguardian.com
  8. "Phone location data could be used to help UK coronavirus effort". theguardian.com
  9. "Should Location Data Be Used in Battle Against COVID-19?". bankinfosecurity.com
  10. "Israel takes step toward monitoring phones of virus patients". apnews.com
  11. "Trudeau leaves door open to using smartphone data to track Canadians' compliance with pandemic rules". cbc.ca
  12. "Alemania prepara una app contra el coronavirus capaz de monitorizar el pulso o los patrones de sueño". eldiario.es
  13. "Política de Privacidad de la aplicación Covidapp, versión 1.0"
  14. "Política de Privacidad de la aplicación Covidapp"
  15. "COVID-19 Digital Rights Tracker". top10vpn.com
  16. "Protecting Civil Liberties During a Public Health Crisis". eff.org
  17. "La emergencia viral y el mundo de mañana. Byung-Chul Han, el filósofo surcoreano que piensa desde Berlín". elpais.com
  18. "La ingeniosa 'app' de Singapur para frenar el coronavirus que España debería crear ya". elconfidencial.com
  19. "El Gobierno iniciará el rastreo de móviles con CCAA y operadoras para combatir el virus". elconfidencial.com
  20. "Coronavirus: Singapore develops smartphone app for efficient contact tracing". straitstimes.com
  21. "Yuval Noah Harari: the world after coronavirus". ft.com