Anyone viewing their Google Maps Timeline for the first time gets one of two feelings: Dread at the thought of how much information the company collects about their every move, or elation as they realise they can go back and see what they were doing not just on any given day, but during any given minute.
Governments struggling to control the spread of COVID-19 have been quick to catch on to these possibilities. This data could help them track other patients that a newly diagnosed sufferer had been in contact with. In aggregate, it could help identify high-risk areas where people are gathering. It could also have other, more invasive uses.
This weekend, the Wall Street Journal reported that US government officials are using location data from millions of cellphones to understand citisens’ movements and how they’re affecting the spread of the disease. That data, which sources have said is stripped of personally identifying information, shows how community hubs like shops and parks are still drawing crowds. The data can also show how well the population at large is following requests to stay indoors. A lot of this data comes from advertising companies that gather it as a matter of course, the paper said.
Other countries are taking a soft approach to using location data for the public good. Singapore’s voluntary TraceTogether app uses Bluetooth for proximity tracking. When two users’ phones come near each other, they send each other a message containing a timestamp, their Bluetooth signal strength, their phone’s model, and a temporary identifier. The phones store that information. Should a user test positive for the virus, they can upload their data to the Ministry of Health, which will decode it and use it to identify others that they may have infected.
In Israel, the Health Ministry has reportedly released an app that uses voluntary data to shield citisens from exposure while protecting their privacy. It notifies people when they have come into contact with infected citisens, but it keeps all this data on the users’ devices. The government makes this work by sending anonymous data on infected citisens’ movements to users’ phones.
Ireland’s government revealed plans for a voluntary tracking app that seems to work on the same basis as Singapore’s software. Expect to see that within ten days, said officials at the country’s Health Service Executive over the weekend.
While many such efforts are voluntary, some countries have sourced the data without users’ explicit consent. For example, Israel’s voluntary initiative only happened after the government there passed regulations allowing the Israeli police to track the cellphones of COVID-19-positive individuals using its anti-terrorism Shin Bet cellphone location tracking system.
The UK is said to have joined Germany, Austria, Spain, Belgium, and others in Europe to source anonymised location data directly from telcos. Following China, Europe was the hardest hit by the spread of the virus in early March. Governments are using the data to determine how much people are moving around and congregating, according to reports.
Is this legal? The European Data Protection Board (EDPB), established under GDPR, has issued a statement about the processing of data during the health crisis. It says:
Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.
Adding that these conditions apply when processing is necessary for reasons of substantial public interest in the area of public health:
Under those circumstances, there is no need to rely on consent of individuals.
That doesn’t mean it can play fast and free with personal data though. Authorities must rely on data protection techniques, it adds. GDPR includes anonymisation among those techniques, although as researchers and activists have demonstrated in the past, you can still reconstruct peoples’ identities from anonymous data sets.
Other countries make people an offer they can’t refuse. Poland has launched a phone app for people under mandatory 14-day quarantines after returning from travel abroad. They must take photographs of themselves several times each day to prove they’re not outside, spokespeople said. If they fail to install the app, the police may show up at their door for a random check. The app reportedly uses both location tracking and facial recognition tech.
This all raises an important question: How much should civil rights, especially privacy, be eroded when dealing with a threat as pernicious as COVID-19? In an open letter, a group of technology and medical professionals led by EFF distinguished technology fellow Dr Peter Eckersley stops short of recommending direct governmental data-gathering but calls for help from mobile operating system vendors. Singling out Apple and Google, it says that they should build it directly into the mobile operating system on an opt-in basis:
Users who opt in could be notified in a non-identifiable way if they had been in the same spaces as subsequently identified cases, in order to enable self-quarantine, monitoring, early detection and prevention of tertiary cases. If such a feature could be built before SARS-CoV-2 is ubiquitous, it could prevent many people from being exposed.
What do you think about the use of location tracking data to help combat the spread of COVID-19, and to monitor self-isolation practices during the outbreak? Should this be mandatory? If it saves just one life, isn’t it worthwhile?
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.