Without A Trace: The Risks And Rewards Of Privacy Post-COVID


As financial services have gone digital over the years, each step forward has required three things: affordability, access, and trust. Of these, trust is perhaps the least well-understood; how do users know when to trust an app to handle their money, pay their bills, or steward their personal data? Trust in digital services is intensely personal, but it’s also acutely attuned to its particular cultural and political context. What engenders trust in the citizens of a given part of the world is not necessarily effective elsewhere, and institutions play by different rules depending on their role in a given society. For this reason, the ramifications of the COVID-19 crisis on data and privacy are unfolding in divergent ways at the regional level, with long-standing attitudes toward authority underpinning the various strategies emerging across the world.

Prior to the COVID-19 pandemic, countries could be broadly classified into three types with respect to who was ultimately trusted with user data. In collectivist Asia, for example, it was government; in capitalist America, it was the private sector; and in the European Union, the newly implemented General Data Protection Regulation (GDPR), which standardized data privacy law across the EU, sought to return control of personal data from companies to users themselves.

But now, all over the world, social responsibility is balanced against individual liberties as a global pandemic renders fellow citizens the potential threat.

“In the past, privacy law was about your rights as a citizen vs the government. Then, 20 years ago, we started thinking about your rights with your employer and companies you deal with. Now, not necessarily for the first time, it is integrating those three things — you in relation to companies, the government, and people.”
Kirk Nahra, U.S. privacy and data security lawyer

Emergency measures implemented during the crisis have waived certain privacy laws and created massive surveillance programs. But the data measures put in place (though extraordinary in their implementation and novel in many senses) are in fact continuations of pervading attitudes, pre-existing industry practices, and, in autocratic countries, deepening social control. The data collection operations underway to combat COVID-19 are arguably not transformative, but rather serve as a defining example of life in the digital age.

Contact Tracing: The New O2O

The sudden demand for mass surveillance comes at a fraught moment in the privacy debate. To justify mass data collection, adtech firms champion aggregation and anonymization practices that claim to protect the identities of individuals while gathering enough data to build detailed consumer profiles. Critics, however, question whether any data set of user information can be both precise and anonymous. Much of what the industry calls "anonymized" data is in fact pseudonymized: names are stripped, but each device keeps a persistent token, so its whole trail stays linked together. Without further safeguards, such data can be re-identified by matching it against other data sets (a linkage attack). In December 2019, The New York Times opinion section published a series on location tracking in which it reviewed anonymized metadata from one of dozens of location data companies in the United States. It found, as one expert put it, that "really precise, longitudinal geolocation information is absolutely impossible to anonymize." With the help of publicly available information such as home addresses, the Times was able to identify notable figures in the supposedly anonymized data and track their movements. Telcos have been selling such location data to third-party data brokers for years. Aggregated results are easier to anonymize, but the original record-level data set still sits with someone, where it can be breached or abused.
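The linkage attack described above, as an added illustration that is not part of the original article and not the Times' method: a pseudonymous ping feed is joined to a public address list by assuming night-time pings are taken at home. The pings, the address list and the coordinates are constructed toy data, and the 50-meter match radius and night-hour window are assumptions.

```python
"""Re-identifying a pseudonymous location trail by linking it to public data.

Added illustration, not part of the original article and not the Times' method.
The pings and the address list are small constructed data sets; coordinates are
arbitrary points in Washington, DC. Night-time pings are assumed to be taken at
home, which is the standard heuristic in such linkage attacks.
"""
import math
from datetime import datetime

# Constructed "anonymized" feed: the device token is random, but every ping from
# the same phone carries the same token, so the trail is pseudonymous, not anonymous.
PINGS = [
    # (device_token, timestamp, latitude, longitude)
    ("a9f3c1", "2019-12-02T01:10:00", 38.8977, -77.0365),
    ("a9f3c1", "2019-12-02T02:40:00", 38.8978, -77.0366),
    ("a9f3c1", "2019-12-02T09:05:00", 38.8895, -77.0353),  # daytime, away from home
    ("a9f3c1", "2019-12-02T23:50:00", 38.8976, -77.0364),
    ("a9f3c1", "2019-12-03T03:15:00", 38.8977, -77.0367),
    ("5d20e7", "2019-12-02T00:30:00", 38.9072, -77.0369),
    ("5d20e7", "2019-12-02T12:00:00", 38.8895, -77.0353),
    ("5d20e7", "2019-12-03T01:00:00", 38.9071, -77.0368),
]

# Constructed "public" side data, e.g. property records or a staff directory.
ADDRESSES = {
    "Resident A": (38.8977, -77.0365),
    "Resident B": (38.9072, -77.0369),
    "Resident C": (38.9150, -77.0500),
}

NIGHT_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}  # assumed "at home" window


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def infer_home(pings, device):
    """Centroid of a device's night-time pings; None if it has none."""
    night = [(lat, lon) for tok, ts, lat, lon in pings
             if tok == device and datetime.fromisoformat(ts).hour in NIGHT_HOURS]
    if not night:
        return None
    return (sum(p[0] for p in night) / len(night), sum(p[1] for p in night) / len(night))


def link(pings, addresses, max_distance_m=50.0):
    """Map each device token to the named address nearest its inferred home.

    Returns {token: (name, distance_m)} for tokens whose inferred home lies within
    max_distance_m of a known address; tokens with no close match are omitted.
    """
    result = {}
    for device in sorted({tok for tok, *_ in pings}):
        home = infer_home(pings, device)
        if home is None:
            continue
        name, dist = min(((n, haversine_m(*home, *addr)) for n, addr in addresses.items()),
                         key=lambda x: x[1])
        if dist <= max_distance_m:
            result[device] = (name, dist)
    return result


def movements(pings, device, home, min_distance_m=100.0):
    """Pings taken away from home: once the token is linked, this is the person's day."""
    return [(ts, lat, lon) for tok, ts, lat, lon in pings
            if tok == device and haversine_m(lat, lon, *home) > min_distance_m]


if __name__ == "__main__":
    for token, (name, dist) in link(PINGS, ADDRESSES).items():
        home = infer_home(PINGS, token)
        print(f"{token} -> {name} (home within {dist:.0f} m)")
        for ts, lat, lon in movements(PINGS, token, home):
            print(f"    {ts}: at ({lat}, {lon})")
```

Nothing in the feed names anyone; the persistent token plus a few metres of precision is enough. The defence is not a better token but coarsening or aggregating the data before it leaves the collector.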

Despite growing doubts about whether such data can be kept anonymous, anonymization is a key component of nearly all data collection measures deployed against COVID-19's spread. The CDC and other U.S. government bodies are receiving metadata from the mobile advertising industry to map the movement of people during the crisis. In the UK, tech firms are processing large volumes of confidential patient information to build outbreak models. As long as daily new infections and deaths keep climbing, and every citizen is deemed both suspect and potential victim, maintaining anonymity may prove a secondary concern.


Apps Of All Stripes

As countries seek to end lockdowns and slowly reopen their economies, the most prevalent use of digital data will be contact tracing apps. According to digital rights group Top10VPN, there are now 43 contact tracing apps available around the world to monitor and stop the spread of COVID-19, with more in the pipeline. How regimes reconcile the tension between individual privacy and public exposure is what differentiates these respective apps from each other, and approaches to contact tracing diverge along several dimensions:

Which data will be collected?

GPS tracking can help governments map citizens' movements to gauge the effectiveness of confinement measures (and in some cases to enforce them). GPS is an appropriate tool for understanding population movement at the macro level. For contact tracing, however, it is a poor instrument: in theory GPS can be accurate to within one meter, but 5 to 20 meters is more typical, and indoors, where most close contact happens, a fix often degrades further or fails entirely. That is plainly unsuitable for deciding whether someone has been within two meters of an infected person.

Generally, GPS is regarded as the more invasive and less effective approach, yet it is used by 64% of existing contact tracing apps, according to Top10VPN. Israel, for example, has had its domestic security service track the phone locations of all citizens, cross-referencing the data and alerting people who may have been exposed to someone with COVID-19. Location data this imprecise has predictably led to cases in which individuals were wrongly ordered into quarantine despite maintaining proper social distancing.

While GPS measures location, Bluetooth measures proximity between devices, inferred from received signal strength, which improves precision and reveals less: a phone learns which other phones were nearby, not where anyone was. Apple and Google have chosen Bluetooth for their forthcoming exposure notification framework, an operating-system API that public health authorities' apps will build on rather than an app of their own. Each device generates a daily key and broadcasts identifiers derived from it that rotate roughly every 15 minutes, so an observer cannot link one identifier to the next without the key. Phones scan for nearby identifiers about every five minutes and store what they hear locally. If a user tests positive, only the daily keys from the infectious period are uploaded; nothing is shared about whom they met.

Bluetooth still faces considerable hurdles, however: the app and Bluetooth must stay on at all times, and signal strength cannot tell whether a wall or other barrier stands between two people. Most crucially, such technology requires a critical mass of the population to install and run the app continuously. An Oxford study suggested that at least 60% of the population would need to use such an app to track and control the virus effectively. Singapore had been lauded for its Bluetooth-based TraceTogether app, used in tandem with manual tracing and high testing rates to control the disease. Yet even with high smartphone penetration, a small, cooperative populace and centralized authority, only about one in five Singapore residents had downloaded it. In recent weeks infections spiked after an outbreak among migrant workers, rendering such tracing efforts moot, since keeping up with community spread would be nearly impossible.

Where is data stored?

A centralized database is far easier to manage and query during a crisis, but it also concentrates sensitive information where it can be breached or abused by the collecting body. Of the 27 contact tracing apps whose database setup is known (the rest have yet to be disclosed), only 8 use decentralized storage, while 19 use centralized databases, many of them government-run.

In the Apple/Google model, the phones themselves perform the cryptographic work: the central server holds only the daily keys uploaded by users who tested positive, and each phone downloads those keys, regenerates the identifiers they would have produced and checks them against the identifiers it heard. The server never learns which devices met, or whether a given user was exposed. The drawback of this privacy-conscious model is how little it gives epidemiologists. Only by linking the different sightings of a device to its user could authorities use the data on a society-wide scale, which is exactly what the design prevents.
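The exchange described in the two passages above (rotating identifiers derived from a daily key, and a server that stores only diagnosis keys while phones do the matching), as an added illustration. This is not the article's content and not the real Apple/Google Exposure Notification code, which derives identifiers with HKDF and AES and uses 10-minute interval numbers; here HMAC-SHA256 stands in for the derivation, the 15-minute rotation follows the article, and the Phone and Server classes and the three-person scenario are constructed.

```python
"""Simplified decentralized exposure notification: rotating identifiers and
on-device matching.

Added illustration, not the article's content and not the real Apple/Google
Exposure Notification implementation (which derives identifiers with HKDF and
AES and uses 10-minute interval numbers). HMAC-SHA256 stands in for the
derivation, the 15-minute rotation follows the article, and Phone/Server are
toy classes.
"""
import hashlib
import hmac
import os

INTERVAL_MINUTES = 15
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES  # 96


def new_daily_key():
    """Fresh random key per day; it leaves the phone only if the user tests positive."""
    return os.urandom(16)


def rolling_id(daily_key, interval):
    """Identifier broadcast during one 15-minute interval of the day.

    Without daily_key, two identifiers cannot be linked to the same phone.
    """
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name):
        self.name = name
        self.daily_keys = {}   # day -> key, kept on the device
        self.heard = set()     # identifiers received over Bluetooth, kept on the device

    def key_for(self, day):
        if day not in self.daily_keys:
            self.daily_keys[day] = new_daily_key()
        return self.daily_keys[day]

    def broadcast(self, day, interval):
        return rolling_id(self.key_for(day), interval)

    def hear(self, identifier):
        self.heard.add(identifier)

    def diagnosis_keys(self, infectious_days):
        """Only keys from the infectious window are released; other days stay private."""
        return [(d, self.daily_keys[d]) for d in infectious_days if d in self.daily_keys]

    def check_exposure(self, published_keys):
        """Regenerate every identifier each published key could have produced and
        compare against what this phone heard. Runs locally; nothing is reported."""
        matches = []
        for day, key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, interval) in self.heard:
                    matches.append((day, interval))
        return matches


class Server:
    """Holds diagnosis keys only. It never sees identifiers, contacts or match results."""
    def __init__(self):
        self.keys = []

    def upload(self, keys):
        self.keys.extend(keys)

    def download(self):
        return list(self.keys)


def simulate():
    """Constructed scenario: Alice meets Bob on day 3; Carol meets only Bob."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for day in (1, 2, 3):               # Alice has been broadcasting for three days
        alice.key_for(day)
    bob.hear(alice.broadcast(3, 40))    # day 3, 10:00-10:15: Alice and Bob nearby
    alice.hear(bob.broadcast(3, 40))
    carol.hear(bob.broadcast(3, 41))    # Carol is near Bob, never near Alice

    server = Server()
    server.upload(alice.diagnosis_keys([2, 3]))   # Alice tests positive; day 1 stays private

    return {
        "bob": bob.check_exposure(server.download()),
        "carol": carol.check_exposure(server.download()),
        "server_days": sorted(day for day, _ in server.download()),
    }


if __name__ == "__main__":
    print(simulate())
```

Bob's phone finds the match for day 3, interval 40, Carol's finds nothing, and the server holds two keys and no record of any encounter. Note what the server does learn: that some key was uploaded, and from which IP address, which is why real deployments route uploads through an authorization step and are careful about upload metadata.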

What to do with the information?

According to Top10VPN, 28% of contact tracing apps so far have no privacy policy enumerated, meaning that there have been no clear boundaries set for how the stored data could actually be used. While it’s too early to know what risks are associated with this data, in the most egregious case to date, Iran launched an app that claimed to diagnose coronavirus through a series of yes-or-no questions. But rather than offering a proper diagnosis, the app enabled the Iranian regime to gather large swaths of citizen data and track their movements in real time.


Collectivism, Culture, Virus, Virtue

In Asia, laws and social norms alike leave a grey area for the use of data. South Korea, for instance, had a digital contact tracing regime ready before COVID-19. After the 2015 MERS outbreak, South Korea passed regulations requiring districts to publish information about infected people, including their travel routes, which public transit they took, which hospitals treated them, whether they wore masks, and even their age and gender. South Koreans are routinely alerted when an infected case has been within 100 meters of their location. Such detailed mapping, combined with extensive manual contact tracing and high levels of testing, has helped South Korea head off full-blown community outbreaks. As The New Yorker described recently, despite the invasion of privacy inherent in such a process, the South Korean public decided after the 2015 MERS outbreak that radically transparent "virtuous surveillance" was the best option. The South Korean tracing apparatus also draws on credit-card payment records, travel and medical records, and health information to reconstruct the movements of confirmed cases.

Elsewhere in Asia, anti-COVID measures have sometimes set aside individual liberties for the social good. Hong Kong issues a wristband to anyone arriving in the territory, which must be paired with its StayHomeSafe app to geofence those in quarantine. Taiwan has used what it calls an "electronic fence," which tracks mobile phone data and alerts authorities if someone in quarantine leaves home. Some parts of India are stamping the hands of airport arrivals and monitoring airline and train reservation data to ensure that those people do not travel.

Not surprisingly, China was the first to deploy digital tracking against COVID-19, and its design includes some of the most invasive measures. Software installed on citizens' phones tracks their movements and assigns each person a color code indicating contagion risk, which also governs their ability to enter public spaces. The government has not disclosed exactly what information determines the health status of over 1 billion citizens, but reports suggest that digital payment data from Alipay and WeChat Pay were used by authorities to ascertain, for example, whether someone was buying fever medicine. Though unsurprising, this would signify a further creep of the Chinese surveillance apparatus. Reportedly, Alibaba and Tencent, both with speculated ties to the Chinese government, have resisted efforts by authorities to obtain consumer data during the pandemic, but this may reflect a view that privacy protections are vital for future expansion into Western markets. If the authorities' surveillance entreaties ultimately succeed, precedents such as the Beijing Olympics and the Tibetan protests suggest that "emergency" surveillance measures could become permanent.

Democracy, Data, Pandemic, Privacy

In the U.S., on the other hand, authorities are collecting data from the advertising industry to get an idea of where people are gathering. The U.S. relief bill also included $500 million for the CDC to build a “surveillance and data collection system” using advertising metadata. The ad companies, which are sometimes criticized for their lack of transparency, are not actually changing any of their collection practices in response to the crisis — rather, their existing operations are being further legitimized by the U.S. government. And this isn’t particular to the U.S.; companies with dubious records such as U.S. big data firm Palantir, Israeli spyware maker NSO and Italian surveillance company Cy4gate are offering their services to countries across the world. But the fact remains that this emergency comes at a critical time for data privacy in the U.S., where a national data privacy law limiting the actions of private companies is conspicuously absent.

Through the GDPR, the European Union has reined in data collection, but COVID-19 comes just as the new regulations have begun to take root. The GDPR, the EU's sweeping data privacy law in force since May 2018, requires that companies collect personal data only for a specified purpose and on a lawful basis; where that basis is consent, it must be freely given and specific, which rules out the "coerced" or "hidden" consent practices common in other regions. Telcos still collect metadata, but it has to be properly anonymized or deleted.

[Image: proposed contact tracing app, Germany and U.K.]

In the COVID context, the GDPR's public-interest and public-health provisions allow flexibility for responsible data collection during an outbreak. Although all member states are bound by the GDPR, several have taken somewhat divergent views on observing its guidelines. With the exception of Poland's digitally monitored enforcement of quarantines, invasive measures have so far been relatively minor and carry explicit expiration dates for collection efforts (though it is still early in the pandemic for countries like Hungary, where Prime Minister Orbán can now rule by emergency decree during the crisis).

The EU must now reconcile its focus on personal control of user data with the public health demands of the crisis. As the EU's data protection watchdog calls for a single coronavirus app, the European Commission has leaned on telcos to provide aggregated, anonymized metadata for coronavirus modelling, much as in the United States.

While the EU's privacy regime is bending (though not yet breaking), Europe's privacy-conscious citizenry will make it even harder to reach the critical mass needed for tracing apps to be effective. In Austria, the Bluetooth-based app is voluntary, can be deleted, and relies on no central database. Though privacy experts have approved of the app's design, the country's wary public has nonetheless been slow to adopt it. Will the GDPR's privacy regime be diminished or fractured to strengthen digital tracking, or will it endure at the cost of forgone contact tracing opportunities, and potentially a faster recovery?

The Unknown & The Unknowable

There may ultimately be no need for a zero-sum trade-off between useful data collection and effective data protection. Emerging privacy enhancing technologies (PETs) offer an alternative to the centralized hoarding of consumer data: computational and mathematical techniques that extract useful statistics without exposing the underlying records. One method already in use is differential privacy, in which calibrated statistical noise is added to query results (or, in the local variant, to each person's data before it is collected) so that the output reveals almost nothing about any one individual, even when combined with other data sets; Google is reportedly using this technique for its coronavirus mobility reports. Another emerging but pertinent method is the zero-knowledge proof, a cryptographic protocol that lets a prover convince a verifier that a statement is true (that a computation was carried out correctly, say) without revealing the data behind it. Blockchain security company Hacera, in partnership with IBM, Oracle, and Microsoft, has already adopted this technique to create a distributed and verifiable data hub, MiPasa, to collect, validate, and leverage COVID-19 data in Honduras, with the possibility of expanding the blockchain-powered app to facilitate segmented shopping schedules for locked-down populations. National health institutions in the U.S., Canada, Europe, and China have contributed to the project.
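The differential privacy mechanism described above, as an added example that is not from the article and not Google's mobility-report code: a count query answered with Laplace noise scaled to 1/epsilon, a budget tracker that stops an analyst from repeating the query until the noise averages out, and the differencing attack that exact counts are vulnerable to. The visit log and the epsilon values are constructed for illustration.

```python
"""Differentially private counts with the Laplace mechanism, plus a privacy budget.

Added example, not from the article and not Google's mobility-report code.
The visit log is constructed; epsilon values are illustrative choices.
"""
import math
import random

# Constructed records: who was at which place. The sensitive fact is whether
# a particular named person appears in the "clinic" rows.
VISITS = [
    ("alice", "clinic"), ("bob", "park"), ("carol", "clinic"), ("dave", "park"),
    ("erin", "grocery"), ("frank", "clinic"), ("grace", "park"), ("heidi", "grocery"),
]


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5                       # uniform on [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def exact_count(rows, predicate):
    return sum(1 for r in rows if predicate(r))


def dp_count(rows, predicate, epsilon, rng, sensitivity=1):
    """Count plus Laplace noise with scale sensitivity/epsilon.

    Adding or removing one person changes a count by at most 1, so noise of
    scale 1/epsilon gives epsilon-differential privacy for this query.
    """
    return exact_count(rows, predicate) + laplace_noise(sensitivity / epsilon, rng)


class PrivacyBudget:
    """Tracks cumulative epsilon; each answered query spends part of it. Without
    this, an analyst can repeat a query and average the noise away."""
    def __init__(self, total):
        self.total = total
        self.spent = 0.0

    def query(self, rows, predicate, epsilon, rng):
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon
        return dp_count(rows, predicate, epsilon, rng)


def differencing_attack(rows, target, place):
    """Why exact counts are unsafe even with names removed from the output:
    two aggregate queries that differ by one person reveal that person's record."""
    with_target = exact_count(rows, lambda r: r[1] == place)
    without_target = exact_count([r for r in rows if r[0] != target],
                                 lambda r: r[1] == place)
    return with_target - without_target      # 1 means the target was at `place`


if __name__ == "__main__":
    rng = random.Random()
    clinic = lambda r: r[1] == "clinic"
    print("exact clinic count:", exact_count(VISITS, clinic))
    print("noisy clinic count (eps=0.5):", round(dp_count(VISITS, clinic, 0.5, rng), 2))
    print("differencing attack on carol:", differencing_attack(VISITS, "carol", "clinic"))
```

The noisy count is useful at population scale (a few units of error on a count of thousands) while the same noise swamps the one-person difference the attack relies on. The budget matters as much as the noise: answering the same query a thousand times with fresh noise is equivalent to answering it once with almost none.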

Such methods are complex, often still maturing, and undeniably less useful to information-hungry companies and governments. It is unlikely that privacy rights will emerge from this pandemic unaffected. For data-reliant industries like digital financial services (which are increasingly embracing PETs for their own data collection purposes) the ramifications are uncertain. On the one hand, as pressure mounts on Chinese companies like Tencent to adhere to Western privacy standards even during the crisis, the interconnected nature of digital realms ties each region's fate a little more closely to the others. But without global coordination during the crisis, data privacy across regions will likely gravitate towards the predilections of their respective political and cultural situations, in most cases to the detriment of individual privacy, with lasting risk to the post-COVID world.

© Mondato 2020

Image courtesy of Sergio Souza

Mondato is a boutique management consulting firm specializing in strategic, commercial and operational support for the Digital Finance & Commerce (DFC) industry.