By: Oscar Okwero, Cybersecurity Researcher – Forensics and Application security.
Corona virus has infected more than just individuals and their bodies. It’s also infected society, which is adapting drastically in order to reduce the number of lives the COVID-19 pandemic claims. Not only are governments adopting new economic and public health measures to fight the corona virus and its impact, but they’re harnessing big data in ways that, while potentially saving lives, will also reduce our privacy and civil liberties.
According to a report from Bloomberg, the UK government is asking mobile network operators to hand over customer roaming data, which would purportedly help it repatriate Brits stranded abroad as a result of the corona virus pandemic. Negotiations are still ongoing, but the possibility of the U.K. government having access to roaming data is ominous. Also, It’s already in the process of obtaining phone location data, ostensibly to monitor the effectiveness of the U.K.-wide lock-down. So its pursuit of other kinds of data worryingly suggests that it may use the corona virus crisis to expand its surveillance operations more generally. Storage of data concerning a person’s whereabouts and movements in the public sphere was found by the European Court of Human Rights to constitute an interference with private life. That the government may be intent on using the corona virus pandemic to extend its surveillance activities is also evidenced by earlier discussions and collaborations with mobile operators. In fact, Sky News revealed on March 19 that the U.K. government was already receiving anonymous smartphone location data from O2. This data is being used to evaluate whether people are following social distancing and lock-down guidelines. Still, observers may be simultaneously reassured and concerned to hear that ICO–the U.K.’s privacy watchdog–actually approved the government’s use of mobile data last week. Effectively, it stated that reducing the privacy of the U.K. population was justifiable, given the serious threat to public health posed by the corona virus, Data protection law enables the data sharing in the public interest and provides the safeguards for data that the public would expect.”
The international health regulation to which the 196 member countries are party to demands that the signatories act in tandem to prevent, contain and respond in health pandemics to protect citizens from the risks of a health pandemic. This involves collecting and disseminating relevant information as pertains the spread and control of a health pandemic. This together with the provisions of several Data privacy acts across the globe that allow governments to invade individual privacies in the public interest or national security have been the legal basis for many governments sparing no effort to undo the great strides made in individual privacy rights.
On Sunday the Home Secretary Amber Rudd called on “organizations like WhatsApp”, which is owned by Facebook, to make sure that they “don’t provide a secret place for terrorists to communicate with each other”. Rudd hinted at new legislation if they did not cooperate, despite the existing legislation already allowing the government to force such cooperation. The Investigatory Powers Act, made law in late 2016, allows the government to compel communications providers to remove “electronic protection applied … to any communications or data”. Take, for example, the United States’ 2001 Patriot Act, which was passed in response to the 9/11 attacks. The Patriot Act gave the government broad surveillance powers with little oversight, including demanding customer data from Telcos without court approval.
From a technological perspective, the corona virus pandemic is one massive test bed for surveillance capitalism. More specifically, it’s a test bed for new, much more large-scale forms of surveillance. Already, governments in Italy, Germany, Austria, China, South Korea and Taiwan have begun analyzing smartphone data so as to determine to what extent populations are really locking themselves down at home. Meanwhile, governments in the UK and the US are very close to rolling out similar surveillance measures, all in the effort to ensure that policies of mass behavior modification are successful. Perhaps health is more important than privacy and civil liberties. Obviously, you’d have absolutely no civil liberties, freedoms, or powers if you were deceased. However, the surveillance measures now being imposed on national populations risk permanently altering how much privacy and freedom we have as individuals.
And at this early stage in the life of the corona virus, it’s not clear or transparent that the health benefits they provide outweigh the price we’d have to pay in terms of civil liberties. “We could so easily end up in a situation where we empower local, state or federal government to take measures in response to this pandemic that fundamentally change the scope of American civil rights,” said Albert Fox Cahn of the Surveillance Technology Oversight Project, speaking to The New York Times. But even the surveillance of general activity levels is harmful to privacy and civil liberties. Firstly, data on general activities and activity levels will still enhance the ability of governments to manipulate and control populations, and this may not always be desirable. Secondly, it may enable mission creep, providing one slippery step towards even more invasive forms of data gathering and surveillance.
In China, government-installed CCTV cameras point at the apartment door of those under a 14-day quarantine to ensure they don’t leave. Drones tell people to wear their masks. Digital barcodes on mobile apps highlight the health status of individuals. While some of China’s measures appear extreme, nations around the world have taken the decision to boost their surveillance of individuals in a bid to help them fight the COVID-19 outbreak. “Corona virus is pushing us over the edge and … perhaps institutionalizing these systems and in addition, making general public to become more accepting of this more intrusive measure,” Maya Wang, a senior researcher on China at Human Rights Watch, told CNBC. In Singapore, the government rolled out an app called Trace Together. It uses Bluetooth signals between cell phones to see if potential carriers of the corona virus have been in close contact with other people. Over in Hong Kong, some residents were made to wear a wristband which linked to a smartphone app and could alert authorities if a person left their place of quarantine.
In South Korea, the government used records such as credit card transactions, smartphone location data and CCTV video as well as conversations with people, to create a system where confirmed cases were tracked. The result was a map that could tell people whether they had gone near a coronavirus carrier. On Thursday, the South Korean government launched an enhanced tool that it says can help track patients even more closely in near real time, in order to see where the disease was moving. Meanwhile, Israel’s security agency Shin Bet is using citizens’ cell phone location data to track where they’ve been so they can enforce quarantine controls and monitor the movements of those infected. Controversially, the data has been collected over the past few years and intended for counter terrorism purposes, the New York Times reported.
The newspaper said this data trove and the collection of it had not been previously reported. One of the most alarming measures being implemented is in Argentina, where those who are caught breaking quarantine are being forced to download an app that tracks their location. In Hong Kong, those arriving in the airport are given electronic tracking bracelets that must be synced to their home location through their smartphone’s GPS signal. Ontario police have access to a government database of people who have tested positive for the corona virus, including personal information like names, addresses, and birthdays, according to a Vice report. The Turkish government is tracking the locations of corona virus patients using their cellular data, and will automatically send warning messages if they are detected violating quarantine. All cellular companies operating in Turkey are cooperating with the government to provide this data, according to the state-run Anadolu Agency. Last week, a draft law was proposed that would mandate that social media platforms like Facebook, YouTube, and WhatsApp have a legal representative in Turkey that the government could pressure to take down content or ban accounts, according to Human Rights Watch. However, those parts of the draft were later withdrawn.
In the U.S., the government is talking to Facebook, Google and other tech companies about the possibility of using location and movement data from Americans’ smartphones to combat corona virus. But one of the big problems, according to the Electronic Frontier Foundation (EFF), a non-profit digital privacy advocacy group, is that collection of certain data like phone location hasn’t been proven to be effective in tracking the spread of the virus. “Because new government dragnet location surveillance powers are such a menace to our digital rights, governments should not be granted these powers unless they can show the public how these powers would actually help, in a significant manner, to contain COVID-19,” the EFF said in a blog post earlier this week. The organization argued that even the Global Positioning System, or GPS, on smartphones are only accurate to a 16-foot radius, according to official U.S. government information. Yet the Centers for Disease Control and Prevention (CDC) said the virus can spread between people who are in close contact with one another, which the body estimates is within 6 feet. To help track the movement of citizens, the mobile advertising industry is currently supplying data to local, state, and federal government organizations about the location of individuals, according to a report by the Wall Street Journal.
The major technology firms who have been often accused of invasion of privacy have also seen an opportunity to join the global response to the pandemic by availing their technologies for related efforts. For example, Facebook announced two initiatives related to using its Messenger app in order to communicate public health information. The first involves the social media giant connecting “government health organizations and UN health agencies with [Facebook’s] developer partners,” who will help said agencies use Messenger to share COVID-19 info with the public. Likewise, the second initiative will see Facebook organize a hackathon aimed at developing solutions “to issues related to the corona virus such as social distancing and access to accurate information.” Once again, these solutions revolve around the use of Messenger. More broadly, acting like a public service also means greater legitimacy, prominence and priority for what Facebook and other big tech companies do normally, when there isn’t a life-threatening pandemic sweeping the globe. And increasingly, what such companies have been doing is harvesting more and more of our data in a way that ultimately erodes our personal autonomy and agency.
Civil liberties and privacy advocates have taken note of this new phenomenon and are already raising concerns about the inherent risks to personal privacy that may result if proper caution and audit is not taken of the new controls being introduced as a response to Coovid19. “Protecting the health of communities and first responders is rightly a priority,” the Canadian Civil Liberties Association said in a letter to the Canadian government. “Providing personal health information directly to law enforcement, however, is an extraordinary invasion of privacy.” .More than 140 French cybersecurity and privacy experts signed a letter this week warning the public and authorities about the risks of an expected contact tracing app. “All these applications involve very significant risks with regard to respect for privacy and individual freedoms. One of them is mass surveillance by private or public actors,” the experts wrote. Security cameras in the Paris metro system are now capable of detecting whether people are wearing masks or not. Start-up DatakaLab, which built the technology, says it’s not meant for tracking individuals but instead for gathering data on mask adoption. The country’s public health authority also launched a smartwatch app that collects health data in an attempt to determine whether people are exhibiting signs of the corona virus.
The challenge with more robust state involvement will be to avoid enduring limitations to individual freedoms. Many fear that the extraordinary measures and emergency legislation governments have introduced to shut borders, enforce quarantine and track infected people may be the prelude to more autocratic and illiberal regimes. Human rights advocates have questioned the speed with which emergency bills were waved through without parliamentary scrutiny, and fear that some of these measures will become normalized over time.
Some fear that dictatorships are already emerging, such as in Hungary. Even before these draconian measures were introduced, fundamental human rights were already reported to be under strain in almost two-thirds of the 113 countries surveyed for the 2018 Rule of Law Index, with concerns over a universal surge in authoritarian nationalism and a retreat from international legal obligations. Even before the Covid19 pandemic, Kenyan authorities were reported to be monitoring the phone calls, text messages, and mobile money transactions of millions of its citizens. Regulators ordered mobile phone operators to allow access, according to the Nation, a Kenyan paper that has obtained a letter from the Communications Authority of Kenya to one of these operators. The CAK, responding to criticism, claims the initiative, a “device monitoring system” (DMS), is aimed only at blocking counterfeit phones from being used on mobile phone networks. On its Facebook page the agency said the DMS would not access the personal data of subscribers. The authority wrote to mobile phone service providers setting up dates for the plugging of the network snooping device. It would involve the third party company getting hooked up to all routers at the Service provider core data centers, effectively opening up private communication data to an entity other than those licensed to hold them and the government according to the newly enacted Data privacy act. A Letter addressed to one of the operators, asking it to authorize the third party to install the link that would open up SMS, call and mobile money transfer data to the third party as the plan takes shape read, “Kindly facilitate our principal contractor, M/S Broadband Communications Networks Ltd, to access your site and install the link at the data-centre or the mobile switching room.” The link should terminate close to the core network elements that shall integrate to the DMS solution “. Of bigger concern to the operators is that the company contracted by the authority, which does not legally bear the responsibility to protect customer confidentiality, will get a direct access to call data before transmitting it to the regulator, splitting responsibility between three parties and leaving users exposed to intrusion of privacy.
Privacy International, a London-based charity that investigates technology and privacy, found that military intelligence in Uganda bought FinFisher, an intrusive malware, from a German firm, Gamma International GmbH, after protests broke out in the aftermath of the disputed 2011 election. “FinFisher was the ‘backbone’ of a secret operation to spy on leading opposition members, activists, elected officials, intelligence insiders and journalists following the 2011 election which the incumbent President won. State Surveillance in Uganda. In Uganda the July 2010 bombings in Kampala in which 76 people were killed led to the swift passing of the Regulation of Interception of Communications Act. The Act gives powers to security officials to listen in on private communications if they suspect the communication is in aid of criminal activity but, as the evidence from ‘Operation Fungua Macho’ shows, often the targets are political rivals and dissenters or journalists and civil society workers, not criminals.
Covered entities would also be required to issue a “public report” at least once every 30 days. These reports would need to include: the aggregate number of individuals whose data the entity has collected, processed or transferred; the categories of data that were collected, processed or transferred; the purposes for which data was collected, processed or transferred; and those to whom it was transferred. Covered entities must also provide individuals with the “right to opt-out,” or an effective mechanism that allows them to revoke their consent. Upon receiving an opt-out request, a covered entity would have 14 days to stop collecting, processing, or transferring the covered data, or to de-identify it. The bill also contains clauses on deletion, de-identification and minimization. Entities would be required to delete or de-identify covered information when it is no longer being used for the purpose for which it was initially collected, processed or transferred. Entities would also need to minimize their collection, processing and transfers of data to “what is reasonably necessary, proportionate, and limited” to the initial purpose. To aid covered entities in these endeavours, the bill calls upon the U.S. Federal Trade Commission to issue “guidelines recommending best practices” for data minimization.
One of its final provisions would mandate that covered entities put in place cybersecurity protections, requiring them to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the data covered by the law. While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” said Thune. “This bill strikes the right balance between innovations — allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread — and maintaining privacy protections for U.S. citizens.” “In the age of social distancing, we are leaning on technology more than ever to stay connected and obtain information,” said Blackburn. “It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk. Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.