Privacy in the Time of Corona: Control the Virus, Not the People

With the pandemic in full swing, toughening measures aimed at containing the coronavirus raises numerous privacy-related concerns among citizens across the world. While our technical teams focus primarily on cybersecurity when working from home and on how to adequately protect ourselves online, it is worth taking a look at privacy in relation to measures designed to curb the transmission of the virus by tracking our mobile devices.

With the pandemic in full swing, toughening measures aimed at containing the coronavirus raises numerous privacy-related concerns among citizens across the world. While our technical teams focus primarily on cybersecurity when working from home and on how to adequately protect ourselves online, it is worth taking a look at privacy in relation to measures designed to curb the transmission of the virus by tracking our mobile devices.

 

In an effort to control the virus and its spread and to limit the contacts through which it spreads, it might easily happen that citizens in fact become more controlled than the virus itself. The European Union is calling on Member States to primarily use anonymised and aggregated data on mobile devices and their movement (by the way, a collection of Community Mobility Reports has been provided by Google, which many users trust to track their movements); however, despite the desire for a harmonised approach, Member States can interpret such guidance differently. In many countries, apps are thus being created (a more detailed analysis can be found on this link) that differ widely in their protection of the privacy of individuals. The differences lie mostly in the collection and storage (as well as type) of data, purposes of the collection and, last but not least, the sharing and transfer of data to third parties.

 

In this context, a group of European researchers has developed the PEPP-PT app, where phones “recognise” each other via a Bluetooth connection, and only an anonymised ID is transferred between the devices. If certain conditions are fulfilled (following an epidemiologically significant contact), the user is informed that there has been a contact, but it is not specified where and with whom this contact occurred. A similar app has been developed in Singapore, the difference being that the user ID is linked to the user’s phone number, meaning anonymization is not provided. There, a security mechanism has been put in place to ensure that the data is collected and used only in the context and for the duration of the epidemic. Meanwhile, in the US and the UK, apps have been developed to collect information about the symptoms, mainly in order to spread knowledge and assess the risk. These apps collect both special category data (concerning health) and contact details that enable the identification of an individual. They facilitate research on the virus, but not its containment. An Israeli app collects the users’ geolocations, while the Polish have gone a step further – in addition to geolocation, their government app collects photos of the citizens (upon request), and all this is linked with a set of contact details. This is the official app to be used when quarantine is ordered. The user is supposed to be able to refuse using the app, but this would result in sporadic visits of police officers during their home quarantine. This is contradicted by disconcerting unofficial information on “forced cooperation” of citizens, as the authorities have been reported to have created user profiles on their own for users with confirmed infections in some cases.

 

The least criticised apps are those that anonymise the data (such as the user ID, which can no longer be linked with the data belonging to an identifiable user), those that are used on a voluntary basis (not using them has no negative implications for the individual) and those that store the data on the device without transferring it or storing it on a server.

 

At the time of writing (12 April 2020), 1,212 persons have tested positive for SARS-CoV-2 in Slovenia, of which 152 have recovered, 95 are hospitalised, and 55 have died (source: National Institute of Public Health and Government Communication Office). This means there are 910 people with confirmed infections who are located outside of hospitals and would be subject to monitoring. This is less than 0.05% of the 2,094,060 citizens residing in the country, as recorded by the Statistical Office of the Republic of Slovenia. Any measures affecting all citizens because of less than 0.05% of the population should be well thought out and, above all, proportionate.

 

The biggest and most burning issue in this context is how to ethically and appropriately balance the aim of protecting public health and security with the right of individuals to privacy and personal integrity. Europe is well on track in this respect, as the PEPP-PT international researchers’ initiative has no intention of allowing the health crisis to undermine the privacy standards that earlier generations fought to secure.

Cookie - Analitics
They are used to record the website's obscurity analysis and provide us with data to provide a better user experience.
Cookie - social
Cookies required for plug-ins for sharing content from social media sites.
Cookie - chat
Cookies allow you to sign up, contact and communicate through the communication plug-in on the page.
Cookie - marketing
They target targeted advertising based on past user's activity on other sites.
What are cookies?
By visiting and using the site, you consent to the use and recording of cookies.OK Learn more about cookies