Does combating the novel coronavirus require us to relinquish privacy? China has succeeded in rapidly containing local transmission of the novel coronavirus. They have done this by increasing the scope of its already extensive network of surveillance technologies. This includes a smartphone app that restricts travel and access to public transportation based on an individual’s coronavirus testing status.
Meanwhile, South Korean authorities are using a combination of surveillance-camera footage, smartphone location data, and credit-card purchase records. This is to identify recent contacts of individuals who have tested positive for the virus. While widespread testing efforts are the primary credit for the country’s success in containing the virus. Some argue that the testing’s success is only due to the pairing with the intrusive surveillance program that identified who to test.
Balancing privacy with public health
The massive scale and devastating effects of this pandemic demand a thorough and thoughtful discussion of how to balance individual privacy. As well as civil liberties against the critical information these technologies can provide. However, moving too quickly to draw lessons from countries that have relied on extensive surveillance as part of their containment programs risks the same kind of uncritical acceptance of the expansion of large-scale surveillance that emerged after 9/11. At a minimum, we need to ask what data do these technologies collect. Also, how accurate is it, and what can authorities do with it? Not all information is useful in this fight.
Answering those questions requires a close analysis of how these technologies work with the information health experts and other authorities need to slow the spread. Set priorities for response efforts, or take other measures. For example, these programs use cell phone location data to identify people who may have come in contact to the virus. But, as Susan Landau notes, cell phone location data generally is not precise enough on its own to identify whether a person came within the six-foot radius. Health experts estimate 6ft to be the virus transmission range.
Data Privacy During the Pandemic
Aggregation of multiple data points can provide much more precise information, as evidenced by South Korea’s program. But that aggregation raises additional privacy concerns and public safety risks. South Korea recently revised its program to limit public disclosure of patient-tracking data. This after the detailed information it provided was used to identify and attack several COVID-19 patients online.
The South Korean example shows that even modest changes to how data is collected and used can mitigate privacy and civil liberties risks without unduly limiting the effectiveness of these programs. Also, countries like the US and South Africa have announced efforts to use aggregated, anonymized data. This could help combat the spread of the virus with far less impact on privacy. A new non-profit group of privacy researchers in Europe recently released a contact-tracking app designed to meet the region’s stringent privacy standards.
Tradeoffs and difficult decisions
Anonymizing data, and other measures to mitigate privacy risks, are imperfect at best. Even minimally intrusive measures require hard decisions about what tradeoffs are acceptable and how to effectively deploy and enforce safeguards. The good news is that many communities already have developed creative and effective tools for doing just that. Oakland, Seattle, and several other cities and counties in the US have adopted surveillance ordinances. These require privacy impact assessments and citizen oversight of intrusive tracking technologies. Also, states like Ohio and Indiana have used ad hoc processes to evaluate and develop privacy-protective policies. These are for specific technologies like facial recognition.
These laws and policies were designed for less urgent times and won’t easily be applied to evaluating the use of surveillance measures in the fight against COVID-19. However, they provide models for engaging communities and experts while making these difficult decisions. COVID-19 should accelerate—not end—the discussion over privacy and surveillance.
By Professor Brian Ray is a former member of the Ohio Attorney General’s Facial Recognition Task Force and is the Professor Alan Miles & Judge Betty Willis Ruben Professor of Law at Cleveland-Marshall College of Law, where he directs the Center for Cybersecurity & Privacy Protection.
Priority Application Deadline
December 14, 2021
Fall Session Starts
January 10, 2022
Cybersecurity Week Webinar
October 19, 2021 12:00 pmWebinar Registration