Covid-19 pressures privacy as pandemic spreads globally
19 March 2020. By Dave Perera, Matthew Newman, and Hyung-jo Choi
Novel coronavirus is the first global pandemic to arrive in an era when nearly the entire population can be tracked in real time, thanks to the ubiquity of smartphones and social media. The question facing non-authoritarian governments is how heavily to draw on that trove of private sector data in a bid to limit the deadly disease.
Spurred by a variable sense of urgency and guided by privacy laws of diverging strength, authorities in Europe, Asia and the Americas have responded with different levels of invasiveness into the lives of citizens. From Brussels to Washington to Seoul, some countries are treading cautiously, while others have all but published online the names of confirmed cases.
Multinational tech companies haven't exactly responded with unbridled enthusiasm for calls to tap their data, torn as they are between an opportunity to recapture a reputation for being digital saviors and worries that revealing data will only confirm their inability to safeguard customers’ privacy.
Facebook has been in discussions with government officials about working on mapping the spread of the virus, affirmed Facebook CEO Mark Zuckerberg during a call today with reporters. But he was careful to push back on reports that the social media giant and its Silicon Valley brethren may release user data to governments.
"As far as I can tell, those reports are largely overstated," Zuckerberg said.
Google responded to an MLex inquiry with a statement that it also hasn't shared any location data — although the search engine behemoth is exploring how “aggregated anonymized location information” could help governments fight the strain of coronavirus, which causes the disease known as Covid-19.
“One example could be helping health authorities determine the impact of social distancing, similar to the way we show popular restaurant times and traffic patterns in Google Maps,” a company spokesman said. The work would “not involve sharing data about any individual’s location, movement, or contacts.”
— South Korea —
In South Korea, the government has published online the personal data of the patients confirmed with the infectious disease, sparking debates over whether a right to be informed takes precedence over a right of privacy.
South Korea’s Infectious Disease Control and Prevention Act stipulates that when infectious disease is spreading, the Ministry of Health and Welfare must disclose “information with which citizens are required to be acquainted for preventing the infectious disease, such as the movement paths, transportation means, medical treatment institutions, and contacts of patients of the infectious disease.”
As a result, the Health Ministry and the regional governments have been disclosing online not only patients’ movements, but also personal information such as age, the hospital they are admitted to, as well as the approximate location of their residence and from where they are suspected of contracting the disease. Citizens get real-time alerts through text messages when new cases are confirmed within the districts of their residence, with links to check the details of the patients.
To trace the movements, investigators analyze data such as credit card transactions, cellphone location data, CCTV footage and the telecommunication information of the patients. Ordinarily, it would be illegal to collect such information without consent. But the Personal Information Protection Act has an exception when such personal data is “urgently necessary for ensuring the public safety and security, including public health.”
The information disclosed by the government at times was enough to identify the exact identity of the patients, so some patients witnessed the details of their personal lives being exposed to the public.
Following mounting criticism, health authorities earlier this month distributed guidelines to the regional governments detailing the extent of information that can be made public.
Some government officials with access to such information were also found to have leaked documents containing sensitive data, like the names and exact occupations of the patients, an act not permissible even during a pandemic. A lawmaker representing the southeastern coastal city of Changwon, for instance, faces charges that he leaked such documents to his family.
Elsewhere in Asia, tensions are emerging between new privacy rules and the sudden need to access personal data in the Covid-19 crisis. The Singapore data-protection regulator clarified that as the government was responding to an emergency, "relevant personal data can be collected, used and disclosed without consent.” In Indonesia, where there is no comprehensive privacy regime yet, the government was criticized for releasing too much information on two early coronavirus cases, which led to individuals being identified.
In China, following the initial outbreak of Covid-19 in January, members of the public have had personal details leaked and published, leading to further personal harassment and invective. Information that was circulated included names, photos, home and work addresses, cellphone numbers and even ID numbers.
The Cyberspace Administration, China’s Internet regulator, was prompted in February to warn against any abuse of personal data for the purpose of epidemic control, urging that information can only be conducted by relevant health authorities.
Most recently, the city of Tianjin launched a regional campaign against the mishandling of personal data by apps related to Covid-19. This week, local authorities publicly reprimanded seven apps that had experienced data-processing problems.
— US —
A response of South Korean proportions — one that sees a governmental authority publishing the fairly detailed biographic data of coronavirus victims — is unlikely to occur in the US.
Personal health information is protected under a decades-old law, the Health Insurance Portability and Accountability Act, or HIPAA. The law allows health professionals to reveal patient data outside the bounds of confidentiality in cases of serious and imminent threats to safety. But it also demands that disclosed data be restricted to a minimum.
Publishing patients’ identifying information at this stage of the pandemic in any case would be counterproductive, said Deven McGraw, an Obama-era senior official in the Department of Health and Human Services HIPPA enforcement office.
“The spread is so rapid, that you have to assume that everyone might be infected, and take universal precautions, which is why we’re facing shelter-in-place orders,” she told MLex.
“Contact tracing,” the public health function of identifying individuals who have come into contact with a patient, is a response better suited to diseases without novel coronavirus’s two-week incubation period and propagation by asymptomatic carriers, she said.
That hasn’t stopped privacy advocates from worrying that coronavirus will result in a Big Tech data dump on the federal government, even if done in aggregate and for the purpose of tracking population movement trends.
“Location information can be incredibly revealing, and aggregate location information can also be disaggregated and personalized, depending on exactly what was shared,” said Greg Nojeim, a senior counsel at the Center for Democracy and Technology.
— Europe —
European governments and agencies are starting to tap location data from major mobile phone companies to help fight the spread of the Covid-19 pandemic.
At least one government's data-protection authority has approved the use of anonymized data, MLex has learned.
Vodafone, Europe’s largest mobile operator, said in a statement that it’s “willing to assist governments in developing insights based on large anonymized data” wherever it’s “technically possible, and legally permissible.”
The company has already produced an aggregated and anonymous heat map for Italy’s Lombardy region, a global coronavirus hotspot.
In Belgium, several telecom operators — Proximus, Orange and Telenet — have agreed to share part of their databases with a consultancy to help public authorities better fight the pandemic.
The Belgian government is studying the idea and is waiting for an evaluation by the country’s data protection authority, a spokeswoman for Philippe De Backer, Belgium’s federal telecom minister, said today.
In Germany, Deutsche Telekom said it has passed on anonymized customer cell phone data to the Robert Koch Institute, a federal agency and research institute responsible for disease control and prevention.
The German data is intended to model the spread of Covid-19. This data would be broken down nationwide, at the state level and down to the district and community level, a Deutsche Telekom spokesperson said.
The tracking of individual citizens or infected people shouldn’t be possible, the spokesperson added.
Under European Union privacy rules protecting the confidentially of communication on telecom networks, location data can only be used by telecom operators when it's made anonymous, or with individuals’ consent.
“The public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data)," the European Data Protection Board, the umbrella group of the EU’s data-protection authorities, said in a statement March 16. This could enable the generation of "reports on the concentration of mobile devices at a certain location."
Assurances of using anonymized data haven't convinced Patrick Breyer, a privacy advocate and member of the European Parliament, who warned about the dangers of “mass surveillance” in the name of fighting Covid-19.
"Monitoring the movements of the entire population, supposedly anonymously, protects nobody from infection, but allows for unprecedented mass surveillance,” Breyer told MLex.
“The authorities will start using the data for other reasons and this exposes people to investigations for not following the authorities’ orders,” he said.
—With assistance from Amy Miller in San Francisco, Jet Damazo-Santos in Jakarta, Xu Yuan in Hong Kong, Toko Sekiguchi in Tokyo, and Laurel Henning in Sydney.