How responses indicate views of individual privacy
As the World Health Organisation finally confirms that the Covid-19 virus outbreak has crossed the threshold into global pandemic status, we can expect to see governments around the world reacting to take steps to protect their populations. Already, on March 11, the US suspended travel from much of Europe; more directly affected states have put in place internal movement restrictions, predicated on the age-old approach to disease control – stop people moving, stop the spread; quarantine and, more or less, let nature take its course.
What is fast getting interesting from a privacy ethics perspective is how states have and will use technology and the data they hold or can develop to manage the behaviour of their citizens – and also how technology can assist in overcoming some of the problems caused by movement restrictions.
Ground Zero
Perhaps unsurprisingly, given that it was home patient zero and still has, by an order of magnitude, far more cases and deaths than any other country, China has enacted very strict rules on disease control – backed by a significant increase in deployment of surveillance technology.
Scanning into office and apartment buildings to allow detailed movement tracking; CCTV monitoring to detect (non)use of face-masks or elevated temperatures; increased monitoring of social media posts to detect ‘misinformation’; encouraging of informing on neighbours who may be ill, but not declaring it.
It’s easy to say that these are predictable uses of technology in a state which paces a very different emphasis on personal privacy than in Liberal Democracies – something which should (and probably will) be the longer of a much longer piece of work at some stage. And it will certainly be interesting to see whether, now deployed, China rolls these enhance controls back, post-pandemic.
It will be even more interesting, given the furore over Heathrow airport’s ‘failure’ to deploy temperature scanning on an incoming flight from Milan, how far more democratic governments feel they want to go in deploying similar methods to police their populations as the pandemic worsens.
Two borders away, we have seen a different, but perhaps in a sense no less invasive, use of technology. As well as mass-testing, smartphone notifications have been widely distributed to show the movements of known infected people – which has led to some significant issues, one individual identified as having potentially been visiting a red-light area, whereas they were actually in a nearby restaurant.
While the alerts have purportedly been anonymised, it’s not atypical – or unexpected really – that a proportion of individuals have been able to be identified, especially where there is a more prurient interest.
In each of these countries, governments have deployed existing technologies to exert social control in an effort reduce the levels of transmission – apparently with some effect in both cases, but certainly with impacts on rights and freedoms of their citizens. In both cases, the flavour of response echoes existing views of privacy, technology and interaction of both with the state and social control.
Similar patterns are evident in Hong Kong (surveillance, publishing of details of cases online and Singapore (surveillance to track individuals, accompanied by hefty fines). In these cases too, populations have historically tended to be more accepting of state control for the ‘greater good’, than for example the more libertarian populations of Europe and North America.
A growing risk
It’s fair to say though, that the Western Liberal Democracies have only just begun to be tested in their response – infection and mortality rates (numbers, if not necessarily percentages of those infected) have only really just begun to nudge most governments to start reacting in a more active way.
Staying in the APAC region, Taiwan instigated movement controls very early, and also put in place fines for spreading misinformation, while utilising combined health, immigration and customs data sets – having learnt from the SARs outbreak – and massively increased production of effective facemasks. This combination of data and physical controls has, at this point, kept a tight rein on the outbreak in comparison to mainland China – without resorting to hugely privacy invasive measures.
However, while the lessons from Taiwan can and should be learnt, it’s also worth noting that they have certain advantages – having learnt from SARs, they are also an island and have been able to exert effective border controls. Europe in particular is already well-past that point – leading us back to the question of how far Western governments will feel they should and can go.
Trading off individual rights and freedoms in the face of national crises isn’t a new concept – in fact, it’s part of the social contract between government and people that, at times of war for example, the government will defend its citizens, and that there may be an impact on individual rights ‘for the duration’.
But it’s also fair to say that the state of the art in terms of social engineering and population control via use of data has somewhat moved on in the last decade or so – the ability to surveil citizens has never been greater, and, since 9/11, the deployment of surveillance against civil populations has also grown hugely as evidenced by programmes such as PRISM, or deployment of technology such as full body-scanners at airports.
In pre-GDPR days, information security teams used to talk about ‘reducing the expectation of privacy’ in employees using the network. So we are, perhaps, no less inured to the idea of sacrificing privacy rights for security than in other jurisdictions – if less openly and obviously than elsewhere.
Big data and machine learning
Of course, despite the risks, there are cast-iron cases for using personal data for combating Covid-19. As seen in Taiwan and China, capturing detailed case histories and modelling the spread of the virus can assist in developing preventative measures, and also in deploying scarce health resources to where they will be most effective.
There are a number of ethical choices wrapped up even in that. Firstly, do we deploy resource to help the most sick, when the mortality rate is significantly higher and resource may be less effective, or to prevent spread of the disease? Not an privacy ethics choice, admittedly, except where it is founded on data – data which, perhaps, is not complete, given the likely level of under-detection at this stage.
Would that lead perhaps to mis-deployment? The UK government has already been criticised for under-reacting and not understanding ‘classic public health’- after taking a position based on modelling. (We do not, of course, understand the full logic of the decision).
Unintended benefits/consequences
As well as the macro-level, micro-decision-making, business by business will also have data protection ramifications. We are already seeing a growth in capture of health-related information by employers, and requests for confirmation of non- work-related travel details.
Likewise, with operators like Microsoft and Google offering to provide the collaboration software for free to low-level licence users, we are likely to see a vast increase in deployments of cloud tools to enable home-working – all of which entail privacy and information security challenges; but which could, if rolled out successfully, affect a long-term shift which would, for example, reduce travel overall and therefore also help to tackle the climate crisis.
At local democracy level, decision-making is not vested in executive powers – only by committee; so will the lower tiers grind to a halt due to the antiquated strictures around meetings, or will there be challenges that create a new – and perhaps more modern, family-friendly, alternative.
We still have a way to go on this journey – we are, in the UK at least, only just entering ‘phase two’ – the so-called Delay phase. The manner of country’s, and business’ responses will be led by their own cultures and capabilities. We must be cautious though, that the crisis is not used to permanently erode civil liberties and individual privacy – while also looking for the silver linings where we can.
Sources:
Privacy. Data. Ethics. 