Emergencies should not be a blank check

In the previous article in the #Antivirus series I reflected on the importance of governance in times of health emergencies to develop effective technological solutions, and highlighted the low impact of local experiences in the development of technologies and open data. This is due to their lack of sustainability over time, which results in precarious information to help mitigate the COVID-19 pandemic. In this second chapter, I will point out the importance of developing technological solutions and discuss the worrying measures of social surveillance and control regarding personal data in adverse contexts.

The protection of personal data and privacy also promotes public health quality

In emergency times, people have been actively applying the best of their abilities to respond to the situation and propose solutions, and those responses are increasingly associated with digital technologies. Within this framework of actions, we see a growing number of agents (from civil society, the technical community and the private sector) building and launching self-monitoring and reporting applications aimed at the community, leading to active citizen participation.

Many of these technological solutions are unaware of privacy and personal data protection standards, when these considerations should form the basis for any development, since they are dealing with health data, that is, sensitive information. Following the recommendations of personal data experts, they should study and apply the guidelines for app development based on the personal data protection standards of the GDPR [1]. Some technological principles and considerations [2] that should be implemented in these technological solutions are:

  • privacy and personal data notice must be accessible to users, including informed consent, purpose, data quality, confidentiality, security and identification of the person responsible for the treatment of personal data, among others
  • users must be able to choose and control privacy settings [3]
  • it must include privacy by design [4]
  • it should only store data necessary for its operation
  • sensitive databases must be encrypted
  • data must be dissociated
  • it must deliver anonymous transparency reports to citizens
  • it must publish in open data format
  • sensitive information may be delivered to the criminal system only by court order [5]
  • the user must be notified in the event that state institutions request their information
  • the user must be informed if their data is being transferred
  • testing instruments must be explained (what is a suspected case, what is a confirmed case, what is the methodology behind these definitions)
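Several of these principles (storing only necessary data, dissociating it, and publishing anonymous reports in an open data format) can be shown together in code. The following is an added example, not code from any of the applications discussed in this article; the field names, the suppression threshold of 3 and the use of HMAC-SHA-256 as the dissociation technique are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample submissions: every name, ID and coordinate is invented.
RAW_REPORTS = [
    {"national_id": "1000001", "full_name": "Ana Example", "phone": "0981000001",
     "gps": "-25.2801,-57.6343", "district": "Asuncion",
     "report_date": "2020-04-02", "symptoms": "fever,cough"},
    {"national_id": "1000001", "full_name": "Ana Example", "phone": "0981000001",
     "gps": "-25.2801,-57.6343", "district": "Asuncion",
     "report_date": "2020-04-03", "symptoms": "cough"},
    {"national_id": "1000002", "full_name": "Luis Example", "phone": "0981000002",
     "gps": "-25.2900,-57.6400", "district": "Asuncion",
     "report_date": "2020-04-03", "symptoms": "fever"},
    {"national_id": "1000003", "full_name": "Eva Example", "phone": "0981000003",
     "gps": "-25.3000,-57.6200", "district": "Asuncion",
     "report_date": "2020-04-03", "symptoms": "none"},
    {"national_id": "1000004", "full_name": "Raul Example", "phone": "0981000004",
     "gps": "-25.2700,-57.4800", "district": "Luque",
     "report_date": "2020-04-03", "symptoms": "cough"},
]

# Assumption: the only fields the service needs for its stated purpose.
ALLOWED_FIELDS = ("district", "report_date", "symptoms")
# Assumption: counts below this threshold are never published as exact numbers.
MIN_CELL = 3
# Constructed demo key. A real key is generated randomly and kept outside the
# database, so a leaked table cannot be re-linked to people by itself.
DEMO_KEY = b"constructed-demo-key"


def pseudonymize(national_id: str, key: bytes) -> str:
    """Dissociation: replace the identifier with a keyed, non-reversible token."""
    return hmac.new(key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(report: dict, key: bytes) -> dict:
    """Keep only the allowed fields; name, phone and GPS are never stored."""
    record = {field: report[field] for field in ALLOWED_FIELDS}
    record["subject"] = pseudonymize(report["national_id"], key)
    return record


def transparency_report(records: list, min_cell: int = MIN_CELL) -> list:
    """Count distinct people per district and suppress small cells."""
    people = {}
    for record in records:
        people.setdefault(record["district"], set()).add(record["subject"])
    rows = []
    for district in sorted(people):
        count = len(people[district])
        shown = str(count) if count >= min_cell else f"<{min_cell}"
        rows.append({"district": district, "reporting_people": shown})
    return rows


def to_csv(rows: list) -> str:
    """Serialize the report as CSV, an open data format."""
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=["district", "reporting_people"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buffer.getvalue()


if __name__ == "__main__":
    stored = [minimize(report, DEMO_KEY) for report in RAW_REPORTS]
    print(to_csv(transparency_report(stored)))
```

Keyed pseudonyms remain personal data under the GDPR as long as the key exists, so the stored records still fall under the encryption principle listed above.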

The existence and continuous development of malicious programs (such as spyware and malware) that pose as coronavirus-related applications has also been noted on a global scale. Furthermore, an illegal market has been created that uses information stolen from poorly designed applications and web platforms for the purposes of espionage, blackmailing, and other crimes.

1) This lack of good practices in the treatment of sensitive data is evident in local proposals

The Rastreo COVID-19 (‘COVID-19 Tracking’) application, created by a group of young computer scientists, is an app that “registers contacts with other people and receives notifications when an infected person is confirmed”. In a first analysis, none of the aforementioned recommendations are being applied and, without the necessary legal safeguards, there is a high risk that this type of initiative will lead to abuses, such as information leaks, cybersecurity failures, sale of databases, disproportionate surveillance, or others.

This concern also applies to regional initiatives such as the Ñangareko Program of the Alto Paraná government, which uses a web platform for the distribution of food kits and the delivery of financial aid for people in a situation of vulnerability. In order to receive this aid, the person must fill out a form with personal data, which means that the platform is building a sensitive database of the entire vulnerable population of Paraná. A problem that is apparent at first sight is that the platform lacks a basic element of digital security, namely a secure connection (https), which means that the exchange of information is done without encryption. Another problem is that this sensitive database is hosted on the servers of a company called host.com.py, when it should be hosted on state servers [6]. Moreover, it does not follow the recommendations listed above.

Another example of bad practice is the form of a supposed COVID-19 emergency census, which collects sensitive information without mentioning a person or entity responsible for the processing of personal data, and without the endorsement of the Paraguayan Ministry of Public Health. State institutions have reported that this is a fake census and asked the population not to register on non-official portals.

On the other hand, the citizen initiative autoreporte.org offers information on the symptoms of the disease, to try to avoid saturation of the primary care system of the Ministry of Health, and also provides statistical information.

And finally, we have the platform of the Ministry of Health, which has restricted access and is intended for internal use by the institution, as well as for people diagnosed with COVID-19. This platform will store personal data and sensitive data (like medical procedures and geolocation), in accordance with the instructions of the General Directorate of Health Surveillance.

A news article by the Ministry of Information and Communication Technology (MITIC) explained that “this application will, for the first time, cross the databases of Migrations (for those who entered the country), the National Police (which validates the personal data of citizens) and health data (of quarantine compliance), for sending medical reports”. The minister, Alejandro Peralta Vierci, further detailed that “these people will receive an SMS to connect to the application where they will certify their data, respond to a first medical report of their current clinical status and allow the registration of their geolocation. The General Directorate of Health Surveillance of the MSPBS [Ministry of Public Health] will have these data to make the control of people in quarantine more efficient”.

Although this platform is not available to the public and there is no personal data law, the publication of statistical and impact reports is suggested, since it uses databases with sensitive information. In addition to this, they should publish a privacy and personal data policy, as well as data protection protocols.

It is essential that each public or private initiative takes into account these privacy and digital security policies to protect the personal data that will be stored. A good example is the Massachusetts Institute of Technology (MIT), which developed a mobile application called Private Kit: Safe Paths that applies the principle of Privacy-by-Design and explains in detail how the processing of personal data will be carried out [7].

2) The fantasy field of people’s geolocation through apps or tracking through ISPs, and other privacy breaches to fight the pandemic

Institutional approaches that use contact tracking to determine new cases are based on medically approved evidence, but both the tracing of contacts and the presumption of illness have a huge impact on the person’s right to privacy [8]. Also, it is important to highlight that smartphone geolocation policies will track people’s phones, not the virus.

According to a NY Times article on mass surveillance in China [9], people are required to use software called Alipay Health Code (using the mobile wallet app Alipay, part-owned by e-commerce giant Alibaba), which assigns each person a color code (red, yellow and green) indicating their health status. This code defines what the person is allowed to do, such as going to malls or using the subway. The data used to define a person’s health status comes from the government, ISPs, the mobile application itself and the crossing of data from commercial and financial service companies. The type of software they use is unknown, as is the algorithm that classifies people. The article also claims that their analysts found the existence of a backdoor, through which the application shares information with the authorities.

In the case of South Korea [10], the tracking of people is being carried out through their mobile phone’s geographical position, as well as recordings from security cameras and the history of credit card purchases. This tracing app is known as «Corona 100m».

According to an article by The Guardian [11], the mobile phone industry (through the international consortium GSMA) has explored the creation of a global data exchange system that could track people around the world, as part of an effort to curb the spread of COVID-19.

Another global effort at tracking people is Facebook’s project Disease Prevention Maps. These maps show variables such as mobility trends, information on confinement orders, contact tracing and the degree of ‘social connection’ between different regions. The project presents some similarities with the one announced by Google and Apple [12], which records geolocation data from mobile phones to compile statistics on the mobility of people in countries or regions, with the aim of evaluating the effects of confinement and the degree of compliance. According to these companies, the data they publish is generic and anonymised.

As expressed by the international organization in defense of digital rights Access Now [13], “location data is highly revealing. By simply following a person’s movement based on location data from a smartphone, you can deduce their home address and workplace, map their interaction with others, identify their doctor visits, infer their socioeconomic status, and more. Without proper safeguards, tracking and geolocation tools can enable ubiquitous surveillance”. For these reasons, the use of geolocation to help cope with the spread of the virus must be carried out in a manner that respects rights, promotes trust in governments and protects individual security, given the high risk of increasing state-sponsored mass surveillance [14].

In Singapore, the government implemented a self-report app called TraceTogether that offers information related to COVID-19, the stock of pharmacies, health services, and also keeps track of the contacts that the person has come across, using Bluetooth instead of GPS. This solves the problem of establishing the relative distance in cases where people live in multi-story buildings: Bluetooth is accurate where the GPS system would return erroneous data, showing crowds where there are none [15].

According to a publication from the Center for International Governance Innovation [16], a type of approach like that of China, South Korea or Singapore, which enables the mapping of its population in real time, does not guarantee that the information being collected will help in predicting the evolution of the pandemic.

One of the first cases of COVID-19-related digital contact tracing by a content platform was that of Uber, when authorities used the location history of a potentially infected person to trace his possible contacts in Mexico, which included two Uber drivers [17]. Contact tracing helped find and warn 240 people who had traveled with the two drivers presumed to be infected, but it also had the negative effect of Uber temporarily suspending their accounts. The increasingly private dimension of disaster response involves a fundamental risk, namely that we are unaware whether decisions such as the one made by Uber are appropriate or not. The way for the law to assess a specific problem is to consider whether a legitimate and proven approach was used, whether the measures taken were necessary to achieve the objective, and whether the damage that the measures cause is proportionate to the magnitude of the problem they intend to solve. In the Uber example, the company was presumably acting in the public interest, but its travel ban turned out to be legally ineffective as it affected 240 people without really knowing if they were at risk.

Tracking social contacts to find potentially infected people is one of the possible uses of sensitive data, but to guarantee its effectiveness and legality, the tracking must be carried out within the framework of a specific suspicion, through scientifically approved tests, and using institutional mechanisms.

According to a report by the UN Human Rights Office [18], human rights experts urged States to “avoid overreach of security measures in their response to the coronavirus outbreak” and reminded them that “emergency powers should not be used to quash dissent”. The experts expressed that “While we recognize the severity of the current health crisis and acknowledge that the use of emergency powers is allowed by international law in response to significant threats, we urgently remind States that any emergency responses to the coronavirus must be proportionate, necessary and non-discriminatory”.

Al Sur, a consortium of Latin American civil society organizations that works in defense of digital rights (of which TEDIC is a member), issued a statement [19] expressing a similar concern: “The use of digital technologies to combat this pandemic cannot be excluded from an examination of necessity and proportionality regarding the potential effects on our fundamental rights.”

Considering that health systems are approaching the limit of their capacity to contain and treat COVID-19, special care must be taken to avoid the use of pseudoscientific or techno-solutionist mechanisms, as they can hinder the effective modeling of the pandemic and unnecessarily confuse both the Ministry of Health and the people.

3) Transparency in sensitive health information: a virus that does not discriminate and people who do

In an interview for Última Hora, the General Director of Health Surveillance, Guillermo Sequera, stresses that gathering the geolocation information of citizens generates a false sense of security and also stigmatizes the sick person:

People want to know where the affected person is. We don’t realize that by doing so, I am stigmatizing them and I could be the bearer, I am going to get sick and I will make those around me sick. The virus is circulating, let’s take precautions everyone. […] It occurs in all the world and it’s an ethical problem. Now the ethical discussion is the confidentiality of the data and the stigmatization of the case.

The Singapore government maintains an open database of cases, with personal (albeit unnamed) information, location history and other up-to-date information. In these kinds of situations, it should be borne in mind that when all this information is combined with elements such as panic, scarcity or despair, bias problems may arise which could eventually lead to dangerous and unforeseen consequences.

The publication of georeferenced information on infections in countries like Paraguay, unlike what happens in Singapore, generates a very dangerous side effect for people’s lives: death threats and ‘escraches’ (public persecution [20]) arising from the stigmatization of people with COVID-19 [21].

Within this framework, the Ministry of Health highlighted that the international treaties on human rights ratified by the country are in force, as well as the right to privacy (Constitution of Paraguay, art. 33) and the Resolution S.G. Nº 146/2012, which states:

Article No. 4: “Health personnel have the obligation to respect and protect the right to privacy of people, therefore it is strictly prohibited in health facilities to film or photograph users without their consent (…)”

Article No. 6: “(…) all health personnel are obliged to respect the confidential nature of the information and data of all persons who receive health care or come to receive information and guidance in a health service center and, therefore, to guarantee professional secrecy.”

The general population does not possess the instruments to adequately manage a response to this type of crisis, and fear and discrimination can often give way. For example, people do not seem to understand that the main determinant of COVID-19 mortality is the low capacity of health systems to cope with so many people being infected in such a short time, and this type of distorted gaze can lead to popular support for surveillance and social control measures, which could be used later in a different context and negatively affect individual and collective rights.

Social control: worrying technological surveillance in the hands of corrupt or authoritarian states

The primary concern regarding the use of health surveillance technologies is not the technology itself, but how it is deployed. The control that it enables in the social sphere usually eludes the guarantees incorporated in our institutional structures, which are vital in times of prolonged emergency. In contexts with a high degree of institutional transparency and citizen trust, independent controls are carried out over the exercise of authority, with a strong support for state policies. However, in contexts with a high degree of corruption, as is the case in Paraguay [22], the use of these technologies and the implementation of these social control mechanisms poses a great risk for the entire population.

Unfortunately, the tools and tactics of social control that are developed for dealing with a public health crisis such as that of COVID-19 are still used even when the state of emergency has ended. An example of this is South Korea, where the social license for the use of call logs granted during a previous emergency has been reused for traffic analysis on later occasions [23]. The digital tools, tactics, and capabilities that we develop during this crisis are expected to be used in future attempts at manipulating markets, borders, and politics.

In recent years, companies and technology platforms have used their machinery to conduct experiments during some humanitarian crises, with the implementation of artificial intelligence, big data and machine learning [24]. At present, a whole surveillance industry is being generated around the current pandemic, which can be seen, for example, in the rapid development of technologies for facial recognition, to the point where they can recognize a person even when they are wearing a mask [25]. While epidemiological surveillance is carried out within the limits of medical ethics, the technologies that enable personal surveillance do not comply with scientific protocols, nor do they have mechanisms to prove their quality or their contextual applicability with a focus on human rights.

Furthermore, since these platforms are built as a “black box”, that is, without the possibility of an audit, we have no way of understanding the underlying equity or the rights at stake, the due process that they may violate, or assessing the legitimacy of the actions of certain governments. State control, as a substitute for legitimacy, is an extremely dangerous shape that power takes in times of disasters or emergencies.

Experts in medical ethics emphasize that there is no need to obtain someone’s health status through a mobile tracking and surveillance app when the person can communicate effectively and safely what is happening to them and take actions in accordance with professional guidance. In the same line, there is no need to ‘surveil’ the population through indirect technologies, when there is the possibility to communicate with and trust state institutions.

Oftentimes, great tragedies inspire regulatory changes and the restructuring of powers. Some of the more relevant international biomedical ethics laws and institutions were founded after World War II, based on the findings of the Nuremberg Doctors’ trial and the subsequent Belmont Report. While the effects of the COVID-19 outbreak cannot be compared to the scale of mortality of World War II, it is worth reflecting on how deep a health crisis should be in order for us to build a universal public health system that can solve the problems of the population and that we can trust.

Frequently, the line between disease surveillance and population surveillance is easily blurred, and the consequences arising from the use of technology are overlooked and often deeply disturbing.

Conclusions

These two articles have focused on analyzing the uses and abuses of technological interventions aimed at responding to this global emergency, unprecedented in terms of speed. Systems and technologies that deal with second-order effects (public communication, economic stimulus, law enforcement) are intentionally excluded. Instead, I delve into the extraordinary measures and experiences deployed in response to the coronavirus (on a global and local scale) from a technological point of view, including real-time geolocation and the use of algorithmic models and mobile apps developed specifically for the quarantine.

The urge to ‘do something’ that technology communities have shown at this time of crisis is inspiring; however, this kind of approach does not take into consideration that the solutions must be structural and comprehensive. For this to happen, it is important to gather the support of groups of experts in various disciplines, as well as putting together governance groups to guarantee that the chosen path serves every sector.

Paraguay is no stranger to this trend in the use of technologies, but it has several structural shortcomings preventing it from being able to generate solutions that guarantee the rights of its citizens. TEDIC warns about the absence in Paraguay of a comprehensive law on the protection of personal data that requires all sectors to safeguard and protect personal data. Given this lack of local regulations, we urge initiatives that use technology to deal with this emergency situation to take into account the standards of European regulations on personal data (GDPR), in order to achieve greater competitiveness and ensure proper respect for the right to privacy (art. 33 of the Constitution of Paraguay) and other fundamental rights.

It is neither new nor politically radical to suggest that, when governments make use of exceptional powers, the constitutional and contractual controls must include strong supervision, sunset clauses and provisions for dispute settlement.

Lastly, it is important to emphasize that, when talking about the implementation of technologies that involve the treatment of sensitive personal data, the debate should focus on privacy, as well as on the control that is exercised over the population and its impact on fundamental rights, both in the present and in the future.

Notes:

  1. General Data Protection Regulation of the European Union: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
  2. Protection of personal data in public databases in Paraguay [in Spanish]: https://www.tedic.org/wp-content/uploads/2017/09/La-protección-de-Bases-de-Datos-en-Paraguay_Documento-Final.pdf
  3. Good Practice guide for App development [in Spanish]: http://www.jus.gob.ar/media/3075908/guiabpsoftware.pdf
  4. The importance of security in the digital economy [in Spanish]: https://www.tedic.org/la-importancia-de-la-seguridad-en-la-economia-digital-ciberseguridad/
  5. Who defends your data? [in Spanish]: https://qdtd.tedic.org/
  6. Since the publication of this article, the program has been extended nationwide and its website is now hosted on a government website with a secure https connection
  7. Apps Gone Rogue: Maintaining Personal Privacy in an Epidemic: https://arxiv.org/pdf/2003.08567.pdf
  8. Phones Could Track the Spread of Covid-19. Is It a Good Idea? https://www.wired.com/story/phones-track-spread-covid19-good-idea/
  9. In Coronavirus Fight, China Gives Citizens a Color Code, With Red Flags https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html
  10. South Koreans are using smartphone apps to avoid the novel coronavirus https://qz.com/1810651/south-koreans-are-using-smartphone-apps-to-avoid-coronavirus/
  11. Mobile phone industry explores worldwide tracking of users https://www.theguardian.com/world/2020/mar/25/mobile-phone-industry-explores-worldwide-tracking-of-users-coronavirus
  12. Google and Apple Reveal How Covid-19 Alert Apps Might Look: https://www.wired.com/story/apple-google-covid-19-contact-tracing-interface/
  13. Recommendations on privacy and data protection in the fight against COVID-19 https://www.accessnow.org/cms/assets/uploads/2020/03/Access-Now-recommendations-on-Covid-and-data-protection-and-privacy.pdf
  14. The European Data Protection Board (EDPB) on the processing of personal data in the context of the COVID-19 outbreak: https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en
  15. TraceTogether – behind the scenes look at its development process: https://www.tech.gov.sg/media/technews/tracetogether-behind-the-scenes-look-at-its-development-process
  16. The Digital Response to the Outbreak of COVID-19 https://www.cigionline.org/articles/digital-response-outbreak-covid-19
  17. Uber temporarily suspends 240 accounts in Mexico over coronavirus fears https://www.theverge.com/2020/2/3/21120643/uber-coronavirus-mexico-accounts-suspension
  18. COVID-19: States should not abuse emergency measures to suppress human rights – UN experts https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25722&LangID=E
  19. Civil society asks from governments in Latin America and the Caribbean that digital technologies applied to the COVID-19 pandemic respect human rights [in Spanish]: https://www.tedic.org/sociedad-civil-pide-a-gobiernos-de-america-latina-y-el-caribe-que-tecnologias-digitales-aplicadas-ante-la-pandemia-covid-19-respeten-los-ddhh/
  20. Family of Covid-19 patient receives threats [in Spanish]: https://www.ultimahora.com/familia-paciente-covid-19-recibe-amenazas-n2875197.html
  21. Woman infected with #COVID19 recounts her experience of diagnosis and retaliation by citizens [in Spanish]: https://twitter.com/SomosGEN/status/1247329375399358469
  22. According to International IDEA, Paraguay ranks second to last in transparency in the region. See: The state of democracy in the world and in the Americas, 2019 Report: https://www.idea.int/publications/catalogue/summary-global-state-of-democracy-2019?lang=en
  23. Creepy Or Comforting? South Korea Tracks Smartphones To Curb MERS https://www.npr.org/sections/goatsandsoda/2015/06/10/413183459/creepy-or-comforting-south-korea-tracks-smartphones-to-curb-mers
  24. Scientists Crunch Data to Predict How Many People Will Get Coronavirus https://www.wsj.com/articles/scientists-crunch-data-to-predict-how-many-people-will-get-coronavirus-115844798
  25. Even mask-wearers can be ID’d, China facial recognition firm says https://www.reuters.com/article/us-health-coronavirus-facial-recognition/even-mask-wearers-can-be-idd-china-facial-recognition-firm-says-idUSKBN20W0WL