Image for Data collection, privacy, and COVID-19
Avatar image of Victoria Henry
Canada Privacy Privacy Deficit Spy Agencies

Data collection, privacy, and COVID-19

How can the government protect privacy if cell phone tracking is used to combat COVID-19?

Extraordinary times call for extraordinary measures - but should those measures include tracking the movements of people through their cell phones?

In an effort to track and contain COVID-19 in their countries, some governments are turning to digital tracking and location data collection. But many people have serious privacy concerns about this approach, and worry that special powers which are bought in to address the pandemic will end up remaining in place permanently, as was seen in the U.S. following the 9/11 attacks. 

Some of the ways phone tracking is being used include:

  • To identify ‘hotspots’ where many people are gathering;
  • To track whether people have come into contact with infected people;
  • To monitor and enforce quarantine for people who are ill or who have been exposed.

In some European countries like Italy and Germany, mobile carriers are sharing aggregated location data with government to help them monitor whether people are complying with curbs on movement, and identify potential contact hot spots. 

In Singapore and the UK, apps are being used or proposed to detect whether people have come into contact with people who have been infected. Google and Apple are working on a similar voluntary app, which uses Bluetooth signals to detect other phones nearby. If a person tests positive for the virus, the data can in theory be used to find other people that person may have been in contact with - though there are serious concerns about whether Bluetooth contact is a reasonable approximation of the physical contact that spreads the virus

In Taiwan, the government is using cell phones to “geo-fence” quarantined people in their homes. The technology alerts authorities if the individual leaves their home or turns off their cell phone. Similarly, in Poland, the government has introduced an app which requires quarantined people to take and submit regular selfies to prove that they’re at home. People who do not comply are visited by the police. 

Each of these measures has different implications for our rights, but all involve trading away some privacy protections for the uncertain possibility of increased health protection. 

The big question for many in Canada right now is: Is Canada planning on bringing in any of these measures? The answer may depend on where you live. Alberta has announced plans to enforce quarantine compliance by app; it is unclear if other provinces will follow. Federally Trudeau hasn't ruled out using smartphone data to track locations and identify if people in Canada are complying with pandemic measures. 

This has left many people in Canada concerned about the possibility of overreaching invasive emergency measures, and for their potential to continue to undermine privacy after the crisis is over.

With that in mind, OpenMedia, alongside a number of Canadian experts and civil society organizations, is looking to pre-empt potential bad policies by putting forward seven key principles that should be in place if any of these measures are considered, to preserve our privacy and our democracy. 

1. Prioritize approaches to help people stay at home which do not involve surveillance
Use public education, financial assistance, and other options to help people stay at home and avoid infection.

2. Due process for adopting any new powers
Open public debate, as well as a proper legislative process, must happen before any new powers are bought in. Any new rules must be temporary, with scheduled review periods. Courts and the privacy commissioner must assess the legality, effectiveness and proportionality of any measures. And there must be full transparency both of any new rules, and any reviews. 

3. Consent must be favoured
Options that allow people the choice to volunteer their data must be strongly preferred to non-voluntary data collection.

4. Put strict limits on data collection and retention
Any data collected must be limited to what’s strictly necessary, and deleted as soon as it’s no longer necessary to contain the pandemic.

5. Put strict limits on use and disclosure
All data must be de-identified and anonymized. It must only be used for its stated purpose. And it shouldn’t be disclosed to anyone outside of the original scope, for example immigration authorities or commercial entities.

6. There must be oversight, transparency and accountability
Any new rules or technology adopted during this period must have independent oversight, and be fully transparent. There must also be options for recourse, should there be a data breach or violation of rights. 

7. Any surveillance efforts related to COVID-19 must not fall under the domain of security, law enforcement or intelligence agencies
The current pandemic situation is a public health crisis, not a matter of national security. Security, law enforcement and intelligence agencies must not be involved in any form of public health surveillance or data collection.

There’s no doubt that these are extraordinary times. And the pressure to adopt extraordinary measures in response to this situation is high. But we have to carefully consider the cost to our privacy, values and human rights. We must hear clearly from our government that our rights are prioritized and that these principles will be respected. 

For the full version of these principles, please visit http://openmedia.org/protect_rights_through_covid19/