By Damayanthi Jakubowski (Privacy Consultant and Owner of Privacy101.org)
COVID-19, a novel Coronavirus Disease, has shaken the world to its core. In a matter of weeks, health has become everyone’s priority, pushing many other essentials to the side. To help curtail the spread of the virus quickly, governments in several countries are turning to mobile technologies. Perhaps because of the sense of urgency, privacy does not always seem to be at the forefront for everyone involved. However, especially in times of crisis, it is of the utmost importance not to abandon our civil liberties. Protecting our privacy should remain a focus for everyone.
Several governments around the world have started using individuals’ geolocation data, gathered from local telecommunications providers and from companies such as Google and Facebook, to identify how population groups move within a region. This data can provide essential information, for example to check whether people are obeying a stay-at-home order. However, although names, addresses, and other direct identifiers are generally stripped from the datasets that telecommunications providers hand over, a record that still contains precise locations and timestamps is only pseudonymous, not anonymous. Without additional privacy protections such as aggregation, coarsening, or added noise, research has shown that an individual can be re-identified from a handful of known locations and times, and that even aggregated mobility statistics can leak individual trajectories. (1)
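The re-identification risk described above can be shown concretely. The following Python example is added here and is not code from the original article; the dataset, pseudonyms, cell-tower names, and the target's "known" points are all constructed for illustration. It builds an inverted index over pseudonymised (hour, cell) pings, intersects the few points an adversary knows about a target (home at night, office in the morning, a cafe visit), and reports how quickly the anonymity set shrinks to one record. It then applies a simple mitigation, coarsening every ping to a six-hour window and a region, and shows that the same known points no longer single anyone out.

```python
"""Re-identifying pseudonymised mobility data from a few known points.

Added example, not code from the original article.  MOBILITY_DATA is a
constructed dataset: names have been replaced by opaque pseudonyms, but every
record still carries precise (hour, cell-tower) observations, which is the
situation the article describes for telecom location datasets.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Point = Tuple[int, str]      # (hour of day, cell-tower id)
Trace = Set[Point]

# Constructed pseudonymised dataset: pseudonym -> set of (hour, cell) pings.
MOBILITY_DATA: Dict[str, Trace] = {
    "u001": {(1, "cellA"), (8, "cellB"), (13, "cellC"), (19, "cellA")},
    "u002": {(1, "cellA"), (8, "cellB"), (13, "cellD"), (19, "cellA")},
    "u003": {(1, "cellA"), (8, "cellE"), (13, "cellC"), (19, "cellA")},
    "u004": {(1, "cellF"), (8, "cellB"), (13, "cellC"), (19, "cellF")},
    "u005": {(1, "cellA"), (8, "cellB"), (13, "cellC"), (19, "cellG")},
}

# Constructed auxiliary knowledge about the target, learned from outside the
# dataset (home address, workplace, a cafe visit), in the order it is learned.
TARGET_KNOWN: List[Point] = [(1, "cellA"), (8, "cellB"), (13, "cellC"), (19, "cellA")]


def build_index(data: Dict[str, Trace]) -> Dict[Point, Set[str]]:
    """Inverted index: spatio-temporal point -> pseudonyms observed there."""
    index: Dict[Point, Set[str]] = defaultdict(set)
    for pseudonym, trace in data.items():
        for point in trace:
            index[point].add(pseudonym)
    return index


def anonymity_set(index: Dict[Point, Set[str]], known: List[Point]) -> Set[str]:
    """Pseudonyms whose traces contain every known point."""
    result: Optional[Set[str]] = None
    for point in known:
        matches = index.get(point, set())
        result = set(matches) if result is None else result & matches
        if not result:
            break
    return result or set()


def points_needed(index: Dict[Point, Set[str]], known: List[Point]) -> int:
    """Number of known points (taken in order) needed before the target is
    the only remaining candidate; 0 if the target never becomes unique."""
    for n in range(1, len(known) + 1):
        if len(anonymity_set(index, known[:n])) == 1:
            return n
    return 0


def reidentify(data: Dict[str, Trace], known: List[Point]) -> Optional[Tuple[str, Trace]]:
    """Return (pseudonym, full trace) if the known points single out one record.
    The adversary learns not just the pseudonym but every other place the
    target has been, which is the real harm of a pseudonymised release."""
    match = anonymity_set(build_index(data), known)
    if len(match) != 1:
        return None
    pseudonym = next(iter(match))
    return pseudonym, data[pseudonym]


# --- Mitigation: coarsen time and space before release (constructed regions) ---
CELL_TO_REGION = {"cellA": "north", "cellC": "north", "cellE": "north", "cellG": "north",
                  "cellB": "south", "cellD": "south", "cellF": "south"}


def coarsen(points, hour_bin: int = 6) -> Trace:
    """Generalise each ping to a `hour_bin`-hour window and a region."""
    return {(hour // hour_bin * hour_bin, CELL_TO_REGION[cell]) for hour, cell in points}


COARSE_DATA: Dict[str, Trace] = {p: coarsen(t) for p, t in MOBILITY_DATA.items()}
COARSE_KNOWN: List[Point] = sorted(coarsen(TARGET_KNOWN))

if __name__ == "__main__":
    index = build_index(MOBILITY_DATA)
    for n in range(1, len(TARGET_KNOWN) + 1):
        print(f"{n} known point(s) -> candidates {sorted(anonymity_set(index, TARGET_KNOWN[:n]))}")
    print("points needed for unique match:", points_needed(index, TARGET_KNOWN))
    print("recovered record:", reidentify(MOBILITY_DATA, TARGET_KNOWN))
    print("candidates after coarsening:", sorted(anonymity_set(build_index(COARSE_DATA), COARSE_KNOWN)))
```

With the constructed data, four known points are enough to isolate the target and recover its complete trace; after coarsening, the same four points still leave two indistinguishable records (an anonymity set of two, which is weak but already defeats exact re-identification). In a real dataset the density of pings per user is far higher, which is why the cited research finds that very few points suffice and why releasing "anonymized" traces without aggregation or noise is not a meaningful protection.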
Governments soon came up with other ideas to monitor COVID-19 and those infected by it. The Chinese government introduced a “health code” app through which users enter their symptoms and which then displays a red, yellow, or green code. A red code indicates that the individual has a high chance of being infected with COVID-19 and must be quarantined for 14 days. Germany launched an app (Corona Datenspende) that automatically monitors certain indicators linked to COVID-19. The app is installed on a smartphone and linked to a fitness wearable such as a Fitbit or an Apple Watch, from which it collects the user’s pulse rate, ECG data, stress level, temperature, blood pressure, weight, height, gender, and age. It then provides this data to the German government with direct identifiers removed but with the user’s zip code attached. Note that a zip code combined with age, gender, height, and weight is itself a strong quasi-identifier, particularly in sparsely populated areas, so stripping the name alone does not make such a record anonymous.
Germany’s neighbor, the Netherlands, is in the process of creating two separate apps. One app will show whether the user has been near another individual infected with COVID-19, and through the other app the user will be able to connect easily with his or her doctor to receive COVID-19 related treatment information. Across the ocean, in the United States, Google and Apple announced a joint effort to build Bluetooth-based exposure notification into their mobile operating systems: nearby phones exchange frequently rotating random identifiers, and the check against identifiers published by users who later report a positive test is performed on the device itself rather than in a central database of who met whom.
When implementing new mobile technologies to fight the COVID-19 pandemic, it is essential that governments take their own privacy laws into consideration to help protect their citizens’ privacy. However, as of this writing, China does not have a comprehensive privacy law but focuses on cybersecurity instead. While a cybersecurity law helps protect health data against unauthorized access, it does not necessarily also protect the privacy of the individuals whose data are being collected from the collector itself. Those in Europe, on the other hand, benefit from the recent implementation of the General Data Protection Regulation (GDPR), which provides them with comprehensive and thorough data protections. In the U.S., while the Health Insurance Portability and Accountability Act (HIPAA) provides privacy protections for certain health data, there are important exceptions to the HIPAA Privacy Rule that permit the limited sharing of protected health information with public health authorities for “the purpose of preventing or controlling disease, injury, or disability,” including public health surveillance, investigations, and interventions, among other reasons. 45 CFR 164.512(b)(1)(i). Moreover, HIPAA binds only covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically) and their business associates; a symptom-reporting or location app operated by a technology company that is neither of these is not governed by the Privacy Rule at all.
Whether or not a privacy law is in place, governments and organizations should ask themselves some important questions to ensure they are protecting individuals’ privacy at all times: What personal (health) data is actually necessary to collect when fighting COVID-19? Will we use a central database to store data, and who will have access to it? How long will we keep the data, and how exactly will we delete it? Is the use of mobile technologies really as secure as assumed? Will app use be mandatory, and if so, how will enforcement take place? What happens if minority groups are disproportionately affected by COVID-19, and how could the app negatively influence relations between people?
Individuals, on the other hand, will have to make their own privacy decisions before they download an app: If I have COVID-19 symptoms but do not actually have the virus, do I still want to be tracked? Could my health data ever be used against me? What control do I have over the data being collected? Can I withdraw consent or delete the data myself?
Previous crises have shown that drastic threats can lead to drastic privacy-violating measures, and COVID-19 certainly is a threat the world has never experienced before. However, individuals, governments and organizational leaders now also have a unique opportunity to create a world in which safety, security and individual privacy go hand in hand. Asking ourselves the right privacy questions before using mobile technologies during this COVID-19 crisis should be an important first step.
(1) Xu, F., Zhang, P., Tu, Z., Fu, X., Li, Y., and Jin, D. (2017). Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data. arXiv:1702.06270. Retrieved from https://arxiv.org/abs/1702.06270; Narayanan, A., and Shmatikov, V. (2019). Robust De-anonymization of Large Sparse Datasets: A Decade Later. Princeton University. Retrieved from https://www.cs.princeton.edu/~arvindn/publications/de-anonymization-retrospective.pdf