Tracking Covid-19 with Location Data - the Privacy versus Security Dilemma
Posted on 05/05/2020
With the lives of countless citizens around the world at risk, the appeal of location data in fighting the coronavirus pandemic is simple to grasp. Using position data to track population could boost government and research organisations’ ability to manage virus transmission and it could improve supply chain efficiencies in the distribution of food and PPE, for example. Although policymakers may need to curtail/limit human rights to combat the pandemic, the usage of (location) data to track the people at such a level has implications for data security and privacy.
Is it OK for Governments to do whatever it takes to contain the spread of the virus? What is the balanced response that a Government should take to save lives and preserve civil liberties? Extensive tracking initiatives have been deployed in several countries around the globe. While some people perceive good intentions, others have raised questions about how to reconcile public health protection and privacy as the pandemic spreads.
Let’s delve into how some governments are using location data to combat the spread of Covid-19.
In South Korea, private developers have used government data available online to create apps and websites that track the whereabouts of coronavirus patients. Data of all infected citizen is published in the “virus patient travel log“, a website where everyone can retrace the steps of infected individuals using tools such as GPS phone tracking, credit card records, surveillance video and old-fashioned personal interviews with patients. While the idea is to let the public know if they may have crossed paths with carriers, some see Big Brother.
The BBC News website reports that earlier this month, the Chinese government created and deployed an app that tells its consumers if they have been in direct touch with anyone with coronavirus. The ‘close contact detector’ tells users if they have been near a person who has been confirmed or suspected of having the virus. Using a Quick Response (QR) code downloaded on a person mobile phone, the tool allows authorities to more accurately and quickly find infected people. “From a Chinese perspective this is a really useful service for people. It’s a really powerful tool that really shows the power of data being used for good,” Hong Kong-based technology lawyer at the law firm DLA Piper Carolyn Bigg reports to the BBC.
Conversely, these measures are fuelling debate over privacy and the extent and uses of the data repository China is building on its citizens. “Of course, governments have the responsibility to protect public health and safety but these measures have to balance other rights as well, including privacy rights,” Maya Wang, China senior researcher at Human Rights Watch reports to Reuters.
In collaboration with a team of professionals, stakeholders, and geospatial agencies from around the world, Croatia-based GIS Cloud has developed the STOP Corona! App. Using almost real-time location intelligence and machine learning, this app gathers data via an online form with SSL encryption, and returns anonymised and aggregated symptom statistics in the form of heatmaps of disease hotspots.
The app creators pledge that any data collected is anonymised and shared only with local health authorities and the World Health Organization (WHO) to provide the level of location insights into predicted coronavirus outbreaks.
On the other hand, to track the coronavirus, Israel’s PM has authorised to tap on a secret trove of location data collected from Israeli telecom providers, in order to identify citizens who came into close contact with known virus carriers, and send them text messages instructing them to self-quarantine.
In the midst of the coronavirus pandemic, even security-conscious European governments asked telecommunications companies for telephone location data in the hope of understanding whether global social distancing measures, such as home-stay orders and company closures, have any impact on the spread of Covid-19.
Network providers in Italy, Germany and Austria, have shared aggregated and anonymised customer location data to support officials to map concentrations and movements of customers where Covid-19 has taken hold. To the contrary of countries such as China, Taiwan and South Korea, where smartphone location is used to track the movement of individuals who have tested positive or to enforce quarantine orders, this data fully complies with Europe’s privacy laws (GDPR).
While there is no suggestion the UK government will embrace draconian surveillance measures; the United Kingdom Information Commissioner’s Office (information and privacy authority) explained that if it helps to prevent the transmission of coronavirus, the government will legitimately access sensitive data from cell phones, including 20 million customers data from telecom provider BT to determine how citizens are compliant with government instructions to remain at home.
On May 3rd the Transport Secretary Grant Shapps has announced that the NHS will test a ‘Digital Contact Tracing’ on the Isle of Wight and later in the month roll it out nationwide. Pioneered in Singapore, DCT uses short-range Bluetooth connections to keep track of meetings between individuals and automatically send self-isolation instructions to everyone deemed to be a risk. The Justice Secretary, Robert Buckland, told MPs any tracing app designed to mitigate the spread of Covid-19 would be “functionally limited” to prevent a “mission creep”. The NHS states that the data log of how close someone is to others with the app also downloaded will be anonymous and stored on the phone. They will also be publishing the key security and privacy designs alongside the source code, to support a peer review approach. However, this article published in The Guardian a few days later state that “…app’s developers have built the system around a “centralised” platform following discussions with advisers including GCHQ’s National Cyber Security Centre”.
Google is collaborating with the University of Southampton and the European Centre for Disease Prevention and Control (ECDPC) to analyse the relationship between travel patterns and transmission rates of the virus within different countries, while also providing insight into the effectiveness of lock downs. By collecting data from geo-enabled applications like Google Maps in an anonymised format, “We are looking at inner-city movement across the EU and what it means for controlling Covid-19,” said Nick Ruktanonchai, an infectious disease epidemiologist and lecturer at the University of Southampton, to Bloomberg. “With the location data, we are testing different scenarios and simulating what might happen if countries don’t end their lock downs in a coordinated way. It’s about buying time. We want to make sure a big second epidemic doesn’t happen months down the line.”
In view of all these activities around the tracking of location data and the deployment of sophisticated AI to gather spatial intelligence, when do the benefits outweigh the concerns in employing surveillance methods?
Individual Vs Aggregate Data Patterns
Without being too technical, the many solutions employed in the examples above involves two types of data. Aggregated data, which is often anonymous and individual movement data, which is pinged to one’s mobile phone ID. Both of these data types can be analysed with statistical or predictive algorithms to understand Hotspots of aggregation and the patterns of individuals’ Movement.
Is this data useful? And which one is more appropriate to use in the context of this crisis?
Understanding hotspots of aggregation has been used in crime prevention and disease modelling for a long time. Generally, it is not 100% representative of the whereabouts of the population at large because, for example, not everyone has a mobile phone to be tracked, but it can provide insight to authorities on whether social distancing efforts are actually working. For example, by monitoring neighbourhoods where people congregate at a recurring day, time and place such as parks or beaches as reported by the UK media in recent weeks. These geospatial insights would help to focus law enforcement activities with considerable time and cost savings.
Aggregated and anonymous data can also be used to understand movement patterns. For example, in the Italian province of Lombardy authorities are using aggregated and anonymised customer location data to map out how many citizens are following a strict lockdown. The data shows that movements exceeding 300-500 meters have decreased by about 60% since February when the first case was uncovered. All of this is very interesting but is it useful? In the context of a government willing to impose coercive methods of compliance, this data can be used to enforce stricter checks or even predict future hotspots. But can we guarantee that the data is fully anonymised? A report from the New York Times’ One Nation, Tracked debunked the myth that by removing personal identifiers from location data it is possible to make it anonymous.
Finally, how useful is it to track individual data? The examples of China and Israel show that precise location data can inform, at a very granular level, whether individuals have come in contact with someone who has shown positive to the test and, in the case of South Korea, trace the whereabouts of an infected person to inform those that might have come in close contact. Assuming that we in the UK, or liberal Europe, decide to give up on our civil liberties for fear of the pandemic, and build an app that collect individual data and store it in a central database, how can we ensure that the app is widely installed? According to research by the University of Oxford, any contact-tracing app would need to be used by more than half the total population to be effective. After all, Singapore’s TraceTogether, has currently achieved just 17% uptake.
While achieving 60% uptake of the app “has the potential to substantially reduce the number of new coronavirus cases, hospitalisations and ICU admissions” says Christophe Fraser, the report’s senior author, privacy concerns may impede a wide adoption of such tools.
Location data is a powerful tool to support decision making at a time of global crisis. Although Covid-19 has shown that at a time of national emergency It is possible to enact draconian measures to safeguard public health and safety to the detriments of other rights, accurate location data harvested at scale and analysed with predictive algorithms may help in the fight against the coronavirus outbreak. But what assurances do we have that it is not used to weaken human rights and democracy?
The Ada Lovelace Institute, an independent think tank that focuses on issues around data and AI argued that any future contact-tracing app must “encourage privacy-by-design in technical implementations and must choose privacy-preserving protocols to underscore technical measures”, Exit through the App Store? report said. “Technical and legal infrastructure built during this pandemic may be difficult to dismantle once it is over unless proper safeguards are in place.” It continued “Open debate and scrutiny must be encouraged, to increase trust and raise public awareness of the complexity of the issues.”
As responsible stakeholders in the geospatial domain, what measures can we take to support policy makers to enact legislation that deal with data-privacy in a manner that outweigh the benefits of fighting the next pandemic with the concerns of one’s privacy?
Luca Budello is a Knowledge Transfer Manager responsible for KTN’s Geospatial Insights Special Interest Group. His background is in environmental science, specialising in earth observation, spatial modelling, natural resource management, and biodiversity monitoring with positions held both in academia and industry.
He also holds an MPhil in Environmental Science from the University of Cambridge specialising in remote sensing technologies, and has professional training on Entrepreneurship and the Environment from the Oxford’s Smith School.