Subscribe to Outbreak, a daily newsletter roundup of stories on the coronavirus pandemic and its impact on global business. It’s free to get it in your inbox.
Our modern conception of civil liberties was largely developed following one of humanity’s worst crises, the Second World War—its horrors spurred the drafting of the Universal Declaration of Human Rights. Now, in our greatest crisis since then, some see a threat to one of that document’s key elements: the right to privacy.
Fighting the coronavirus pandemic means getting an idea of who is infected and the opportunities those people had to unwittingly pass on the virus to other people.
For that reason, countries including China, South Korea, Iran, and Israel have deployed technological tracking measures, largely based on tracking the movements of people’s phones, and a host of surveillance companies—from the secretive data-mining outfit Palantir to the controversial Israeli spyware firm NSO Group—are offering their services to governments around the world.
Even some privacy advocates are pushing to use tracking tech in the fight against the outbreak, albeit with the subjects’ permission. Earlier this month, medical professionals, epidemiologists, and technologists signed an open letter urging Apple and Google to tweak their mobile operating systems so users could get notifications when they had been in the same space as a confirmed carrier—the signatories included Peter Eckersley, a distinguished technology fellow at the digital rights–focused Electronic Frontier Foundation, and Tristan Harris, a former Google ethicist who has become a notorious critic of Big Tech’s anti-privacy practices.
But alarm bells are ringing, too.
Controversial tracking
The Israeli situation is causing particular concern because of its context. Prime Minister Benjamin Netanyahu is facing corruption charges and may soon lose his job, as—following the third election in one year—rival Benny Gantz has been tasked with forming a government. This week, Netanyahu’s cabinet approved emergency powers that, along with shutting down the Knesset (Israel’s Parliament) and the country’s court system, allow the Shin Bet spy agency to secretly track the cellular location data of confirmed and suspected coronavirus carriers.
It’s a move that made it possible for hundreds of Israelis to receive a text message Wednesday night that told them they were “in close proximity to someone with corona,” but some are also portraying it as a power grab: Gabi Ashkenazi, a senior politician in Gantz’s Blue and White Party, said it was “inappropriate to approve such a measure in this manner, without public and parliamentary supervision.”
China has long had a mania for intrusive state surveillance, so many observers see scope for “mission creep” in its deployment of surveillance systems to combat the coronavirus. Once rolled out, these facial recognition and location-tracking systems are unlikely to go away.
In South Korea, widespread CCTV deployment and financial and phone tracking have also been credited with helping to manage the outbreak, though the resulting “safety guidance texts” have reportedly exposed unwelcome details about people’s private lives by disclosing their movements.
In these cases, the populace is relatively aware of and used to being tracked. In Iran, however, the government has rolled out an app for citizens to download “to determine if you or your loved ones have been infected with the coronavirus,” without making it clear that the app sucks up personal information and allows the tracking of its user’s location, in real time. What the “AC19” app does not do is diagnose a coronavirus infection.
The anonymity question
The world’s toughest privacy regulators say it is possible to use tracking in the coronavirus fight without infringing on people’s rights.
On Thursday, the European Data Protection Board—comprising all the EU’s national and local data protection authorities—said the bloc’s General Data Protection Regulation does “not hinder measures taken in the fight against the coronavirus pandemic.” So if public authorities and employers need to process people’s data in the context of an epidemic, they don’t need to get their consent first.
The board also said governments were able to pass emergency laws allowing them to ask mobile operators for people’s phone location data—even if the data is not anonymized or gathered with consent—conditions usually imposed by the relevant EU legislation, the ePrivacy Directive.
However, it added: “Public authorities should first seek to process location data in an anonymous way (i.e., processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location…The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved.”
This appears to be the approach that’s being taken in the U.K., where the government is talking to mobile operators about using their anonymized location data.
But is it possible to make the best use of people’s mobile location data while retaining anonymity? According to Eiko Yoneki, a research fellow at the University of Cambridge Computer Laboratory in England, the issue is tricky.
Yoneki, who in 2011 codeveloped an app called FluPhone to track people’s behavior during epidemics, says anonymized data can provide insight into how diseases spread through human networks. However, it can sometimes be possible to de-anonymize the data by correlating it with other information held by the government—and if the aim is to identify infected individuals and take action to stop them spreading the disease, then the situation changes substantially.
“If you want to protect or prevent future infections, or if any action is required, then my guess is you have no chance to [maintain anonymity]. A certain level of identity should be revealed,” Yoneki says.
Setting limits
Then there’s the issue of what happens to the data—and the whole surveillance mechanism—once the emergency is over.
Eva Blum-Dumontet, a researcher with the U.K.-based civil liberties group Privacy International, draws a comparison with the mass surveillance measures that were instituted after the 9/11 attacks but never quite went away. These are the online spying systems whose ongoing use formed the basis of Edward Snowden’s bombshell revelations in 2013, and over which Privacy International has repeatedly sued the British authorities.
“One of our key concerns is: Is it just for the period of the coronavirus crisis, or what happens next?” asks Blum-Dumontet. “We’ve seen this before with the question of terrorism…We never seem to return to normal.”
Israel’s new coronavirus surveillance measures, which were approved directly by the country’s attorney general without parliamentary oversight, offered “no clarity on what is happening and no deadline on ending the use of the measures,” she noted. It was left to Israel’s Supreme Court to step in and demand legislative oversight of the measures.
A representative of Israel’s health ministry told local media yesterday that the surveillance measures would continue even if the country imposed a full lockdown on its citizens because it would make it possible to track people even within their homes. “Quarantine doesn’t mean just being at home. It’s being in a separate room,” the spokesperson reportedly said.
So how should governments be playing this? As Oregon Sen. Ron Wyden told the Wall Street Journal earlier this week, “There must be procedures to keep this information safe, to delete information once it’s no longer in use,” and, in the U.S. context, “to ensure it isn’t used against Americans by law enforcement.”
According to Blum-Dumontet, surveillance measures should be introduced only on the recommendation of public health officials and following parliamentary discussion about their proportionality.
“We are starting to see what works in terms of addressing the crisis,” she says. “It’s having a situation where the population is ready to go on lockdown; it’s testing a lot; it’s having a robust health care system. The World Health Organization is not advocating for the surveillance of people en masse.”
The WHO has indeed not said much about the subject: A spokesman said Thursday he did not think it had a position on surveillance measures as they are a human rights issue.
More coronavirus coverage from Fortune:
—This famed economist doesn’t think we’re headed for another Great Recession
—South Korea has the most comprehensive coronavirus data. What it’s taught us so far
—10 questions about the 2020 election during the coronavirus pandemic, answered
—6 steps to sustainably flatten the coronavirus curve
—How hackers are exploiting the coronavirus—and how to protect yourself
—Hong Kong launches surveillance operation to track suspected coronavirus patients
—Listen to Leadership Next, a Fortune podcast examining the evolving role of CEOs
—WATCH: The race is on to create a coronavirus antiviral drug and vaccine
Subscribe to Fortune’s Outbreak newsletter for a daily roundup of stories on the coronavirus and its impact on global business.
