It’s spreading quickly now—governments around the world latching onto our smartphone locations as a proxy for where we all are, when and for how long. The data forms a map of population tracking to report on density and social distancing as well as anonymized travel patterns. Some governments are a level beyond, exploring movement tracking, contact tracing, quarantine enforcement.
What started in China, Singapore and South Korea as an exercise in rigorous containment has rapidly expanded to Europe and the U.S., countries within which the sacrifice of freedom still causes anxiety, despite the clear public interest. It turns out that after years of critiquing China’s surveillance state, come the crisis there were some useful lessons to be learned.
On Friday (March 27), the U.K.’s data and privacy authority confirmed that the government could use mobile phone data to fight the spread of COVID-19. This is a critical step. A spokesperson for the Information Commissioner’s Office said that “data protection is not a barrier to sharing data—to protect against serious threats to public health. Data protection law enables the data sharing in the public interest and provides the safeguards for data that the public would expect.” Confirmation the U.K. was looking at phone data to track the virus first came ten days ago.
As I reported last week, as the tracking landscape in Europe and the U.S. began to change: “Everything about coronavirus is unprecedented. Our leaders talk about “the invisible enemy” and being on a war footing. The technology at their disposal will create a huge conflict within each of us. We want our governments to do all they can, but at some point we will make privacy compromises as never before.”
We have seen reports from Italy, Germany and Austria that phone tracking it taking place. And just two days before the U.K. privacy watchdog approved the use of mobile data, it was reported that the European Commission was discussing a more co-ordinated move with the mobile network trade association, the GSMA. In fact, there were reports that the GSMA might go further, with the potential for a central program across more than 700 operators to collect cross-border tracking data, a travel and contact tracing database designed for fighting a pandemic.
Meanwhile, the stream of coronavirus infection maps has been joined by social distancing maps—and that’s all based on mobile data and tracking. “If you have a smartphone, you’re probably contributing to a massive coronavirus surveillance system,” the Washington Post reported on March 24.
The best way to think about the concept of phone location tracking to fight the virus in in four stages, it’s a spectrum trading granularity and potency against privacy:
Entirely anonymized location pings to give the authorities a sense of where are large numbers of phones and so large numbers of people. The same data might be used to map simple density hot sports and how they are changing over time, a broad view of social distancing.
The next level is to track the location and movements of devices, but anonymized into broad patterns. General inferences can be drawn around changes in commuting behaviour, how far people stray from home, whether the same groups are seen together, and so on.
Beyond that we start to get into identifiable data. This means we can associate a phone with a user—in truth that’s possible with even anonymous data tracks—without going beyond simple location data. But with further analysis, we can begin a simple contact tracing timeline.
The most pervasive level is tailored to the individual. This might be quarantine or curfew enforcement, it might be linking a phone to its metadata—I know where you were and I also know who you call and text, therefore I can infer who you met and when. Whether this is done remotely or by voluntary or mandatory apps doesn't change the data.
From a technical perspective there are no real challenges here. The trackers on your phone, some obvious and some less so, already report your movements. Tapping into those onboard software technologies which can access GPS as well as network touch-points is entirely feasible at scale—that’s done today for marketing purposes. And then we have the location information collected by the networks themselves, as we roam cell to cell, using both voice and data, throughout our days.
We know that any and all data surveillance measures have been used or trialled in China to tackle coronavirus, and there was an acknowledgement of this darker data mining in comments made by Israel’s Benjamin Netanyahu on march 14. “All means will be used to fight the spread of the coronavirus,” he said, before referencing the use of the country’s counter-terror tech. “that until today I have refrained from using among the civilian population.”
The rubicon has been crossed in the U.S. and Europe now for the use of smartphone location data to track the virus. With some exceptions, many of which are voluntary or specifically enforced, we remain at the anonymous end of the spectrum for now. But the next few weeks will become much harder. And it will become difficult to rein in technologies, however seemingly invasive, that might help.
A few days ago, EFF warned that governments have not shown these surveillance technologies “would make a significant contribution to containing COVID-19,” arguing that without such proof there is no justification. “Indeed,” they added, “governments have not even been transparent about their plans and rationales.”
And that’s it in a nutshell, the debate that will now run. and run. You want your government to fight the virus, to make everyone safe. But that will come at a heavy price—isolation, restrictions on freedoms and surveillance. But when the physical changes return to the new normal, what compromises will be left in place.
I am often asked what happens beyond the initial fight against coronavirus, as these surveillance measures take hold—will they be removed and the data deleted? We know there is a constant battle between law enforcement and the privacy lobby for where the line should be drawn, just look at the encryption debate.
But this goes further. Tracking millions of people who have done no wrong. And so it will be pulled back.
The lessons learned, though, and the new capabilities built on the back of what happens next, those are here to stay. As Edward Snowden warned earlier this month, such measures tend to be “sticky.”