By Andy Mukherjee
MUCH of our pre-coronavirus lives may be reclaimable with some modifications around how we work, socialize, and travel. In one crucial way, though, the post-pandemic landscape will be very different: The individual’s autonomy over her data may be lost forever. Our mobiles will keep us safe — by spying on us.
This will have important consequences for the relationship not just between citizens and governments, but also between consumers and businesses.
Blame the coming end of privacy on success. South Korea and Taiwan have won acclaim for flattening the COVID-19 curve by digitally tracking infected persons. As my colleague Anjani Trivedi described in March, no government was using dispersed databases as extensively to fight the spread of the disease as Seoul. Before an explosive outbreak in its worker dormitories, Singapore earned praise for TraceTogether, which claims to be the first Bluetooth contact-tracing app covering an entire nation. The 1.4 million users represent roughly a fourth of the island’s population.
It hasn’t gone unnoticed that enthusiastic adapters of such software are in East Asia where, as MIT Sloan School of Management professor Yasheng Huang and others note, “a collectivist spirit may encourage civic-minded embrace of and a more willing compliance with governments’ infection control.”
But while cultural differences can help explain the beginning, the end game may be more universal: power and profit. Safely restarting economies will require governments to restore trust in people mingling in factories, offices, cafes, and trains. It can supposedly be done with data more granular than what can be obtained from cellphone networks. Hence states want access to phones, with or without informed consent. Turning the clock back will be hard, if not impossible.
Take India’s Aarogya Setu, or Bridge of Health, COVID-19 contact-tracing app. It’s got privacy warriors worried because the country lacks a data protection framework. Among other things, activists want the government to ensure that “any data collected in an external server is designed to be deleted and that it won’t be integrated with other databases,” according to a working paper by the New Delhi-based Internet Freedom Foundation. For now, there are only assurances that the app will wither away once the outbreak is contained, but no legal guarantees.
The Singaporean app records physical proximity in an anonymized form on smartphones. Minimal data is stored on servers. Only if a user falls sick are his contacts tracked and alerted. Given that it’s been less than two years since the revelation that Prime Minister Lee Hsien Loong’s health records were hacked, I’d hesitate to brand the experiment as foolproof. But it’s at least a voluntary exchange. India’s app is anything but. As the country tentatively reopens after a 43-day lockdown, it’s been made mandatory — first for public-sector employees and now for private-sector workers. Company bosses are liable to ensure their workers download the app, though nobody is accountable for misuse of data.
TraceTogether’s building blocks are in the public domain. The source code of Aarogya Setu is yet to be opened. The Indian government recently denied a French security researcher’s claim that the privacy of 90 million Indians is at stake. Hours later, the so-called ethical hacker who goes by the name of Elliott Anderson tweeted that five people were feeling unwell in Prime Minister Narendra Modi’s office.
Where boundaries between private and public are thin to begin with, a pandemic can make them disappear. A New York Times analysis of China’s Alipay Health Code software, which mixes a cocktail of data to color-code a person’s health status, found that some information is shared with the police. The digital prowess of Alibaba Group Ltd. or its rival, Tencent Holdings Ltd., has no match in India. But firms are eager to harness the online footprints of the country’s 1.3 billion people. COVID-19 might give those plans a fillip.
Just as the Sept. 11 attacks irrevocably shrank personal freedoms as security-at-all-costs became a policy driver, COVID-19 will erode privacy in the name of public health. The potential market is immense for instruments far more intrusive than Big Brother’s telescreens. Richard Brooks, a computer engineering professor at Clemson University in South Carolina, told Bloomberg News: “If the ability to track social contacts exists to stop a contagion, I can guarantee you it will be used to track the spread of dissent.”
An Israeli court verdict that banned Shin Bet, the internal security agency, from using its COVID-19 tracking app shows the discomfort societies have with handing over a shiny, new lever of control to governments. Europe’s data protection laws will try to ensure that the emergency collection and processing of personal information is conducted with accountability, and for a limited purpose. The British parliament’s human rights committee says it isn’t convinced that the National Health Service’s proposed tracing app protects privacy.
Tracing in Korea went overboard in the early days, when the authorities released so much data that anonymous patients became identifiable — and got harassed. A strong data protection law forced Korea to limit disclosure. The bottom line: Where they exist, robust institutions could still offer resistance. In most other places, the individual’s autonomy has already become a virus casualty. Poorer countries where consumers have only recently started going online will see states insist on devices that come with pre-loaded tracking apps. More information will reside on central servers than epidemiologists have asked for or need. But who will stop the juggernaut?