In less than a decade, whistleblowers like the NSA’s Edward Snowden and Cambridge Analytica’s Christopher Wylie helped spur a global sea change in the public’s attitude toward privacy and global data dragnets. We may now be in the midst of another seismic moment in the history of digital privacy: Mass surveillance methods could save lives around the world, permitting authorities to track and curb the spread of the novel coronavirus with speed and accuracy not possible during prior pandemics.
It’s an extraordinary moment that might call for extraordinary surveillance methods. But privacy advocates tell The Intercept that our ongoing public health crisis doesn’t have to mean creating a civil liberties crisis in turn.
The coronavirus tracking ramp-up is already well underway around the world. In South Korea, Taiwan, and Israel, authorities use smartphone location data to enforce individual quarantines. Moscow police say they’ve already busted 200 quarantine violators caught via facial recognition-enabled cameras. NSA contractor and perennial privacy offender Palantir is helping Britain’s National Health Service track infections. Apps that leverage a smartphone’s bounty of built-in, highly accurate sensors to enforce social distancing or map the movements of the infected have been deployed in Singapore, Poland, and Kenya; MIT researchers are now pitching a similar, but more “privacy friendly,” app. In Mexico, Uber sent government authorities rider data to trace the route of an infected tourist, also banning 240 users who’d taken rides with the same driver.
In the U.S., public health officials, hoping to assess broad compliance with stay-at-home orders and to spot dangerous crowding, are obtaining personal location data in bulk from loosely-regulated online advertisers, and have discussed obtaining it from Google, according to news reports. A maker of “smart” thermometers, Kinsa Health, set up a special website to provide access to geographical fever clusters and other data uploaded from the hundreds of thousands of homes that use its app-enabled devices, earning Kinsa some buzz, including a recent New York Times article in which public health experts praised the predictive power of its user data.
These surveillance methods have been enabled by the rise of the smartphone and cloud computing — and of an entire tracking ecosystem around them. Over the past decade or so, the kindred spirits of the advertising industry and intelligence community have worked tirelessly and on parallel tracks to perfect their exploitation of the unimaginably vast trails of personal data collected through various mobile apps. The ability to learn your location and predict your behavior is priceless to both Silicon Valley and the Pentagon, whether the ultimate goal is to target you with a Warby Parker ad or a Hellfire missile.
As the Covid-19 pandemic worsens and death tolls increase, it stands to reason that the notion of reappropriating these technologies of war and profit into the preservation of human life will only make mass surveillance more palatable to a frightened public, particularly one desensitized by a decade of smartphone ubiquity and data-siphoning apps.
Emergency powers can outlive their emergencies.
There’s a glaring problem: We’ve heard all this before. After the September 11 attacks, Americans were told that greater monitoring and data sharing would allow the state to stop terrorism before it started, leading Congress to grant unprecedented surveillance powers that often failed to preempt much of anything. The persistence and expansion of this spying in the nearly two decades since, and the abuses exposed by Snowden and others, remind us that emergency powers can outlive their emergencies.
Just as the civil liberties erosions of the so-called war on terror were avoidable, a data-driven approach to pandemic response is compatible with individual rights, civil liberties advocates say — if, and only if, we demand limits and justifications every step of the way. Here are some of their suggestions:
“Whatever decisions or policies are implemented with respect to responding to this catastrophe have to be those that are demanded by public health officials and experts” as opposed to others in government, particularly “people in the security or law enforcement business,” said Mohammad Tajsar, an attorney with the American Civil Liberties Union of Southern California.
“Governments tend to have a pretty voracious appetite when it comes to data.”
This, said Tajsar, will help ensure that governments only collect information that is actually useful rather than making a mad grab for anything that might potentially help. “Governments tend to have a pretty voracious appetite when it comes to data without really understanding the limitations of [the] information, and how and what the use cases are for responding to crises like this one,” he said.
Just because a state or agency says it needs access to Data X or Technology Y, that doesn’t make it so.
“The threshold question is: has the government shown its proposed surveillance tool would effectively and significantly address the crisis?” said Electronic Frontier Foundation attorney Adam Schwartz. “If not, EFF opposes it. If so, we ask: does the benefit of the surveillance outweigh its costs to privacy, speech, and equal opportunity? If not, EFF opposes it.”
Tajsar added that this sort of skepticism should apply even to broadened access to “aggregated and anonymized” data. “There has to be a second conversation,” he said, “even in a context in which the public health community says, ‘We want a particular kind of data.’”
“Any program must be strictly time-limited,” said Faiza Patel, director of the Brennan Center for Justice’s Liberty and National Security Program at NYU Law. “Our physical safety is paramount, but at some point we will emerge on the other side of this crisis.” When that happens, she added, lawmakers and citizens should be vigilant to ensure that there has been no compromise of constitutional civil liberties and that data collected for Covid-19 is not retained.
Personal data vacuumed up for a stated purpose has the tendency to drift to other users; old mug shots are run through facial recognition systems, user emails are sold from one advertiser to another. The possibility of similar drift with coronavirus data could deter certain marginalized groups — undocumented immigrants or people with criminal records, for example — from participating in opt-in data collection efforts.
One way around this is to treat Covid-19 data like U.S. census data, said Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project. Tight restrictions on how census data is used actually encourages people to volunteer it. “You can’t use it to put people in jail,” he said of the census. “You can’t use it for immigration enforcement. You can’t use it for tax collection.”
“We have such strong privacy safeguards, not because that information wouldn’t be useful other agencies — it would be hugely useful — but because they know that [otherwise] Americans would never give us an accurate count.”
“Any data collected for disease response measures should not be accessible to law enforcement.”
Lindsey Barrett, an attorney with Georgetown Law’s Institute for Public Representation, also emphasized the importance of walling off public health data from those whose mission isn’t public health. “A very clear [guardrail] is that any data collected for disease response measures should not be accessible to law enforcement,” Barrett explained. “The CDC and state and local governments are reportedly using location data from advertisers to track the movements of people they suspect of carrying COVID19. What’s to stop them from passing that data on to ICE, which is reportedly trying to track people by buying location data from aggregators?”
The coronavirus pandemic presents a golden opportunity for corporate and government actors to recast previously unpalatable behavior as livesaving intervention. NSO Group, a corporate malware firm notorious for enabling the surveillance of journalists and activists around the world, is reportedly turning toward so-called contact tracing tools to track people an infected person might’ve crossed paths with. A Customs and Border Patrol commissioner recently reframed the agency’s controversial facial recognition system at airports as “a touch-free, hygienic way to validate your identity, as well as protect from exposure to COVID-19.”
Said Edin Omanovic, advocacy director at Privacy International, “Surveillance companies such as Palantir and NSO Group, social media companies, and big telcos have all now decided now’s the time to open up about their work and customers. I hate to be cynical at a time like this, but I reckon there’s a deal of reputation laundering going on here rather than an altruistic attempt to help things based on the advice of health experts.”
Reputations matter, and there’s no reason the government or citizens should cast bad reputations aside when choosing who to work with or what to share.
“‘Just tech harder’ shouldn’t be the government’s focus right now,” said Georgetown’s Barrett. “It should be on making tests more accessible, encouraging safe social distancing measures, acquiring and distributing more ventilators, and ensuring that the people whose livelihoods are being decimated can keep a roof over their heads and feed their kids. Silicon Valley isn’t going to fix this.”