The rapid spread of the Covid-19 virus has forced governments to adopt extraordinary measures: a number of countries including China, Singapore, and South Korea have stepped up surveillance to track those infected with the disease.
Systems that allow the movement of people to be monitored through their smartphones have already been implemented in 11 countries. However, increased surveillance has immediately raised the issue of potential abuse of people's privacy by governments and hackers.
Asian Mass Surveillance: Better Safe Than Sorry?
China was the first to use its street CCTV cameras, drones, facial recognition technology, mobile apps and a whole lot more in order to curb the spread. Dr Binoy Kampmark, a cyber security expert, recalls that the Chinese government's call to high-tech companies to develop software for surveillance of those who have contracted COVID-19 and those in contact with the infected has led to several advances that risk being abused.
"The systems in terms of identifying and monitoring individuals regarding the coronavirus have amplified recently", says Kampmark. "Megvii, for instance, uses artificial intelligence to measure temperature, employing what it calls the 'AI temperature measurement system'. Thermal cameras are used to identify suspected sufferers with abnormally high temperatures".
He notes that programmes such as the "Close Contact Detector" app, developed jointly by the China Electronics Technology Group Corporation and sections of the Chinese government, inform users about anyone in their proximity who has been infected or is suspected of being infected. For its part, Chinese company Baidu claims that it "has developed a facial-scanning program capable of using AI to identify individuals who do not wear protective masks", Kampmark remarks.
South Korea followed suit by tracking people's movements through surveillance cameras, bank card transactions and mobile phone location data, which help to create an application that maps coronavirus cases and sends emergency alerts in real time.
"In South Korea, a three-pronged surveillance approach has been adopted to combat COVID-19, all of it typical of pandemic surveillance", the cyber security specialist points out. "CCTV has been deployed along with phone tracking software and banking transactions. Such technological infrastructure has been celebrated as containing COVID-19 but at the cost of surrendering any vestiges of privacy".
All of a sudden, the private lives and even the sexual affairs of Koreans who tested positive for Covid-19 became the focus of public attention. As Hyung Eun Kim of BBC News Korean noted in early March, though no names or addresses were given, social media users managed to connect the dots, identify and embarrass the infected.
Nevertheless, it seems that "a large degree of consent has been offered in this regard" by the people of South Korea, Kampmark suggests.
British Tracking Apps: Pros and Cons
Meanwhile, the UK, which has recently entered a police-enforced lockdown, is reportedly considering adopting the Asian best practices. As The Guardian revealed on 19 March, the Boris Johnson government is in talks with mobile phone providers and tech giants to use phone location data to keep an eye on Brits' movements amid the outbreak.
Kevin Curran, professor of cyber security at Ulster University, says that mobile apps tracking people with confirmed Covid-19 cases have already become popular in the country. According to him, "most of these apps suck data from government health institutions" or else the newly-created online tools rely on users self-reporting that they have coronavirus.
"At this time for instance, Covid Symptom Tracker is the third most popular app in Apple's UK store and it is the second most popular in Google Play's chart in the UK", he elaborates. "It was created in three days by researchers at Guy's and St Thomas' hospitals and King's College London University".
Though the creators of this app have said that all shared data would be anonymised and not used for any commercial purpose, and that users could delete all their records when the crisis was over, the professor insists that it would be far better if all the personal information were deleted automatically once the crisis is over, as "most people will forget to log in again and delete their data".
According to the academic, these applications also require users to share personal details, to describe symptoms, if they have any, on a daily basis, as well as to give a temperature reading.
"There is a worry however about 'fake' apps and sites which claim to be humanitarian and collect data for hacking purposes", the academic warns. "People have to be very careful and have confidence in who actually created the app".
However, the most worrying data point would be the people's medical history, Curran highlights, adding that the example of South Korea indicates that "privacy concerns of course are real".
He expresses dismay at poorly protected websites that collect sensitive data on UK patients to track self-reported cases of the coronavirus, such as one launched by the University of Oxford last week.
"The website was widely criticised for not being secure enough, especially as it is dealing with people's medical data and people were able to navigate other people’s data through simple 'sequential id' searching", he emphasises. "Their first mistake was to collect information on a non-secured HTTP webpage. This was negligent. Also, assigning sequential IDs to each report did allow what we call enumeration attacks to be done on the website and access other people’s records. That actually would be the greater sin".
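The sequential-ID weakness Curran describes, next to one way to close it, as an added example that is not code from the Oxford site or from this article. Both store classes, their method names and the sample reports are constructed for illustration, and transport security (serving the form over HTTPS) is outside its scope.

```python
import secrets

class SequentialStore:
    """Weak design (hypothetical): ids are 1, 2, 3, ... and the id alone grants access."""
    def __init__(self):
        self._records, self._next = {}, 1

    def submit(self, report):
        rid, self._next = self._next, self._next + 1
        self._records[rid] = report
        return rid

    def fetch(self, rid):
        return self._records.get(rid)  # no ownership check at all

class HardenedStore:
    """Corrected design (hypothetical): random id plus a per-record secret checked on read."""
    def __init__(self):
        self._records = {}

    def submit(self, report):
        rid = secrets.token_urlsafe(16)    # 128 random bits, nothing to count through
        token = secrets.token_urlsafe(32)  # handed once to the submitter only
        self._records[rid] = (token, report)
        return rid, token

    def fetch(self, rid, token):
        stored = self._records.get(rid)
        if stored is None or not secrets.compare_digest(stored[0].encode(), token.encode()):
            return None  # same answer for "no such id" and "wrong token"
        return stored[1]

def readable_by_guessing(fetch, own_id, span=5):
    """Defender's exposure check: how many other records do ids next to own_id return?"""
    return sum(1 for rid in range(own_id - span, own_id + span + 1)
               if rid != own_id and fetch(rid) is not None)

def demo():
    weak = SequentialStore()
    ids = [weak.submit({"symptoms": s}) for s in ("cough", "fever", "none")]  # constructed reports
    leaked = readable_by_guessing(weak.fetch, ids[1])
    strong = HardenedStore()
    rid_a, tok_a = strong.submit({"symptoms": "cough"})
    rid_b, _tok_b = strong.submit({"symptoms": "fever"})
    cross = strong.fetch(rid_b, tok_a)  # another submitter's id with my own token
    own = strong.fetch(rid_a, tok_a)    # my id with my token
    return leaked, cross, own

if __name__ == "__main__":
    print(demo())
```

The random identifier removes the guessable sequence, and the token check is what actually enforces that a record is returned only to the person who submitted it.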
Questionable Efficiency & Legal Barriers
Curran believes that, in general, self-reporting sites and apps sound like a good plan, as government statistics are to a large degree just guesses: they can only identify patients with the virus who self-presented. At the same time, however, most people do not know they have the virus, he adds, suggesting that in reality the tracking apps "are not that effective".
For his part, Binoy Kampmark draws attention to "legal barriers in terms of confidentiality and data privacy" in the European Union and the United States that make getting public consent for government surveillance "problematic and, in some cases, constitutionally difficult".
Nevertheless, Israel's Supreme Court has recently allowed the country's security agency Shin Bet to carry out its mass surveillance program to monitor citizens suspected of carrying the coronavirus by using their smartphone data. Shin Bet's campaign had been put on pause by the justices until the Knesset formed a Subcommittee on Clandestine Services to supervise the intelligence work.
"As for how effective such programs are in combating coronavirus, we often only have the data supplied by the AI companies on the issue", Kampmark underscores. "These are, in turn, sold to governments as measures of health and safety, pandemic surveillance as a virtue. That is where the danger lies. As for concerns about data leaks: any accumulation of data, and in this case, medical data, permits the possibility of hacking. The consequences of developing such data sets have not been considered in their entirety".