Naked Security: sophos
Credits: Naked Security sophos

Impact of COVID-19 and Government Response

COVID-19, a novel form of coronavirus, has already been declared as a pandemic and compared with World War II and the 2008 financial crisis. The impact of COVID-19 has been so huge that the Royal Observatory of Belgium has observed that Earth has seen a drastic dip in seismic noise. Just as earthquakes cause earth’s crust to move, similarly, there are vibrations caused by moving vehicles and industrial machinery. As Cambridge University philosopher Anastasia Berg noted in the Chronicle of Higher Education that in these circumstances

“it’s not a call for epidemiological modelling…. but for philosophy. The question of What should I do rests on the first question of How should I live”. 

The latter question amid COVID-19 pandemic has made us realize how important Internet and digital tools are to our lifestyles and provides us with a bright spot for Online Creativity in the darkness. On one hand, we rely on technology to share information and advice, listen to our favourite musicians, binge-watch movies or organize mutual aid for neighbourhoods and communities in the form of food or 3D-printed ventilators/masks etc. Open-source software has allowed technologists, scientific and medical teams to instantly share their research to develop a vaccine. On the other hand, such pandemics give governments the leeway to deploy pervasive technologies to monitor human behaviour and punish those who violate the rules. 

Several governments have already deployed surveillance tools (majorly, location tracking) in their battle against the coronavirus epidemic. The following country wise analysis gives a glimpse of that:

1. European Union

It would use anonymised data and aggregated mobile phone location to coordinate the tracking of the virus spread.

Technology used: Location Tracking

Players involved: Vodafone, Deutsche Telekom, Orange, Telefonica, Telecom Italia, ` Telia and A1 Telekom Austria.

It would use anonymised data and aggregated mobile phone location to coordinate the tracking of the virus spread.

2.  Bulgaria

Technology Used: Tracking through Telephone and Internet data.

Players involved: Bulgarian Police.

Technology would be used to monitor those under compulsory quarantine, and would allow them to monitor who they talked to and which sites they visited. 

The procedure would also be supervised by the courts.

3. United States

Technology used: Heat Map tracking anonymised mobile devices

Players Involved: Tectonix GEO in partnership with location technology company X-mode, Centre for Disease Control and Prevention, Facebook, Google, Amazon etc.

The data collected is anonymised at the ‘advertising ID Level’ and associated with the device, not the owner.

Facebook is already sharing disease-prevention maps to help combat the spread of coronavirus through its ‘Data for good’ project.

Planter (American Software Company) is working with the Centre for Disease Control and Prevention (CDC) on data collection and data integration related to disease tracking. 

CDC uses Palantir to ‘monitor the situation and inform coronavirus hotspots and thereby their response efforts’.

4.  Argentina

Technology used: Location Tracing

Players Involved: Argentina’s Co-Track, Public Prosecutor’s office, Province Criminal Investigation Agency, Attorney General Office and Argentina Secretariat of Public Innovation

Individuals violating government ordered quarantine in the cities of Santa Fe and Rosario will be required to sign a document that if they violate the rules,  uninstall the app or prevent it from operating, they would be fined/jailed.

App – Covid 19 Ministerio de Salud, asks for national ID number, email and phone as mandatory fields in order to submit the test. The Android version requires numerous permissions: calendar, contacts, geo-location data (both network-based and GPS), microphone, camera, full network access, change audio settings, run at startup; draw over other apps, prevent device from sleeping etc.

5.  Germany

Technology used: Bluetooth Tracking between smartphones helping to track.

Impact of COVID-19 and Government Response

COVID-19, a novel form of coronavirus, has already been declared as a pandemic and compared with World War II and the 2008 financial crisis. The impact of COVID-19 has been so huge that the Royal Observatory of Belgium has observed that Earth has seen a drastic dip in seismic noise. Just as earthquakes cause earth’s crust to move, similarly, there are vibrations caused by moving vehicles and industrial machinery. As Cambridge University philosopher Anastasia Berg noted in the Chronicle of Higher Education that in these circumstances “it’s not a call for epidemiological modelling…. but for philosophy. The question of What should I do rests on the first question of How should I live”. 

The latter question amid COVID-19 pandemic has made us realize how important Internet and digital tools are to our lifestyles and provides us with a bright spot for Online Creativity in the darkness. On one hand we rely on technology to share information and advice, listen to our favourite musicians, binge-watch movies or organize mutual aid for neighbourhoods and communities in the form of food or 3D-printed ventilators/masks etc. Open source softwares has allowed technologists, scientific and medical teams to instantly share their research to develop a vaccine. On the other hand, such pandemics give governments the leeway to deploy pervasive technologies to monitor human , and punish those who violate the rules. 

Players Involved: Robert Koch Institute and Fraunhofer Heinrich Hertz developed an app and shared it with the government. Similarly Deutsche Telekom, a telekom operator, shared telecom data with the government.

Anonymously saves the distance and duration of contact between people on the smartphone to make it possible to digitally reconstruct infection chains.

6.  Indonesia

Technology used: Location Tracking.

Players Involved: Indonesian Ministry of Communication and Informatics.

Trace Together, a tracking app collects 14 days of mobile phone location data from the infected person, and then matches it to location data collected by telecommunication companies that pinpoints individuals who were in the patient’s vicinity and sends them a warning.

7.  Israel

Technology used: GPS and Wifi Network (SSID) Contact Tracing.

Players Involved: Israeli Ministry of Health and Shin Bet (Israeli Security Agency).

App called “The Shield”  is intended to alert users if they have been at a location in Israel at the same time as a known COVID-19 patient. The data collected is saved only on the mobile device and is not transmitted to the Ministry of Health.

8.  Mexico

Technology used: Drones

Players Involved: Government

Drones used for security tasks such as to surveill gatherings in public parks and plazas and telling people to go home, distributing hand sanitiser, gel and face masks on public roads,  public transport and neighbourhoods.

A web form to screen COVID-19 cases developed by the Mexico City government collects a wide range of personal information such as name, age, telephone number, home address, social network username, and cellphone number. The privacy notice establishes that such data may be transferred to a vast array of judicial and administrative federal and local authorities.

9.  South Korea

Technology used: CCTV Footage, mobile phone tracking data and credit card spending records.

Players Involved: Government of South Korea.

Incoming travellers are required to install an app on their cell phone through which they report their state of health. A second app tracks those who are ordered to quarantine to make sure they don’t leave their space of confinement.

10.  Slovakia

Technology used: Location data from mobile phones.

Players Involved: Public Health Office.

It collects limited data and uses it only in connection with the coronavirus outbreak. The data will be gathered by the Public Health Office and these new surveillance powers shall cease on December 31.

11.  Norway

Technology used: Geo-location Data, Contact Tracing and Bluetooth Location Data.

Players Involved: Simula – Norwegian Company and the Norwegian Institute of Public Health.

The data is stored on a server of 30 days.  If a user is diagnosed with the virus, its location data can be used to trace all the phones that have been in close contact with the person. Authorities will use this data to send an SMS only to those phones who have chosen to install the app and receive notifications.

12.  Estonia

Technology used: Geo-location Data.

Players Involved: Estonia’s Government Crisis Commission has instructed the state statistical office, Statistics Estonia, to use data from companies such as Telia, Elisa and Tele 2 in order to study people’s movements to prevent the spread of COVID-19.

The data protection inspector has agreed that this tracking is legitimate as long as the data is not personalised and it is used only for the purpose of providing generalised results.

13.  Brazil

Technology used: Geolocation Data and Heat maps.

Players Involved: The Rio de Janeiro City Hall has signed an agreement with telecommunications company TIM.

Cross referencing of epidemiological hubs with high population density locations is done. Movement of users is tracked through antennae-facilitated geolocation triangulation and sent online to the local government enabling it to monitor whether individuals are complying with isolation measures and assess movement trends before and after the pandemic.

14.  Taiwan

Technology used: Data Integration and Sharing.

Players Involved: Taiwan National Health Command Center.

Government integrated its national health insurance database with its immigration and customs information to trace potential cases.

15.  Singapore

Technology used: Bluetooth Tracking.

Players Involved: Government Technology Agency in collaboration with Ministry of Health.

The app, which can be downloaded by anyone with a Singapore mobile number and a Bluetooth-enabled smartphone, asks users to turn on Bluetooth and location services, and enable push notifications. The app works by exchanging short-distance Bluetooth signals between phones to detect other users within two metres of each other, or within five metres for 30 minutes. The app is intended to facilitate existing contact tracing efforts and fill in individuals’ memory gaps. Users must give explicit consent in order to participate, and can withdraw consent at any time.

16.  Russia

Technology used: Bluetooth Tracking.

Players Involved: Government Technology Agency in collaboration with Ministry of Health.

The app, which can be downloaded by anyone with a Singapore mobile number and a Bluetooth-enabled smartphone, asks users to turn on Bluetooth and location services, and enable push notifications. The app works by exchanging short-distance Bluetooth signals between phones to detect other users within two metres of each other, or within five metres for 30 minutes. The app is intended to facilitate existing contact tracing efforts and fill in individuals’ memory gaps. Users must give explicit consent in order to participate, and can withdraw consent at any time.

17.  Pakistan

Technology used: Call Detail Records for Contact Tracing.

Players Involved: Ministry of Health.

Under the Digital Pakistan Programme, Pakistani residents were sent a message labelled “CoronaALERT”. However, it is not clear where will the data be stored or what more data is being used to identify cases.

18.  Hong Kong

Technology used: Electronic Monitoring bracelets.

Players Involved: Hong Kong Government.

At airports, people are given wristbands, with a unique QR code. The user will then download “StayHomeSafe” on their phone and scan the QR code to pair the wristband with the app. This is called geofencing technology. As a person walks around the home during quarantine, it will sample the signals of home – ‘composite signature of home’.

19.  Belgium

Technology used: Location data and real-time tracking.

Players Involved: Belgian Public Health Agency, Telephone companies Proximus and Telenet, Third Party Company Dalberg Data.

Telecom companies transfer data to third party data companies. Data is used to spread and locate hotspots. It is being explored to send them targeted medical advice via SMS.

20.  China

Technology used: Real Time tracking, AI Detection Systems, Thermal Imaging, Drones, AI Medical Imaging, Cloud Computing.

Players Involved: Alibaba, Baidu, ByteDance, Tencent, Xiaomi, Alipay and Foxconn etc.

In order to fight misinformation, Baidu created a map layer on top of its standard Map App that shows real-time locations of confirmed and suspected cases of the virus so that people can avoid hot spots.

Tencent has launched Medipedia entries to provide expert-reviewed information, the myth-busting platform JiaoZhen, and a map of out-patient clinics to help people find their nearest one.

Qihoo 360 has launched a platform travellers can use to check if anyone on their recent train or plane trips has since tested positive so that they can take appropriate self-quarantine measures or visit the hospital if symptoms appear.

Some efforts, such as the AI fever detection systems and thermal-imaging technology being deployed in railway stations.

Alipay Health Code app, developed by Hangzhou’s local government with the help of Alipay owner Ant Financial, on their smartphones is mandatory. After users fill in a form with personal details, the software generates a QR code in one of three colors. Green enables its holder to move about unrestricted. Those with yellow codes may be asked to stay home for seven days. Red means a two-week quarantine. The app also appears to share information with the police.

JD Logistics deployed autonomous ground robots for last-mile delivery of supplies in Wuhan Hospitals.

Alibaba Cloud has offered AI computing capabilities to public research institutions for free to support virus gene sequencing, new drug R&D and protein screenings.

Baidu has opened up LinearFold, its RNA prediction algorithm, to genetic testing agencies, epidemic prevention centres and research institutes around the world. 

Infervision launched a “Coronavirus AI solution” an AI software from front line clinicians to detect and monitor the disease on CT scans.

21. India

Technology used: Location Tracking, Data Analytics, Geo Tagging, Automated Facial Recognition System, Geofencing, AI based video analytics.

Players Involved: Government of India, State Governments, District Police, Municipal Corporations, Karnataka Revenue Department, National health Authority, Maharashtra State Innovation Society Third Party developers like – Pixxon AI Solutions Pvt. Ltd., Face Tagr, Uengage Services Private Limited, Innefu Labs, Vijna Labs – Manipal Group, Pixxon AI.

Aarogya Setu is a smartphone app which uses Bluetooth and ‘Location Generated Social Graph’ to alert proximate cases of CoViD-19 positive contact. It’s privacy policy states that the data will only be shared with the government. Of India in an aggregated form. Further data is encrypted from the collection stage.

Co-Buddy App developed by FaceTagr is used by Thiruvallur District Police. App validates a person’s location using GPS coordinates, and as an added layer of authentication, uses face verification to ascertain their identity. The app continuously checks for the location of the phone and sends an alert to the police if a person steps outside of the geofence, which can be set from anywhere between 10 metres to 100 metres, according to promotional material of the app which was shared with MediaNama. The police can also see a heat map of all quarantined/affected people on a centralised map by district, by area on a centralised web dashboard.

The Mahakavach app built by Maharashtra State Innovation Society, Digital Impact SQ and Kumathon Foundation, through its contact-tracing feature, will provide the list of all public places and railway stations that the person could have visited.

SPOTTER (Surveillance of potential offenders through technology) is also deployed by Pune Police and developed by Vijna Labs. The information is sent to a private cloud-based server which runs a real-time artificial intelligence based face recognition and location tracking algorithm and compares against the registered information. When the face data and location data match against the database, a positive attendance and update is made into a dashboard. If the face or location data do not match against the database, a real-time alert is triggered for the authorities to take action for non-compliance of home quarantine rules.

The disaster management department of the Bihar government has launched “Garur App” for tracking and surveillance of the migrants and all those who have come into the state in the last few days through rail, roads and flights from across the country and abroad.

Privacy: A lost cause?

This table throws light on the deployment of pervasive surveillance technologies by the governments across the world to tackle the pandemic. However, coronavirus pandemic can normalise the deployment of mass surveillance tools in our lives. Apart from some of the technology enthusiasts, people are not aware about the nature of surveillance, how we are being surveilled, what type of data are we giving, where it is stored and how it’ll be used in the coming years. 

Undoubtedly, the above-stated apps can shorten the virus infection chain or almost cut it to zero. However, if these apps know our biometric data en masse, they can get to know us far better than us ourselves. As Yuval Noah Harari in an article in Financial Times explained that though biometric surveillance is a temporary measure adopted during coronavirus, but who knows? He goes on to explain an instance of Israel 1948 War of Independence, which brought temporary measures like press censorship to land confiscation, but has failed to abolish many of the ‘temporary’ measures of 1948. Similarly, data collected today would be deleted or not, surveillance would end or not is never clear. During 9/11 the battle was between security and Privacy, we chose security, today it is Health and privacy, we will of =-course choose health. But the question should be, can we choose both? It is the trust between public authorities, media and people which can make people trust science of staying at home and not coming out which empowers citizens and reduces the need for totalitarian surveillance. 

Another issue with the collection of Personally Identifiable Information (PIIs) is in violation of our right to privacy. However, most of the organizations or government agencies state that the data is collected in an aggregated way so that the identity of an individual cannot be traced. However, this anonymization of PII in aggregated form is a myth in the age of big data. There are two basic reasons why re-identification is much easier today. First, computing resources are extremely large relative to the population as long as the bad guy has enough information about his target, he can simply examine every possible entry in the database and select the best match. Second, many kinds of data can be used to help re-identify de-identified data, and such data is increasingly available in convenient, electronic form. In a 2017 case of Nursing Companies Association v. Ministry of Defence, the Israeli judge in the above-cited case highlights the relevance of state of the art data protection principles embodied in the EU General Data Protection Regulation (GDPR) in her ruling that:

 “…..Increasing the technological capabilities that enable storing large amount of data, known as big data, and trading this information, enables the cross-referencing of information from different databases, and thus also trivial information such as location, may be cross-referenced with other data and reveal many details about a person, which infringe upon his privacy… … … ..Information technologies bring new challenges of anonymization and pseudonymisation and ongoing privacy vulnerabilities……”

De-anonymisation

The apps mentioned above use most of our PIIs like our name, phone number, location, address etc. which are exactly the essential ingredient for re-identification today. PIIs in aggregated form provides a rich dataset which further when amalgamated with databases like those of health, airline, immigration etc. can narrow down the research and eventually trace individual’s information. For example, Netflix published 10 million movie rankings by 500,000 customers as part of a challenge to come up with better recommendation systems. This data was anonymized by researchers at the University of Texas at Austin by comparing rankings and timestamps with public information in the Internet Movie Database (IMDb). The point of this research was to demonstrate how little information is required to de-anonymize information in the Netflix dataset. Google, with its database of users’ internet searches, could easily de-anonymize a public database of internet purchases, or zero in on searches of medical terms to de-anonymize a public health database. Further, researchers from two universities in Europe have published a method that is to correctly re-identify 99.98% of individuals as anonymized datasets with just 15 demographic attributes. Before the government increases dragnet location surveillance, there are 3 steps which should be followed. 

Way Forward

Most of the apps mentioned above need aggregated data to map out mobility patterns of individuals, for which they don’t require individual information. This can be done by releasing anonymized data, where the dataset is coarsened to ensure no individuals can be re-identified – for e.g. blurring of facial features. Another way of ensuring privacy is to practice a technically sophisticated means called differential privacy. In this process, anonymization is followed up by Randomization which can be done through 2 steps: 1) Noise Addition – Alters the attributes by adding or subtracting a different random value for each record (e.g., adding a different random value between A+ and C- for the grade of the data subject) 2) Permutation – Consists of swapping the values of attributes from one data subject to another.

While we rely on more pervasive technologies to help us fight the novel corona virus, it is imperative to ensure that we are not harming ourselves in the long run. Whatever technologies we deploy to tackle this pandemic must not only be programmed to have privacy-by-design, purpose limitation, state-of-art anonymisation, and cyber-security protocols, but also an independent Data Protection Authority to oversee the implementation.


Authored by 

Harsh Bajpai : Research Scholar, Durham University |Twitter: @harshbajpai6

Gyan Tripathi : Law Student, Symbiosis International University | Twitter: @Gyan_Tripathi_

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s