Technology: Data

Governments have collected large amounts of data to fight the coronavirus. That's raising privacy concerns

Key Points
  • Different governments have leveraged different methods to varying degrees of effectiveness in fighting the pandemic, and some have been deemed more controversial than others.
  • Security flaws were found in the contact tracing apps of South Korea, Qatar and India, which made the private details of people using those apps vulnerable to security breaches.
  • EDPB and OECD are calling on governments to cease and reverse the exceptional use of data when the pandemic is over, including for mobile apps, but the feasibility of this depends on their end-to-end design.

Technology has enabled the world to respond quickly to the coronavirus pandemic — but solutions through mass data collection have also raised questions about privacy rights.

Digital check-in systems, wristband trackers and mobile applications are just some examples of the surveillance technology implemented by governments to monitor and track the movement of people as they seek to stem the spread of the virus.

Massive amounts of data have been collected to provide policy-makers with accurate and efficient information to help manage resources, and ultimately shape health and social policies.

However, though these measures have paved the way for efficient contact tracing, they harness the power of data in ways that put the privacy of individuals at risk.

Privacy spectrum

Different governments have leveraged different methods to varying degrees of effectiveness in fighting the pandemic. Some have been deemed more controversial than others.

On one end of the spectrum is China, which has deployed drones, artificial intelligence and security cameras in front of people's apartments to enforce quarantines and monitor public spaces.

VIDEO9:0709:07
The changing face of privacy in a pandemic

On the other side of the spectrum, western countries like Germany, Italy and Switzerland have employed more cautious approaches.

These European countries also fall under the playbook of the General Data Protection Board, or GDPR, which was established in 2016 and has been touted by the European Union as a "digital gold standard" for protecting data and privacy.

Countries like Singapore, South Korea, Qatar and India are somewhere in the middle. Each has launched mobile applications, among other solutions, to help with contact tracing efforts or self-isolation measures.

Not all contact tracing apps are the same

Singapore's app, TraceTogether, is voluntary for all citizens and residents. The government says it does not collect any location data. The nation also adopted a digital check-in system at all public places, including malls and stores, to facilitate contact tracing efforts.

Meanwhile, Qatar's contract tracing app, Ehteraz — which means precaution — is mandatory for all citizens and residents. 

In addition to its contact tracing app, South Korea uses credit card information, phone call records and CCTV footage to form a more complete picture of the whereabouts and activities of its citizens.

Certain regions of India have also employed surveillance tools like their contact tracing app Aarogya Setu, phone records, camera footage and phone location data, in order to identify possible links to patients infected with coronavirus.

Security flaws were found in the contact tracing apps of South Korea and India, which made the private details of people using those apps vulnerable to security breaches. Qatar's Ehteraz app was also highlighted by Amnesty International to have "serious privacy flaws."

Although the flaws were quickly fixed, the continued reliance on these digital tools raised questions on whether data protection laws have been properly adhered to.

Calls to end mass data collection

The European Data Protection Board and the Organisation for Economic Co-operation and Development have called on governments to cease and reverse the exceptional use of data when the pandemic is over.

This data includes and applies to a person's location data that is acquired from calls or apps on their mobile phones.

The feasibility of this depends on careful planning of the collection and processing of data from start to finish, said Shahnawaz Backer, a security advisor for American tech firm F5 Networks.

"For instance, if the data is being collected in a centralized manner and stored with encryptions, enterprises can deactivate data collection and destroy the master key that allows access to this data," Backer told CNBC. "Where possible, data should be tokenized to reduce breach impact."

To tokenize data is to turn sensitive information, such as a person's identification number, into a random sequence of characters in order to to protect the information from breaches.