These normally privacy-forward sources are saying this in response to the pandemic, obviously. But it's also because companies that track, target, identify and surveil individuals are pitching their technologies to ID and trace the infected — in shady backroom discussions with the White House.
The pandemic has us all in vulnerable positions, and some tech companies are just ethics-free enough to step in and take advantage of entire populations being held hostage by COVID-19. They see us as profitable, captive data generators while their PR departments act like they did something virtuous for the greater good. Like Zoom.
For reasons us privacy nerds can't comprehend, many people rushed to adopt and use Zoom for in-home teleconferencing once all the sheltering-in-place started. Zoom happens to be a privacy nightmare with a terrible security track record — so bad that in late 2019, EPIC (Electronic Privacy Information Center) made an official complaint to the FTC alleging "unfair and deceptive practices." According to EPIC, "Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user."
That's not all: Zoom collects "your physical address, phone number, your job title, credit and debit card information, your Facebook account, your IP address, your OS and device details, and more" ... and traffics that data with whomever it's doing business with (it's unclear where or how Zoom sntaches that info, except to say it's "when you use or otherwise interact with our Products").
If only sleazy data dealers used their talents for good, right?
Look: former privacy pitchers, I get why you're now catching for Big Brother. This is an emergency. But looking at what's working (or not) in other countries, we will fail at containment unless we make sure pandemic response tracing tools don't blur into the fulfillment of ICE and police wishlists.
If you're sitting at home (you better be) arguing this is a matter of privacy versus safety, you've just shown us that privacy and surveillance abuses are merely abstract concepts for you. This is not a black or white issue; staying at home is, washing your hands is, and behaving like you're infected for the safety of others is. We have failed to contain coronavirus, to stop its spread, and to prepare for the worst. Those failures have nothing to do with a lack of invasive surveillance, and cannot be cured by finally closing the information-sharing loop between Big Tech and Stephen Miller.
Elizabeth M. Renieris, a Fellow at Harvard's Berkman Klein Center for Internet & Society explained in When privacy meets pandemic how it's critical that core international human rights principles on privacy are baked into coronavirus-related tech.
"What happens if we trace people with no ability to help them," Renieris wrote. "What if it just doesn't work in some contexts? We especially have to ask these questions where some experimental methods of contact tracing are being entrusted to large for-profit tech companies." Ms. Renieris adds:
While no one seriously questions the need for interventions that can protect public health and safety, the framing of many privacy-related concerns skips a fundamental step in the analysis — namely, asking when an interference with fundamental rights is justified.
This analysis is grounded in core principles of international human rights law — not something particularly within Facebook or Google's expertise. If the privacy community skips this critical step, we have already lost the battle to protect our fundamental rights.
Do it wrong and people avoid getting tested, you wind up with unknown infected populations, and you create a marriage of surveillance and policing that cannot be walked back — you fail to contain the virus and democracy is DOA. Do it right and you have an informed and voluntary population, policing is separate from public health and medicine, there are safeguards in place to prevent inevitable abuses, and you stem the tide of infections.
Pandemic surveillance: Privacy's tipping point
Yes, other governments around the world are using surveillance tools to stem COVID-19's spread. The main countries using technology to track and throttle the spread of the virus are China, Germany, Hong Kong, Israel, Italy, Singapore, South Korea, and Taiwan.
As you may know, China and Israel have gone full draconian. Israel has decided to leverage novel coronavirus in order to "lean in" on that whole police state thing. "Last week the Israeli government issued emergency orders granting the Shin Bet security service the authority to track its citizens," reported Haaertz, "allowing digital monitoring of coronavirus patients' cellphones, using means that were not disclosed."
The country's security service is "using the technology at its disposal to track the routes that patients have taken outside their homes and to determine whom they have gotten close to ... [and] tracking details of all calls made by coronavirus patients." But at least Israel is supposed to have an expiration date on keeping citizen data. Unlike China.
After unsuccessfully concealing the severity of its COVID-19 outbreak for two months, China rolled out the advanced tracking tech it used to round up more than a million Uyghur Muslims (now in concentration camps) and uses that tech to enforce an isolation policy. It includes phone tracking, facial recognition, and requiring hundreds of millions of citizens in lockdown to download an app. The app places people into three stoplight categories (green is free to move about; red is 14-day quarantine).
China, of course, said this was successful in stopping the pandemic, which has since resurfaced in the country, challenging that claim.
The countries with the best balance of privacy and virus tracing are containing it, namely South Korea and Taiwan. In fact, most of the countries showing success with coronavirus tracing have unique, current legislation specific to pandemics with provisions on data collection. The laws in Germany, Italy, South Korea, and Taiwan meet the European Union's General Data Protection Regulation (GDPR) standards. These countries are thinking about what will happen in the days after we all survive the novel coronavirus, and acknowledge that it's a terrible idea to unbraid privacy from healthcare.
In South Korea and Taiwan, two countries who've done well to push back against the virus without the draconian tech-surveillance measures of China and Israel, legislation around data collection includes oversight and transparency for its citizens. "For example," Haaretz wrote regarding South Korea's approach, "citizens were provided with an explanation of what information was collected, for what purpose and when it would be erased."
That's how South Korea's officials addressed the problem of people avoiding tests over privacy concerns. Jung Eun-kyeong, the director of South Korea's Centers for Disease Control and Prevention told press, "We will balance the value of protecting individual human rights and privacy and the value of upholding public interest in preventing mass infections."
Singapore's COVID-19 mortality rate is arguably the lowest — and though the country isn't high in the freedom and democracy index, its success in using tech to fight the virus may be linked to its conditions around data privacy. "Privacy legislation in Singapore was most recently revised in 2014 and entails that the processing of data about individuals requires their consent," press reported. "Downloading the application was voluntary, it did not monitor people's whereabouts, and the information collected was not provided to the government."
In a way, it's no surprise that entrepreneurs, greedy corporations, and dark-intentioned authorities are seeing COVID-19 as an opportunistic land grab for money, control, and power. It's sickening.
What is surprising, however, is how some seem to have learned from the mistakes of the greedy. Singapore -- again, no steward of democractic freedoms -- clearly gets that if you treat your people's privacy and data the same way Facebook does (or China, or Zoom for that matter), your problems are going to breed problems like tribbles.
The notion of repurposing tools that data harvesting companies use to track, snatch, and profit from our personal data without our explicit consent is some pretty ballsy -- or naive, or grossly privileged -- wishful thinking. These data collection tools were not built to save lives in emergencies: they were purpose-built for exploitation and abuse.
The only way to repurpose them safely and effectively is to treat them like they're radioactive: we must proceed with the certainty that all virus tracking and tracing tech will be abused. To not do so will be catastrophic.