Contact Tracing and Privacy
By Cody Shultz and Alec Harris
Things are opening back up again and then closing back down again. With the emergence of different variants, it seems evident we are not past the pandemic. The impact on privacy has been significant. With massive stimulus injections and enactment of “emergency powers” by governments across the globe, power and control are more centralized than ever.
So, what’s the impact on privacy? The implementation of mobile phone-based contact tracing measures. In already authoritarian countries like China and Russia, citizens must use contact tracing apps on their phones as well as “check-in” to locations by scanning QR codes as they go about their business. Singapore’s “TraceTogether” app (https://www.tracetogether.gov.sg/) has been adopted by other countries in the region. Meanwhile in the US, Google teamed up with Apple to build Bluetooth based contact tracing applications into Android and iOS mobile operating systems. The intention behind these applications is, on its face, good. In authoritarian countries, we would expect individual privacy to be subordinate to state controls and contact tracing overreach is expected from, for example, the CCP. However, in “free” countries like the United States, well-intentioned public health measures become data privacy nightmares.
For civil libertarians, the Patriot Act has become an archetypal example of state abuse of a crisis to grab new powers it will never voluntarily concede. The law is once again up for congressional renewal, this time while a new crisis, the coronavirus pandemic, is raising fresh fears of “temporary” emergency measures becoming permanent.”[1]
Governments, and tech companies for that matter, rarely relinquish power and emergencies are a great time to convince the public that more power is needed. Privacy-conscious individuals need to consider not just the merit, but the implications, of contact tracing applications. Consider that to perform contact tracing through a mobile application, the device must share:
-Where the device is at all times
-Registry of all other devices in proximity at all times
-Covid-19 status of all device owners
The potential for abuse is significant. Knowing where a phone goes, where you go, reveals what intelligence analysts refer to as “pattern of life” and it’s an immensely rich data set. With enough historical pattern of life information, the data starts to become predictive. Everyone has pattern of life “tells” that, in aggregate, reflect private information.
What if you used your lunch break to go interview for another job? Is there a trip you take every year that would predict when your house would be vacant? Did you happen to be near the commission of a crime but have nothing to do with it? All of these examples present pattern of life privacy concerns.
Contact tracing should be opt-in, non-political, and non-revenue generating. Everyone has a vested interest in mitigating covid-19 risk but ceding more personal privacy is not necessary. Taiwan offers a good example of effective but non-intrusive contact tracing. Their system relies on open-source contact tracing applications with decentralized management of the data. The Taiwanese government encouraged participation as a civic duty and their populace responded with high compliance. The Taiwan model still collects data and some libertarians might be opposed to all forms of government data collection, but public health deserves to be considered as well. Volunteering to use a decentralized open-source app is much more appealing than mandating use of a government-controlled surveillance tool.
[1] https://theweek.com/articles/913982/when-crisis-powers-become-permanent
