This article was published on March 26, 2020 on Business Law Today, a publication of the American Bar Association, Business Law Section at https://businesslawtoday.org/2020/03/covid-19-data-privacy-health-vs-privacy/. We received permission for Mr. Claypoole to republish for the ADCG community.
The Black Death stole people’s identities. Sweeping through Europe and Asia periodically from the 14th to the 18th century, the disease erased entire cities, and individual graves were traded for huge trenches with scores of nameless bodies. Spread by traders and human travel that brought disease carriers everywhere, people were reduced to numbers, as not only the sick disappeared but so did everyone who might have remembered them.
COVID-19 is unlikely to cause such a demographic catastrophe, but it may have an effect on our identities, stripping away privacy protections in the name of pandemic control. Our most significant technology companies are leading the charge to harness data and the newest industry tools to both fight the spread of this disease and to reduce our personal privacy in the process.
Two social benefits are in direct conflict right now, and the business of technology is tipping the scale from one to the other. On one hand, actions needed to slow the spread of COVID-19 can save countless lives depending on how soon and how effectively they are deployed. On the other hand, many of these same actions target individuals and pull them from anonymity or isolate their information in databases and bring them to public attention.
The most significant privacy infringements are playing out on a macro scale as governments and businesses join together to track and halt the spread of the disease. China locked down more than 500 million mostly healthy people to keep COVID-19 in check, and it has been using unmanned aerial vehicles to scan crowds and spot feverish people from hundreds of feet away, signaling to watchers on the ground. Chinese state television noted that people in Shanghai who were ordered to sequester have digital monitoring devices attached to the doors of their homes.
Giant search engine company Baidu developed an algorithm for the Beijing subway police to quickly identify commuters not wearing masks. Baidu’s online doctor consultation platform has handled over 15 million inquires and hosts over 100,000 doctors answering questions. Chinese law does not seem to limit what Baidu may do with this health information about its users.. The world’s largest e-commerce company, Alibaba, launched a drug delivery service to treat people with chronic diseases to relieve hospitals burdened by COVID-19 overcrowding. This takes patients’ health information out of the hospital setting into an extensive database that also tracks their online purchases. Chinese gaming company Tencent, the operator of WeChat, is providing a chatbot to people seeking basic diagnoses and the company has launched free online health consultation services. We have seen no reporting on what personal information is required to receive these services.
South Korea is often cited as handling its virus response better than most other countries—its government-employed disinfectant-spraying drones and thermal goggles that read people’s temperature from a distance. South Korea also “rolled out a ‘Self-Quarantine Safety Protection’ tracking app to keep digital eyeballs on the roughly 30,000 people officials told to stay home for two weeks. If a person brings their phone out of the permitted area, a mobile alert gets beamed to the individual and their government case officer.” The country has also worked with industry to introduce a mobile app-based facial recognition system that allows health providers and others to quickly identify the names of patients. The secrecy, religious practices, and fingerprint scanning requirements of a South Korean sect fell under international scrutiny when a high number of its members filled the country’s COVID-19 statistics.
The State of Israel gave an order to shelter at home to all of its citizens and used a cell phone tracking tool previously only used by the government for fighting terrorism. This tool notes the movement of mobile phones so the government can tell if you are defying its orders and track your activities. Prime Minister Netanyahu said, “We will very soon begin using technology… digital means that we have been using in order to fight terrorism.” Opposing politicians criticized mobile phone monitoring as an assault on the privacy of Israelis.
Established biometric company SuperCom, headquartered in Israel, sees the COVID-19 pandemic as a way to sell its biometric infected population monitoring system, explaining, “The solution is a scalable electronic monitoring and tracking platform ready for deployment. It includes a waterproof, hypoallergenic Bluetooth ankle bracelet, a smartphone and SAAS software in the cloud, but is also customizable such as for smartphone-only monitoring. SuperCom says is already speaking with a number of government organizations to roll out the solution globally.” Japan has used temperature scanners for all incoming airplane passengers. Singapore worked with local technology companies using QR codes to track citizens.
The U.S. is not immune to the acceleration of government surveillance to fight the novel coronavirus. According to the Wall Street Journal, data mining company Palantir is working with the Centers for Disease Control to model the viral spread, and, “Other companies that scrape public social-media data have contracts in place with the agency and the National Institutes of Health.” The same article points out, “Crimson Hexagon, now part of Brandwatch has a $30,000 contract with the CDC that was initiated last fall, according to government records. Crimson provides companies and governments with ‘social listening’ tools, meaning it scrapes public Facebook, Instagram and Twitter posts in part to gauge sentiment.” Social media databases can be used to look for symptoms people discuss like shortness of breath, fever, or cough.
That Google-sponsored website noted by President Trump, called Project Baseline, will link the information of people seeking testing with the other data Google collects about them. The Washington Post writes that the U.S. government is working with Facebook to track people’s movements and with Google to find insights through personal use of mapping applications. We also know that federal law enforcement has purchased large cell phone location databases from Verizon and AT&T, likely at least in part a reaction to the SCOTUS Carpenter decision, limiting the government’s subpoena-free access to this information. No word of what kind of government databases will be left in the hands of the administration after the crisis is over.
Facial recognition database giant Clearview A.I., the current (and justified) boogie man of privacy intrusion, is, according the WSJ, “in discussions with state agencies about using its technology to track patients infected by the coronavirus.” This would entail states tracking individuals using facial recognition and matching to public or business cameras. It is likely that license plate recognition operated by nearly all state law enforcement agencies will be harnessed for this task as well.
All of these new biometric-based technology implementations run counter to a trend in privacy law. The EU’s General Data Protection Regulation, as well as laws in U.S. states like Illinois, Washington, and Texas, have restricted the use of biometric identifiers by businesses. The clear utility of biometric readings as a practical security and health care tool fights against lawmakers’ suspicion of capturing our physical characteristics. The conflict will likely intensify thanks to our use of privacy-threatening, COVID-19-fighting biometric tools.
Our individual health information may also be at risk. Group health protection trumps individual privacy protection. At this stage, the U.S. is failing to provide adequate testing resources to properly measure the growth of COVID-19 infections. If you should be tested, or if you have been tested positive, what happens to that information? Reports of your illness are dropped into aggregated statistics for national, state, and local governments, but some people need more specificity to protect them from your contraction of this highly contagious illness.
Your employer, for example, will likely find out, and what will the company do with the information? Will HR keep your name under wraps—formally and informally? Even if they don’t use your name, but announce that someone has contracted the disease, or several people contracted it, how easy will it be to figure out that one of them was you? The same may be true for your neighborhood association, the schools that your children attend and other social groups. If you attended a conference, everyone you contacted may be alerted to your condition. Climbing off a cruise ship can get you quarantined and tracked by government. Protecting the community from infection runs entirely counter to your desire to hide your contraction of a seriously infectious disease.
Containing the COVID-19 outbreak is vital, and, in such crises, the health of the many outweighs the privacy of the one. But will this incident simply push us three steps further into a complete surveillance community? It has allowed China to test technological methods for social control, and I doubt those tools will be shoved back in the closet. Our own government is building many new types of databases and analytics for learning about the population, including individual people and small communities. Will these tools be maintained or ditched? State and local police are bringing more surveillance technology to bear as well. They will surely keep using the information they learned even after the viral threat is gone.
The fight against COVID-19 has triggered implementation of extensive new electronic and data-focused technology that will clearly help save lives. As this technology is implemented, we must also be careful of what we lose. Thanks to the attention paid to changes in the European and California privacy laws, companies are building internal practices for protecting the privacy of the people they encounter.
Fighting the virus places some of this private information at risk. COVID-19 threatens our health and the fight to contain it threatens our economy. We can only hope that what remains of our privacy emerges from this disaster intact.