A new approach to privacy in pandemic conditions
In 2020, the global COVID-19 pandemic did not bypass Poland. Health, social and economic changes caused by the pandemic resulted, among others, in a sudden increase in the use of ICT systems. The aim of the article is to show the changes in the approach to the use of ICT systems by users, administrators, government offices, human rights institutions.
New Internet phenomena have emerged, with telemedicine, for example, developing at an accelerated rate, but also an increase in online attacks, abuse, and fraud. Changes in pro-citizen attitudes have also been observed. All of these phenomena, as well as those I did not mention, because it is impossible to discuss them in one article, make us think about the future, what reality we will have to get used to after the pandemic is over. This article is a review of information about privacy in pandemic.
- COVID-19 contact notification applications. Examples of solutions in different countries
There is speculation that dedicated mobile apps for contact tracing and alert generation could play a significant role in the fight against COVID-19. The EU is working with Member States to develop effective solutions to this issue. As apps can expose sensitive user data, Parliament stressed the need for care in their development [ii].
The European Commission has recommended a common EU approach to contact tracing applications designed to alert people if they have been in contact with an infected person. In its resolution of 17 April and during the debate in plenary on 14 May, Parliament stressed that any digital measures against the pandemic must fully comply with data protection and privacy laws. It said that the use of the apps must not be mandatory and that they should include sunset clauses to eliminate them when the pandemic is over.
Members stressed the need for anonymized data; to reduce the risk of potential abuse, data should not be stored in centralized databases. Parliament also said that it should be made clear how apps are intended to help reduce infections, how they work, and the commercial interests of their developers.
The recommendations have been established as an “EU toolbox”:
- National health authorities should approve applications and be responsible for compliance with EU data protection regulations.
- Users have full control over their personal data. Installation of apps should be voluntary and they should be uninstalled as soon as they are no longer needed.
- Limited use: use only personal data relevant to the purpose, should not include location tracking.
- Strict time limits: personal data should be kept no longer than necessary.
- Security: data should be stored on the user’s device and encrypted.
- Interoperability: applications should also work in other EU countries.
- National DPAs should be fully involved and consulted.
The document “Mobile applications to support contact tracing in the EU’s fight against COVID-19. Common EU Toolbox for Member States” dated April 15, 2020 describes national initiatives for these applications[iii].
The situation with apps dedicated to COVID-19 alerting is changing rapidly. Because a person can be infectious before showing any symptoms, the app makes it possible to determine whether there has been contact with a seemingly healthy person who was already infected.
Mr. Michał Sajdak from sekurak.pl, a website dedicated to various aspects of IT security, published a list of solutions used in the above mentioned applications[v].
He found that basically all solutions based on near-field analytics rely on Bluetooth (BLE – Bluetooth Low Energy). They collect more or less data and store it locally or on servers. They also have different approaches to privacy or security. And so, on the technical side, first we observe different concepts (frameworks / protocols): PACT[vi], Covid-Watch[vii], DP-3T[viii] or BlueTrace[ix].
There are also very general concepts (Pan-European Privacy-Preserving Proximity Tracing[x]). Secondly, we may have different implementations of the same framework, and this is where vulnerabilities may appear (e.g. a vulnerable application through which attackers may potentially get to our phone, or application extensions that supposedly “implement” a given standard but add something of their own instead). Large problems may also occur in the backend, e.g. someone using classic web vulnerabilities gains full access to the server.
Most solutions boil down to exchanging messages via Bluetooth, while measuring signal strength and exposure time. On the other hand, there is contact with medical services (who confirm that someone is ill) and further dissemination of information to people who may have been exposed. The authors present the implementation of the DP-3T project in the form of an accessible comic book. The comic has been published by the authors as Public Domain, which means that you can post it, publish it, and attach it to your own application, as long as it actually implements the described privacy-protecting protocol.
The authors have also given permission to translate it into other languages. Two versions were presented: a shorter and a longer one[xi]. For the purposes of this article, technical information will be omitted. An important part of the project is its documentation, which includes, for example, a risk analysis set in the broader context of systems that track users' close contact with a given object or person. For example, scenarios such as these are considered:
- Someone deliberately spreads false information about infections, causing chaos (all it takes is a powerful enough BLE transmitter);
- Interference with communications from infected;
- Tracking of infected individuals (e. g. by MAC address) and their independent geolocation;
- Threats resulting from communication between the application and the backend (e. g. disclosure of detailed information about the infected);
- Access to the backend by services (not necessarily medical), crackers, or careless administrators.
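A minimal sketch of the decentralized approach described in this section (rotating Bluetooth identifiers, a contact log kept on the phone, signal strength and exposure time as the matching criteria), added here as an illustration and not taken from DP-3T, BlueTrace or any other cited project. The HMAC-based derivation, the thresholds, the retention window and the sample keys are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# All parameters below are assumptions chosen for illustration.
EPOCHS_PER_DAY = 96              # one broadcast identifier per 15-minute epoch
RETENTION_DAYS = 14              # the local log is kept no longer than this
CLOSE_RSSI_DBM = -65             # a signal at least this strong counts as "close"
MIN_EXPOSURE_SECONDS = 15 * 60   # cumulative close time that triggers an alert


def ephemeral_ids(day_key: bytes) -> list[bytes]:
    """Derive the day's rotating 16-byte broadcast identifiers from a secret key."""
    return [
        hmac.new(day_key, b"ephid" + epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


@dataclass(frozen=True)
class Observation:
    day: int          # day number on which the beacon was heard
    eph_id: bytes     # identifier received over BLE
    rssi_dbm: int     # signal strength
    duration_s: int   # how long the identifier was heard


class LocalContactLog:
    """Observations stay on the device; no location or identity is recorded."""

    def __init__(self) -> None:
        self._observations: list[Observation] = []

    def record(self, day: int, eph_id: bytes, rssi_dbm: int, duration_s: int) -> None:
        self._observations.append(Observation(day, eph_id, rssi_dbm, duration_s))

    def prune(self, today: int) -> int:
        """Delete entries outside the retention window; return how many were dropped."""
        kept = [o for o in self._observations if today - o.day < RETENTION_DAYS]
        dropped = len(self._observations) - len(kept)
        self._observations = kept
        return dropped

    def exposure_seconds(self, published) -> dict[int, int]:
        """Match locally against (day, day_key) pairs published for confirmed cases."""
        totals: dict[int, int] = {}
        for day, key in published:
            ids = set(ephemeral_ids(key))
            for o in self._observations:
                if o.day == day and o.eph_id in ids and o.rssi_dbm >= CLOSE_RSSI_DBM:
                    totals[day] = totals.get(day, 0) + o.duration_s
        return totals

    def is_exposed(self, published) -> bool:
        return any(s >= MIN_EXPOSURE_SECONDS
                   for s in self.exposure_seconds(published).values())


def build_constructed_log():
    """Constructed sample data: one phone's log and two other users' day keys."""
    alice_key = hashlib.sha256(b"constructed-key-alice").digest()
    carol_key = hashlib.sha256(b"constructed-key-carol").digest()
    alice, carol = ephemeral_ids(alice_key), ephemeral_ids(carol_key)
    log = LocalContactLog()
    log.record(10, alice[40], -60, 600)   # close contact
    log.record(10, alice[41], -62, 600)   # same person, next identifier
    log.record(10, alice[42], -90, 600)   # weak signal, not counted
    log.record(10, carol[5], -50, 1800)   # close, but carol's key is never published
    log.record(1, alice[3], -55, 1200)    # older than the retention window
    return log, alice_key, carol_key


if __name__ == "__main__":
    log, alice_key, _ = build_constructed_log()
    print("pruned:", log.prune(today=20))
    print("exposure:", log.exposure_seconds([(10, alice_key)]))
    print("alert:", log.is_exposed([(10, alice_key)]))
```

Only the day keys of confirmed cases leave a phone in this sketch; matching and the exposure decision happen on the device that holds the log.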
The author of the article from sekurak.pl considers the solution adopted by Singapore to be the base solution for many countries (including possibly Poland). The BlueTrace protocol was created there, followed by an open-source implementation, OpenTrace. At least in its declarations, this approach treats privacy seriously: the location of the users is not given, the relevant logs are stored on the phone (not in the backend), and if there is a need to send logs to the server, the user is directly asked to give such consent. If they don’t give it, nothing happens.
In some simplification, some basic information (phone model, contact time, temporary IDs of nearby users) is collected locally. On the server side, the user’s ID (encrypted with the server’s private key) and phone number are stored. Some manual actions that need to be performed (e. g. to delete your “account” from the server) can be a bit worrying.
Austria has already released its application, and a solution audit report is available[xii]. It was admittedly done under time pressure (and will most likely continue). The scope includes both legal and technical issues (testing areas include source code for Android / iOS applications or backends, including those supporting SMS communication). The Swiss application as well as the Estonian one is also supposed to use DP-3T.
Germany was supposed to implement a centralized system, but there has been a change – there will be decentralization. The app itself (which will probably be the official one) is based on DP-3T. Norway, on the other hand, is pulling out of a project to implement a social contact tracking app in the wake of the Covid-19 pandemic due to a dispute over user privacy between the Norwegian Institute of Public Health and the country’s data protection authority.
According to the Norwegian Data Protection Agency, the low rate of spread of SARS-CoV-2, the coronavirus that causes Covid-19, in the country makes the collection of personal data of the country’s residents by the tracking app unjustifiable in view of the privacy implications of its implementation for users. So far, the app has been tested in Norway in the area of three municipalities.
Currently, between 20 and 50 new cases of coronavirus infection are detected each week in Norway, according to the Norwegian Institute of Public Health. However, the Institute is concerned about a second wave of the outbreak and argues that the Smittestopp application should be further implemented in preparation for it. Discussions have been scheduled between representatives of the institution and the Data Protection Authority to address this issue. The Norwegian app was suspended even before the NGO Amnesty International published its report on it.
The paper points out that of the many similar programs currently widely used to fight the epidemic around the world, Smittestopp poses many threats to user privacy. This is because, according to Amnesty International, the app allows for “near real-time location tracking”. According to AI collaborative security expert Claudio Guarnieri, “this incident should serve as a wake-up call to all governments that rush to deploy apps that are intrusive and designed to pose a risk to human rights.”
The application used in Colombia is based on another solution that was created a few years ago under the threat of Zika or Dengue virus. Interestingly, for using this application, its users get additional 1 GB of traffic (and 100 minutes of calls) from telecom operator (it’s funded by the Government; more scrupulous will say – it’s funded by all citizens). Security analysis of the application is also available[xiii].
South Korea is one example where almost “total” solutions have been applied, in a country considered to be democratic. The analysis[xiv] includes the location of telephones (from telecom operators), CCTV monitoring records, card payment history, and a database containing immigrants’ data. One can say that no application is needed, although such an invasion of privacy is unlikely to meet with a warm welcome in other countries, especially because detailed information about those infected is published[xv] without much restraint.
Cyberdefence24.pl reports[xvi], «The Covid-19 human contact tracking apps released by Kuwaiti and Bahraini authorities are “invasive,” violate privacy and enable surveillance of users, according to a report published by Amnesty International. As the BBC reports, researchers from Amnesty International analyzed 11 pandemic contact tracking apps for privacy, including software made available in Algeria, Bahrain, France, Iceland, Israel, Kuwait, Lebanon, Norway, Qatar, Tunisia and the Emirates.
According to the organization’s report, the BeAware Bahrain program and the Shlonik app promoted by Kuwaiti authorities proved to be the most invasive. The Norwegian Smittestopp also failed to meet the standards, however the authorities of this country have already resigned from its introduction. The report’s authors point out that while most such apps rely on Bluetooth proximity technology to merely note a user’s contacts, the software from Bahrain and Kuwait tracks the location of specific individuals based on GPS data.
The information collected by the programs is then sent to central databases. In practice, this allows authorities to monitor the location of residents in real or near real time. Amnesty International also stressed that users of these applications are required to provide their national registration number when registering, which allows the authorities to identify specific individuals. In other countries, the use of this type of software is anonymous.
“The apps violate user privacy and serve as completely unwarranted, invasive surveillance,” Amnesty Security Lab head Claudio Guarnieri said in a statement. Local activists are further concerned that the data collected through the app will not be deleted after the Covid-19 pandemic ends and could be passed on to third parties, such as security services. They recall that the data was accessed, for example, by the producers of a TV show in Bahrain, who were given access to the data to check on camera and via an app whether the country’s residents were at home during Ramadan. Neither Bahrain nor Kuwait has responded to Amnesty International’s report».
From the above few examples we can observe a duality of attitudes, represented respectively by the authorities of the states, acting under time pressure, in the face of a real threat, and on the other hand the reactions of NGOs, independent experts in the field of security. We observe a certain close interest in the situation, which creates opportunities for certain abuses in the field of human rights. For example, the Panoptykon Foundation draws attention to the fact that exceptional solutions should apply only in times of emergency, and should not be adopted as final solutions. In his article Wojciech Klicki raises the following issues[xvii] : «Technology could be useful in combating a global coronavirus pandemic. The use of some of them involves invasion of privacy and increased surveillance of the public. However, these emergency measures must meet certain conditions, which we, together with European Digital Rights, call on EU and national authorities to respect. Today’s extraordinary measures must not become tomorrow’s.
(…) Technologies are used, among others, to supervise people in quarantine (e. g. Polish application “Home Quarantine”) or to inform residents that they have had contact with sick people (e. g. solutions used in Singapore or Korea). Israeli solutions belong to the latter group: services will precisely track the location of every phone to create a detailed network of social contacts. The infrastructure for such action already exists – for years Shin Bet (Israeli counterintelligence) has been using it against suspected terrorists. (…)
However, extraordinary circumstances do not justify the possibility of arbitrary interference with the privacy and other rights of residents. We support the appeal on this matter made to the EU institutions and Member States by the European Digital Rights organization, of which we are a member. EDRi pointed out that in the interest of public health we should obey such rules as:
- using such limitations on the rights of the individual that are necessary, proportionate, and justified – such requirements result not only from European regulations (the EU Charter of Fundamental Rights), but also from the Polish Constitution. This means, for example, that before applying a particular tool that interferes with individual rights, the authorities must answer the question of whether the intended goal cannot be achieved using other, less intrusive methods;
- Protecting personal data today and in the future – the tools that are deployed to combat coronavirus should provide the greatest possible protection for personal data and be compliant with GDPR. This includes, for example, the need to ensure data security and to limit the possibility of using data solely for pandemic control;
- the introduction of emergency tools only for the time of the fight against the coronavirus – the flexibility of the GDPR is based on the idea that in exceptional situations data protection gives way to the public interest. However, the exception must not become the rule and authorities should periodically review whether specific rules are still necessary or whether redundant data can already be deleted and collection technologies withdrawn.
This last remark by EDRi needs to be particularly emphasized because it is addressed not only to the authorities, but also to society as a whole. (…) European Data Protection Supervisor Wojciech Wiewiórowski wrote that no matter what happens in the coming weeks, the world will no longer be the same – we will have to ask ourselves if we are willing to sacrifice our basic rights in order to “feel better” and “be more secure”. We agree that fundamental questions will be answered in the coming months.
The experience of the global war on terrorism teaches that the authorities are reluctant to withdraw from extraordinary measures introduced “exceptionally, for an exceptional time”. One could just look at the information disclosed by Edward Snowden about the mass surveillance conducted by U.S. services, whose dynamic development began after the attack on the World Trade Center in the atmosphere of the “war on terror”. Another example is the European epic concerning the so-called retention of telecommunications data.
The obligation to provide services with the phone records and locations of cell phones of all Europeans was introduced in response to the attacks in Madrid and London and has remained to this day – despite a lack of evidence that it is necessary to ensure security, and numerous judgments stating that it is an excessive interference with human rights. (…)
The key point will be when, having defeated the global pandemic, we leave the fear it caused behind. If this is a world in which the tools introduced today continue to function, and we become familiar and accustomed to them, then change will be difficult to reverse.
Therefore, in agreeing today to measures that limit our rights, we must demand that the authorities not only act in accordance with standards of human rights protection and only limit them temporarily. We need to remember how we have lived so far, and have a clear disagreement on our rights being restricted – even if they convince us that the applications that worked during the emergency of a pandemic will also be effective during the annual ‘flu epidemic’».
- Citizen contact tracking applications in practice
The first statistics describing the applications’ performance appeared more than two months after various countries around the world launched applications related to Covid-19. It turned out that the use of these solutions by citizens varies, but no less than the expected level giving meaningful results. In Japan such an application was downloaded almost 3 million times. As we can read e.g. on cyberdefence24.pl[xviii]: «For a system of this kind to be effective, it is essential to disseminate it widely. (…)
Typically, 60 percent of the population is indicated as the threshold for the effectiveness of similar systems. However, the government in Tokyo has not set a specific target. “The more people use the app, the more effective it becomes,” – Minister Katsunobu Kato told a parliamentary committee. (…) The 2.7 million downloads of the app in Japan so far may translate to about 2 percent of the country’s population. In Poland ProteGO Safe application has been downloaded by a little over 150 thousand people, which is insufficient for effective monitoring of the disease development. The situation is definitely better in Germany, where almost 10 million users downloaded the app within the first 24 hours».
A similar percentage of Covid-19 app users, around 2 percent of the population, was reported in France[xix]. «At a press conference organized (…) by the French authorities on the effectiveness of the StopCovid application, the rulers reported that so far the application has been downloaded from the App Store or Play Store by a total of 1.9 million French people, or 2 percent of the country’s population. However, not everyone has activated it – according to the report presented, just over 1.8 million users have opened the program and started using it.
The app can be uninstalled at any time, and users can delete all the data it has collected. Authorities estimate that in the past three weeks, 23,900 users deactivated the program and 460,000 simply uninstalled it. There may be even more such people – since installing the app does not require a name or address, officials have limited access to information about who is actually using CovidStop.(…)
Meanwhile, the presented report (…) shows that so far the app has only been able to identify 68 people who have declared that they are infected with coronavirus. The software recorded 250 contacts involving these individuals and sent a total of 14 alerts warning other users».
- Changes in the understanding of privacy during pandemic
Counsel Robert Nogacki and Dr. Marek Ciecierski, in their article published i.a. on interia.pl[xx], point to norms of privacy other than those commonly understood: «After all, not everyone shares the view that privacy must be protected even in times of epidemic. Former Portuguese minister to the EU Bruno Macaes, now a writer and commentator, said in an astonishing tweet, “I am more and more convinced that the biggest battle of our time is the one against the ‘religion of privacy’. It could literally kill us all”. Admittedly, he later clarified that he was not criticizing privacy as such, but since we never had to define it, it remained a metaphor or worse, a religion. But the idea that privacy concerns in a battle against a virus are not only irrelevant, but could prove fatal, seems rather extreme. On the other hand, advocates of uncompromising privacy protection seem to think that any form of monitoring of people with a virus bears the hallmarks of suspicious surveillance.
So we have a wall of distrust because over the last 20 years, since the World Trade Center, there has been a failure to create institutions, legislation or paradigms that allow us to trust this invasive technological world».
The authors I have mentioned also raise an important issue about the need for a Digital Bill of Rights [xxi].
«There is a debate in many countries (unfortunately, not so much in Poland) over apps to track people who are sick or suspected of carrying COVID-19. Scientists are sounding the alarm in the face of clear privacy violations. At the turn of April and May, about 600 scientists from all over the world warned in a joint statement that GPS-based contact tracking applications do not have “sufficient accuracy” and threaten privacy, and some enable surveillance for other purposes».
Now is a good time for highly developed societies to start creating a legal framework to tame the almighty technologies, to form regulation in the new digital age. In October 2019, at the World Forum on Artificial Intelligence for Humanity, President Emmanuel Macron called on experts and governments to jointly define a new charter of rights to guarantee basic protections in the digital world, stressing that «the stakes are absolutely critical and crucial for our democracies». Later in their text, the authors offer a recommendation on how to achieve the right balance[xxii].
«Public health, privacy rights and economic prosperity are the three paradigms of all democratic societies. But they require compromises and sticking to a few ironclad rules.
First, any surveillance measures taken must be reversible, proportionate and completely transparent. The process for removing them should be defined at the time of implementation. The past has shown that there are temptations to perpetuate extraordinary states and solutions. For example, many of the broad-based surveillance provisions in the “temporary” PATRIOT Act were routinely renewed by Congress in 2005 and recently extended in March 2020.
Second, governments should require app developers to demonstrate how the information will help combat coronavirus. For example, there is no legitimate reason to collect location or contact data on individuals for months in the case of a virus with a two-week incubation period. Otherwise, their holders will be tempted to use the data for political or commercial purposes.
Third, political leaders must address a structural problem. The traditional norms and institutions that underpin democracy are incompatible with the digital world. Digital policy experts have long recognized the imbalance between digital technologies and individual freedoms. Western leaders lacked the political will for systemic solutions.
Politicians’ general lack of preparation for the pandemic itself should serve as a warning that unforeseen challenges could be catastrophic for society. While there is confidence that a pandemic does not permanently threaten freedoms such as assembly and movement, there is no such conviction when it comes to digital rights – far more complex and nebulous. Instead, there is a fear, well-founded as it may be that measures adopted in emergency situations could make mass surveillance the new norm».
The changes that have taken place in social and economic life with the advent of the Covid-19 pandemic have led to much reflection on the need for additional legislation to protect the rights of citizens. The large-scale emergence of new negative online phenomena has forced countries to react quickly.
Wherever remote working/learning has been enabled, additional threats have emerged from both attackers and poorly secured systems and networks. According to some sources[xxiii], «Prior to the pandemic outbreak, the average proportion of people working remotely was 27% during the workday. As of March 31, 2020, more than 60% of employees are taking advantage of such an opportunity». Thus, there is a growing demand for legal protection of remote working and learning solutions.
On the other hand, any applications created in order to support the fight against the spread of viral threats should be designed and implemented so as to be the least invasive to the privacy of citizens. The experience gained so far with applications implemented in various places around the world proves that it is possible to implement applications in compliance with human rights.
(By Sławomir Fiodorów[i], translated from Polish by Karolina Garstka, with thanks to Jolanta Grebowiec-Baffoni)
[i] Dr. Sławomir Fiodorów, University of Wrocław, Department of Social Sciences, Poland, ORCID 0000-0001-6789-7594.
[ii] Monitoring COVID-19 applications: ensuring privacy and data protection, https://www.europarl.europa.eu/news/pl/headlines/society/20200429STO78174/aplikacje-monitorujace-covid-19-zapewnianie-prywatnosci-i-ochrony-danych [accessed 18.06.2021.]
[iii] eHealth Network, https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf [accessed 18.06.2021.]
[iv] https://www.gov.pl/web/koronawirus/aplikacja-kwarantanna-domowa-od-dzis-obowiazkowa [accessed 18.06.2021.]
[v] Mobile applications to notify about contact with an infected person COVID-19. How does it look in different countries? https://sekurak.pl/aplikacje-mobilne-majace-powiadamiac-o-kontakcie-z-osoba-zarazona-covid-19-jak-to-wyglada-w-roznych-krajach/ [accessed 18.06.2021.]
[vi] https://pact.mit.edu/ [accessed 18.06.2021.]
[vii] https://www.covid-watch.org/ [accessed 18.06.2021.]
[viii] https://github.com/DP-3T/documents [accessed 18.06.2021.]
[ix] https://bluetrace.io/ [accessed 18.06.2021.]
[x] https://www.pepp-pt.org/ [accessed 18.06.2021.]
[xi] https://github.com/DP-3T/documents/blob/master/public_engagement/cartoon/pl/Comic.md#pe%C5%82na-wersja [accessed 18.06.2021.]
[xii] https://noyb.eu/sites/default/files/2020-04/report_stopp_corona_app_english_v1.0_0.pdf [accessed 18.06.2021.]
[xiii] https://archive.org/details/informe-publico-tecnico-coron-app-v-170320-1 [accessed 18.06.2021.]
[xiv] https://thediplomat.com/2020/04/south-koreas-experiment-in-pandemic-surveillance/ [accessed 18.06.2021.]
[xv] https://www.nature.com/articles/d41586-020-00740-y [accessed 18.06.2021.]
[xvi] https://www.cyberdefence24.pl/amnesty-international-ostrzega-przed-aplikacjami-do-sledzenia-kontaktow-kuwejt-i-bahrajn-z-najgorszym-wynikiem [accessed 18.06.2021.]
[xvii] Freedom and privacy in the age of Coronavirus, https://panoptykon.org/wiadomosc/wolnosc-i-prywatnosc-w-dobie-koronawirusa [accessed 18.06.2021.]
[xviii] Nearly 3 million Japanese downloaded the COVID-19 monitoring application, https://www.cyberdefence24.pl/wiadomosci/prawie-3-milionow-japonczykow-pobralo-aplikacje-do-monitorowania-covid-19 [accessed 20.06.2021.]
[xix] France: 1,8 million of citizens activated StopCovid application, https://www.cyberdefence24.pl/francja-18-mln-mieszkancow-aktywowalo-aplikacje-stopcovid [accessed 23.06.2021.]
[xx] Privacy at risk during the pandemic, https://biznes.interia.pl/gospodarka/news-zagrozona-prywatnosc-w-okresie-pandemii,nId,4523813 [accessed 20.06.2021.]
[xxi] https://biznes.interia.pl/gospodarka/news-zagrozona-prywatnosc-w-okresie… (op. cit.)
[xxii] (op. cit.)
[xxiii] Global cyber threats related to pandemic, https://www2.deloitte.com/pl/pl/pages/technology/articles/globalne-cyberzagrozenia-zwiazane-z-epidemia.html [accessed 23.06.2021.]
Monthly digital scientific journal (e-magazine) published in Legnano since 2013 – Director: Claudio Melillo – Responsible Editor: Serena Giglio – Coordinator: Pierpaolo Grignani – Managing Editor: Marco Schiariti
Edited by the Centro Studi di Economia e Diritto – Ce.S.E.D., Via Padova, 5 – 20025 Legnano (MI) – C.F. 92044830153 – ISSN 2282-3964. Publication registered with the Court of Milan, no. 92 of 26 March 2013