March 24, 2020
As Coronavirus Surveillance Escalates, Personal Privacy Plummets
Tracking entire populations to combat the pandemic now could open the doors to more invasive forms of government snooping later.
By Natasha Singer and Choe Sang-Hun
In South Korea, government agencies are harnessing surveillance-camera footage, smartphone location data and credit card purchase records to help trace the recent movements of coronavirus patients and establish virus transmission chains.
In Lombardy, Italy, the authorities are analyzing location data transmitted by citizens' mobile phones [1] to determine how many people are obeying a government lockdown order and the typical distances they move every day. About 40 percent are moving around "too much," an official recently said.
In Israel, the country's internal security agency is poised to start using a cache of mobile phone location data [2] -- originally intended for counterterrorism operations -- to try to pinpoint citizens who may have been exposed to the virus.
As countries around the world race to contain the pandemic, many are deploying digital surveillance tools as a means to exert social control, even turning security agency technologies on their own civilians. Health and law enforcement authorities are understandably eager to employ every tool at their disposal to try to hinder the virus -- even as the surveillance efforts threaten to alter the precarious balance between public safety and personal privacy on a global scale.
Yet ratcheting up surveillance to combat the pandemic now could permanently open the doors to more invasive forms of snooping later. It is a lesson Americans learned after the terrorist attacks of Sept. 11, 2001, civil liberties experts say.
Nearly two decades later, law enforcement agencies have access to higher-powered surveillance systems, like fine-grained location tracking and facial recognition -- technologies that may be repurposed to further political agendas like anti-immigration policies. [3] Civil liberties experts warn that the public has little recourse to challenge these digital exercises of state power.
"We could so easily end up in a situation where we empower local, state or federal government to take measures in response to this pandemic that fundamentally change the scope of American civil rights," said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, [4] a nonprofit organization in Manhattan.
As an example, he pointed to a law [5] enacted by New York State this month that gives Gov. Andrew M. Cuomo unlimited authority to rule by executive order during state crises like pandemics and hurricanes. The law allows him to issue emergency response directives that could overrule any local regulations.
Increased surveillance and health data disclosures have also drastically eroded people's ability to keep their health status private. [6]
This month, Australia's health minister publicly chastised a doctor whom she accused of treating patients while experiencing symptoms of the virus -- essentially outing him by naming the small clinic in Victoria where he worked with a handful of other physicians.
The health provider, who tested positive for the coronavirus, responded with a Facebook post [7] saying the minister had incorrectly characterized his actions for political gain and demanded an apology.
"That could extend to anyone, to suddenly have the status of your health blasted out to thousands or potentially millions of people," said Chris Gilliard, an independent privacy scholar based in the Detroit area. "It's a very strange thing to do because, in the alleged interest of public health, you are actually endangering people."
But in emergencies like pandemics, privacy must be weighed against other considerations, like saving lives, said Mila Romanoff, data and governance lead for United Nations Global Pulse, [8] a U.N. program that has studied using data to improve emergency responses to epidemics like Ebola and dengue fever.
"We need to have a framework that would allow companies and public authorities to cooperate, to enable proper response for the public good," Ms. Romanoff said. To reduce the risk that coronavirus surveillance efforts might violate people's privacy, she said, governments and companies should limit the collection and use of data to only what is needed. "The challenge is," she added, "how much data is enough?"
The fast pace of the pandemic, however, is prompting governments to put in place a patchwork of digital surveillance measures in the name of their own interests, with little international coordination on how appropriate or effective they are.
In hundreds of cities in China, the government is requiring citizens to use software [9] on their phones that automatically classifies each person with a color code -- red, yellow or green -- indicating contagion risk. The software determines which people should be quarantined or permitted to enter public places like subways. But officials have not explained how the system makes such decisions, and citizens have felt powerless to challenge it.
In Singapore, the Ministry of Health has posted information online about each coronavirus patient, often in stunning detail, including relationships to other patients. The idea is to warn individuals who may have crossed paths with them, as well as alert the public to potentially infected locations. "Case 219 is a 30-year-old male," says one entry on the Health Ministry's site, [10] who worked at the "Sengkang Fire Station (50 Buangkok Drive)," is "in an isolation room at Sengkang General Hospital" and "is a family member of Case 236."
On Friday, Singapore also introduced a smartphone app for citizens to help the authorities locate people who may have been exposed to the virus. The app, called TraceTogether, [11] uses Bluetooth signals to detect mobile phones that are nearby. If an app user later tests positive for the virus, the health authorities may examine the data logs from the app to find people who crossed their paths. A government official said the app preserved privacy by not revealing users' identities to one another.
In Mexico, after public health officials notified Uber about a passenger infected with the virus, the company suspended the accounts [12] of two drivers who had given him rides, along with more than 200 passengers who had ridden with those drivers.
In the United States, the White House recently spoke with Google, Facebook and other tech companies about potentially using aggregated location data captured from Americans' mobile phones for public health surveillance of the virus. Several members of Congress subsequently wrote a letter urging President Trump [13] and Vice President Mike Pence to protect any virus-related data that companies collected from Americans.
The digital dictates may enable governments to exert more social control and enforce social distancing during the pandemic. They also raise questions about when surveillance may go too far.
In January, South Korean authorities began posting detailed location histories on each person who tested positive for the coronavirus. The site has included a wealth of information -- such as details about when people left for work, whether they wore masks in the subway, the name of the stations where they changed trains, the massage parlors and karaoke bars they frequented and the names of the clinics where they were tested for the virus.
In South Korea's highly wired society, however, internet mobs exploited patient data disclosed by the government site to identify people by name and hound them.
As other countries increase surveillance, South Korea had an unusual reaction. Concerned that privacy invasions might discourage citizens from getting tested for the virus, health officials announced this month that they would refine their data-sharing guidelines to minimize patient risk.
"We will balance the value of protecting individual human rights and privacy and the value of upholding public interest in preventing mass infections," said Jung Eun-kyeong, the director of South Korea's Centers for Disease Control and Prevention.
That is a tricky balance that some United States officials may need to consider.
In New York this month, Mayor Bill de Blasio posted details on Twitter [14] about a lawyer in Westchester County who was the second person in the state to test positive for the virus -- including the name of the man's seven-person law firm and the names of the schools attended by two of his children. A few hours later, The New York Post identified the lawyer [15] by name and was soon referring to him as "patient zero" in the coronavirus outbreak in New Rochelle.
In a response posted on Facebook, [16] Adina Lewis Garbuz, a lawyer who is the wife of the man, Lawrence Garbuz, pleaded with the public to focus instead on the personal efforts the family had made to isolate themselves and notify people who came into contact with them.
"We would have preferred this all remain private," Ms. Garbuz wrote in the Facebook post, "but since it is no longer, I wanted to at least share some truths and allay people's fears."
Aaron Krolik and Adam Satariano contributed research.
[2] https://www.nytimes.com/2020/03/16/world/middleeast/israel-coronavirus-cellphone-tracking.html
[3] https://www.nytimes.com/2019/07/07/us/politics/ice-drivers-licenses-facial-recognition.html
[4] https://www.stopspying.org/programs
[5] https://legislation.nysenate.gov/pdf/bills/2019/S7919
[6] https://www.nytimes.com/2020/03/04/us/stigma-coronavirus.html
[8] https://www.unglobalpulse.org/about/
[9] https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html
[11] https://www.tracetogether.gov.sg/
[14] https://web.archive.org/web/20200303223818/http:/twitter.com/nycmayor/status/1234968701700595712
[15] https://nypost.com/2020/03/03/nyc-lawyer-with-coronavirus-in-severe-condition-health-department/
[16] https://www.facebook.com/adina.garbuz/posts/10218749730509115