Privacy in times of COVID-19

From governments to tech giants everyone wants to track people more efficiently while privacy takes a back seat

Wired editor in chief Nicholas Thompson recently shared, “Phone companies know where your phone is at all times. It has a harder time tracking people indoors than it does outdoors, but the phone will know who you've been near and therefore if it knows who's been exposed. It can determine your risk.”

Earlier last week Nicholas and senior correspondent Adam Rogers did a Livestream where they answered questions from readers about the current state of the COVID-19 pandemic, covering everything from testing to virology to the scientific rationale behind wearing a mask.

“It's already happening. In Hong Kong, you get a smartphone app when you come in. Many of the Asian countries and regions are instituting 14-day quarantines when you show up in the country, even if you're from there, and you have to register on your phone and they monitor your location,” said Adam.

Nicholas also mentions a paper in Science that said quarantines aren't going to work, social distancing isn't going to work, what we recommend is that somebody designs an app that tracks your location and that sends you an automatic alert when you have been near someone who has tested positive.

However, the paper raises ethical questions? “Successful and appropriate use of the App relies on its commanding well-founded public trust and confidence. This applies to the use of the App itself and of the data gathered.” (Please read the paper if you love science and mathematics. I just focused on the ethical part. Science is not my cup of tea.)

India as of now(9:36 AM) has 5274 active cases that are 3.88 cases per one million, the Indian government is going all guns to control the pandemic with some crazy and rational means. While it is more or less confirmed that the lockdown might get an extension, the government is all set to launch CoWin-20(who comes with such positive names), a new smartphone app that aims to track individuals by their smartphone locations and curb the community spread of coronavirus.

The app is now in beta, promises to also work as a guide for individuals to learn about the location of coronavirus testing labs as well as quarantine centers in Indian cities.

According to The Next Web, the app will use your location data and Bluetooth to gauge if you’ve been near a person who was infected by COVID-19. “It likely determines that by looking through a database of people who have been infected, as well as with one containing individuals’ travel history. It’s also said to be able to tell you if you’re in an area with a high number of coronavirus cases.”

The app also promises to keep your data encrypted and limited to the device; it’ll only share your data with the health ministry if you’ve tested positive for the disease. “It isn’t yet entirely clear how the government will track those people and match up to their location data in the app.”

We have no idea how long this data will be stored and how it will be secured. But more importantly, India’s data privacy law is still under discussion.

China has already rolled out an app for people to test if they’ve been in ‘close contact’ with people exposed to the fast-spreading coronavirus. The app active in 200 cities, assigns a color code to users. While the code is visible to folks using the app, it also shares that data with the police. “People can scan a QR code to get a green, yellow, or red tag. The green tag means you are healthy and can roam around the city unrestricted, yellow means a seven-day quarantine, and red means a 14-day quarantine.”

While it looks the way forward (we don’t know what works, because experts are learning with every day and we are consuming whatever we can get) but the stigma is going to be the next thing once we have become immune to COVID-19.

“People have a hard time remembering privacy rights when they’re trying to deal with something like a pandemic,” says Vasuki Shastry, a Chatham House fellow who studies the interplay of technology and democracy. “Once a system gets scaled up, it can be very difficult to scale it back down. And then maybe it takes on other uses.”

The scholar Shoshana Zuboff, the author of The Age of Surveillance Capitalism, reminded Peter C Baker, The Guardian that, prior to 9/11, the US government had been in the process of developing serious regulations designed to give web users real choice about how their personal information was and wasn’t used. “In the course of a few days,” Shoshana says, “the concern shifted from ‘How do we regulate these companies that are violating privacy norms and rights’ to ‘How do we nurture and protect these companies so they can collect data for us?”

Germany, Austria, Italy, and Belgium are all using data – anonymized, for now – from major telecommunications companies to track people’s movement. South Korea sends texts to the public identifying potentially infected individuals and sharing information about where they’ve been.

If this wasn’t enough the tech giants from Google to Facebook have joined the race with good intentions on the face. But we know how honest have been these giants when it comes to data and security. 

Google mobility data

Recently Google has revealed anonymized location data on the movements of people in 131 countries as a guide for public health officials during COVID-19. This is how mobility changes for India look like. With the entire country on lockdown, the biggest mobility drop has been witnessed by “Retail and Recreation” (-77% compared to baseline) includes places like restaurants, cafes, shopping centers, theme parks, museums, libraries, and movies theaters.

Transit Stations(-71% compared to baseline) has seen the second-biggest drop and Residential is the only one (+22% compared to baseline) that has seen positive growth.

India is staying home which is what is required if we want to reduce the impact of COVID-19 but this also gives a sneak peek of the user behavior that she is doing when out and when staying in the home. (This month Google shared Google Maps data showing how my travel has dropped. Obviously, it does because I have kept the location feature tracking on but it has its other side too.)

Addressing the privacy concerns Google says that these reports are developed to be helpful while adhering to its stringent privacy protocols and protecting people’s privacy. No personally identifiable information, like an individual’s location, contacts or movement, is made available at any point. “to be helpful while adhering to our stringent privacy protocols and protecting people’s privacy. No personally identifiable information, like an individual’s location, contacts or movement, is made available at any point.”

Basically the user is responsible for what she shares and Google won’t be held responsible for any mishaps in the near future. Thank You, Google.

“I think the privacy risks are very small here," says Albert Gidari, the director of privacy at the Center for Internet & Society at Stanford Law School. "This is a good example of where aggregate location data can be developed in a privacy sensitive way to provide actionable information to decision makers on the effectiveness of social distancing."

Google has a history of complying with geofence warrants by giving the police location data that can identify devices in a certain area at a certain time. Verify, the life science division of Alphabet(parent company of Google), is making users sign in with Google account to use its COVID-19 screening service. This has led to an inquiry from US senators. So its all interlinked and shared even if these giants keep denying. 

What happens when the COVID-19 pandemic is in control will it still share "community mobility reports" to governments and health organizations when there's less of a need for it? “Right now privacy is about individual data, and this location tracking is about community data. If we're being compared to other locations, does that impact our identity? Will we start to look at privacy at an aggregate level, say NY vs Florida? There are tensions between locations being driven by the privacy debate,” reports Business Insider.

Facebook mobility data

Facebook has also joined the race. It has launched new tools that use “aggregated” and “anonymised” data on population movement, collected from users, that can show whether social distancing measures are working or when outbreaks are most likely to occur next. The tools, developed under the Facebook Data for Good program, offer Disease Prevention Maps, which show movement patterns at a region or country level that researchers can use to understand how diseases like COVID-19 spread.

Facebook has not provided any specific privacy-protecting measures it is taking but has clarified that data is aggregated at the state or country level, and does not show individuals’ patterns.

Additionally, Facebook is also launching a survey developed by Carnegie Mellon University’s (CMU) Delphi Research Centre, which is designed for public health officials to figure out where lockdown guidelines should remain or be expanded. “The survey is aimed at gathering data about US residents who are symptomatic for COVID-19 at a county level — to generate data about how to respond to an outbreak — by generating heat-maps of self-reported symptoms for instance.”

Facebook is providing the data, but it is not involved in the survey.

Zoom security issues

If there's one company that has tremendously benefited apart from the healthcare and sanitizer brands it is the sudden revival of Zoom. The video conferencing app that went public last year has become the go-to app with almost the entire world on lockdown and work from home becoming a new norm. In recent weeks, Zoom has emerged as the most downloaded on the Apple App Store, repeatedly breaking its download records. 

Launched in 2011, today Zoom is valued more than $40 billion, or roughly as much as Uber.

But the company right now is facing severe security concerns with two fresh zero-day vulnerabilities. Zoom’s iOS app has been sending data to Facebook, without notifying users, even if they had no Facebook account. Meanwhile, Zoom has also updated its privacy policy after it was revealed that the old terms would have allowed the company to collect user information, including meeting content and analyze it for targeted advertising or other marketing. “And users have been creeped out by Zoom's attention-tracking feature, which lets the meeting host know if an attendee hasn't had the Zoom window in their screen's foreground for 30 seconds.”

In another incident it has been found that some Zoom calls were routed through China, the company has offered an apology and a partial explanation. Zoom said this happened in “extremely limited circumstances.” When reached, a Zoom spokesperson did not quantify the number of users affected. Zoom said in its defense that it can “do better” on its encryption scheme, which it says covers a “large range of use cases.” Zoom also said it was consulting with outside experts, but when asked, a spokesperson declined to name any.

Meanwhile, Taiwan has banned Zoom from all government business. Parts of the German government have blocked the use of Zoom following concerns around its privacy and security protection.

Houseparty has issues too

Another app that is sitting to blow your data is Houseparty which has been a hit among netizens post lockdown. With 10 million downloads on Android, I was intrigued to check out the app but since I hardly have any friends the app was boring for me. The next time I logged on Facebook, I had a notification from Houseparty telling me that I logged on the app. I understand why it is showing me but I wasn’t expecting such a greeting.

According to cybersecurity and privacy researcher, Lukas Stefanko takes a look at the Android version of the app to see if there were any other potential issues. He said there was nothing of concern.

“The only concern is that it can collect “anonymized and aggregated information, such as de-identified demographic information” and “de-identified location information.” As seen in recent news about antivirus company Avast, even when location data is “de-identified,” it’s still possible to find out who the person is by linking it with other information.”

As the old saying goes according to TC, “if the product is free, you are the product.” “Anybody who decides to use the Houseparty application to stay in contact during quarantine needs to be aware that the app collects a worrying amount of personal information,” said Ray Walsh of research firm ProPrivacy to describe it as a “privacy nightmare.”

“This includes geolocation data, which could, in theory, be used to map the location of each user. A closer look at Houseparty’s privacy policy reveals that the firm promises to anonymize and aggregate data before it is shared with the third-party affiliates and partners it works with. However, time and time again, researchers have proven that previously anonymized data can be re-identified.”

Ladies and gents welcome to the world of anonymized data that is now being used for a good cause and I hope it stays like that. But greed overpowers everything.

For now, stay safe, informed and stay home.