How tackling Covid-19 creates temptations around data privacy, and how to address them

Published in XAngeVC by XAnge, Apr 28, 2020

By: Nicolas Rose

photo: KAREL RAKOVSKY, via PicJumbo.

Some businesses and health authorities are working closely to contain the ongoing health crisis, including through the use of digital tools to “monitor” population activity. With that, the tension between the need to protect privacy and the temptation to exploit personal data is reaching a new high.

If a digital solution can help eradicate a deadly virus, clearly it has to be considered, as long as we make sure that all voices can have a say in designing such a solution. And why not use the ongoing debate around tracking apps as an opportunity to empower end-users in taking back control over their personal data in a trusted way?

A no-brainer for safety

Let me track your movements, and I’ll relax your confinement. Would you give authorities access to your location data (anywhere, anytime), in exchange for increased safety and the ability to roam freely?

In many European countries, authorities are scaling up the manual tracking of Covid-19 patients, going back 14 days to all the people they have been close to, so that they can be quarantined. “Contact tracing” is a tried and tested epidemic reduction method. They are also working on a digital version, an app that will use the Bluetooth inside the person’s phone to detect who the user has been in close contact with — and alert them if they were “exposed” to a contaminated person for more than a few minutes. This follows a successful use of such tracking apps in Asia, South Korea in particular, even though the WHO recently said that there is no empirical evidence that the digital approach is effective (indeed it does not cover the whole population, and can generate multiple false positive or false negative cases).

It’s easy to see how, after two months of lockdown and strict social distancing, and with a genuine desire to help, most would happily sign up to use such an app. A recent poll led by the Oxford Big Data Institute shows that this is the case in Europe and even in France, a country known for its strong data protection culture and regulation.

There is a precedent

Why would anyone refuse this trade when they already accept it in their everyday lives?

We all routinely give away valuable chunks of our personal data — including geolocation information — in exchange for many online services: search engines, social networks, a simple Internet connection, food delivery, bike rentals… anything!

For most users, this trade is done in mere ignorance of how the data is used. We simply use a Facebook or Google single-sign-on identification like they are a commodity. And without thinking, we just click YES / IGNORE on any GDPR pop-up preventing us from accessing our content.

The door is opening for increased social control

Given the scale of the Covid-19 pandemic, the door is opening for states and authorities to launch tracking apps, possibly giving way to other uses of our personal data, ones that could be much more coercive.

Let’s imagine another pandemic wave, same game, new rules:

  1. To enforce strict social distancing policies, health authorities could now monitor not only the proximity of other phones but also your location, using not just a voluntarily downloaded app but the phone’s operating system, an evolution that Apple & Google are working on, and which “only public health authorities will have access to”.
  2. And if you are not in your “designated confinement area”, you will receive an automatic fine on your phone.

After all, it’s just a way to make it more efficient, more practical for everybody (considering that the French police issued over half a million fines in the past few weeks, all manually!).

You think it’s crazy? It’s not. Just see what’s being done in China with the QR Code app, in Russia with video surveillance with facial recognition in Moscow or in Dubai with licence plate tracking.

Is this the future we are promised, or is it just increasing social control made available through technological progress?

We need more balance in powers

The debate is highly political — but enabled by technology — and I fear it is too flawed to take place in good, healthy, democratic conditions.

  • General public awareness is too low. People usually have too little idea of what businesses and states know about them. And they don’t care. Some have nothing to hide, most just don’t know what’s at stake. Would presenting them with a clearer picture of “who knows what”, a feedback loop, change their mind? I’m not even sure. This goes for most of the politicians who represent them too.
  • They don’t care because they don’t know what is done with their data. And they don’t know what it’s worth. One day maybe, when we can quantify the value of this or that information, this will change, but it might be too late.
  • Businesses already share data with authorities (criminal procedures and surveillance aside). Was no one shocked to hear that eight European telco carriers, including Orange, gave away the location data of their users in March? And this without a warning to their clients. The fact is… this data was already on the shelf for any marketing team to buy in one way or another.
  • The data is anonymized, says the European Commission, who requested the information. Sure. But we now better understand that anonymized data can be cross-referenced and de-anonymized.

So much is wrong here when it comes to ensuring personal data privacy in the long run. The deal isn’t clear enough, knowledge is insufficient, and the technological debates are often reserved for the more tech-savvy professionals or the educated elites.

Tracking can help but doesn’t have to be creepy

In the course of my career as an investor, I’ve come across hundreds of startups and solutions helping businesses deal with user data. They cover the whole spectrum, from ultra “liberal” to ultra protective.

Technologically, almost anything is possible. In the tracking app example, we now see a clear divide between the more centralized approaches, where device IDs are granted by a central (state) authority, and another approach that enables the devices themselves to each generate specific device IDs in a decentralized way.

It is interesting to witness European countries choosing sides (UK & France in the centralized one, Switzerland and Germany in the decentralized one). The argument that a centralized approach provides “more insight into how Covid-19 spreads and allowing more control over notifications” is reasonable but does not address the obvious: it can also open the door to unintended consequences such as function creep, which is “the gradual widening of the use of a technology or system beyond the purpose for which it was originally intended, especially when this leads to potential invasion of privacy”.

What’s hard is to ensure that organizations and public services make the most of the available data without encroaching on users’ rights or harming the trust people have put in using digital tools. “Don’t be creepy” starts with helping others not be creepy.

Recently we invested in two great startups that are addressing some of these issues:

  • Misakey, the personal data wallet, that gives citizens a chance to take back control of their data by centralizing it in one digital space they manage (and selectively grant access to). I love their open-source approach, and how the tool is built to help both end-users and organizations get better at empowering their own end-users.
  • Sarus, (Seed round just announced!) a multi-party data sharing tool, that lets data scientists and business analysts work on sensitive data without accessing the data directly — therefore guaranteeing privacy with much more efficiency than simple anonymization (which by definition deletes important and valuable parts of the data), while reducing data leakage risks.

It is hard to say how this Covid-19 crisis will unfold, and what the digital landscape for tracking apps will look like in a few months. At the current pace, we might well have given away a lot of power to businesses and authorities, with little to show for it in return. This is why we need to ensure that data privacy safeguards, a privacy-by-design approach, are factored into all digital apps to minimize the temptation of tracking people’s whereabouts and other personal data, and the ensuing inevitable breakdown of trust.

In this historical moment, it is important that we not only defeat the Covid-19 virus but that we collectively make the right technology choices that can work for all people and not just for a few.
