By Reuben Yap - Project Steward for Zcoin
Many policy decisions are being made to fight the immediate threat of coronavirus. These include the use of technology to assist with contact tracing and social distancing, tools to allow wide sharing of medical information to hasten research, and the creation of a digital dollar, that would allow individuals to receive immediate financial relief.
In times of emergency it is easy to ignore the privacy risks, especially when lives are at stake. However, we must remain vigilant as to how these policies compromise privacy, given they will linger long after the lifespan of the virus.
For example, nations like South Korea, Israel, Iran, China and Russia have implemented large networks of surveillance technology using cell phone data and facial recognition for locating individuals who may have been exposed to the virus within crowds.
Even countries traditionally known for preserving citizens’ freedoms, like the U.S., are considering harnessing the technology on the basis that it will benefit the greater good, despite the reduction in personal privacy that will linger long after the lifespan of the virus.
In the case of coronavirus apps in South Korea and Russia, users’ location is not the only thing being tracked. In earlier versions of Russia’s app, permissions around accessing geolocations and user cameras, core settings and address books were requested, and the app was regularly transmitting user data without encryption. When paired with Russia’s street cameras and gathering of purchase histories, personal privacy is almost nonexistent.
With South Korea’s app, although names were redacted, individuals often still had enough information to deduce others’ identities. Both of these measures not only ensure that identities are clear enough for authorities to track, but also allow them to monitor individuals’ movements and interactions long after they heal from the virus.
As governments wade into these deep, troubling waters it is important to realize there is no going back. Individual surveillance can and will easily lead to the tracking of other personal movements and even financial transactions, beyond basic browser data or location information.
With the proposal of a digital dollar that was initially tied to the U.S. economic stimulus bill, privacy around online financial transactions is also on the line. While having direct access to citizens — including the unbanked — allows the government to provide them with economic relief, it also harbors a great deal of risk.
In fact, in early February, Federal Reserve Chairman Jerome Powell had stated that the Fed “was not considering issuing its own CBDC yet, despite constantly evaluating its pros and cons,” due to the volume of considerations around cyber security and privacy. This rapid renege in policy appears to be a knee-jerk response, and may even open the door to the phasing out of physical cash, which has already happened in countries such as China.
Ultimately, financial privacy still needs more attention — especially where the government is involved. Before the invention of cryptocurrencies like Bitcoin and before credit cards were ubiquitous, cash was king. Cold, hard cash still offers ease-of-use and privacy. Individuals can do what they want and need with cash, because it is essentially untraceable.
When people pay in cash, governments and companies do not have access to the data about where and on what their money is spent. This is how it should be: your everyday purchases should be no one’s business but your own, as long as you are not infringing on the well-being or individual liberty of others. It may seem convenient to receive airdrops of money from the government or reminders from marketers about things you wanted to buy, but this is at the expense of your privacy as well as your freedom.
In a country that defends the right to bear arms as a check and balance against an oppressive government, the death of physical cash could mean that the government could cut you off from the financial system at their own discretion.
China’s social credit system offers a perfect, modern view into a very grim future. For example, if your social credit score is too low, your access to public services will be removed, permissions to travel will be denied, your internet usage will be heavily monitored. You and your family’s ability to attend good schools or apply to good jobs will be restricted, and the government has the right to publicly shame you on a blacklist that would make U.S. Senator Joseph McCarthy, famous for his Red Scare tactics, proud.
This virus has also forced us to rely heavily on digital tools for communication. Yet as we’ve seen from recent privacy breaches, most online tools are designed for convenience and monetization of data, not privacy.
While there are tools such as Signal, an end-to-end encrypted messaging service; Wire, a secure collaboration platform; Tor Browser or DuckDuckGo, which provides private browsing without risk of tracking or surveillance, and other end-to-end (e2e) encrypted cloud storage and email providers, they remain a small niche and have usability trade-offs.
Even medical data is under siege with companies driving deals with the U.K’s NHS and hospital chains, like Ascension, to share patient data. Although sharing data may seem relatively harmless where medicine is concerned, not all of the data follows HIPAA patient protection guidelines. When breaches of privacy are combined with individuals’ tracking data, purchase data, browser histories, and interactions through communication platforms, companies and governments can build perfect profiles of each and every person.
While technology instigates many of the above issues, it can still help protect privacy in many ways. Zero-knowledge proofs, multiparty computation and homomorphic encryption are just three ways that data can be processed and aggregated without revealing individuals’ details.
Recently, U.S. Senator Kirsten Gillibrand encouraged the use of PETs (privacy-enhancing technologies) in protecting user data. Most recently, Google and Apple announced a new system that will use short-range Bluetooth communications to alert people when they are in close range with an individual diagnosed with coronavirus.
Although the system currently requires an app and shares some data — which still breaches privacy — user consent is requested before information is shared, GPS locations are not tracked, and any information is broadcasted anonymously through keys that regularly cycle.
It’s still not perfect, but does offer promise. In an age where our data can be accessed by anyone, sold or exploited, the mandatory use of PETs where applicable cannot come sooner.
As companies and countries continue to formulate new methods for tracking and gleaning information from individuals, we need to continue to develop methods to keep their efforts at bay and remain a step ahead. We also need to ask if the trade-offs are proportionate to the benefits, and if the authorities can or will be held accountable.
Unfortunately this proportionality is lacking today and as Edward Snowden recently stated in an interview, “What is being built is the architecture of oppression.”
Although the future around personal data may sound bleak, there is still time to demand privacy. Everyone should be held accountable for protecting privacy, a fundamental human right. As the saying goes, privacy loves company.
The more we take responsibility for our own privacy and question the motives of those who wish to suppress our most basic freedom, the greater the chance that privacy returns to being the norm, rather than the exception. The implications of our decisions now will carry on for generations to come.
Reuben Yap serves as the project steward for Zcoin, a global privacy-first digital currency. He was a corporate lawyer for ten years specializing in institutional frameworks before joining Zcoin. Reuben has been a strong advocate of online and financial privacy for over a decade. He founded one of SE Asia's top VPN companies (bolehvpn.net) and was the first merchant in Malaysia to accept cryptocurrencies. Reuben graduated with a LLB from the University of Nottingham.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.