By Leif-Nissen Lundbæk, Co-Founder and CEO of Xain
At a meeting of the European Council in March, leaders discussed a number of ways to restore normalcy to areas shutdown by the COVID-19 pandemic. Vowing to “protect our citizens and overcome the crisis,” leaders outlined a number of ways to maintain normalcy while trying to contain this novel coronavirus.
The vast majority of these initiatives are fairly benign, beneficial even: ramping up testing and diagnostic capabilities, for example. Others though, have far-reaching implications that could infringe on citizens’ rights to privacy and freedom of movement.
Containment, however noble a cause, must be handled with caution. As we’ve seen many times before, and often in periods of crisis, regulators have a tendency to be a little heavy-handed in rolling out new measures meant to protect us. Unfortunate as it may be, these initiatives are inherently sticky, often outlasting the thing we initially sought protection from.
How at-risk you are to these protective measures generally boils down to where you live. Latin America and Asia, for example, have extremely lax, and often nonexistent, protections for their citizens’ right to privacy. The European Union, with its constitutional right to privacy, is thought to be the gold standard in digital privacy. The United States falls somewhere in-between.
Privacy as a spectrum
In China alone there exist more than 350 million surveillance cameras, a vast network capable of identifying and tracking citizen movement. That’s one camera for every four citizens.
Digitally, it doesn’t get much better. The country is home to the “The Great Firewall,” a series of censorship tools meant to keep citizens from venturing too far outside of state-approved content and applications online. Google, Facebook, Wikipedia and hundreds of other popular websites are blacklisted, leaving Chinese people at the mercy of approved sources of information and news.
If China is rock bottom, Europe occupies the opposite end of the spectrum, at least digitally.
Introduced in 2018, the General Data Protection Regulation, commonly known as GDPR, offers strict protections for consumers through a series of processes meant to give users control over their personal data and how companies protect it. Some though, argue that it’s not enough.
Edward Snowden, the notorious intelligence contractor who leaked a treasure trove of documents detailing a worldwide invasion of privacy calls it a “good bit of legislation,” but adds that it’s a “Faustian bargain,” or a “deal with the devil.”
“The problem isn’t data protection,” Snowden said. “The problem is data collection. Regulating protection of data presumes that the collection of data in the first place was proper, that it was appropriate and that it doesn’t represent a threat or danger. That it’s okay to spy on your customers or your citizens so long as it never leaks, so long as only you are in control of what it is.”
And then we have most of the rest of the world in the middle, including the United States, a country that features more surveillance cameras per capita than even China, and no GDPR-like regulation at the federal level meant to protect consumers from data misuse — whether that be data collected by mobile networks, ISPs, or the government itself.
In the US, the number of hacks has increased in recent years, and little is being done to hold companies accountable for protecting sensitive data. Worse, terabytes upon terabytes of your most private details, collected by your oft-used services, are stored each year at the Utah Data Center, where the NSA has a permanent record of just about everything. It’s a time bomb waiting to explode.
A 2017 hack, for example, exposed more than 143 million Americans’ names, drivers license numbers, addresses, dates of birth, and perhaps most shockingly, their social security numbers. And how is a breach on this scale policed by the Federal Trade Commission in the United States? A fine and a promise to pay for one year of credit monitoring for each person affected. The fine, essentially a 500-plus million dollar slap on the wrist would have totaled billions inside the EU.
COVID-19 ushers in a brave new world of government surveillance
Now that we’ve identified the extremes of the privacy spectrum, and the space in the middle, you might be asking yourself why this is important. It’s because each of these countries and regions, and many more just like them, now have coronavirus in common. And each is looking at new, ever-more-invasive ways to protect its citizens through overreaching solutions.
To stamp out new coronavirus infections, and to contain existing hotspots, regulators around the globe are calling on technological solutions to track and limit movement. A number of telecom companies, for example, have recently begun sharing geolocation data with government officials. While it’s thought to be aggregated and anonymous, security researchers have proven that it’s possible to de-anonymize this information when matched with other data points. This could, potentially, leave people vulnerable to tracking on an individual level.
Worse, there’s little promise that this practice will stop when the pandemic passes. The EU is the only region on record that has promised to delete the data once COVID-19 is no longer an issue. Historically, however, it’s worth noting that the EU has maintained similar domestic bulk data collection practices as seen in China and the US, including warrantless surveillance. Whether this promise to delete user data is fulfilled is anyone’s guess.
But it’s not just governments we have to worry about; a new wave of applications meant to flatten the coronavirus curve present a troubling scenario for privacy advocates. Some of these new contact tracing apps could prove effective for prevention and early diagnosis of COVID-19 – for those willing to download and use them -- though they also present a dystopian scenario for misuse.
In the EU, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-T) application uses Bluetooth LE to analyze signals between smartphones and notify users who come into contact with an infected person. Created by 130 scientists, technologists, and experts from eight European countries, the non-profit initiative sounds great on paper, but it’s not without its problems.
The Helmholtz Center for Information Security (CISPA) confirmed on April 20, that it was withdrawing from the PEPP-T consortium over “a lack of transparency and clear governance” as well as data protection concerns. Five other groups involved in the consortium withdrew the same week.
Also on April 20, an open letter signed by more than 300 security professionals from 26 countries stated that PEPP-T should be “rejected without further discussion.”
And it’s not just the EU, or the PEPP-T application. Part of the problem comes from the restrictions within the operating system, features meant to keep consumers safe. No regulatory body or corporate interest can override these; most contact tracing apps have similar feature sets, limitations, and privacy concerns that come along with them.
Countries unwilling to subject their citizens to this type of tracking have, so far, relied on facial recognition technology, which brings its own set of privacy concerns. Remember the massive surveillance networks in the US and China (as well as numerous other countries)? These can be retrofitted with facial identification technologies and thermal imaging — though many of these cameras already have one, or both of these technologies.
In Poland, the government has launched a biometrics smartphone app meant to confirm that infected people remain home.
China, on the other hand, takes a more active approach, ensuring that infected persons are unable to travel, using facial recognition to keep them off buses, trains, and airplanes.
Russia too employs a similar system, using facial recognition to notify authorities when the infected fail to adhere to mandatory quarantine.
Aside from privacy concerns, there’s also no simple solution to how long this data will be stored or what, if anything, will be done with it during or after the pandemic. China, for example, has used facial recognition to build a database of each of its citizens, complete with easily accessible notes on everything from employment status to prior run-ins with the law.
So what can we do about it?
If you’re looking for a solution, Norway offers a glimmer of hope. Its COVID-19 app, developed by the Norwegian Institute of Public Health, is designed to store location data for just 30 days. Data is encrypted on the device for added security and it sandboxes sensitive information to restrict access, granting it only to trusted users.
Protecting the world from a pandemic is no easy task, but implementing digital technologies meant to fight it must be done with the utmost regard for transparency, user privacy, and data protection. Users must know how long their data will be stored, as well as what it’s being used for. Governments, on the other hand, have to choose the right technology backing away from centralized approaches and instead focusing on decentralized approaches like edge AI that offer more in-built privacy. Governments must commit to transparency and education in an effort to inform the public of the benefits and risks that come with using these sorts of applications.
Anything less is just another means of bulk data collection under the guise of protection paving the way for a brave new world of government surveillance.
About Leif
Leif-Nissen Lundbæk (Ph.D.) is Co-Founder and CEO of Xain. His work focuses mainly on algorithms and applications for privacy-preserving artificial intelligence. In 2017, he founded Xain together with Professor Michael Huth and Felix Hahmann. The Berlin-based company develops privacy-protecting AI applications. Winner of the first Porsche Innovation Contest, the AI company has already worked successfully with Porsche, Daimler, Deutsche Bahn, and Siemens.
Before founding Xain, Leif-Nissen Lundbæk has worked with Daimler AG and IBM. He studied Economics at the Humboldt University in Berlin, received his M.Sc in Mathematics at Heidelberg University, an M.Sc. with distinction in Software Engineering at The University of Oxford and obtained his Ph.D. in Computing at the Imperial College London.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.