Emmanuel Macron has described the battle against Covid-19 as "a war against an invisible enemy". He is right. How do we fight this invisible adversary and to what extent do we have to abandon long-standing democratic values to do so?
The Covid-19 pandemic has become a battleground over whether state surveillance or privacy should take precedence and whether a workable balance between these two competing priorities is even possible.
Two new terms have found their way into our lockdown lexicon: "social distancing" and "contact tracing". Social distancing is not a new concept. It has been used in previous pandemics, including the Spanish Flu epidemic more than a century ago. For the present pandemic, social distancing has been implemented in a variety of ways, with decidedly mixed results.
According to the WHO, contact tracing, also referred to as proximity tracing, involves identifying a contact, listing the contact and then following up on it.
Typically, the follow-up stage is a visit or "house call" from a health official or the police. The process is slow, laborious and expensive.
As with social distancing, contact tracing has had mixed results. Further, by conducting face-to-face visits, officials, some of whom have not had adequate personal protective equipment (PPE), have had to expose themselves to the risk of infection.
Governments quickly worked out that there is a better way to do contact tracing through location tracking and other technical solutions including using cellphone tower data and Global Positioning System (GPS) signals. However, for non-military uses, GPS is only accurate to a 4.8m radius. With the Covid-19 contamination range estimated to be about 2m, more precise tracking was needed.
Location and contact data have a particular hierarchy. In contact tracing terms there are three broad levels:
Level I - Aggregated community level data
At a macro level the authorities are able to map how people in a particular area or community are behaving and where they are going. Because the data is gathered at a high level and aggregated it contains little personal data about individuals.
In a pandemic, this type of data would be able to identify whether people are staying at home or not and whether they are congregating.
Level II - Anonymous individual-level data
This information is far more specific. However, because it is anonymous, individual privacy is maintained. This means that people who might have been in contact with someone infected with the virus will be notified but will not know exactly who infected them.
Level III - Individualised Data
An individual is identified and his or her movements known, so authorities can monitor that individual and enforce quarantine regulations.
Invasive state surveillance
Governments realised that more sophisticated surveillance technology needed to be developed. Countries such as China and India have led the way in developing this technology. China has long used surveillance, including an extensive network of CCTV cameras, facial recognition software and big data to monitor its citizens. It quickly repurposed this technology when the pandemic emerged in Wuhan last year, deploying well tested, highly effective but intrusive surveillance and intervention techniques.
China has relied on traditional social distancing techniques to some extent, but its solution is primarily technology driven. It is aimed not just at contact tracing but also at compliance monitoring and quarantine enforcement.
China's surveillance technology is highly sophisticated. It is deployed around the country. All citizens are required to carry a compulsory ID card. It has their personal details, including an 18-digit citizen identity number and their hometown address. The Government uses phone location data. Geolocation pings are sent out, identifying exactly where a person has been and their actual or potential contact with someone infected with Covid-19, for a two-week period.
Using a mixture of big data and human analysis, authorities work out who is likely to be infected. People in the risk zone are alerted. Reports have emerged of CCTV cameras positioned outside apartment doors of those under quarantine. Drones also circle about warning citizens to not congregate and to keep their masks on.
Today, in China's urban areas, most people have some sort of smartphone. If they do, the smartphone must display a coloured QR digital barcode. This comprises a three-coloured risk profile: green (uninfected), orange (potentially infected) and red (infected). Enforcement teams made up of police and volunteers apprehend citizens not complying with the rules.
China's massive network of CCTV cameras monitors everyone entering and leaving public buildings and their apartments.
The surveillance network consists of visible and invisible elements, which have enabled the state to monitor people's movements and tackle the Covid-19 crisis very effectively, but at the expense of individuals' privacy. For example, in Hong Kong, some residents were required to wear a wristband, similar to the GPS leg bands used by the Department of Corrections in New Zealand, which sync to an app on their smartphone, and alert authorities if they move outside their permitted area.
China is not alone in employing these technical measures. Singapore, South Korea and Israel use a combination of location data, CCTV footage, voice data and credit card information to achieve similar objectives.
When satellite navigation signals, such as GPS, are unavailable, geolocation applications can use information from cell towers to accurately triangulate the approximate position of a device. Wi-Fi signals can also be used by location-based apps. Recently, the South Korean Government went a step further, announcing they had developed an enhancement which allows patients to be tracked in real time to identify exactly how the disease is moving.
India is also embracing mass state surveillance, both at a governmental and private enterprise level, but with limited attention to privacy. There has been a veritable explosion of contact tracing apps since the country went into lockdown on March 25. An app - Aarogya Setu - requires users to provide access to their location data. People also have to provide their name, gender and profession, along with details of all the countries visited in the past 30 days. Users have to identify whether they are a smoker and enter their current medical condition.
Aarogya Setu warns users if they are in the same proximity as someone infected with Covid-19. The app uses a range of technologies including GPS location data, Bluetooth and the user's phone number, along with the Indian Council of Medical Research's database.
Another app, Sahyog, complements Aarogya Setu for contact tracing. It collates data and employs geo-tagging to improve the analysis of the data.
No fewer than 19 Covid-19 tracing apps have been released to the Indian market. India has an estimated 10 million local users of these apps. Indian companies are developing lucrative export markets for this technology. It is being sold to the US, UK, UAE, Bahrain, Kenya, Nigeria and Turkey, to name a few.
Innefu Labs is a Delhi-based software and app developer. The Delhi Police used Innefu's facial recognition software to monitor the recent protests against the Citizenship Amendment Act. Police in Kerala have purchased Innefu's Unmaze app. Using location data, the app tracks about 20,000 people who have been infected by Covid-19 and are in quarantine. Using this technology, 3000 people have been caught violating the quarantine and about 200 have been arrested.
Different approaches are being taken in India's 28 states, but all with the same end in mind: close monitoring of the population, with very little regulatory oversight. For example, in Chhattisgarh, in the centre east of the country, the state Government has introduced a "CG Covid-19 ePass", purportedly to streamline the application process for people seeking vehicle ePasses to travel within their district and beyond. About 50,000 users are reported to have downloaded the app. However, many say that it is a disaster and they have been unable to obtain an ePass.
In the state of Karnataka in the southwest of the country, the Government has launched "Quarantine Watch". Everyone in self isolation at home must send in a selfie every hour during the day, to verify they are playing by the rules. In the state of Gujarat, on the northwest coast, there has been an upsurge in Covid-19 deaths. The state has developed an app called "SMC Covid-19 Tracker". This also requires a selfie and location ID to regularly be sent to authorities.
Tamil Nadu, a state in the south, has a similar approach. CoBuddy uses facial recognition software to monitor those in isolation. Geo-fencing creates a virtual boundary. If people in quarantine leave a restricted area, for example their home, alarms are activated. Nor can they slip out, leaving their phone at home, because random messages are sent requiring an instant selfie. This is Big Brother in action.
In Odisha, a state in the mideast of the country, citizens can "dob" each other in for social distancing violations by using the Government's "Covid-19 Odisha" app. In Kerala, another southern state, the Government uses a smorgasbord of technology including location data (using cell tower data and GPS signals), CCTV footage, geo-fencing and phone logs to monitor and track those with or suspected to have Covid-19.
Privacy advocates in India, such as the Internet Freedom Foundation, are concerned about the erosion of fundamental rights, asserting that these apps have a lot in common and amount to the "institutionalisation of mass surveillance". The foundation warns that there is a real risk that they will devolve into systems of movement control and lockdown enforcement.
Israel is another case in point. Its internal security agency, Shin Bet, is under scrutiny for using individuals' cell phone location data to track their movements. It has recently emerged that Shin Bet has been collecting this data for some years now for counterterrorism purposes.
This is something we need to avoid in New Zealand. The public must have full trust in the process and the Government must be transparent about its intentions.
The US is also going down this road. Senior White House adviser Jared Kushner has set up a task force. Details remain sketchy. However, apparently the goal is to create a national coronavirus surveillance system. How far state-sanctioned mass surveillance goes remains unclear.
What is clear, however, is that overt surveillance is becoming a fact of life in many places in the US. For example, the town of Elizabeth, New Jersey, has launched a squadron of drones to enforce social distancing. The drones patrol public areas and prevent people gathering. The Police Department has defended its use of these drones, saying that this is not Big Brother - no recordings are made, and no pictures are taken.
Privacy advocates acknowledge that with Covid-19 the US is experiencing a genuine crisis and that people's health is paramount. But Jessica Rich, a former director of the Federal Trade Commission Consumer Protection Bureau, questions what is happening. She reminds us that surveillance "doesn't mean we have to destroy privacy". I agree. The thought of flying robots enforcing crowd control in the US should raise alarm bells. The fact it is happening today shows that the unimaginable has quickly become the reality.
The National Health Service (NHS) in the United Kingdom is developing its own contact tracing app using Bluetooth. The app picks up chatter between nearby devices. This is regarded as the best way to measure person-to-person contacts. The app identifies those in proximity and automatically notifies people if a user in the group tests positive. The service will also tell people to go home if they are outdoors for too long, thereby ensuring acceptable behaviour and, if necessary, encouraging them to modify it.
Do we need to redefine privacy?
Supporters of this new surveillance-driven approach to pandemic control say that society is facing very significant challenges and that the whole idea of privacy must be urgently reassessed. Their argument is that we already employ surveillance technology to fight terrorism and illegal immigration. They say we simply need to extend it to healthcare: the technology exists and needs to be used to its full potential to fight this hidden enemy.
Bruno Macaes, a senior fellow at the right-wing Hudson Institute, argues that mass surveillance can be used to achieve better health; all we need to do is change our definition of privacy. He says that big data and predictive algorithms are widely used today, and the time has come to expand their use to include biosecurity, particularly for something as devastating as the Coronavirus pandemic.
The New Zealand Government is under pressure to relax its Covid-19 restrictions. When it does, can the Ministry of Health effectively contact trace those with the virus? What are the options for New Zealand? Do we need to follow the hard-line approaches being followed in China and India?
The answer: no. There is a much bigger issue at play here.
Around the world, the Covid-19 pandemic has become a battleground over whether state surveillance or privacy should take precedence. Some suggest that a workable balance between surveillance and privacy is no longer feasible, nor desirable. The Chinese/Indian approach is plainly an option. But in the long term what is the cost to civil society?
There are other, far more palatable, options.
In Europe, a group of countries is developing an app which is privacy-sensitive, called Decentralised Privacy-Preserving Proximity Tracing. However, two opposing camps have formed. One is led by Germany, with French support. Its protocol has been criticised as being overly centralised. A rival protocol from Switzerland, supported by other countries such as Spain, is more closely aligned with the Apple/Google decentralised model.
The Swiss protocol offers a decentralised contact tracing model where all tracing is processed locally. Effectively, all of the relevant data remains on the user's device at all times. The data is not shared with any central authority. A server pushes data out to devices when an infected person is diagnosed, so that messages can be sent to other devices associated with the infected person.
There is no need for pseudonymised IDs because the system is not centralised. This reduces the privacy risk. Further, the developers believe it will be easier to convince people to trust the system, which in turn will lead to larger uptake by the public. It also allows the tracking system to be deactivated once there is no need for it.
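The decentralised flow described above can be modelled in a few lines. This is an added sketch, not code from the Swiss protocol or any other project: the `Phone` and `Server` classes, the key-derived rotating identifiers, the 15-minute rotation and the 14-day retention window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96   # assumption: identifier rotates every 15 minutes
RETENTION_DAYS = 14   # assumption: local records are kept for two weeks


def ephemeral_ids(day_key):
    """Derive one day's rotating broadcast identifiers from a secret day key."""
    return [hmac.new(day_key, b"epoch-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(EPOCHS_PER_DAY)]


class Phone:
    """Everything in this object stays on the user's device."""

    def __init__(self):
        self.day_keys = {}   # day number -> secret key generated locally
        self.heard = {}      # day number -> identifiers received from nearby phones

    def broadcast(self, day, epoch):
        key = self.day_keys.setdefault(day, os.urandom(32))
        return ephemeral_ids(key)[epoch]

    def observe(self, day, identifier):
        self.heard.setdefault(day, set()).add(identifier)

    def expire(self, today):
        """Delete local records older than the retention window."""
        for store in (self.day_keys, self.heard):
            for day in [d for d in store if d <= today - RETENTION_DAYS]:
                del store[day]

    def report_diagnosis(self):
        """Only a diagnosed user's own day keys ever leave the phone."""
        return list(self.day_keys.items())

    def check_exposure(self, feed):
        """Match the server's feed against the local log, on the device."""
        return sorted({day for day, key in feed
                       if self.heard.get(day, set()) & set(ephemeral_ids(key))})


class Server:
    """Relays diagnosed users' keys; it never receives a contact log."""

    def __init__(self):
        self.published = []

    def upload(self, day_keys):
        self.published.extend(day_keys)

    def push(self):
        return list(self.published)


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    server = Server()
    # Constructed scenario: on day 1 Alice and Bob are in Bluetooth range
    # during epoch 10; Carol is somewhere else and hears neither of them.
    bob.observe(1, alice.broadcast(1, 10))
    alice.observe(1, bob.broadcast(1, 10))
    carol.broadcast(1, 10)
    # Alice is diagnosed and consents to uploading her keys.
    server.upload(alice.report_diagnosis())
    feed = server.push()
    return bob.check_exposure(feed), carol.check_exposure(feed), len(feed)


if __name__ == "__main__":
    print(demo())
```

In this model the server ends up holding one random key and nothing about who met whom; the match that tells Bob he was exposed is computed on Bob's phone.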
The Massachusetts Institute of Technology (MIT) has developed something similar, an app called "Private Kit: Safe Paths". It operates on the basis that users update the app and declare if they have Covid-19 or not. The smartphone records their movements closely, but encrypts this information, which can only be shared with the user's permission. If a person contracts Covid-19 other people in the vicinity receive a signal, but they do not obtain the person's name or other personal details. Being a voluntary system, Private Kit: Safe Paths needs widespread buy-in and support to be effective.
Apple and Google have gone into partnership to develop their own solution. It will use Bluetooth technology and anonymous ID keys, so that it does not track physical locations or otherwise reveal a person's identity. It will initially be released with a specialist app but will eventually be offered with the Apple and Android operating systems. It is unclear whether the Google/Apple system will be opt-in based.
Australia and New Zealand are considering using a modified version of Singapore's TraceTogether app. As with the Google/Apple system, it estimates the distance between TraceTogether smartphones (2m) as well as the duration of any interactions (30 minutes plus). Data is encrypted and stored for 21 days.
Privacy concerns have been raised in Australia. The Australian Minister for Government Services, Stuart Robert, has dismissed these concerns, saying Australia's app does not employ surveillance and it is simply digitising existing tracing capacity. In effect, it is replicating the manual tracing process in digital form.
Australian Prime Minister Scott Morrison has also downplayed privacy concerns, stressing that the app will operate on an opt-in basis. Morrison accepts that for an opt-in system the public needs to buy in for it to be effective. That is right. If only a few smartphones are enabled, it is not going to work. Recognising this, Morrison has called on all Australians to treat it as a "matter of national service", evoking memories of the country at war.
The nature of the concerns
Computer scientists and academics in Europe have voiced privacy concerns about using contact tracing apps to monitor Covid-19. More than 300 experts raised concerns in an open letter. They voiced alarm about potential "mission creep" and warned about the potential to unleash "unprecedented surveillance of society at large". They argue that the best way to avoid this is to prevent decentralised collection of data, particularly technology utilising shared geolocation.
What can we make of Morrison's assurances that Bluetooth-based solutions such as TraceTogether do not raise legitimate privacy concerns? It needs to be emphasised that these types of systems can still enable surveillance. Indeed, any technology that allows large scale data collection creates this risk. The risk is that individual users' "social graphs" information, i.e. who they meet and when, might be accessed. This would allow hackers to intrude into people's lives.
Australia and New Zealand need to make a decision at a technical and policy level. South Korea has successfully tackled Covid-19, but in doing so it has aggressively used digital surveillance technology to monitor infected patients. It has also posted location histories of people with the virus identifying their exact movements. This is highly invasive.
We need to decide whether, at a fundamental level, we are prepared to live in a surveillance state. To answer that we also need to know whether the state needs such extensive crisis powers and whether there are better ways of doing this. In my view, it is critical that we find the right balance between naked state power and the maintenance of basic levels of personal freedom and privacy. This can be done simply enough by governments recognising that any contact tracing solutions must be voluntary (requiring opt-in by individuals) and that, if any data is collected, it must be encrypted and have a finite lifespan. To the greatest extent possible, the relevant data should remain on users' personal devices. The difficult question is whether medical authorities should be able to gain access to that information and if so under what circumstances.
Before rushing into any hasty and ill-conceived measures we need to carefully consider the following issues:
Technology should be used for the specific purpose of dealing with the Covid-19 crisis and no more. Access to information should be strictly limited to health department officials and for the purpose of dealing with Covid-19. The legislation needs to be carefully drafted to ensure that data can only be used for controlling Covid-19 and not to enforce lockdowns or quarantines, as is happening in India and China.
Other government agencies and private entities should be prohibited from accessing or using the information under any circumstances. The public needs to be assured that their information will be safe and used for the right reason only. Without this, there will be limited buy-in to the scheme and it will fail. Finally, any legislation must be purpose specific and tightly drafted to avoid potential "mission creep" or, more properly in this context, "surveillance creep", where states use a public health crisis as an opportunity to either set up or retain citizen-level tracking infrastructure.
Finite and limited duration
The legislation should have a short and finite lifespan and express this commitment in plain and unambiguous terms.
The USA Patriot Act, enacted after the 9/11 terrorist attacks to give the federal government broad surveillance powers to deal with counterterrorism, was meant to automatically expire in 2005. 14 years later it is still on the statute books. To meet this concern, the South Korean Government has given assurances that under its Covid-19 legislation, no more data will be collected as soon as the outbreak is over, and that all personal data collected before that point will be immediately deleted. New Zealand needs a similar provision.
The technology must be designed to ensure that it achieves its technical/medical objectives, but without invading individual privacy. There is a range of different technological options, for example Bluetooth (Singapore), and GPS (MIT), or India and China's multi-layered approach, using numerous data points/inputs. The latter approach lacks proportionality, insofar as health and surveillance objectives trump those of privacy and political freedom.
Proportionality also demands that, if the state is able to collect personal data, this data must be deleted after a set period, and that there be robust mechanisms allowing individuals to check that the data has in fact been deleted.
The system must be transparent, so that the Government and the public at large are able to understand how the technology works. The public must also be able to ensure that there are no hidden features or back doors, allowing commercial interests or other government departments to access personal data. Whatever system is employed, full technical specifications and preferably the source code should be released to the public. If this cannot be done, third parties acting for bona fide reasons should be entitled to reverse engineer the software to encourage independent scrutiny, but also to assist in fixing bugs.
I understand that the TraceTogether app's source code has not been made available to allow an independent assessment of its reliability or privacy impacts. This is a concern. New Zealand should not develop its own version of this app without complete transparency.
The app developer and the Government should be accountable for the system and the public should have the right to hold the app developer and the Government accountable for any breaches of privacy.
Macron was entirely justified in describing the battle against Covid-19 as "a war against an invisible enemy". Even so, we need to be careful that we do not win the war but embrace another enemy: intrusive and pervasive state surveillance. It is a far more formidable enemy. We need to resist the temptation. Once extensive state surveillance starts it is difficult, and will one day be impossible, to eradicate.
Former Supreme Court Justice Jonathan Sumption QC expresses a timely word of caution, saying that the UK is caught up in "collective hysteria". "The real problem is that when human societies lose their freedom, it's not usually because tyrants have taken it away." All too often, we surrender our freedom because of a perceived external threat.
We have to remember what is important here: to build an app that is effective, trusted by the public and traces the virus, not the people who have contracted it. We need to make sure we do not solve one problem and, in doing so, lose our freedom and our hard-fought right to personal privacy.
Clive Elliott QC is a barrister at Shortland Chambers.