I attended a webinar organised by some American privacy professionals. We discussed how various governments approach privacy presently. One question stood out: “Does individuals’ privacy matter in a pandemic?”
When Barack Obama was US president, his chief of staff, Rahm Emanuel, said: “Never let a serious crisis go to waste: it’s an opportunity to do things you think you could not do before.”
Many countries have taken this to heart. There is an increase in surveillance and suggestions for the unprecedented scale of privacy breaches.
The Pan-European Privacy-Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts. Their aim is to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.
I read the Pan-European Privacy-Preserving Proximity Tracing (“PEPP-PT”) manifesto and their paper titled “Data Protection and Information Security Architecture”. After reading it, I concluded that George Orwell’s Big Brother might morph into complex proportions. Orwell reminds us that “those who control the present, control the past and those who control the past control the future.” But, what does Orwell’s statement suggest?
It suggests two things: one, privacy is a fad used only when it matters to the powers and second, truthful-lies are necessary ingredients of freedom.
EU Supervisory Authorities suggest that the use of apps or websites by public authorities to track the spreading of COVID-19 will be allowed, provided they comply with the principles found in EU data protection laws. This is a hard proposition. How can the laws be upheld?
No application or architectural framework, in my mind, with the ability to trace humans and record their health assessment can conform to the complexities of any data privacy regulation. Fighting to provide individuals with the power to manage their information and designing techniques to collect it from them “legally” is spitting on the regulation.
The PEPP-PT architectural framework aims to assess the risk of contagion and provide mitigating measures such as enforced quarantining, recording of the information and, overriding individuals’ consent. The privacy of individuals might evaporate as countries struggle to contain the COVID-19 contagion.
In China, for example, their health code service run on ubiquitous platforms like Alipay and Wechat developed for the Chinese Government to monitor and report the health status and travel history of their citizens. Individuals’ privacy in China is zilch. The app has become an integral part of the Chinese authorities’ management of people and their movements in and out of affected areas.
What’s even more ironic is that companies—Google, Apple, Facebook, etc— that have been fined heavily will manage the backend of these monitoring apps.
PEPP-PT assumes that backend administrators will be “honest-but-curious” and believe all “credentials for authentication and access control are properly set and that only the intended party has access to said credentials.” As good as this sounds, it reeks of naivety. There is no perfect privacy framework methodology.
The proposal tilts consent, violates individuals’ privacy, and spits on the principles of data protection regulation—transparency, lawfulness, and fairness.
Some privacy professionals argue that governments are doing the right thing to process the information of individuals during these dire times. They argue, and rightly so, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” However, we can ask what happens after the contagion dies? Will “public interest” continue to hold?
Privacy still matters. The onus, therefore, is on governments to ensure that these new frameworks are void of excessiveness and overbearing intrusive features. Unless, of course, we want to create a lot of Chinas around the world.