On 25th May 2018, the European Union (EU) took the reins of data protection in the global digital economy with its General Data Protection Regulation (GDPR). Internet users worldwide were faced with a brand new umbrella of terms and conditions that global technological giants scrambled together for GDPR compliance. A month earlier, Facebook’s Mark Zuckerberg had already apologized for the Cambridge Analytica scandal with “…I’m sorry we didn’t do more at the time…”
Before the world was burdened with the Covid 19 pandemic and the surveillance of contact-tracing apps (Fig. 1), the maze of global data mining ensured a large percentage among digital consumers worldwide was happily unaware of the technological possibilities of location tracking and data protection. Simultaneously, there has been ample evidence globally of the vulnerability of technological information systems. As recently as April 2020, Zoom had photobombed meetings by uninvited intruders, Google is being sued for illegally collecting children’s biometric data, and multiple Android apps are obscuring malware and spyware distribution. With the uncertainty of Covid 19’s one-week incubation period, governments worldwide faced the issue of weighing public safety against individual privacy in trying to contain an unknown infectious spread. As a result, privacy concerns have entered the mainstream, and the possible ubiquity of Covid-19 surveillance has finally dawned on the global digital consumer.
According to MIT Technology Review’s Covid Tracing Tracker (Fig. 2), 4 countries among 22 which have launched contact-tracing apps have made installation mandatory for its citizens. Although India’s Aarogya Setu installation is a mandatory requirement only for travellers, Qatar has made it compulsory for all its citizens and Turkey requires installation for only those citizens testing positive for Covid 19. Among these 4 countries, China’s “health code” system on Alibaba’s Alipay and Tencent’s Wechat has been ‘rolled out in more than 100 cities across the country’, and is ubiquitous for its extensive surveillance of citizens. The resultant worldwide privacy concerns have caused many social activists to question data protection and retention policies.
Despite the United Kingdom’s ambiguous response to Boris Johnson’s Chief Advisor, Dominic Cummings’ 419 KM excursion to County Durham, the government is quite clear about the necessity of Covid 19 contact-tracing. The UK’s National Health Service (NHS) has announced that its ‘test and trace system’ will maintain records regarding “personal data about people with coronavirus” for 20 years, with their contacts’ information stored for five years. In India, Mr. Robot-aliased French Ethical Hacker, Elliot Alderson’s exposé of security concerns about Aarogya Setu prompted the Indian government to announce its Data Access and Knowledge Sharing Protocol . Recently, Aarogya Setu’s source code has been released on GitHub, and a bug bounty was announced.
Of course, the vulnerability of global data information systems was confirmed recently by CyberNews’ security analysts when they discovered “800 gigabytes of 200 million detailed user records on a publicly accessible server” including data files ostensibly attributed to the United States Census Bureau. According to the CyberNews Team, “Certain codes used in the database were either specific to the Bureau or used in the Bureau’s classifications.” Unprotected databases are not the only global privacy concern. Data mining is often hidden among unnecessary app permissions or the terms and conditions of registration that generally users do not pay attention to. For example, on 27th May 2020, Arizona Attorney General Mark Brnovich in the United States filed a lawsuit against Google for its “willfully deceptive and unfair acts and practices” regarding collection of users’ location information despite “Location History disabled” and “Web and App Activity.”
As governments join the global data surveillance for Covid-19 tracking, privacy concerns are no longer the limited purview of the individual consumer. The MIT Technology Review team which is “watching the Watchmen” considers Singapore’s Trace Together at the forefront of contact tracing apps with its decentralized approach, open-source license, and ‘opt-in’ feature. For the Senior Editor of the MIT Technology Review, Patrick Howell O’Neill, “The way forward is to ensure transparency in contact tracing apps” in terms of data collection and retention. With the Chinese health codes determining movement in public spaces as well as private establishments such as offices and restaurants, contact tracing apps and Covid-19 surveillance is likely to remain a glaring reality in our daily lives for a few years to come.