Privacy Does Not Pause in Pandemics

When crisis strikes, privacy is too often brushed aside as a competing interest that detracts focus from the greater problems ahead.

But conceding privacy as the first sacrificial right in an emergency means we excuse policymakers from engaging in a careful assessment of the necessity, proportionality and invasiveness of measures that carry long-term consequences.

We must reject the false dichotomy of “lives over privacy” and examine how public authorities can combat the COVID-19 pandemic within justifiable bounds of civil liberties.

Without demands for accountability, we could be turning a blind eye to potential misuses of sensitive data and the accumulation of unchecked information monopolies. Now is the time to keep a vigilant watch over how governments and companies are collecting and processing data — and demand legal and technological reform against systemized surveillance.

It should be very concerning to Americans that the United States does not have a federal privacy law that establishes baseline data ethics during this pandemic.

Without a common denominator of privacy and security standards, risky and short-sighted data practices often fall through the cracks of regulation. Big Tech is the greatest beneficiary of this patchwork system, which fosters an overindulgence in user data. And they stand to gain even more if unfettered data collection is condoned through this crisis.

Facebook and Google, in particular, have a long history of privacy violations prosecuted by the Federal Trade Commission. Virtually all of their transgressions involved blindsiding consumers into an uncharted collection and use of their personal data. Now, they want to assist public health policymakers by analyzing this aggregate data for COVID-19 tracing and tracking.

Location data is undoubtedly valuable to epidemiology. Singapore and Hong Kong have both used smartphone data for COVID-19 contact-tracing with measurable success. Still, we must pause to consider the sensitivity of the recycled social media data offered by Facebook and Google, as well as the lack of accountability awaiting these companies if things go wrong.

A dataset as idiosyncratic and detail-rich as someone’s real-time location history is highly unlikely to stay anonymized without the assistance of advanced cryptographic privacy safeguards. Research published last year from Imperial College London exposed the inadequacies of mainstream anonymization techniques by accurately re-identifying 99.98 percent of Americans in a dataset scrubbed of personal identifiers.

Worse yet, it may not even take a team of researchers to undermine anonymity. In South Korea, health authorities have inadvertently stigmatized and exposed COVID-19 positive individuals in mass “public safety alerts” that published their GPS movements and demographic information. Replicating these efforts in the U.S. would not only be disturbingly intrusive, but is likely to be ineffective in isolating the disease at this stage of a nationwide contagion.

Now is not the time to place blind trust in Big Tech. It is alarming that Facebook and Google are currently bound by FTC consent orders, yet the agency tasked with monitoring the companies’ privacy programs have not clarified how a potential engagement with the U.S. government on COVID-19 measures will impact their compliance obligations.

This pandemic brings into focus the failures of the U.S. sectoral privacy system. Mobile location data is not “Protected Health Information” under the federal health privacy law, HIPAA. Since the user would be opting-in to log the location data on their own initiative, HIPAA would not apply even if this aggregate data is directly used for public health analysis.

The tech industry’s interference with fundamental rights also poses a constitutional issue. Governmental coordination with Big Tech on national disease control would give these companies the power to set public policy by proxy. This means that important public health decisions could be made inside the black box of private surveillance technologies — operating on potentially biased, unrepresentative, or inaccurate datasets.

COVID-19 presents a compelling interest for the government to act now. Yet, the urgency to accelerate a public health response must be balanced with proper safeguards for civil liberties and privacy.

In the absence of sufficient legal safeguards against data misuse, technical safeguards should be employed to automate data minimization, limited retention, and purpose limitation. Privacy-enhancing technologies that enable distributed computing — such as homomorphic encryption and secure multi-party computation — can help strike the balance of data utility and privacy whilst curbing data overreach. Built-in privacy is a failsafe where policy and regulations fall short.

People deserve concrete assurances from the government that new data-driven measures tackling the epidemic will not continue to monitor them years into the future.

We are not selfish for demanding answers for privacy right now.

Sunny Seon Kang is Senior Privacy Counsel and Head of Policy at Inpher, a privacy-preserving machine learning company, and advocates for regulatory agencies and private companies to address consumer rights and civil liberties at the intersection of law and technology.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.