The Privacy-Security Balance in Digital Surveillance: Lessons from COVID-19

A major feature of the current COVID-19 crisis has been the sudden growth of state control and influence on everyday lives. Whilst most would agree measures such as nationwide lockdowns are a short-term necessity, it has highlighted how governments are able to give themselves potentially chilling new powers to wield at very short notice, aided by modern technology.

One issue that has emerged in recent weeks is the use of surveillance technology by nation states to help contain the virus, and its short and long-term implications for individual privacy. A question that will need to be asked sooner or later is: what lessons can we take from the current crisis to ensure the right balance is struck between security and privacy when governments believe there is a need to use this kind of technology in the future?

In the midst of a global health pandemic, the issue of individual liberty has to some extent been put to one side as countries around the world rush to get a grip on the virus. As Steve Durbin, managing director of the Information Security Forum, noted: “There is a deeply ethical and philosophical discussion to be had around the access to and use of information which unfortunately we do not have the time to undertake in these exceptional circumstances.”

Digital Surveillance Techniques

In essence, COVID-19 digital surveillance techniques have centered around tracking the movements of people found to have the virus via their mobile phones and identifying those who have been in close proximity. This is primarily to establish those who require testing and/or quarantining, but in some cases, to help enforce lockdown measures.

The surveillance technologies being utilized are not in themselves novel, although the purpose for which they are being used is. Richard Searle, senior security architect at Fortanix explained: “There have already been apps that have looked at things like contact tracing in the last 10 years… there’s been lots of interest in using that data to gain richer insights into patterns of behavior. What people are now looking to do is really to mobilize a lot of the existing technology that’s within those types of apps and features to fulfil a different type of purpose.”

"What people are now looking to do is really to mobilize a lot of the existing technology that’s within those types of apps and features to fulfil a different type of purpose"

There has been significant regional variation regarding the use of digital surveillance technology. In parts of South-East Asia, it was seized upon by authorities very quickly as the COVID-19 crisis developed. Rick Holland, CISO and vice president strategy at Digital Shadows commented: “China, Singapore, and South Korea are a few examples of countries that have implemented digital contact tracing. Traditional contact tracing has been conducted through interviews and relying on subjects' memories to detail, who they have been in contact with. With digital contact tracing through cell phone GPS and Bluetooth data, governments are now able to track virus infections and potential hotspots with greater accuracy and on a scale not possible in the past.”

It is already easy to see how this technology can be used for more draconian purposes. An example of this has been demonstrated in China, where extensive monitoring and geo-tracking of citizens has been undertaken to enforce social distancing measures.

In the Western world, there has been a more natural reticence to engaging in such methods. Nevertheless, it is something that has certainly been on the mind of all governments. In the UK, in just the last few days, it was reported that a new NHS app is being developed which can inform users if they had come into close contact with an infected person. Additionally, there have recently been calls for the development of a pan-EU COVID-19 health tracking app by Europe’s data protection tsar.

Short-Term Implications

Many people may be wondering why this topic is even being flagged as an issue at all. After all, it appears as though the South East Asian countries at the forefront of using these surveillance technologies have been highly successful in reducing the number of COVID-19 cases, thereby protecting people’s health and undoubtedly saving lives. As Holland noted: “What may be most novel about COVID-19 and digital surveillance is the willingness of citizens to embrace it and trade off personal privacy for the wider health and economic benefits.”

Yet there are plenty who will shake with fear at the idea of their government being able to track their movements, even if for a limited time, especially in more authoritarian states. Guy Cohen, head of policy at Privitar, said: “Generally, where we go and the people we meet can reveal very sensitive information. For example, visiting churches, political rallies or gay bars can lead to inferences about religious, political or sexual preferences. Visits to a medical clinic allow inferences about health. Some harms are not space specific, but rather person-specific as who we meet, where and when, can also reveal a lot about our relationships, which can themselves be highly sensitive.”

"What may be most novel about COVID-19 and digital surveillance is the willingness of citizens to embrace it and trade off personal privacy for the wider health and economic benefits"

Another very real concern regards security leaks, potentially putting vast swathes of sensitive information at the mercy of cyber-criminals. Data collected in the midst of a health crisis may be especially vulnerable to this type of threat. “Lots of public datasets are being made available and lots of people are trying to use them in a very hackathon type way to push things together quickly in response to the current public health crisis. That presents a risk because possibly there won’t be the levels of diligence and information risk management applied to those types of apps and initiatives,” said Searle.

Safeguards for the Future

A fear that many people have is that once governments give themselves new powers, they are reluctant to relinquish them. “One of the longer-term implications of digital surveillance is that it becomes the new norm. As we saw with the passage of the Patriot Act, the government was given broad new powers that challenge the privacy and liberties of US citizens,” commented Holland.

It is vital that steps are put in place to limit state digital surveillance powers, preventing nefarious uses in the future. “The risk is that in our rush to act, we fail to adequately consider how to achieve our goals while minimizing the privacy cost, and that the reasoning we follow and systems we build become a lasting feature, rather than an emergency measure," said Cohen. "The data access allowed and the infrastructure built today will not necessarily disappear once the current pandemic is over, but may be expanded and used for other purposes. We should therefore make sure the steps we take are necessary, well-governed and time-conscious.”

Part of this process may well be accepting that there will be exceptional circumstances in which it is essential for governments to use digital surveillance technology to protect the lives and health of citizens. But with the right will, it is very possible to start putting systems in place that ensures this is done securely whilst still preserving people’s privacy to a large degree. In Searle’s view, this revolves around the use and development of technologies to stop such data being used in the wrong way. Methods like confidential computing and data encryption can be used to keep personal data confidential, respecting privacy. 

“The initiatives that are being developed around the world are setting a trend that’s not going to go away because people are going to realise that in future we’re going to need this technology in readiness for something else that might happen in the future,” he said.

The balance of maintaining individual privacy during times of emergencies, as we are seeing with COVID-19, is very delicate. Yet as the old adage goes ‘necessity is the mother of invention’, and if the current crisis has taught us anything, it is that there is a need for measures to be put in place that ensure the right balance between liberty and security is struck in times of emergency.

The technology to track movements is out there and has proven to be useful in containing the COVID-19 virus. Making sure it is only used for this type of purpose, and when it is, safeguarding individual privacy as much as possible, is a goal that we should all be aiming for; this could be one positive legacy to rise from the ashes of this difficult period.

What’s Hot on Infosecurity Magazine?