MS Risk Blog

Will Cyber Surveillance Continue Post-COVID-19?

Posted on in Uncategorized title_rule

Recently, historian Yuval Noah Harari said that people “could look back in 100 years and identify the coronavirus epidemic as the moment when a new regime of surveillance took over…”. Eastern European countries are currently moving towards unprecedented surveillance methods to enable tracking of suspected COVID-19 cases and to enforce lockdowns. Slovenia said it would not compromise the right to privacy in order to use technological tools that enable contact tracing. Meanwhile most other countries in the region have made such compromises.

Poland launched an app which uses a mobile location service and facial recognition, and sends random requests for users to take pictures as evidence that they’re home. Bulgarian police were authorised to request data from mobile and internet communications to monitor citizens under mandatory quarantine. Ukraine, Slovakia and Lithuania enacted laws enabling location tracking systems. Estonia instructed its statistics office to use mobile geolocation data from phone companies to study citizens’ movement. Serbia tracked Italian telephone numbers to check whether people returning from Italy were self-isolating. Albania and Croatia used drones to monitor compliance with lockdowns. Hungary issued a decree relaxing the obligation of authorities to notify individuals when collecting personal data when done for COVID-19 purposes. Moscow introduced an automatic permit checking system for public transport. If citizens don’t have permission to be outside they will be fined. In addition, Moscow’s 170,000 street cameras and facial recognition software now target possible coronavirus carriers who violate COVID-19 restrictions.

Opposition activists in Moscow say this will lead to unprecedented government intrusion, dubbing it a “digital concentration camp”. Meanwhile Moscow mayor Sobyanin said: “When we talk about the health and lives of an enormous amount of people, there’s no choice.” The right to private life is protected by international law under Art 8 ECHR and Art 17 ICCPR, but can be restricted under certain circumstances. It must serve to protect a legitimate aim, one of which are the protection of public health, and the measures adopted must be temporary; proportionate; and necessary. In many States, privacy rights have now given way to public health. States were warned in a joint statement by 107 organisations, including Amnesty International, to respect human rights when employing cyber surveillance to fight the COVID-19 pandemic. In its Statement on the processing of personal data in the context of COVID-19, the European Data Protection Board said that when it is not possible to only process anonymous mobile location data Member States should introduce legislative measures to safeguard public security when processing non-anonymized location data.

The system used in Moscow stores user data which Sobyanin said will be deleted after self-isolation ends. It is however not guaranteed that this user data will simply disappear. In this digital age, security leaks are a very real possibility. Sarkis Darbinyan, lawyer for NGO Roskomsvoboda which monitors online freedom, said there “is a high probability that once the epidemic ends this data will start leaking to the [black] market, which happens to so many other data bases”. This information could also be misused by employees in the government or be stolen by other countries. The data collected during a health crisis could be particularly vulnerable as it is collected and used in a rush. According to Richard Searle, senior security architect, this raises the risk that sufficient diligence and information risk management is not applied to these types of apps and initiatives. Mikhail Klimarev, a technology expert, said: “Personal data will leak out. You don’t have to ask a fortune-teller to see that because the system is being made in a hurry.”

There is also fear that governments will be reluctant to relinquish these tools after the crisis has passed. When speaking about the Russian government, Leonid Volkov, chief strategist to the opposition leader, said: “If they have created it, they will never allow themselves to turn it off. It’s too tempting.” In addition, Artem Kozlyuk of Roskomsvoboda warned that “…in Russia, it’s always done behind closed doors. There’s a danger that after all this is over, the authorities won’t want to put these tools away.” The country has already seen a decline in online freedom in the name of security. The concern that Russia will continue using these surveillance technologies is therefore not surprising.

On the positive side, some governments are openly acknowledging the privacy issues raised by implementing such measures. Many of the surveillance measures adopted are more overt. For instance, the app introduced in Poland is an open-source, voluntary app that uses encryption and is trying to meet privacy requirements. After passing a law allowing collection of phone data, Slovakian Justice Minister Maria Kolikova said that they “realize that this is an infringement of fundamental rights and freedoms, let’s not pretend it is not.” It is recognised that crisis management sometimes require exceptional measures that undermine human rights. Undermining privacy rights can be justified as location tracking could mitigate the spread. It gives governments a better overview of the infected population. Apps can also help health care systems notify people who might have been infected.

Meanwhile human rights group Privacy International has questioned the effectiveness of some of these tools. For instance, there is limited evidence that location data proved useful in handling and predicting the spread of Ebola. Bernadett Szel, opposition politician in Hungary, said that restricting data rights “is unnecessary and disproportionate, and furthermore does not help, even hinders the fight against the epidemic.” People might mistakenly be identified as exposed to the virus or, even more concerning, people exposed mistakenly not identified. Location surveillance systems can also have a disproportionate effect on vulnerable groups in society. UN special rapporteur Fionnuala Ni Aolain said that the “danger is that states, particularly non-democratic or less open societies, would use the opportunity given by the health emergency to crack down on particular minority groups, or individuals or groups that they see as highly problematic.”

History shows that, in emergencies, governments fast-track measures without sufficient scrutiny. Such measures have sometimes outlasted the emergencies they were meant to address. Aolain points to 9/11 and the fact that emergency powers introduced after this event was still in place after 20 years. Taylor Monahan, CEO of MyCrypto, said that COVID-19 has raised fear and irrationality similar to post-9/11, only “now we fear our neighbors.” The pandemic has given governments a new momentum to introduce and enforce these tools. In addition, new technology has made it even easier for States to monitor their citizens.

It must be recognised that government surveillance can be a useful tool in mitigating the spread of the coronavirus. The question is what happens after. Scholars and rights groups are concerned that cybersurveillance may become normalised during this period. “The data access allowed and the infrastructure built today will not necessarily disappear once the current pandemic is over, but may be expanded and used for other purposes,” said Cohen, head of policy at enterprise software company Privitar. Not only might some governments retain their newly developed surveillance tools, but the data collected during the pandemic could be stolen by hackers. While the COVID-19 pandemic might justify prioritising public health over privacy for the moment, there is a danger that some of these surveillance measures will stay in place.