Smartphones have emerged as a key asset in the war against Covid-19 (coronavirus). As the illness has spread, governments around the world have turned to device location data, seeking to capture a snapshot of the virus’ current whereabouts and clues as to where it might go next.

But while this pursuit of information is part of an attempt to save lives through contact tracing and movement modelling, it raises some prickly questions about data privacy, consent and whether we can revert to previous standards once the crisis is over.

How it works
A number of countries are using smartphone location data in a bid to stem the spread of Covid-19, working with mobile operators and big tech companies including Google and Facebook to compile generalised data to map movement trends.

Industry association the GSMA acknowledged this work, noting the group and its members “are doing everything they can to help the global fight against Covid-19”. In Europe, it said it is working with operators to aid the European Commission’s (EC) efforts to model the spread of the virus and understand where medical supplies are needed.

The GSMA stressed “mobile operators are committed to protecting the privacy and rights of European individuals” and will “ensure that any assistance provided to the EC, in response to the Covid-19 crisis, is under applicable data privacy laws”.

Any data insights operators agree to share would be “aggregated and anonymous to inform the Commission on general patterns of movement, without identifying individual users”, it added.

But, reports state some nations have taken a more aggressive approach, using the data to enforce quarantine measures and conduct extensive contact tracing.

What’s the big deal?
Spats over the use of smartphone location data are nothing new, with top US operators and Facebook recently facing backlash over the alleged collection and sharing of user data.

At the heart of these debates are questions about consent and control. Do users know information is being collected about them? Did they expressly approve this? And do they have the power to stop the information from being gathered?

Other key questions relate to storage and access: how long will data collected for the Covid-19 fight be retained? Who will have access to it and what rules will govern sharing?

Though many countries have data privacy laws on the books, UK-based advocacy group Privacy International noted in a press release many government location tracking efforts are being implemented “based on extraordinary powers, only to be used temporarily in emergencies”, while others rely on legal exemptions to allow data sharing.

It stressed such extraordinary measures require strict safeguards and oversight, warning if protections and mitigation strategies are not embedded from the start “the risk is that unregulated, unaccountable systems will be put in place, not just for the time period necessary to tackle Covid-19, but as the foundation for long-term mass surveillance and data exploitation systems”.

Electronic Frontier Foundation (EFF), a US-based non-profit digital rights group, insisted governments should show proof the special tracking capabilities they’re using are “effective, science-based, necessary and proportionate”. And, like Privacy International, it said such powers should be subject to “strict safeguards and audits” and “expire when the crisis ends”.

Wojciech Wiewiorowski, head of independent watchdog the European Data Protection Supervisor, recently echoed these sentiments, calling for governments across the EU to centralise their Covid-19 tracking efforts with the use of a single mobile app. Such a move, he said, would help ensure data privacy regulations are not breached.

While he acknowledged data sharing is temporarily necessary to combat the virus, Wiewiorowski warned “big data means big responsibility” and highlighted the need to ensure the use of personal data is rolled back after the pandemic passes.

In the interim, concern centres around how the data being used to help solve the crisis is handled.

Stacey Gray, senior counsel at the Future of Privacy Forum, told Mobile World Live (MWL) location data “varies pretty widely with respect to who holds it, how accurate and precise it is and how identifiable it is”.

When truly anonymised and tied to aggregate rather than individual trends, she said it can be useful without raising privacy concerns. But she noted data tied to a device or other identifier makes it “very easy to re-identify a person from their device patterns”.

Albert Gidari, director of privacy at Stanford Law School’s Center for Internet and Society, agreed there is a difference between anonymised and aggregate data, but said aggregate tower data such as the kind mobile operators might provide “even though not completely anonymous, has very low risk for privacy”.

Precedents matter
Defeating Covid-19 is a clear priority across the globe, and speedy solutions will undoubtedly save countless lives. Indeed, mobile operators and tech giants should be commended for stepping-up to the plate so quickly to provide assistance.

But privacy watchdogs noted the reason they’re urging caution is because it would be easy for the crisis to set privacy precedents which might cause harm in the future. As EFF senior staff attorney Adam Schwartz said in a blog: “Once the genie is out of the bottle, it is hard to put back.”

Gidari explained to MWL the creation of infrastructure for pandemic surveillance “raises fears about scope creep for the future” and whether data collected will be “used by agencies other than public health; will it be used to deprive individuals or communities of their rights; will individuals be identified and experience bias, prejudice or other negative responses”?

Some companies and governments have already moved to put safeguards in place.

For instance, Google said the mobility reports it is providing rely on anonymous data protected by differential privacy technology, which adds artificial noise to its datasets to further mask individual identities.

Data is only collected from users who have turned on the location history setting for their Google account, which it noted is turned off by default and can be deleted by users at any time.

Facebook said its virus mapping tool only shows information at a city or county level rather than individual movement patterns, in an effort to reduce the risk that the data could be used to identify a single person. It added data sharing is limited to “specific organisations that will use it for specific purposes”.

The EC recently issued guidelines directing the use of “anonymised and aggregated mobile location data”, adding information gathered for tracking purposes should be deleted after 90 days or as soon as the pandemic is under control.

Both Gray and Gidari pointed to the EC’s move as a good step, but flagged a lack of similar standards in the US.

Though there are laws in place governing operator collection of user data, Gray noted the US “does not have significant legal safeguards over this type of data when it is collected from apps and most tech companies”.

Gidari added neither the Federal Communications Commission nor Federal Trade Commission had moved to publish guidelines similar to the EC, though acknowledged the Department of Health and Human Services said any data it collects will be used only in response to the emergency.

He concluded “without a doubt” new privacy norms will arise from the crisis, as subsequent analysis of technology’s effectiveness in meeting the needs of public health organisations sheds light on the necessary privacy and security protections which need to be put into place.

“I think this has been a necessary wake-up call to deal with the long tail of data in government hands.”

The editorial views expressed in this article are solely those of the author and will not necessarily reflect the views of the GSMA, its Members or Associate Members.