In between the contact tracing, the surveillance, and our work environment increasingly moving online, our personal data and privacy have never been this exposed.
With a few notable exceptions, no organizations or governments were prepared for this pandemic. At first, the pandemic itself wasn't taken seriously enough, let alone other concerns like privacy. But it wasn't too long before the collisions between health and privacy became evident.
In China, the government installed CCTV cameras to monitor quarantined individuals to ensure that they don't leave, while in some parts of India, the sick were stamped and tracked. Aside from serious human rights violations such as these ones, there were also more subtle problems.
For instance, contact tracing apps were hotly debated throughout much of the spring and summertime. The idea of using phone apps to trace infection chains sounds very well, but doing it without compromising the privacy of the user brings major technological challenges, and potentially reduces the effectiveness of the apps. In May, the Human Rights Watch reported that these applications pose serious human rights risks, especially as they were used by governments all around the world. In the end, contact tracing apps largely disappointed, and in the areas where they were used successfully, privacy concerns also seemed to follow.
Regulators too were woefully unprepared for the COVID-19 crisis. For chaotic months, the legality of various technological solutions was unclear and guidance was scarce. But now, things are starting to change, guidance is highlighting that privacy is more than just an afterthought -- it's still a fundamental right that must be respected, pandemic or not. Canada for instance, one of the leaders in online privacy and security applications, made some controversial decisions.
"When the COVID-19 pandemic emerged in Canada, some felt privacy should be set aside because protecting the lives of Canadians was more important. Given the gravity and the immediacy of the situation, that reaction was not surprising. However, it was based on a false assumption: either we protect public health, or we protect privacy," a statement from the Office of the Privacy Commissioner of Canada read.
"Technology itself is neither good nor bad. Everything depends on how it is designed, used and regulated. Technology can be used to protect both public health and privacy."
The European Union has had a similar position. In a report called “Digital solutions to fight COVID-19”, the EU emphasizes the importance of digital transparency and data protection, while highlighting many shortcomings in how such solutions have been applied internationally. In many countries, governments adopted emergency measures to give themselves extensive powers, usually for a limited period of time -- powers that include data access and processing. Often, the boundaries between healthcare and police enforcement were blurred, the report found.
Things can easily go awry, especially where democracy is undermined by authoritarian leaders. In Turkey, for instance, the government launched a GPS-based centralized app that was mandatory for all COVID-19 affected people -- essentially enabling the government to know where its citizens are; good for infection tracking, horrible for privacy and security. In Azerbaijan, people's movements can be controlled by an application that issues electronic permits for travel, an app verified by the police.
To make matters even worse, we still have to deal with system cyber risks, especially as we're working online and from home more and more. IT departments working for both companies and public institutions have had to adapt on the fly and develop solutions that enable activity to continue -- but this was often done at the risk of security. As a result, many people are now using unsecured devices and internet communications, which puts not only their own data at risk but also those of their employer. It's also possible that the data in government custody can be leaked or hacked, which makes the risks even greater (having your private data accessed by the government is unpleasant enough, but leaking it to malicious actors is a whole new level of trouble).
Ultimately, the COVID-19 pandemic has raised privacy issues for which we don't have a clear answer. During a public health crisis privacy laws still apply, but finding the right balance between health interventions and human rights is not always straightforward.
The pandemic could be a turning point for how we judge and ensure online privacy. Even after the virus ultimately subsides, people are still more and more likely to work from home, they will still spend a lot of time online, and there are other pandemics lurking around the corner. If we don't push important interventions we risk losing lives, but if we're too quick to surrender our freedom and privacy, we may end up setting a stage for mass surveillance that will stand for decades to come.
Ultimately, it's important to support civil rights and freedoms while strengthening the rule of law and the checks and balances system. But governments are less likely to do that in an inactive society. It's up to each and every one of us to demand that legislators apply proportionate and justified action in this exceptional circumstance, while not giving institutions or companies indiscriminate mass surveillance powers.