It seems as if the COVID19 pandemic is an occasion to fear the rise of the surveillance state. And with some justification. Since the inception of the coronavirus epidemic, a number of governments have begun to use cell phone location data as a means of monitoring the spread of Covid-19.
At an aggregate level, that data is used to track the movements of numbers of people to and from areas in which the virus is present. This permits authorities to monitor population centres to which the virus may spread, allocate testing and medical resources, and implement social distancing measures in areas where it is likely that the virus has been introduced. From a privacy perspective, this is a relatively benign form of tracking. Data is anonymized, and personal movement data is not disclosed.
A second and more aggressive approach has been adopted in 11 countries, including South Korea, Israel, Singapore and Poland. This approach requires individuals to install an application on their devices that feeds individual location data to the health authorities. This permits the relevant authorities to track in real time where an individual goes and with whom they come into contact. In South Korea, that data is available on a publicly accessible database, so that anyone can know where a particular individual has been and with whom.
Cell phone tracking of the latter kind lends itself to monitoring compliance with the mandatory order, issued on March 25 under the Canada Quarantine Act, which requires individuals returning to Canada to isolate themselves for 14 days.
The Prime Minister has, for now, ruled out the use of location data on personal devices to
- track the movement and contacts of persons infected with the corona virus.
- track persons that came in contact with virus carriers and who may needtesting and treatment; and
- monitor the compliance of individuals with the mandatory social isolation order.
However, if the virus rapidly spreads further, no doubt device tracking will be contemplated and possibly enacted in Canada. This involves a decision most governments are loath to take: trading privacy interests against public health.
Device location information is currently in the hands of the carriers who provide services to individuals. In general, existing privacy legislation, PIPEDA and its provincial counterparts, prohibits the disclosure of such information. However, there are notable exceptions that would permit carriers to disclose location data to governmental authorities to assist in enforcing legislation such as the Quarantine Act or provincial public health legislation.
Let us hope it will not come to that. But if it does, stringent safeguards should be employed to minimize the encroachment on privacy rights.
The emergency disclosure of location data to government should, at a minimum, meet the following requirements:
- the requirement to disclose location data to government should be made public in the most transparent manner;
- the disclosure should be strictly limited to the duration of the epidemic. Once the social distancing in effect now is lifted, the disclosure of location data to government should stop immediately;
- the data disclosed by carriers should be stored separately and only be accessible to specifically authorized public health officials and persons designated by them;
- anyone, other than authorized public health officials or their designees who accesses or uses this data for improper purposes should be subject to strict penalties; and,
- the location data in the possession of government should be destroyed as soon as the emergency is over.
The corona crisis must not serve as an excuse to establish the surveillance state . Nor should the data be used for any purpose other than to save lives in the current emergency. The Internet Society Canada Chapter urges the government to take the above steps, should it choose to implement tracking of personal device location data.