Containing spread of Covid-19 requires exceptional measures, but these cannot come at the cost of fundamental rights.
María Paz Canales
While technology offers a range of solutions in the fight against the Covid-19 pandemic, the ethics of how this technology is deployed needs careful consideration.
Any technological response to a global health crisis must be commensurate with fundamental rights, and be guided by principles of necessity, adequacy and proportionality
The access and use of personal and sensitive data of citizens must distinguish between "surveillance of the spread of the virus" and "surveillance of people" who turn out to be carriers of the virus.
Depending on which part of the world we are in, by now most of us have spent a month or more in varying states of voluntary and involuntary lockdown amid the Covid-19 crisis. While self isolation as a public health necessity is something we seem to have come to terms with, we are yet to fully grapple with the ethical use of technology in the fight against the pandemic. From the acceleration of telemedicine, to the prediction of risk of infection, to the control of involuntary isolation, to efficiency in the prioritization of testing, technology seems to offer an attractive range of solutions. But the question of how this technology is deployed requires careful consideration. And the answers may lie in the lessons we have learnt from past excesses and mistakes.
Any technological response to a global health crisis must be commensurate with fundamental rights, and be guided by principles of necessity, adequacy, and proportionality. Information technology can play a contributing role in monitoring and controlling the pandemic, but its irresponsible implementation can chip away at past gains made in furthering human rights, particularly the right to privacy, the right to physical and mental integrity, and the right to life without arbitrary discrimination (in the workplace, health, social security and access to social benefits). A statement to this effect was released by human rights experts at the United Nations on March 16, urging States to not abuse emergency measures to “quash dissent” and violate human rights. “Although we recognize the seriousness of the current health crisis and recognize that international law allows the use of emergency powers in response to significant threats, we urgently remind States that any emergency response to the coronavirus must be proportionate, necessary, and non-discriminatory,” the statement read.
The ”significant threat” in this case — the Covid-19 pandemic — threatens not only public health but also economic and social stability. This is particularly true in Latin American countries where job insecurity, marked by an increasing shift towards informal daily wage work and extractive industries, has been on the rise.
As for the principle of adequacy, to separate good ideas from bad we need to ask rigorous and contextual questions about the suitability of any system to achieve the stated objective. The design of any such system should incorporate medical experience and scientific approaches, and simultaneously guard against incurring the population's mistrust in the proposed measure. The systems that are being developed in response to Covid-19, including social controls to limit transmission, must be proportionate and in accordance with the medical response.
Technology by itself cannot be effective unless accompanied by institutional governance that ensure the fulfillment of the stated objective. This is especially true in the current crisis which calls for a behavioral change in the form of self-isolation or social distancing. The credibility of public health institutions is critical in promoting such behavioral change. Use of any technology that disregards a coordinated response may end up being counterproductive, producing a false sense of security among the population and resulting in the relaxation of other necessary measures which may have proved more effective (in this case, the self-isolation mandate). The last thing we need during a pandemic is for public health institutions to have to compete for legitimacy, either with other State organs or with third-party intermediaries which provide these technologies.
Technology can play a contributing role in monitoring and controlling the pandemic, but its irresponsible implementation can chip away at past gains made in furthering human rights.
The objective, of course, is not to avoid use of technology, but rather, to ensure that it is commensurate with other medical responses that have been known to work — at least in limited circumstances, based on previous experiences — and are implemented in a well-institutionalized way to effect a steady, if marginal, increase in our ability to combat the pandemic.
The International Experience
The use of existing surveillance technologies, by countries such as China, Iran, and Israel, is particularly problematic. Emergency responses to Covid-19 cannot be allowed to deepen opaque social control systems without accountability mechanisms. If we go down that route, the pandemic will allow authoritarian regimes to not just survive the crisis but also carry out an image makeover in the process. The countries that seem to have successfully contained the pandemic till date (China, South Korea, Singapore , and Taiwan) also made large coordinated investments in proactive testing capacity, response infrastructure, and the availability of reliable information — all of which have been cited by experts as vital components of an effective response. The digital response is, at best, an add-on. South Korea, for instance, introduced the Self-quarantine Safety Protection app on March 7, after the primary containment measures, including massive testing and isolation of infected individuals and groups, had already been widely deployed.
The adequacy of geolocation as an effective tool to combat the pandemic is also something that needs to be mulled over. Reports suggest that its accuracy is much less than what technological optimists seem to attribute to it. Data provided by cell phone towers lacks the granularity required to monitor the necessary 2 or 3-meter contact for the transmission of Covid-19; the result is the same for people who connect to the same WiFi network. Under certain conditions, Bluetooth networks could provide slightly more precise results (as used in Singapore, for example). Similarly, GPS signals could be more precise, but only work well outdoors: they can determine if two people were in the same building, but not how close they were to each other.
Approaches that are less damaging to the exercise of rights are possible if we take advantage of the power of aggregated data to combat the pandemic. That is the type of work that telephone operators are developing in countries such as Germany, Austria, France, and Italy. In Spain, some operators have offered their big data and anonymous data management capabilities and aggregates of their network, mobility data, cloud data processing centers, as well as telephone or digital service capabilities to contain the pandemic. In this regard, the Data Protection Authority of the European Union points out that, "The data protection rules do not hinder the measures taken in the fight against the coronavirus pandemic." But the authority emphasizes that "even in these exceptional moments, the database controller must guarantee the protection of the personal data of their holders."
The most recent initiative presented in this regard is a system under development in Germany — likely to be expanded to the rest of Europe — which seeks to preserve the privacy of information while providing a useful technological tool to control the pandemic. This voluntary app will trace the proximity of proven cases of contagion, not through geolocation data, but by measuring proximity in a Bluetooth network. It will generate a unique identifier that will be stored in encrypted form on devices locally. The downloaded app on a device will locally store proximity contact information with other devices. When a case is confirmed in that proximity network, members will receive an alert message. From there, the user will have two options: deliver all the encrypted data stored on their device for scientific analysis, or request access to a test and start quarantine measures if the result is positive. Since April, this technology has been deployed in an interoperable way across Europe, with user interfaces at the national level and diagnostic information stored by each national health authority.
The Proportionality Principle
Besides the adequacy of any given digital technology, it is also worth weighing the proportionality of its use. This implies considering the regulations that limit the terms and conditions under which extraordinary powers are wielded so that they are not extended in uncontrolled and indefinite ways.
A clear, although sometimes difficult to establish, distinction must be drawn between "surveillance of the spread of the virus" and "surveillance of people" who turn out to be carriers of the virus. This is critical from the perspective of proportionality in design, since the information to which exceptional access must be had, should be subject to general privacy rules and minimized to what is scientifically reasonable.
A clear, although sometimes difficult to establish, distinction must be drawn between "surveillance of the spread of the virus" and "surveillance of people" who turn out to be carriers of the virus.
The aim is to stop the virus from spreading, and not to generate a comprehensive account of the lives of patients and their circle of contacts. It must be an epidemiological surveillance system with a solid scientific base, not a control system that undermines the autonomy of citizens, and could be misused for purposes of social control later on.
This is why it is not possible to allow exceptional authorization of access and use of personal data without a clear visibility of the predictive criteria that will be used to obtain intervention models from the data thus accessed. Without access to that black box there is no way to understand if a given intervention model complies with equity and adequacy principles, and if the outcome is proportionate to the degree to which fundamental rights are affected through unrestricted access to personal databases and sensitive data of citizens.
It has for long been recognized that fundamental rights are not absolute imperatives, but rather, a balancing act. Any restriction of said rights should be proportionate, meaning that it should not affect the essence of the the restricted right. This trade-off requires safeguards in its exercise limitation authorization that are contained in legal regulations since this is the democratic instrument that allows the different rights at stake to be balanced with transparency.
Thus, emergency legislation in the context of Covid-19 that seeks authorization of extraordinary powers so as to be able to access sensitive data on people's health (condition of being infected with Covid-19 symptoms and monitoring treatment etc.) or personal data (including geolocation information, close contacts, contact agenda on devices) in the hands of different public services or private providers, would require the following components:
- Strictly characterize the emergency and/or the terms that enable access to personal and sensitive health data by different State organs.
- Specify who will be in charge of extraordinary access to such data.
- Detail what data access will be extraordinarily requested, and how it will be used.
- Establish provisions for the end of access and extraordinary use of data with effective measures to control access or elimination, where appropriate.
- Order specific operational security measures to prevent malicious access and use of data.
- Establish mechanisms of external control and accountability to address any deviation from the stated purpose for which citizens’ data is being accessed. This safeguard is critical to protect the holders of personal and sensitive health data from future arbitrary discrimination in labor, health, welfare or social benefits, either by the State or by private agents, for having been carriers of Covid- 19.
Data access during the Covid-19 pandemic should use pseudonymization or dissociation techniques (with sufficiently robust anonymization algorithms) when trying to offer publicly available information, in addition to having security as an essential requirement, including the encrypted transit of information and its secure and resilient storage.
Rapid action to confront the expansion of Covid-19 requires exceptional measures, but these cannot be carried out in violation of the pillars of a democratic State governed by the rule of law. Combating a pandemic is not and cannot be at odds with respect for fundamental rights, nor become the door to authoritarianism.
Bad ideas are still bad in times of pandemic and this is a bad time to experiment with the exercise of fundamental rights that will be critical, once the emergency passes, to build fairer and more supportive societies that allow us to overcome the structural deficiencies that exacerbate inequities in our region. We need to come out of this together, and with our rights intact.
This article was first published in Spanish on the Derechos Digitales website and has been translated to English by Alexandra Argüelles. It is reposted here with permission.
This is part of our ongoing series on the coronavirus and its impact.