News

IT NEWS

Mass surveillance alone will not save us from coronavirus

As the pattern-shattering truth of our new lives drains heavy—as coronavirus rends routines, raids our wellbeing, and whiplashes us between anxiety and fear—we should not look to mass digital surveillance to bring us back to normal.

Already, governments have cast vast digital nets. South Koreans are tracked through GPS location history, credit card transactions, and surveillance camera footage. Israelis learned last month that their mobile device locations were surreptitiously collected for years. Now, the government rummages through this enormous database in broad daylight, this time to track the spread of COVID-19. Russians cannot leave home in some regions without scanning QR codes that restrict their time spent outside—three hours for grocery shopping, one hour to walk the dog, half that to take out the trash.

Privacy advocates around the world have sounded the alarm. This month, more than 100 civil and digital rights organizations urged that any government’s coronavirus-targeted surveillance mechanisms respect human rights. The groups, which included Privacy International, Human Rights Watch, Open Rights Group, and the Chilean nonprofit Derechos Digitales, wrote in a joint letter:

“Technology can and should play an important role during this effort to save lives, such as to spread public health messages and increase access to health care. However, an increase in state digital surveillance powers, such as obtaining access to mobile phone location data, threatens privacy, freedom of expression and freedom of association, in ways that could violate rights and degrade trust in public authorities – undermining the effectiveness of any public health response.”

The groups are
right to worry.

Particularly in
the United States, our country’s history of emergency-enabled surveillance has failed
to respect Americans’ right to privacy and to provide measurable, increased
security. Not only did rapid surveillance authorization in the US permit the
collection of, at one point in time, nearly every American’s call detail
records, it also created an unwieldy government program that two decades later became
ineffective, economically costly, and repeatedly noncompliant with the law.

Further, some of the current technology tracking proposals—including Apple and Google’s newly-announced Bluetooth capabilities—either lack the evidence to prove effective or require a degree of mass adoption that no country has proved possible. Other private proposals come from untrusted actors, too.

Finally, the tech-focused solutions cannot alone fill severe physical gaps, including lacking personal protective equipment for medical professionals, non-existent universal testing, and a potentially fatal selection of intensive care unit beds left to survive a country-wide outbreak.

We understand how today feels. In less than one month, the world has emptied. Churches, classrooms, theaters, and restaurants lay vacant, sometimes shuttered by wooden planks fastened over doorways. We grieve the loss of family and friends, of 17 million American jobs and the healthcare benefits they provided, of national, in-person support networks displaced into cyberspace, where the type of vulnerability meant for a physical room is now thrust online.

For a seemingly endless time at home, we curl and wait, emptied all the same.

But mass, digital surveillance alone will not make us whole.

Governments expand surveillance to track coronavirus

First detected in late 2019 in the Hubei province of China,
COVID-19 has now spread across every continent except Antarctica.

To limit the spread of the virus and to prevent overburdened healthcare systems, governments imposed a variety of physical restrictions. California closed all non-essential businesses, Ireland restricted outdoor exercise to 1.2 miles away from the home, El Salvador placed 30-day quarantines on El Salvadorians entering the country from abroad, and Tunisia imposed a nightly 6:00 p.m. – 6:00 a.m. curfew.

A handful of governments took digital action, vacuuming up citizens’
cell phone data, sometimes including their rough location history.  

Last month, Israel unbuttoned a once-secret surveillance program, allowing it to reach into Israelis’ mobile phones not to provide counter-terrorism measures—as previously reserved—but to track the spread of COVID-19. The government plans to use cell phone location data that it had been privately collecting from telecommunications providers to send text messages to device owners who potentially come into contact with known coronavirus carriers. According to The New York Times, the parliamentary subcommittee meant to approve the program’s loosened restrictions never actually voted.

The Lombardy region of Italy—which, until recently, suffered the largest coronavirus swell outside of China—is working with a major telecommunications company to analyze reportedly anonymized cell phone location data to understand whether physical lockdown measures are proving effective at fighting the virus. The Austrian government is doing the same. Similarly, the Pakistani government is relying on provider-supplied location information to send targeted SMS messages to anyone who has come into close, physical contact with confirmed coronavirus patients. The program can only be as effective as it is large, requiring data on massive swaths of the country’s population.

In Singapore, the country’s government publishes grossly detailed information about coronavirus patients on its Ministry of Health public website. Ages, workplaces, workplace addresses, travel history, hospital locations, and residential streets can all be found with a simple click.

Singapore’s coronavirus detection strategy also included a
separate, key component.

Last month, the government rolled out a new, voluntary mobile app for citizens to download called TraceTogether. The app relies on Bluetooth signals to detect when a confirmed coronavirus patient comes into close physical proximity with device owners using the same app. It is essentially a high-tech approach to the low-tech detective work of “contact tracing,” in which medical experts interview those with infectious illnesses and determine who they spoke to, what locations they visited, and what activities they engaged in for several days before presenting symptoms.

These examples of increased government surveillance and
tracking are far from exceptional.

According to a Privacy International analysis, at least 23 countries have deployed some form of telecommunications tracking to limit the spread of coronavirus, while 14 countries are developing or have already developed their own mobile apps, including Brazil and Iceland, along with Germany and Croatia, which are both trying to make apps that are GDPR-compliant.

While some countries have relied on telecommunications
providers to supply data, others are working with far more questionable private
actors.

Rapid surveillance demands rapid, shaky infrastructure

Last month, the push to digitally track the spread of coronavirus came not just from governments, but from companies that build potentially privacy-invasive technology.

Last week, Apple and Google announced a joint effort to provide Bluetooth contact tracing capabilities between the billions of iPhone and Android devices in the world.

The two companies promised to update their devices so that public
health experts could develop mobile apps that allow users to voluntarily
identify if they have tested positive for coronavirus. If a confirmed
coronavirus app user comes into close enough contact with non-infected app users,
those latter users could be notified about potential infection, whether they
own an iPhone or Android.

Both Apple and Google promised a privacy-protective
approach. App users will not have their locations tracked, and their identities
will remain inaccessible by Apple, Google, and governments. Further, devices will
automatically change users’ identifiers every 15 minutes, a step towards
preventing identification of device owners. Data that is processed on devices
will never leave a device unless a user chooses to share it.  

In terms of privacy protection, Apple and Google’s approach is one of the better options today.

According to Bloomberg, the Israeli firm NSO Group pitched a variety of governments across the world about a new tool that can allegedly track the spread of coronavirus. As of mid-March, about one dozen governments began testing the technology.

A follow-on investigation by VICE revealed how the new tool, codenamed “Fleming,” actually works:

“Fleming displays the data on what looks like an intuitive user interface that lets analysts track where people go, who they meet, for how long, and where. All this data is displayed on heat maps that can be filtered depending on what the analyst wants to know. For example, analysts can filter the movements of a certain patient by their last location or whether they visited any meeting places like public squares or office buildings. With the goal of protecting people’s privacy, the tool tracks citizens by assigning them random IDs, which the government—when needed—can de-anonymize[.]”

These are dangerous, invasive powers for any government to use against its citizens. The privacy concerns only grow when looking at NSO Group’s recent history. In 2018, the company was sued over allegations that it used its powerful spyware technology to help the Saudi Arabian government spy on and plot the murder of former Washington Post writer and Saudi dissident Jamal Khashoggi. Last year, NSO Group was hit with a major lawsuit from Facebook, alleging that the company sent malware to more than 1,400 WhatsApp users, who included journalists, human rights activists, and government officials.  

The questionable private-public partnerships don’t stop
there.

According to The Wall Street Journal, the facial recognition startup Clearview AI—which claims to have the largest database of public digital likenesses—is working with US state agencies to track those who tested positive for coronavirus.

The New York-based startup has repeatedly boasted about its technology, saying previously that it helped the New York Police Department quickly identify a terrorism suspect. But when Buzzfeed News asked the police department about that claim, it denied that Clearview participated in the case.

Further, according to a Huffington Post investigation, Clearview’s history involves coordination with far-right extremists, one of whom marched in the “Unite the Right” rally in Charlottesville, another who promoted debunked conspiracy theories online, and another who is an avowed Neo-Nazi. One early adviser to the startup once viewed its facial recognition technology as a way to “identify every illegal alien in the country.”

Though Clearview told The Huffington Post that it separated itself from these extremists, its founder Hoan Ton-That appears unequipped to grapple with the broader privacy questions his technology invites. When interviewed earlier this year by The New York Times, Ton-That looked flat-footed in the face of obvious questions about the ability to spy on nearly any person with an online presence. As reporter Kashmir Hill wrote:

“Even if Clearview doesn’t make its app publicly available, a copycat company might, now that the taboo is broken. Searching someone by face could become as easy as Googling a name. Strangers would be able to listen in on sensitive conversations, take photos of the participants and know personal secrets. Someone walking down the street would be immediately identifiable—and his or her home address would be only a few clicks away. It would herald the end of public anonymity.

Asked about the implications of
bringing such a power into the world, Mr. Ton-That seemed taken aback.

“I have to think about that,” he said. “Our belief is that this is the best use of the technology.”

One company’s beliefs about how to “best” use invasive technology is too low a bar for us to build a surveillance mechanism upon.

Should we deploy mass surveillance?

Amidst the current health crisis, multiple digital rights
and privacy organizations have tried to answer the question of whether governments
should deploy mass surveillance to battle coronavirus. What has emerged, rather
than wholesale approvals or objections to individual surveillance programs across
the world, is a framework to evaluate incoming programs.

According to Privacy International and more than 100 similar groups, government surveillance to fight coronavirus must be necessary and proportionate, must only continue for as long as the pandemic, must only be used to respond to the pandemic, must account for potential discrimination caused by artificial intelligence technologies, and must allow individuals to challenge any data collection, aggregation, retention, and use, among other restrictions.

Electronic Frontier Foundation, which did not sign Privacy International’s letter, published a somewhat similar list of surveillance restrictions, and boiled down its evaluation even further to a simple, three-question rubric:  

  • First, has the government shown its surveillance would be effective at solving the problem?
  • Second, if the government shows efficacy, we ask: Would the surveillance do too much harm to our freedoms?
  • Third, if the government shows efficacy, and the harm to our freedoms is not excessive, we ask: Are there sufficient guardrails around the surveillance? (Which the organization detailed here.)

We do not claim keener insight than our digital privacy peers. In fact, much of our research relies on theirs. But by focusing on the types of surveillance installed currently, and past surveillance installed years ago, we err cautiously against any mass surveillance regime developed specifically to track and limit the spread of coronavirus.

Flatly, the rapid deployment of mass surveillance to protect the public has rarely­, if ever, worked as intended. Mass surveillance has not provably “solved” a crisis, and in the United States, one emergency surveillance regime grew into a bloated, ineffective, noncompliant warship, apparently rudderless today.

We should not take these same risks again.

The lessons of Section 215

On October 4, 2001, less than one month after the US
suffered the worst attack on American soil when terrorists felled the World Trade
Center towers on September 11, President George W. Bush authorized the National
Security Agency to collect certain phone content and metadata without first
obtaining warrants.

According to an NSA Inspector General’s working draft report, President Bush’s authorization was titled “Authorization for specified electronic surveillance activities during a limited period to detect and prevent acts of terrorism within the United States.”

In 2006, the described “limited period” powers continued, as Attorney General Alberto Gonzalez argued before a secretive court that the court should retroactively legalize what the NSA had been doing for five years—collecting the phone call metadata of nearly every American, potentially revealing the numbers we called, the frequency we dialed them, and for how long we spoke. The court later approved the request.

The Attorney General’s arguments partially cited a separate law passed by Congress in 2001 that introduced a new surveillance authority for the NSA titled Section 215, which allows for the collection of “call detail records,” which are logs of phone calls, but not phone call content. Though Section 215 received significant reforms in 2015, it lingers today. Only recently has the public learned about collection failures under its authority.

In 2018, the NSA erased hundreds of millions of call and text detail records collected under Section 215 because the NSA could not reconcile their collection with the actual requirements of the law. In February, the public also learned that, despite collecting countless records across four years, only twice did the NSA uncover information that the FBI did not already have. Of those two occasions, only once did the information lead to an investigation.

Complicating the matter is the fact that the NSA shut down the call detail record program in the summer of 2019, but the program’s legal authority remains in limbo, as the Senate approved a 77-day extension in mid-March, but the House of Representatives is not scheduled to return to Congress until early May.

If this sounds frustrating, it is, and Senators and Representatives
on both sides have increasingly questioned these surveillance powers.

Remember, this is how difficult it is to dismantle a surveillance machine with proven failures. We doubt it will be any easier to dismantle whatever regime the government installs to fight coronavirus.

Separate from our recent history of over-extended surveillance is the matter of whether data collection actually works at tracking and limiting coronavirus.

So far, results range from unclear to mixed.

The problems with location and proximity tracking

In 2014, government officials, technologists, and humanitarian groups installed large data collection regimes to track and limit the spread of the Ebola outbreak in West Africa.

Harvard’s School of Public Health used cell phone “pings” to chart rough estimates of callers’ locations based on the cell towers they connected to when making calls. The US Centers for Disease Control and Prevention similarly looked at cell towers which received high numbers of emergency phone calls to determine whether an outbreak was occurring in near real-time.

But according to Sean McDonald of the Berkman Klein Center
for Internet and Society at Harvard University, little evidence exists to show
whether location tracking helps prevent the spread of illnesses at all.

In a foreword to his 2016 paper “Ebola: A big data disaster,” McDonald analyzed South Korea’s 2014 response to Middle East Respiratory Syndrome (MERS), a separate coronavirus. To limit the spread, the South Korean government grabbed individuals’ information from the country’s mobile phone providers and implemented a quarantine on more than 17,000 people based on their locations and the probabilities of infection.

But the South Korean government never opened up about how it
used citizens’ data, McDonald wrote.

“What we don’t know is whether that seizure of information
resulted in a public good,” McDonald wrote. “Quite the opposite, there is
limited evidence to suggest that migration or location information is a useful
predictor of the spread of MERS at all.”

Further, recent efforts to provide contact tracing through
Bluetooth connectivity—which is notthe same as location tracking—have
not been tested on a large enough scale to prove effective.

According to a mid-March report from The Economist, just 13
percent of Singapore’s population had installed the country’s contact tracing
app, TraceTogether. The low number looks worse when gauging the success in
fighting coronavirus.

According to The Verge, if Americans installed a Bluetooth contact tracing app at the same rate Singaporeans, the likelihood of being notified because a chance encounter with another app-user would be just 1.44 percent.  

Worse, according to Dr. Farzad Mostashari, former national
coordinator for health information technology at the Department of Health and
Human Services, Bluetooth contact tracing could create many false positives. As
he told The Verge:

“If I am in the wide open, my
Bluetooth and your Bluetooth might ping each other even if you’re much more
than six feet away. You could be through the wall from me in an apartment, and
it could ping that we’re having a proximity event. You could be a on a
different floor of the building
 and it could ping.”

This does not mean Bluetooth contact tracing is a bad idea, but it isn’t the silver bullet some imagine. Until we even know if location tracking works, we might assume the same.

Stay safe

Today is exhausting, and, sadly, tomorrow will be, too. We
don’t have the answers to bring things back to normal. We don’t know if those
answers exist.

What we do know is that, understandably, now is a time of
fear. That is normal. That is human.

But we should avoid letting fear dictate decisions with such significance as this. In the past, mass surveillance has grown unwieldy, lasted longer than planned, and proved ineffective. Today, it is being driven by opportunistic private actors who we should not trust as the sole gatekeepers to expanded government powers.

We have no proof that mass surveillance alone will solve this crisis. Only fear lets us believe it will.

The post Mass surveillance alone will not save us from coronavirus appeared first on Malwarebytes Labs.