Some jurisdictions in Canada and around the world are using cell phone data to track the spread of COVID-19. How would this work? What are the privacy concerns around using personal data for this purpose?
We asked Florian Kerschbaum, a Professor in the Cheriton School of Computer Science and the Director of the Cybersecurity and Privacy Institute, to help us understand this complex issue.
How can cell phones be used to track the spread of COVID-19?
Cell phones provide location data. A cell phone is associated with a person; therefore, that person and cell phone can be located. This tracking can be on the phone (e.g., using GPS) or by the carrier (using the cell tower connection data).
In combination with health data of positively tested persons (and their mobile phone number), this allows analysis of the spread of the virus and potential violations of quarantine regulations.
What are the legal aspects of government asking cell phone companies to share client data?
What is important to understand is that as long as these data collections exist, legal protections are insufficient. A crisis, such as COVID-19, may very well convince a government to overturn its previous privacy legislation and use the data for unintended purposes.
This may also create a precedent for future actions and erode privacy over the long run. Most importantly, while democratic governments often support their citizens’ right to privacy, a crisis like COVID-19 may challenge this and they may become opponents of this right. If we desire a sustainable approach to privacy, we need to prevent data collection in the first place, which in turn will prevent the desire to share the data.
What is your main concern if this approach was to be taken? Or do you think it would be justified?
Location data allows many more inferences than just following a chain of infections. It allows inferences about personal preferences, many of which are protected by privacy legislation. While many people would agree to join the fight on COVID-19, they may be uncomfortable if certain personal secrets were revealed, for example, broader healthcare data.
Changing the importance of long-held values, such as privacy, in a crisis would create a dangerous precedent, eroding confidence in those values. It would significantly change the future debate. Technologies without user consent are much more invasive than technologies with user consent and should hence be used only if no alternative exists.
What technology could balance privacy and the fight against COVID-19?
The simplest way of implementing data sharing is to exchange data or share it with a trusted third party. However, then the sharing parties lose all control over their data. There exist cryptographic protocols that allow third parties to perform an analysis of shared data without exchanging that data. These so-called secure computations require additional network and computational resources, but can preserve the privacy of everything except the result of the agreed-upon analysis. In this case, it would be the measured infection rate of COVID-19.
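To make the idea of a secure computation concrete, here is a small added example (not from the interview and not code from the Cybersecurity and Privacy Institute) of the simplest such protocol: a secure sum based on additive secret sharing. Several parties, say regional health authorities, each hold a count of positive tests and a count of tests performed. Each party splits each of its numbers into random shares that add up to the true value modulo a large prime, hands one share to every other party, and publishes only the sum of the shares it received. Adding those published partial sums yields the aggregate infection rate, while any single party sees nothing but uniformly random values. The party names and counts below are constructed sample data.

```python
import secrets

# All arithmetic is done modulo a large prime so that every share
# is a uniformly random field element that reveals nothing on its own.
PRIME = (1 << 61) - 1


def share(value: int, n_parties: int) -> list[int]:
    """Split `value` into n additive shares that sum to `value` mod PRIME."""
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)  # last share fixes the total
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recover a shared value by adding all of its shares mod PRIME."""
    return sum(shares) % PRIME


def secure_sum(inputs: list[int]) -> tuple[int, list[int]]:
    """Compute the sum of all inputs without any party learning another's input.

    inputs[i] is the private value of party i. Party i secret-shares it and
    sends share j to party j. Party j then adds up everything it received and
    publishes only that partial sum. Returns (total, published partial sums).
    """
    n = len(inputs)
    # distributed[i][j] is the share of party i's input held by party j
    distributed = [share(v, n) for v in inputs]
    # what party j can see: one random share from every party, nothing more
    partial_sums = [
        sum(distributed[i][j] for i in range(n)) % PRIME for j in range(n)
    ]
    return reconstruct(partial_sums), partial_sums


def party_view(inputs: list[int], j: int) -> list[int]:
    """The shares party j receives: each is uniform, independent of the inputs."""
    n = len(inputs)
    return [share(v, n)[j] for v in inputs]


def secure_infection_rate(regions: dict[str, tuple[int, int]]) -> float:
    """Aggregate positive/tested counts held by several regions via secure sums.

    `regions` maps a region name to (positives, tested). Only the two totals
    leave the protocol; per-region counts stay with their owners.
    """
    positives = [p for p, _ in regions.values()]
    tested = [t for _, t in regions.values()]
    total_positives, _ = secure_sum(positives)
    total_tested, _ = secure_sum(tested)
    return total_positives / total_tested


if __name__ == "__main__":
    # Constructed sample data: three regional authorities, each keeping
    # its own counts private.
    sample = {
        "region_a": (12, 400),
        "region_b": (30, 600),
        "region_c": (8, 1000),
    }
    rate = secure_infection_rate(sample)
    print(f"aggregate infection rate: {rate:.4f}")  # 50 / 2000
    print("shares seen by region_b:", party_view([12, 30, 8], 1))
```

Two caveats a practitioner would want alongside this: the protocol hides inputs only from parties that follow it (an honest-but-curious model), so a party that submits a fabricated count is not detected, and the published result itself still leaks a little, since a region that learns the total can subtract its own contribution. Real deployments add authenticated channels, verifiable shares, and limits on how many aggregates may be released.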