Extraordinary powers need extraordinary protections

PI's response to proposals by governments to use mobile phone location and other traffic data from telecos to help with Covid-19 response.

Key points
  • UK government seeks to use mobile phone location and other traffic data from telecos to help with Covid-19 response.
  • Limited evidence to suggest that movement data or location data useful in tackling and predicting the spread of diseases.
  • Extraordinary measures should not be deployed without risk assessments or enforcement of safeguards.
News & Analysis
Metadata post

In the last few days, PI and its Network have been recording and documenting the measures being proposed by various governments, international institutions and companies to help contain the spread of Covid-19.

In a recent development, the Guardian have reported that the UK government is the latest to seek to use mobile phone location and other traffic data from telecommunication operators to help with measures the government may develop next as part of the response to Covid-19.

It comes despite the UK government's chief scientific adviser, Sir Patrick Vallance, saying that the most useful period of time for location tracking had already passed and that such a measure “would have been a good idea in January”.

It was reported that the data to be obtained would be delayed by 12-24 hrs, i.e. not be done in realtime, and would be used to:

  • identify patterns in terms of people’s movements, and see if people are following government advice to avoid public places including pubs, bars and restaurants;
  • send health alerts in specific locations, and
  • inform decision-making by health services.

From what is known so far, it is unclear if the telecommunication operators would be providing access to the raw data they hold, or whether they would be running the analysis of the data themselves based on criteria and parameters set by the government.

Either scenario raises concerns about how these processes will be regulated, how transparent the telecom operators and government will be about how they are partnering, and the oversight mechanisms they will be subject to, if any.

Similar initiatives are starting to be deployed by Israel and Germany, whilst others are exploring such proposals including in Belgium, Italy, and Armenia.

What’s the issue?

First and foremost, there is limited evidence to suggest that movement data or location data proved useful in tackling and predicting the spread of MERS or Ebola, as discussed below. As this crisis unfolds, it is essential that any and every measure is undertaken only on the advice of health experts and is based on evidence.

Aside from that, it is not clear that sufficient consideration is being given to the safeguards necessary to protect people and their data in the short-term and long-term.

Countries such as the UK already have sweeping powers for bulk interception, bulk hacking, and long-term data retention, which are not always subject to effective oversight. PI has ongoing human rights concerns regarding the use of such powers. Those concerns apply equally to the bulk collection of location and traffic data.

No matter the urgency required, it does not justify new initiatives being deployed without risk assessments or safeguards not being enforced when fundamental rights are at stake.

If safeguards are not embedded within such proposals and mitigations strategies are not adopted, the risk is that unregulated, unaccountable systems will be put in place – not just for the time period necessary to tackle COVID-19 – but as the foundation for long-term mass surveillance and data exploitation systems.

What kind of data: Metadata

What these governments are after is what is called metadata, which is any set of data that describes and gives information about other data such as the timestamp of an electronic message, the name of the sender, the name of a recipient, the location of the device, etc.

Nearly every use of technology and interaction on a technological device generates metadata for all users and entities involved in the transaction.

Presumed as less valued or less important than content data, as illustrated by the fact metadata enjoys fewer protections than content data, metadata provides access to highly sensitive information and provides incredible insights about people, their behaviours and connections.

Anonymised data, is there a such a thing?

Often when raising concerns about the use of metadata, such as mobile data and location data, those wanting to use such information will tell you that they are mitigating the risks because they are anonymising the data.

But it has been well-documented that current (slightly outdated) methods used to anonymise data are not sufficient, and especially when aggregating with other sources of data, it is possible to re-identify. Many governments may already have access to those other data sources under their existing surveillance powers, such as the ability to request identifying subscriber data from telecommunications companies.

Joint research by MIT and the Université Catholique de Louvain even found that it only takes four (random) data points to de-anonymise 95% of users.

How has such data been used in prior public health crises?

It is not the first time we are hearing such ideas proposed for “public good” and in particular in a time of crisis. When the Ebola crisis broke out in West Africa in 2014 and then when South Korea faced an outbreak of Middle East Respiratory Syndrome (MERS) in 2015, mobile phone data was used to predict the evolution of the outbreak and to monitor patterns in peope’s movements with the aim of tackling the spread.

As studies by Harvard’s Sean McDonald have shown shown, there is limited evidence to suggest that movement data or location data proved useful in tackling and predicting the spread of either of those two diseases.

For example, during the Ebola crisis people pushed for the use of mobile phone data, using examples of how it had been used to predict vector-borne diseases. But Ebola was not a vector-borne disease which meant “that the same probabilities aren’t a useful indicator of transmission.” And in the case of South Korea no information was ever made publicly available about how the data was used, and whether the phone data made a difference, and so no evidence that it the location data (and the imposition of quarantine) helped contain the virus.

And yet, since then we have seen countless initiatives in the humanitarian and development sector to track and monitor people’s movements by institutions liked UN Global Pulse, the GSMA, as well as companies such as Facebook, amongst many initiatives to use (big) data “for good”.

The use of data and technology is changing and will continue to transform the way development programmes are delivered and humanitarian assistance can be provided to ensure more people can benefit, more rapidly and more effectively. But, in this complex interplay of assessing the benefits and challenges, it is necessary to ensure any attempts to help do not create new risks, or expose people to harm.

The risks and harms: the impact on people

In addition to questioning the usefulness of using mobile data tracking for managing health pandemics in the way governments are proposing, given the existing powers for governments to surveil and exploit data, and the lack of transparency and accountability of such systems, our concerns are heightened.

Mobile network usage data including location data, especially when aggregated with other sources, can provide great insights into people’s behaviours, movements and social networks, and making use of such intelligence for other purposes than those foreseen when the data was collected raises a lot of concerns, both about decisions made on the basis of that information, and how the information can be used against people in future.

The risks associated with using such data are varied, and already well-documented. We’ve seen how mobile data, metadata such as location data, have been used to track visitors in public spaces, monitoring women at protests, amongst others.

If this mobile data is used to identify geographic areas at risk and/or people at risk as outlined in various government proposals, what are the measures being taken to ensure it is being used solely for the purpose of tackling the spread of Covid-19 and not for further law enforcement and national security purposes?

What happens after the storm?

One of the biggest concerns around this sort of initiative and others measures announced to respond to the Covid-19 is: what happens after?

Once a government has given itself such powers, it is rare that they will vote to remove them - it is therefore vitally important that the measures we are tracking have hard expiration dates. The UK government, for example, has set a lengthy 2 year sunset clause on the emergency powers it is currently passing through the British parliament, with 6 month renewal periods.

There is without doubt the temptation for governments to repurpose any systems that have been put exceptionally in place for dealing with a health crisis - after all, it has already been paid for and deployed. Ensuring this doesn’t happen involves both listening to the health experts in a position to decide whether such powers are necessary, and holding any governments ignoring them and people’s safety to account.