SOPA Images/LightRocket via Getty Images
It has become just one more factor in the new normal we are living with today—after an escalating backlash in months gone by against phone tracking technologies, a backlash that promoted location privacy responses from Apple and Google, we’re now all being tracked to help stem the spread of the coronavirus and apparently we’re fine with it. The slight twist, of course, is that we were still being tracked anyway, it’s just that our governments are now tapping into that data.
In the U.K., not a country especially receptive to government tracking, most of those questioned in a recent survey seem happy with the measures in place and would go much further. As reported by the Telegraph on April 4, “more than two thirds of the population would back the use of CCTV footage, mobile phone data and credit card records in a mass ‘contact tracing’ exercise to prevent a second wave of coronavirus infections.” A few days earlier, a similar survey found that 86% of the population would “sacrifice their human rights to help prevent the disease.”
Despite this seeming mindset shift towards surveillance measures never before seen in Europe, the current state of tracking in the West is built around two core pillars—data should be anonymous and aggregated. Simply put, no data records should link back to an individual and the data should be viewed en masse. These are patterns and trends, not finger pointing. The core data itself, though, has to be uniquely identifiable—that’s simply how tracking works. When it comes to the plea “I am not a number,” as regards phone tracking, the answer is “yes, actually you are.”
Google itself openly joined the tracking fray on April 3, announcing that it would now provide generalised tracking data for 131 countries and regions, “to chart movement trends over time by geography, across different high-level categories of places such as retail and recreation, groceries and pharmacies, parks, transit stations, workplaces, and residential.” The tech giant was keen to emphasize that “to protect people’s privacy, no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point.”
Illustrative tracker data: U.K. report, March 29.
This makes us feel better, apparently. It was the same when the U.S. decided that the location data collected by the mobile marketing industry negated the need to seek legal access to mobile network logs or to engage more invasive surveillance tech. We are happy to overlook that it’s only anonymous because organizations are withholding some of the data they collect from the government. Yes, that’s right, the mobile marketing industry is keeping us safe by hiding some of their data from the government charged with fighting the spread of coronavirus. If they wanted to individualize it, then technically they could—and for advertising, to all intents and purposes, they do.
The largest countries in Europe as well as Australia are now tapping into the location data collected by the mobile networks themselves, a dataset that has much less potency than the marketing data the U.S. has decided to use. When your network tracks your location, the pinpoint accuracy is highly dependent on where you are—even in busy urban areas with countless cell towers, we are likely talking a few tens of metres. By contrast, the marketing data uses the phone’s GPS signal as well as any other beacons it can access—it is much more accurate.
There is one difference between the U.S. and European deployments, and that’s implied user consent to collect the data. The mobile network data collected in Europe has no user opt-outs, it’s built into the way the networks operate. That’s different to the data pulled from phones. As Google explained in its own blog on the subject, these are “aggregated, anonymized sets of data from users who have turned on the Location History setting, which is off by default. Users who have Location History turned on can choose to turn the setting off at any time from their Google Account, and can always delete Location History data directly from their Timeline.”
The same is true with the marketing data being accessed by the U.S. Users denying apps permission to track locations will withhold their data from such schemes. Of course, there are some apps we want to know where we are—maps, most obviously. Others we tolerate—weather, local services, travel, fitness trackers and cameras. And then there are those that sneakily access our locations without us explicitly realizing it’s being done—I’ve covered this in the past. Apps that collect our locations feed this data to marketing companies and are paid to do so.
It’s a little over two weeks since I reported that the U.S. and Europe were likely to begin actively tracking population movements to help combat coronavirus. In the time since then that’s exactly what has happened. And our acceptance of this has been helped by the commercial trackers that show us the broad patterns from which we can infer how the virus might be spreading to our towns and cities.
Beyond the aggregated data analysis, there are apps that go further—in Poland, for example, a government-mandated app combines selfies and GPS location to ensure those quarantined at home are not breaking the rules. In Taiwan, a “digital fence” triggers a visit from the police if someone infected with COVID-19 leaves their house or switches off their phone. In South Korea and Singapore, active phone tracking has become part of the fightback. And in China, the world’s surveillance superpower, phones, their locations and their data have been stitched into a full-scale tracking and contact tracing war on the disease.
The question now is what next for the west. There is an increasing acceptance for some level of digital contact tracing to be deployed. The surveillance that underpins such an approach is highly invasive, many steps beyond where we are now, but it is unarguably effective. As the situation in Europe and America continues to spiral, it would seem inevitable that such measures might be explored.
And, with lockdowns in place, to this we can add enforcement of the time people spend away from home and for what reason. Today, April 5, there are fears that many U.K. citizens will ignore the restrictions and head out into the sun, meeting friends. Digital technologies used to both enforce restrictions and trace contacts where those restrictions are ignored does not seem out of step with a nationwide restriction on the movement of 60 million people.
Just ahead of Europe and the U.S. jumping into coronavirus phone tracking, Israel announced it would deploy such technologies. And they are ahead of the rest of the west again when it comes to next steps. A week ago, the Israeli press reported that spyware giant NSO, famous for allegedly hacking WhatsApp, was in talks with the defense ministry about tracing coronavirus contacts and scoring the likelihood of infections. An individual would have a likely infection score based on where they had been and who else had been there. This caused a privacy backlash in Israel but didn’t stop NSO reportedly pitching its contact tracing toolkit around the world.
Such a system overlays analytics onto existing cellphone tracking data, whether from a marketing-style database or from cell towers. The core data is provided in the same as the location information already being used. Because this data is sourced by governments, in reality NSO has just created an analytics layer and added its “spyware” brand to make the entire exercise thing seem more frightening to the general public than it really is. If the system shifts beyond general patterns to individual tracking, again the data is there already, it is just being unmasked.
Beyond the short-term, what we have now is a situation where the potency of the mobile surveillance seen in China in recent years has been brought to the fore. And while there is a debate as to whether governments in the west now dipping into something similar will put these new toys away once the pandemic is eventually resolved, that’s not the most salient point.
There will not be blanket mobile surveillance in the west long-term. But there will be a series of questions as to whether a surveillance ecosystem should be built to better deal with this kind of situation next time around. And there will also be a debate over when such tech can be used—civil unrest being one example. That will strike fear into privacy campaigners, as will thew fact that commercial tech developed as part of this drive will find its way into the wrong hands.