Discussion Prompt: What existing national security legislation, new bulk analysis efforts, and emergency measures have different states deployed to curb the spread of Covid-19?

See all contributions to this question.

Measures to contain Covid-19 vary greatly among countries and have begun to include using data sourced from mass communications surveillance. In this novel crisis there is no direct precedent for using surveillance powers targeting such a large proportion of the population. Europe, and countries like the UK, Israel, South Korea, and Singapore have enacted different models, all with varying trade-offs between public health and human rights. Ultimately, radical transparency, trust, and participation would be the best way to fight the pandemic.


Just as all countries worldwide are scrambling to react to Covid-19, the UK’s use of data and digital technologies to deal with the pandemic is not yet clear. We are seeing technologies and firms introduced into the UK at haste, with little clarity or official statement. For comparison, we look to other countries’ & regions’ models, which range from Europe’s relatively non-invasive aggregated mobile location analytics to Israel’s bulk access to communications data by its intelligence agencies.

The UK has legal and technical instruments through which to task its security and intelligence agencies to lead the data driven responses to the crisis. This would be at the cost of transparency, however, harming the trust required to garner support from the population for what might be a long period of restrictions. Ultimately, in the UK, an approach based on openness and participation would be best.


The European model: aggregated mobile location analytics

The main development in the European context regarding the use of non-government data during the crisis, is around mobile location data from telecommunication companies. This is generally not based on GPS, but rather on coordinates of phone masts, to which a mobile device connects throughout the day. British mobile companies O2 (Telefonica) and EE (BT) are sharing anonymised location data with the government to help track the flows of movement of the population — not at the individual level — that can confirm whether travel restrictions are being observed. Open Rights Group has documented how these mobile companies routinely provide this kind of service on a commercial basis. Mobile location data can be used for planning where to locate a shopping centre or to plan transport policy. There have been reports about Google being in discussions to provide the UK government with location insights from GPS data collected in their apps and Android operating system.

Concerns about the efficacy of the anonymisation of location data remain, but these practices are fairly common. The main issue with these uses of non-identifiable mobile location data is the lack of openness and transparency from the UK government – in contrast to the information available from other European countries, such as Germany, where data protection authorities are actively involved in oversight.

A very different matter is the use of fully identifiable data to enforce the primary active measures to combat the pandemic: contact tracing and quarantine. Contact tracing has more privacy implications than quarantines, as it requires more data and it generates new potential targets. Forced isolation through technology also has privacy implications, but other rights are more involved.

European governments have been quite reluctant to use surveillance powers, no doubt in part due to the human rights implications. Below we look at some of the main approaches from other countries to this problem and whether the UK could implement them.


The South Korea model: targeted communications data acquisition by public authorities

Contact tracing through extensive data matching — CCTV, mobile, and financial data — is in place in South Korea, with police and health authorities obtaining location data from telecommunication companies if an individual refuses to provide this information. The authorities have now semi-automated this request system to obtain data in around ten minutes.

Using identifiable mobile location data in the EU — and for now, the UK — requires a specific legal instrument for national security or public safety that fits under the exceptions in the European E-Privacy Directive. There is no general public interest exception as such, and not even telecommunication companies are allowed to use this data without consent, other than for billing purposes.

The UK has the legal and technical infrastructure to do this, carrying around 750,000 requests for communications data a year with only administrative authorisation. Some health authorities can exercise these powers, although it seems they rarely do. The list of authorised public bodies could be changed if needed, with only some minor modifications by ministers to the Investigatory Powers Act 2016.

Existing legislation for civil contingencies and public health emergencies contains very few powers to specifically use data beyond traveller information and requests within the administration. The Coronavirus Act passed this week contains no specific powers to obtain or process data for fighting the pandemic.


The Israeli model: bulk access to communications data by intelligence agencies

Israel has taken the most controversial approach to pandemic surveillance outside of China. On March 17, the government authorised the internal security service Shin Bet to reuse for contact tracing a previously undisclosed dataset of the mobile location records of millions of people in Israel and the Palestinian Territories in the West Bank.

Few commentators pointed out that British security and intelligence agencies have been obtaining bulk communications data on the UK population for decades and already have the regulatory infrastructure to use it. According to official oversight reports, in 2017, there were 15 such warrants — technically called “directions” at the time — for bulk communications data, with almost 100,000 individual items being accessed by MI5 alone.

The pandemic would need to be classed as a national security issue for this data to be used, but since global health security is in the UK National Security Strategy and Strategic Defence Review 2015, this is probably not an obstacle. For all we know, using that data for general modelling and intelligence could already be happening.

The sophisticated technical system the NSA uses for contact tracing in the contexts of crime or terrorism was exposed by Edward Snowden. It is almost certain that the UK either has access to this system or has built its own version.

Contact tracing via examining individual records would require more steps, including creating an ‘operational purpose’, that would need to be communicated to the Intelligence and Security Committee (ISC) of Parliament. This is of course secret, but we would hope that citizens would be informed were this to happen, given the exceptional circumstances.

We do not know if this scenario is being envisaged. The Coronavirus Act includes measures to ensure the continued operation of the Investigatory Powers Commissioner’s Office, by allowing the appointment of temporary Commissioners and modifying the process for urgent warrants, including extending the period for approval from 3 to 12 days. These measures seem appropriate, given that the Commissioners are generally in an age group that may be at risk, and do not necessarily indicate an intention to ramp up surveillance, which in the case of communications data does not need judicial authorisation anyway.


The Singapore model: voluntary use of smartphone apps

At the other end of the privacy spectrum is the approach of Singapore. Despite the country’s poor reputation on civic rights and surveillance, the government has introduced a privacy-friendly smartphone app called TraceTogether that exchanges Bluetooth proximity data with phones running the same app that are nearby for 30 minutes. The app does not collect or use geolocation data, such as GPS, WiFi fingerprinting, or cell ID. After a person is infected they have to send the app’s contact history to the government and other potentially infected app users are alerted, if they have given their mobile number and agreed. In contrast with the privacy precautions before infection, the details and location — but not the name — of those infected are made publicly available.

NHSX, the innovation arm of the UK National Health Service leading the digital effort on the pandemic in Britain, is working with a health data team at Oxford University to develop an app for contact tracing and alerts. The researchers think that 60% of the population would need to use the app for it to work. The technical details and the external partners actually developing the system are not known. This has led a group of prominent UK technology experts to urge NHSX to work more openly, making public who is creating the app and following ethical best practice.


Necessity and proportionality in a pandemic

Responding to the coronavirus outbreak, communication data surveillance has become a public health issue. Protection of health is a distinct purpose for interference with rights under the European Convention on Human Rights, the UK Human Rights Act 1998, and the Investigatory Powers Act 2016. There are also clear powers for public health emergencies in GDPR and the associated UK laws.

The current approach in the UK of using anonymised mobile data and voluntary use of apps seems a proportionate response, although this is not a coherent position from government officials, rather one pieced together from media sources. The current lack of transparency and public engagement is problematic because it undermines public trust.

It is likely that demand for more privacy-intrusive measures will start in the UK after the pandemic’s peak, when testing is available and the controls need to be more focused and not necessarily cover the whole population. This could be the case, particularly if self-isolation is flouted and new clusters begin to appear. The question of proportionality will be central, but there is no direct precedent for using surveillance powers targeting such a large proportion of the population.

Using existing national security powers to task intelligence agencies with analysing bulk data would further reduce transparency and public accountability. However, one could also argue that we could take this crisis as an opportunity to make these agencies more accountable in their role of public sector bodies with human rights obligations, rather than relying on commercial surveillance even more.

Some countries — such as Latvia, Romania, Moldova, Armenia, and Estonia — have activated Article 15 of the European Convention of Human Rights and derogated most rights, except for life and the prohibition of torture. This would be a mistake for the UK. Social compliance with control measures is the most important aspect for success in stopping the pandemic, and minimising any interference with human rights, however lawful, will be better in the long term to build the trust required.

If monitoring of members of the population becomes necessary, it should be minimised in time and space, and we must ensure it doesn’t discriminate against specific groups, e.g. travelling Roma. However, the first question to assess the necessity and proportionality of any measure will be whether it actually works. Many old people still don’t have a smartphone, and it is unclear whether mobile mast data or even GPS data are granular enough for contact tracing.

The reasons for non-compliance with restrictions should be properly understood; sheer stubbornness is not the same as financial difficulties. Using data-driven automated enforcement to deal with complex human behaviours may just be too simplistic. Radical transparency, trust, and participation would be a better way to fight the pandemic.