The Choice isn’t just Privacy vs Health

You know it is bad when the tech giants are standing up against governments in favour of privacy, and drug cartels are ordering you to stay indoors for your safety.

At this point, most of what you have been reading these days would probably start with “In trying times like these” or “With a crisis staring us in the face”, and you can’t complain really. The novel coronavirus has sent the whole world in a frenzy, and we are seeing a different pace of the world. Times like these push even the self-serving politicians to get out of their chairs and do something. Even the government machinery, that is seen as slow and laid back, showcases a ‘take charge’ attitude while speeding up processes that take years otherwise. The most resistant to change try to bend to the situations. Because in a time like this, the only acceptable reaction is overreaction.

As with pretty much everything in recent times, technology is rising up with a potential answer. It is enabling a lot of good change. Countless public offices are finally moving away from paper pushing, educational institutes are hosting online lectures, archaic processes in companies are being dropped, so a lot of these catalysed decisions are welcoming.

But there is a scarier side of the same. Armed with technology, what would not pass for sane in normal times is easily getting the nod of everyone in favour of health. Of course, when asked to choose between health and privacy, majority would choose health, but is that really the choice we are facing?

We aren’t just choosing between these two, we are choosing the world we will live in, after this blows over. Temporary fixes always have a tendency to stick around for much longer than needed because “there is something lurking on the horizon, let things stay this way”.

Israel recently authorised the use of surveillance technology, typically left aside for dealing with terrorism. It was pushed back by the parliament subcommittee, but was forced anyway in the name of “emergency”. There have been protests against the same in Israel, hoping for a better approach.

Google and Apple recently announced APIs for contact tracing apps that will be available in mid May. By the time you read this, developer access has probably started. Among other requirements, there is a key element of the data collection to be decentralised.

However, the National Health Service (NHS) is sort of in a non-public stand-off with the tech giants as its plan includes gathering data in a centralised database, a move that could very well paint a picture of population movements. People who work on developing Android or iOS apps would know how tight control platform owners like Apple and Google keep. There are limitations on how Bluetooth and location data can be used. While as a developer it may force you in spots where you have to innovate a workaround or ditch features altogether, it is crucial.

The APIs announced by the two giants allow special access to Bluetooth while limiting the information that can be gathered. Consider it this way, if there are devices A to Z, the plan of NHS is to keep checking that “you passed A, B, C and D on your way” instead of “you passed 25, 32, 86 and 96; C was found infected, and so now we can tell you that he was 86 couple of days ago”.

Basically, Google and Apple say that the system is Bluetooth only, fully opt-in, collects no location, and no data from someone who isn’t COVID-19 positive. The objective is to automate contact tracing which at this point is manual and painful, while limiting the hit to privacy. This, of course, is appealing as it is hard to keep a track with so many cases.

However, the system is as effective as the data powering it, and so far, many countries have had a rather restricted approach to testing. To top that off, their other challenges, including the trolls, the JOKERs of the world, who would try to game the system.

Bluetooth based systems like this are least friendly for surveillance. They rely on rotating Bluetooth codes changing periodically and monitoring phones around keeping a note of their codes. As one user is reported infected, their app uploads the cryptographic keys used to generate the user’s codes over the past two weeks. The app with everyone else uses the daily keys to recreate the codes and alerts if a matching record is found.

Even if everyone adopts this, there are restrictions. Range of Bluetooth is typically more than what would be considered contact with an infected person, possibly giving too many false positives and freaking more people out. False reports are another risk, though addressed to a degree with an approval layer by healthcare officials. So while the solution is imperfect, it is a tool in the fight nevertheless.

Problem is that most apps would ask for location data anyway, sort of neutralising the point of innovating around Bluetooth and taking a fight against some powerful governments, whether to have better reporting or just to make the system more efficient by using location history. Just Bluetooth would mean a lot of data will be downloaded by all the devices on a daily basis. Even some bit of location data would help reduce that. And it goes back to square one if the apps choose to skip the privacy conscious approach.

Singapore launched its own app to attempt contact tracing, but with restricted permission; it isn’t exactly very effective. India has also launched its own app which the country is now trying to, or plans to, push on subsets of population in phases by offering other mandatory services, like passes to move in a lockdown or permission to use public transport when the lockdown ends.

France took a more public stance, unlike UK and others, to ask Google and Apple to weaken the privacy protections on their platforms so that they can better monitor the crisis. It is likely that it will be followed by similar requests from other governments. While the two tech giants have held their stance, it is a weird situation, where a choice is being made between privacy and health for the citizens of the world through a dialogue between tech and administration, while leaving citizens without a say in this.

France is going to roll out its app in mid May, before the APIs are available, so expect it to be severely limited in functionality. Google and Apple plan to disable the access to APIs on a regional basis and not authorise any government which seeks to make installing the apps compulsory.

With all this, one might argue this is nothing new as organisations have been trying to follow us and track our behaviour for ages, the real argument is about the long term impact. Data elements that appear harmless individually can be very powerful together. Any additional element, something seemingly as simple as biometrics to track health, when compounded with existing data, can be very powerful. There have been debates around data usage in cars, not just because they were recording data with on-board computers, but also because that data adds another layer to better profile the users.

You are already manipulated dozens of times a day into doing something or the other, whether with an ad, with leaderboard in an app, repeated news of a threat, or maybe just a clickbait title. Any additional information about you will only make this worse.

But coming back to the choice between health and privacy, maybe there is a way out. We saw how countries like South Korea moved swiftly and relied on extensive testing, well-informed population and transparent reporting.

A well informed and motivated population can be far more effective than a policed set of people who are more occupied in taking a fight against their governments. While the former will lead to a joint effort, the latter would only lead to standoffs between the citizens and the governments.

Long eroded trust in the administration can be restored, and changes can be made quickly in this time. The technology isn’t there to control the world, it is a mere tool to aid us through the crisis, maybe that’s what we should be targeting.

Tim Mossholder