Tracking coronavirus: big data and the challenge to privacy | Free to read
We’ll send you a myFT Daily Digest email rounding up the latest Data protection news every morning.
When the World Health Organization launched a 2007 initiative to eliminate malaria on Zanzibar, it turned to an unusual source to track the spread of the disease between the island and mainland Africa: mobile phones sold by Tanzania’s telecoms groups including Vodafone, the UK mobile operator.
Working together with researchers at Southampton university, Vodafone began compiling sets of location data from mobile phones in the areas where cases of the disease had been recorded.
Mapping how populations move between locations has proved invaluable in tracking and responding to epidemics. The Zanzibar project has been replicated by academics across the continent to monitor other deadly diseases, including Ebola in west Africa.
“Diseases don’t respect national borders,” says Andy Tatem, an epidemiologist at Southampton who has worked with Vodafone in Africa. “Understanding how diseases and pathogens flow through populations using mobile phone data is vital.”
With much of Europe at a standstill as a result of the coronavirus pandemic, politicians want the telecoms operators to provide similar data from smartphones. Thierry Breton, the former chief executive of France Telecom who is now the European commissioner for the internal market, has called on operators to hand over aggregated location data to track how the virus is spreading and to identify spots where help is most needed.
Both politicians and the industry insist that the data sets will be “anonymised”, meaning that customers’ individual identities will be scrubbed out. Mr Breton told the Financial Times: “In no way are we going to track individuals. That’s absolutely not the case. We are talking about fully anonymised, aggregated data to anticipate the development of the pandemic.”
But the use of such data to track the virus has triggered fears of growing surveillance, including questions about how the data might be used once the crisis is over and whether such data sets are ever truly anonymous.
The debate over the use of location data sets could be a forerunner to a broader discussion about civil liberties and surveillance in Europe and the US as governments put in place plans to lift at least parts of the lockdowns.
The strategies for reopening an economy before a vaccine is developed could involve monitoring the contacts of newly infected people, which will raise questions about how much curtailment of privacy societies are prepared to take.
In South Korea, which is seen as a benchmark of how to control infectious diseases, the authorities can require telecoms companies to hand over the mobile phone data of people with confirmed infections to track their location. The data has enabled the rapid deployment of a notification system alerting Koreans to the movements of all potentially contagious people in their neighbourhoods or buildings.
China and Israel have also used personal telecoms data to trace coronavirus patients and their contacts. Governments around the world are creating apps to gather more personal data, such as who is sick and with whom they have been in contact.
Even the EU’s General Data Protection Regulation, which was adopted in 2018, has a clause allowing exceptions for cases that are in the public interest.
Number of people that were found to be travelling in and out of Milan when Italy was supposed to be on its first week of lockdown.
Proportion of time Belgians are spending within their home postal area after confinement measures were introduced.
Percentage of individuals that one study found could be re-identified with 15 demographic characteristics, even when their data was anonymised.
Vittorio Colao, former Vodafone chief executive now at General Atlantic, says people should be willing to allow the use of “pseudo-anonymised” data by health services such as Britain’s National Health Service to respond to the pandemic. Originally from northern Italy, he says citizens understand the need to trust authorities to handle their data.
“It is not a question of spying on everyone forever but of saving lives for a time that demands temporary rules,” he says. “We trust Uber to know everywhere we go, we trust Gmail with everything we write. If we don’t trust the NHS with our health data then who do we trust?”
Vincent Keunen, founder of app developer Andaman7 in Belgium who works on ways to securely share health data, says citizens have legitimate concerns about vast amounts of data being used to track them individually. But he says it is a tricky balance to strike between using technology to help tackle health crises and safeguarding privacy.
“The use of technology should end as soon as the health of the people is guaranteed. We must be vigilant,” he says. “If you go to one extreme, you’ll have super high privacy but then you die and it becomes useless to have privacy. It’s a very delicate balance to reach.”
The use of location data to track the disease has been applied in Italy, Spain, Norway and Belgium, with the UK, Portugal and Greece set to follow.
In cities such as Madrid and Milan, telecoms operators have created heat maps that show how restrictions on movement are working and what effect the presence of police on the streets is having on behaviour.
Telecoms companies in Spain were able to show that the movement of people in one city dropped 90 per cent during the first week of the lockdown and a further 60 per cent of the remainder in the second week, while in Italy the lockdown was largely ignored for the first week, with between 800,000 and 1m people still travelling in and out of Milan.
In Belgium, the data showed that long distance trips of more than 40km dropped 95 per cent after confinement measures were introduced. Belgians are spending 80 per cent of their time within their home postal area, with mobility down 54 per cent. The data can show if large numbers of people in cities have fled for their second homes, as was the case in France.
The insights that telecoms companies can derive from these data sets build on their experience of working with epidemiologists to track infectious diseases in the developing world. Telenor, the Norwegian company, has participated in big data projects to predict the spread of dengue fever in Pakistan and malaria in Bangladesh. Kenth Engo-Monsen, a senior researcher at Telenor, says it was able to show that movement between Norwegian cities dropped 65 per cent after restrictions were applied.
“Knowledge about a population’s travel pattern is vital to understanding how an epidemic spreads throughout a country,” he says.
Telefónica, Spain’s national carrier which owns networks across Latin America, has developed expertise working with companies like Facebook to use data to deal with natural disasters such as earthquakes. It also worked with Unicef and the University of Notre-Dame in 2017 to improve epidemiological models for predicting the spread of the Zika virus in Colombia.
Prof Tatem cites coastal areas in Namibia as an example of where heat maps detailing migration into heavily infected areas can be used to prioritise other areas where bed nets and insecticides need to be deployed.
Vodafone has a researcher paid for by the Bill & Melinda Gates Foundation embedded in its data team at the company’s London headquarters, to work on data sets providing insights to academics tracking a variety of diseases.
Nick Read, chief executive of Vodafone, says the team offers invaluable insights. “We have seen how aggregated data can check the spread of disease in Africa. We’re now using the same insights to understand and combat the spread of Covid-19 in Europe,” he says.
European telecoms companies remain adamant that the information that has been provided to governments is anonymised and aggregated. That means it cannot be traced to any specific individual or phone. The process of scrubbing the data usually takes between 24 and 48 hours before it is available in data sets that can then be used by governments.
The industry insists that data about users is of little use for big data analysis of the contagion: the best way to track the spread of the pandemic is to use heatmaps built on data of multiple phones which, if overlaid with medical data, can predict how the virus will spread and determine whether government measures are working.
Telecoms companies say they are frustrated with the confusion between the kind of group data they are providing and the personal data that can be gleaned from apps on mobile phones. In Europe, personal information, such as whether someone has coronavirus and has shared that on social media or searched on Google for symptoms, is not legally accessible under GDPR by a telecoms provider.
Still, assurances from officials and industry executives have done little to appease anxiety that privacy rights could be brushed aside as governments seek to use tools of mass surveillance in their efforts to combat the virus. The concerns about political use of data have been aggravated by the fact that the European Commission wants the telecoms companies to provide the actual aggregated data, not just access to insights from that information.
Latvia, for example, has exercised its right to be exempted from certain obligations in the European Convention of Human Rights, which grants citizens privacy and data protection rights. Slovakia passed a law last month to use telecoms data to ensure people abide by quarantine laws.
Some researchers are not convinced by the claim that such data sets are completely anonymous. A 2019 study by researchers at Imperial College London and Belgium’s Catholic University of Louvain revealed there is a way to re-identify 99.98 per cent of individuals with just 15 demographic characteristics using location data. Other studies have come to similar conclusions that individuals can be identified based on aggregate data sets with relative ease. Spain’s far-right Vox party has urged people to turn off their mobile data, reflecting the anger over government intrusion on their privacy.
Austrian data privacy activist Max Schrems warns citizens should be careful of the rights they are giving away at a time of global panic. “I am worried that we will accept state surveillance during the health crisis but that it will then take years in court to get rid of it.”
However, he says there are apps that help citizens choose which data they share, leading to a more efficient tracking of the virus. “If people can decide themselves if they want to participate or not, then we have privacy-friendly alternatives. That’s a game changer.”
Some analysts worry that the data sets could be put to other uses in the future.
“They need to demand reassurances from governments [that the data] won’t be repurposed. The last thing they want is to wake up after Covid-19 and find that the data is still being used for other purposes. How do you police who is using it?” asks one industry executive. “There has to be a sunset clause.”
The telecoms industry has had to tread a fine line on the use of data or face punitive action. In the US, the Federal Communications Commission last month fined the four largest industry players a combined $208m over the historic sale of location data to third parties without the explicit consent of users.
Francisco Montalvo, Telefónica’s chief data officer, argues that governments need to combine the need to use the data without endangering privacy rights. “Governments and regulators should find a proper balance between privacy and public interest,” he says.
Many of these issues come to a head with the health apps which have been widely used in Asia and are gradually being introduced in Europe to track an individual’s health status.
Germany’s Robert Koch Institut has introduced an app, developed with Berlin digital health group Thryve,which links to fitness bands and smartwatches. It says the app will help it map the spread of Covid-19 by monitoring anonymised data for signs of infection including a user’s resting pulse, sleep and activity levels, which tend to alter significantly in the case of acute respiratory problems.
The data drawn from such apps can both track individual sufferers and people they have encountered via contract tracing methods to create a much deeper data set for governments.
The Financial Times is making key coronavirus coverage free to read to help everyone stay informed.
In Singapore, the government has asked citizens to opt in to its system and European governments including Germany have stressed that the use of tracking and tracing apps must be done on a voluntary basis.
“This is nowhere near the South Korean or Chinese or Israeli model where they have the power to track you, know you have the disease and who you know. We are nowhere near there,” says Enrique Medina, chief policy officer for Telefónica, which is working with the Spanish government.
The European Commission is working on guidelines on the use of tracing apps. Vera Jourova, vice-president for values and transparency, says citizens must be able to give informed consent.
“There must not be a hidden purpose or something I as a citizen don’t know,” she says. “The main thing is people entering such a system know what they are doing.”
Under pressure from privacy activists, the scientific community has created a body called the Pan-European Privacy-Preserving Proximity Tracing coalition in Switzerland, led by Germany’s Fraunhofer Heinrich Hertz Institute, to create standards for apps being developed that adhere to European laws around privacy.
The GSM Association, the mobile telecoms trade body, has also published a blueprint for best practice in how data gathered through apps is handled.
Juan Rio, who specialises in analytics at telecoms consultancy Delta Partners, says there will always be a trade-off between the common good and civil liberties in a time of crisis but questioned the efficacy of governments forcing citizens into using apps, as they may rebel and stop using their phones.
“With the invasive way, you are affecting the experiment. You change the behaviour of people and you cannot trust the results,” he says.
Additional reporting by Edward White in Seoul and Sam Fleming in Brussels
Get alerts on Data protection when a new story is published