For the second time in a generation, Americans are having to make critical choices that will affect our fundamental way of life in order to defeat an insidious enemy. In 2001, we watched in horror as nearly 3,000 of our fellow citizens were killed and thousands more injured when fanatics launched hijacked airplanes into the World Trade Center and the Pentagon. Today, more than 41,000 Americans have joined the tens of thousands of victims of the COVID-19 pandemic.
Now, as then, as we seek to fight back against our enemy, we will have to make some tough decisions. In October 2001, President Bush signed into law the USA PATRIOT Act, giving the federal government expanded powers to go after terror suspects. From its inception the law was engulfed in controversy. Civil liberties groups and others pointed out the potential for the government to abuse its new powers, and the secrecy surrounding the new law enforcement procedures was anathema to the traditional American idea of transparency.
I worked in banking at the time and was involved in implementing some of the changes brought about by the new law. We found a way to respond while protecting the privacy of our clients. Today, in the fight against COVID-19, we are facing similar questions and once again have to balance changing circumstances with the constant need to protect privacy.
Technology has advanced exponentially in the years since 2001, and thus most of us are exponentially more connected. While flip phones or early-generation Blackberry devices were attached to our hips, smartphones were unheard of in 2001. Now there are an estimated 5.2 billion smartphones in the world. New technologies give us an increased arsenal of weapons to fight the virus. Smartphones, crucially, can be used to collect data and track the spread of the disease. But as the reach of technology into our daily lives has expanded, so too have concerns about privacy.
Because this is a global pandemic, these concerns are global in nature. Governments around the world are already using technology to combat COVID-19 in ways that raise uncomfortable ethical questions for cybersecurity experts, and for any plugged-in citizen.
China, for instance, was able to achieve success in clamping down on the virus (if Chinese government statistics are to be believed) by employing its massive state surveillance network, tracking its citizens’ phones and keeping an eye on them with drones. In Vladimir Putin’s Russia, authorities recently used facial recognition technology to catch a Chinese woman who was supposed to be in quarantine but “escaped.”
But it’s not just repressive regimes. South Korea has also won praise for halting the spread of infection, but even in their economically liberal, democratic society, the government can track citizens via a variety of smartphone apps. Officials can run a smartphone usage scan to tell if you may have come in contact with someone with COVID-19. At train stations, thermal-camera monitors measure and track the body temperature of travelers.
In America, we once again find ourselves saying: ‘It can’t happen here.’”
Other key U.S. allies are already taking actions that should raise eyebrows here. In Israel, the Shin Bet intelligence unit has pivoted from tracking terrorists to tracking citizens’ telecommunications data in order to monitor infections. Authorities in India are using geofencing—turning smartphones into virtual ankle bracelets, like those used for criminals on house arrest, and penalizing people for moving into the wrong areas. Drones buzz around the United Kingdom looking to spot and report people violating social distancing regulations. In Australia, some homes are being fitted with legally mandated surveillance devices to monitor those under quarantine.
In America, we once again find ourselves saying: “It can’t happen here.” I assure you, it can. And unless we start paying attention, it probably will.
Another difference between the post-9/11 landscape and today is the unprecedented cooperation between the companies that make the phones and apps which harvest our data and the government that wants to use that data. Remember the debate in 2015-16 over whether Apple should unlock the San Bernardino mass shooter’s iPhone for the FBI? Today, Apple is already so deeply embedded with government efforts to find ways to track us that the debate of just a few years ago seems quaint. The public-private partnership to track each and every one of us is advancing rapidly while we are busy watching climbing death tolls and hiding under the covers.
Apple and Google—two companies with some of the largest reservoirs of user data on the planet—are teaming up to launch an app that would allow users to self-report a COVID-19 diagnosis and then mine their data to see where they’ve been and who else they may have infected. The app, we are assured, would be voluntary—for now. Meanwhile, the CDC is working with Palantir and Google to create a database that models the spread of the disease by trawling through our social media posts to see who has been posting about it and where.
There’s plenty of reason to be scared during this unprecedented pandemic. We all have loved ones who find themselves at risk, and we want to do everything we can to protect them and stop this disease from spreading. That’s why, on some level, these projects run by tech companies and government are encouraging—if, that is, they prove a temporary measure. But ask yourself—if Apple and Google find themselves with government-sanctioned access to new streams of user data that they can eventually monetize, would they be likely to voluntarily turn off those taps?
Perhaps most alarmingly, most Americans seem content to answer “I don’t care.” A Harris poll conducted in late March found that more than half of Americans now back “anonymized”—a tricky concept in itself—tracking via smartphones. But the respondents to this poll could be forgiven for backing something that promises to help fight a deadly disease without fully understanding the ramifications. Simply put, most people don’t know how much risk this level of data intrusion carries.
How to protect ourselves and our privacy
That’s why citizens, especially those with tech and cybersecurity expertise, need to follow these developments closely. Someone needs to be able to blow the whistle and throw the flag in the midst of all the clamor about fighting disease. No entity, public or private, should be given blanket powers to track American citizens. We need to put up guardrails alongside these projects, and we need to put them up fast.
There are so many important questions still to be asked: Who will have access to this data? How will it be kept secure? When will we stop collecting it—if ever? When we no longer need it, how will it be disposed of?
The good news is that there are ways to mitigate these problems, if the companies involved choose to use them. The information collected could be “tokenized”—provided in an anonymized format when requested, but not stored. Alongside that, a built-in “digital destruction” policy could automatically delete personal information such as your phone’s individual ID number and account names to ensure specific phone owners are truly not being tracked. Bluetooth connections used by these apps on our phones should be monitored for anomalies that could indicate “eavesdropping” by outside parties.
On top of this, the government oversight of these programs must be robust. If a cybersavvy agency such as the Department of Homeland Security can review Google and Apple’s apps to ensure they follow the correct security and privacy guidelines, the people will at least have some protection. At the same time, ethical “white hat” hackers should be gaming the apps, probing for weaknesses to pass along to increase their security.
One day the COVID-19 pandemic will end. It will, sadly, take many of our fellow Americans with it. But if we are careful, we may stop it from claiming our right to privacy as a casualty too.
Theresa Payton is CEO and founder of Fortalice Solutions and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth (Rowman & Littlefield, April 22, 2020).