Pandemics and our privacy

Date published: 9:17 am, April 22nd, 2020 - 43 comments
Categories: health, health and safety, human rights

A little chill went down my spine when I saw that the Ministry of Health was checking with our data spy agency, the GCSB, about enabling full tracing of people to slow further outbreaks.

The Ministry told RNZ that any data held about individuals would be used only to help the public health response and “not be used for other purposes”, commenting: “We expect the majority of the information held will also regularly and automatically be deleted.”

Massively invasive tracking and testing have been the primary means by which the governments of Hong Kong, Singapore, South Korea, and Taiwan have all managed to avoid prolonged lockdowns. So it works. They also arrested all the key democratic activists in Hong Kong over the weekend. Probably a coincidence.

Across workplaces everywhere people are generating forms and apps to track where you drove from, who you had in the car, whether anyone in your household is sick or is an essential service worker, even whether you've got a pre-existing immune deficiency condition, and indeed what your temperature is when you come to work. And failure to respond means …

So, after this outbreak all countries that can will be planning for the next viral outbreak. They will be planning massive preventative measures such as population movement surveillance. 

Google has been sharing some of its vast collection of location data with public health researchers and epidemiologists to help model the movement of its users. Thanks, Google. Plenty of firms are developing proximity-tracking apps to trace those who have had contact with COVID-19 patients.

As you might expect, when we demand that the state take over management of society down to our actual personal movements in order to save the country, we lose a bunch of freedoms along the way. Clearly our own state is thinking along these lines already.

So, the question I would want to put to the Ministry of Health in a Select Committee: can it be proven that any and all of these temporary measures are reversible? The process for their removal must be written into law from the moment of implementation.

Of course we have pretty clear principles for harvesting personal information, set out in our Privacy Act.

But as was shown this week, when Paula Bennett was found not to have breached the privacy of Winston Peters after his superannuation details were released by one of a very few people high up the food chain in the heat of an election battle: you can have all the law on your side and all the money you want to get to court, and point to a big fat smoking gun, and motive, means and opportunity, and it can still give a mere citizen zero practical protection or recourse. Even a well-armed and wily one like Winston Peters.

To track potentially infected individuals, South Korea collects not only location data from cellphones and GPS, but also public transport data (the equivalent of our HOP cards and SuperGold cards), credit card data, immigration records, and so on. But is there really any reason to collect, process and hold location data for months or years when this kind of virus incubates within two weeks? At last we'd know where Grandpa went, I guess.

Behold leviathan, the state: benevolent in March and April but growing into a towering animal every day this goes on. Behold this state, which has working groups that will not waste a crisis. Maybe we just trust the benevolence of our own little state so much that we don't care if we open up our lives for more accurate health services, or telco services, or transport infrastructure. But once a state gains the capacity to exercise a power, it almost never gives it back.

It just keeps quiet about it.

Now you can go the full China version and have a smartphone app that aggregates your health data and on that basis assigns you a colour code (green, yellow, or red) reflecting your health status, and can then prevent you from getting into a mall or onto a train.

Charming.

But the softer, Australian version is on its way already and primed for release. Not compulsory to upload yet, but at least it’s more polite than printing 666 on your forehead.

Now, we have to be honest and admit that there's very little privacy left, and we willingly give it away ourselves anyway. Every swipe, every cookie, every site we visit.

And we won’t always have a Jacinda Ardern to charm and successfully manipulate us into doing what needs to be done. The collective good is going to need some further loss of privacy to be sustained. Once the good will vanishes, it’s going to need stronger collective data to do the job instead.

Not too long ago we were at the forefront of the need for regulating the big data harvesters. Remember Ardern working with Macron on regulating the big data players?

And as recently as February this year we promised Prime Minister Scott Morrison that we would work with them on artificial intelligence.

Note this one, just on travel:

“The Prime Ministers underlined the need to maintain high security standards for trans-Tasman travel, and welcomed the use of biometrics technology and timely data processing to increase efficiency. They welcomed New Zealand’s successful introduction of the Electronic Travel Authority in October 2019, for both air and cruise passengers, and noted its twin aims of improving border security and enhancing passenger facilitation. The Prime Ministers noted the world’s first 3D auto-detection algorithms for identifying biosecurity risk materials, developed from joint trials in 2019, which will increase border screening effectiveness and efficiency for both countries.”

My bet is those kinds of records aren’t going to be temporary. Certainly not if we want a tourism industry for the next few years.

So how much more of our democratic values are we going to trade for the state’s demands in the name of public health and safety? The digital response to COVID-19 magnifies this shift.

As they have in Australia, we will develop a public health app. It will start as Opt-In, shift to Opt-Out, and then go to Compulsion.

Maybe that’s as short as when the next Level 4 lockdown happens.

Maybe Google just slips it into its next Terms and Conditions upgrade.

Hey government, can we at least debate this in the open?

43 comments on “Pandemics and our privacy”

  1. Alice Tectonite 1

    Bad enough under Labour led government, imagine if Nats get hold of it. Or the sadistic fuckers at Work & Income…

  2. A 2

    Great post.

    When will we be consulted?

    The Covid cards seem to be a colossal waste of money because they are going to aim for around 5 million of the things…how many of us are objecting and won't carry one, and at what number of people refusing to be tracked "for their own good" does this tech become useless?

  3. Andre 3

    This proposed Covid Card seems an interesting way to gather info for contact tracing, while reducing concerns around something as intrusive as a compulsory app for your phone.

    https://www.stuff.co.nz/national/health/coronavirus/121083996/coronavirus-new-zealand-considering-100m-contact-tracing-covidcard

    • pat 3.1

      That struck me as a much better option…especially as it doesn't require a smart phone, and has a limited lifespan…curiously it doesn't appear to have been mentioned since by either media or gov who all appear to be discussing apps

      • barry 3.1.1

        Except it is not likely to work, the same with the apps. Bluetooth is not the right technology for recording proximity.

        In the end it is a trade-off between health, money & privacy. If we had ID cards we could use them to scan into trains, restaurants etc and then we could be contacted if there was a need. If we had China's app then we could have less of a lockdown and achieve the same benefit.

        If there were an app that worked and it saved $20billion of government money in support for failed businesses would we risk a short privacy reduction?

        We won't even wear masks which would achieve a similar level of security without loss of privacy for a fraction of the cost.

    • Andre 4.1

      No matter how many assurances techies give me about data anonymisation, security etc, I've got a real problem with the idea of putting some kind of app on my phone that requires bluetooth to continually be on and has some sort of fairly precise tracking capability.

      But I'm totally ok with the idea of carrying around a government issued card-sized device that does essentially the same thing. The main articulable reason is that a separate dedicated device is much less a risk for malware.

  4. RedLogix 5

    There is always a trade off between personal freedom and social freedom. Reaching for an example everyone can identify with … if everyone was free to choose which side of the road they wanted to drive on that day, the roads themselves would quickly become dangerous mayhem and become unusable. So we trade off some of our personal freedom and submit to a rule that we must all drive on one arbitrary side (and many other rules) in order to gain the social freedom that enables all of us to drive where we want safely.

    So far this is pretty obvious. But the subtle observation to be made here is that we don't make the same rule for pedestrians on a sidewalk. There is simply no need for it, because the consequences of a collision between two people just walking are usually pretty trivial. But driving a car at speed is not only more 'powerful' than walking, it's also more dangerous, so we tolerate less personal freedom when we get in a car.

    From this we can usefully generalise that the more dangerous the context is, the more we need to trade off personal freedom for social freedom. All this is a complicated way of explaining something most people grasp pretty intuitively anyway. Given an ultimate existential threat like a hostile invasion, we'd all quickly submit to the extremes of martial law with almost no objection. At the extreme we'd sacrifice our own lives for the social survival of the nation.

    The really interesting question is this; moving in the direction of giving away personal freedoms is usually marked by a crisis of some nature. It's a visible process. But when the crisis passes the opposite movement back toward restoring personal freedoms is much less obvious, there is no crisis, there are no headlines … it's not clear what mechanism drives us to restore the balance between personal and social freedom again.

    Does the pendulum ever quite go back to where it was? Is it a bit sticky? Under what conditions does the pendulum get stuck at tyranny? After all my all-time favourite scifi author Vernor Vinge had a great line for this "ubiquitous surveillance being one of the better known end-points for civilisations".

    Crunching this back down to the matter at hand, my instinct is that for the duration of the COVID crisis most people will trade off some privacy and personal freedom, for the ability to travel, socialise and work safely … IF there is a clear cut sunset mechanism undoing the new rules when the crisis is over.

    Then there is another completely different way to frame this; what if personal freedom was largely an illusion?

  5. weka 6

    That's the sound of the MoH poking holes in the Ardern government's moral legitimacy to manage the covid outbreak well.

    That messaging is classic MoH. Doctor knows best.

    Never mind about Bennett and Peters, Bennett demonstrated ably some years ago that our privacy laws are sufficiently loose to allow much abuse. She not only released the private information about beneficiaries, once she was found to be in breach of the privacy act she basically said she didn't give a shit.

    Cue Bill English's big data plans. Normalise using personal data to control beneficiaries, the middle classes will come later.

    I'm seeing a fair amount of twitter talk about the tech side of contact tracing. They throw in some bits about privacy, but I'm not seeing many people taking it seriously. We should be worried.

  6. Carolyn_Nth 7

    It does worry me. I have always been suspicious of the amount of data people willingly put online. [See Zuboff's, Age of Surveillance Capitalism)

    I rarely use facebook. And I also rarely use a mobile phone. I have a flip phone for phone & texting and don't have it on a lot, and rarely have it on when I'm out and about.

    I have a smart phone that I've never used as a phone – am trialing a year with lowest cost plan, but actually only use it for free wifi when I'm out and about. And since lock down, I haven't had it on.

    Don't have GPS in my car.

    I have wondered about the ease of tracking people via HOP cards.

    It's made so it's impossible to totally avoid this insidious surveillance of our private lives. For most people, it probably doesn't have a lot of impact. But for those who are critical of those with power, wealth and influence, it could too easily be misused to silence them.

  7. McFlock 8

    Basically, there's no fucking way any cellphone-based tracking system will be put back in the box. Even if the programme closes, the private sector (and secret squirrel crowd) will be putting together the lessons learned for their own non-pandemic projects.

    I'm actually pretty relieved I have an obsolete android version – there's a good chance I'll be an outlier not able to take the app.

    There are good reasons to do tracking invasively in a "papers please" manner during a pandemic. That's why I like the bluetooth card idea – the programme can only last a year or so before it needs all the cards replaced. Each and every time you get or carry it, it's "wasn't this just supposed to be for the pandemic?"

    A phone app preinstalled as a background-running thing on every new phone? Becomes unnoticed with no reminders, and never dies as long as the phone is alive.

    • KJT 8.1

      Everyone who uses any form of bank card, is constantly tracked already.

      It was publicly said that one of the reasons supermarkets were allowed to open, is that everyone makes a purchase, and could be contact traced through their bank records.

      We already know that banks were happy to give that information to the police, pre-covid, recently, without a warrant. Even though that was illegal.

      Of course, smart phone tracking is here already.

      It would be naïve to think that our security services, who have already shown their contempt for privacy laws, don't use this information.

      I'm OK, with health authorities using information in a silo for a limited purpose, but doubt that will be the case.

      Misuse of peoples private information, seems to be a feature of National Government.

  8. DennyPaoa 9

    If any NZ government accepts or adopts this policy. We will be more closely aligned with China (I don't have a problem with that per se) and we'd effectually be adopting full public surveillance which does play into the 5 Eyes network hands which have been collecting bio-data which has been going on since the Iraqi war, if not before?
    But then again, they couldn't find a terrorist!

    • Peter ChCh 9.1

      Yes, but as RedLogix says above (paraphrasing here), living in a society comes with a tradeoff between personal freedom and social freedom.

      Excessive personal freedom and we will end up like the USA, with nutters claiming the personal freedom to own bazookas and sub machine guns at the expense of the social freedom of the majority. Desperate times, which these are and will remain for a few years, requires a small erosion of personal freedom. But yes, a sunset clause would be good.

  9. Robert Guyton 10

    Perhaps we should lose our phones.

    En masse.

  10. RedBaronCV 11

    I'm going to stay as far away from this as possible.

    MOH already link most health data to your national health number and there is no way that they won't use this more widely. Health in general seems to be wildly naive about the uses their data collection can be put to. They also upload health information to the national database. It's deeply scary.

    And don't for one moment think that the database Bill English created is only for beneficiaries. The object ( can't find the source) was to have the spine of the system as an individual number for every New Zealander against which data sets with data about them can be loaded. I think it's under the commercial arm of the Stats dept so money is involved – plus some spectacular naivety about data reintegration methinks.

    https://www.stats.govt.nz/integrated-data/integrated-data-infrastructure/

    The rules are here and don't for one moment think that the public interest is narrowly drawn. – the privacy impact assessments link is an eyeopener. Basically external datasets can be loaded by an applying party and this used to extract the data from the government datasets loaded which include health, tenancy data, education etc.

    An example is this from the Rugby Union

    https://www.stats.govt.nz/privacy-impact-assessments/privacy-impact-assessment-for-adding-nz-rugby-register-data-to-the-idi

    who wanted to load data from a book, the NZ Rugby Register (basically it's a settle-the-pub-argument book, but whatever happened to copyright?) which has details of all players above a certain level gleaned from newspapers etc. What the union want to do is use this data to attach to individual health records to analyse the long term health outcomes of rugby playing ( so if you play in a forward pack you may not get life/health insurance in the years to come or pay an increased premium ? Data to minimise ACC premiums and claims) The privacy analysis is a joke. They assume that players in a modern era might be able to be identified but not those earlier. WTF- a few minutes with other sources would fix that issue.

    However, NOWHERE does the assessment ask the blindingly obvious question – would individuals agree to surrendering their long term medical records to the Rugby Union for the purposes of analysis and subsequent possible dissemination to other parties such as ACC or insurers and why are they not getting that choice.

    Benefits of adding NZ Rugby Register data to the IDI

    Research using the NZ Rugby Register data will assist NZ Rugby to manage the player welfare risks in rugby. At present, NZ Rugby is faced with a lack of knowledge, and this data will help NZ Rugby to confirm or refute claims that were previously unsupported by research evidence.

    Adding NZ Rugby Register data to the IDI will:

    • enable analysis on health outcomes of former provincial-level rugby players compared to similar New Zealanders who did not play provincial rugby or higher
    • specifically, allow NZ Rugby to compare rates of dementia, arthritis, heart disease, cancer, and all-cause mortality, along with measurements of quality of life
    • by having this knowledge, put NZ Rugby in a better position to manage the risks and help fulfill their duty of acting as a responsible sports organisation.

    Time to dump this whole database – it's outstandingly dangerous- and cut out the "income earning arm of stats" – it's blinding them to their public service role if they can see dollars. One bad actor with this stuff would have a field day

    • McFlock 11.1

      IDI isn't actually too bad – because there's no govt-wide ID number, the interdepartmental linkages are probabilistic. Also, statsnz and MoH managed to argue down MSD and put in OTT controls on researchers. It's a headache.

      One issue I have with a cellphone-based solution is that it puts everything through one channel: whomever is in control of that can see everything.

      FB has a lot of stuff, the bank has a lot, stores I use club cards at know a lot. But a bank vault where different employees have different parts of the combination is more secure than a vault where an employee knows the entire combination.

      • RedBaronCv 11.1.1

        From what I have read there is a unique identifier in the spine. But see the description below. It may be stored as a sort of relational database but put in say your birthdate, sex, ird number and a couple of other factors and what you get out will be pretty much your data. Nor do I hear anyone asking us if we want say our health data shared widely. Plus a bad actor could go through and de-aggregate to find say "individuals who have had an abortion." And it's easy enough to de-anonymise data sets.

        https://www.adruk.org/news-publications/news-blogs/new-zealands-integrated-data-infrastructure-linking-data-for-better-science-and-policy-123/

        "The ‘spine’, containing more than nine million people, is the central dataset that all other datasets are linked to. It is created through probabilistic linkage, linking tax data to births data, births to visa data, and visa to tax data; these links are then combined to create the spine dataset. It is estimated that fewer than 1% of links in the spine are incorrect. "

        • McFlock 11.1.1.1

          Given the paranoid levels to which they prevent researchers having anywhere close to that access, I'd be surprised if anyone had that level of unsupervised control.

          How it works for researchers is that once you pass the vetting so your project is safe and worthy of the IDI, you go into a room with a single machine. No data uploads. You type in your queries. They get back to you after a while to say whether you're allowed to see the answer.

          You don't get back anonymised individual records. They give you aggregates that are too large to be reverse-engineered into identifiable data, last I looked at the process. And even then the linkage is an estimate, with gaps filled in from dataset to dataset (or conflicting data between organisations "corrected") with a probabilistic guess.

          Don't get me wrong, if they'd gone with MSD's ideas for use, it would be a privacy nightmare full of pretend-precogs "because the data says you're likely to be xxxxx". And it could always change its rules. And I've not really considered it worthwhile (just to replicate findings already made by nations with a national ID number? meh).

          But the clubcard at the supermarket paying you to participate? Your purchases tell rando analyst and advertising purchaser if you're single, in a new relationship, or about to expect a baby. Exercise loggers were telling stalkers where their victims lived by simple elimination. IDI designers went to great lengths to make that sort of thing structurally impossible, like refund handling authority at a tech giant.

          • RedBaronCv 11.1.1.1.1

            They acknowledge that it can happen ( see the rugby example- can't come up to more recent data) but the central issues remain- I don't want say my health data being accessed by the NZRFU without my express permission which I wouldn't give and this can fall into the hands of "bad actors" . How private would low end data be under a RW government?

            BTW I don't use club cards, exercise loggers, social media like facebook twitter,etc. I do use firefox with the latest upgrades– encrypted page requests and duck duck go. I really try to have as small a footprint as possible. Also thinking of reverting to largely cash and have an RF wallet for the phone now I’ve upgraded from last century technology.

            • McFlock 11.1.1.1.1.1

              great, now you just have to defeat face recognition software paired with transaction logs.

              As for the IDI, yes they identify the risk. And explain how they mitigate those risks.

              • RedBaronCv

                There are glasses being tested and coming for that- plus other devices that cause electronic disturbance around you.

                And don’t forget they only decide to mitigate the risk until the day they decide they don’t want to mitigate the risk any more.

          • RedBaronCv 11.1.1.1.2

            And even anonymous data can affect outcomes for individuals. If the rugby study showed that most props died before 60 good luck with getting life insurance if you answered that question on the application form.

            • McFlock 11.1.1.1.2.1

              If it shows most props die before 60, insurance companies will have known it for decades.

              The next question is whether there's a causal link. That's the sort of thing the IDI is ostensibly for, e.g. running rugby position against history of concussion, occupation (maybe props are more likely to be in risky jobs), and cause of death.

              • RedBaronCv

                Look you can easily pick holes in an example I give but the basic principles as you affirm in the next sentence remain the same. If there is more than a causal link who benefits?

                Highly unlikely to be the individual concerned where independent questions can be asked to see if they fit the criteria and then they can be discriminated against. But the NZRFU – why do they want to know this stuff? It will be costing them money so they are wanting some return.

                And I remain utterly unconvinced that they should be allowed to access private healthcare details without the informed consent of those whose records are being accessed even if they only get a bulk answer.

                • McFlock

                  It's not the NZRFU directing the outputs, though.

                  Look at the recent history of concussions in sport, especially the attempted coverups. The beneficiaries of research by disinterested and independent researchers will benefit future players more quickly. The entire idea of this sort of research is to look to the experiences of the past to help the people in the present and future.

                  Hell, you're talking me into liking the damned idea, even though for me it involves going into a room, logging into a strange machine, typing code from memory, and waiting an hour only to discover I left off a semicolon and screwed the entire program.

                  • RedBaronCv

                    The NZRFU asked for the extra data they provided (someone's book to be uploaded) so the data in it could be used to scrape the IDI for further data – presumably of their choosing subject to some controls and I assume payment from them so it is a profit driven exercise as far as I can see for both parties. The data in the IDI was derived from individuals who have not consented.

                    It's a bit like those genetic databases (that are causing all sorts of ethical problems). If you upload yours then you actually upload the rest of the family by default.

                    But we will have to agree to differ I feel. I rate individual privacy and informed consent very highly and can see some very real personal downsides for individuals – never mind the bad actors if they become involved.
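The thread above turns on two claims: McFlock's, that released aggregates are "too large to be reverse-engineered into identifiable data", and RedBaronCv's, that it is "easy enough to de-anonymise data sets". The worked example below is an added illustration of the gap between them (it is not code from the page, from Stats NZ or from the IDI, and the population, the threshold and the checker are all constructed assumptions). It shows a differencing attack: two counts that each cover a hundred-odd people and each pass a minimum-cell-size rule, whose difference is one person's sensitive flag, and the extra release check that an output-checking step needs in order to catch it.

```python
"""Why 'only aggregates are released' is not enough on its own: two counts that
each pass a minimum-cell-size rule can be subtracted to expose one person.
Added illustration with a constructed population, not anything from the IDI or
its rules; the threshold and the checker are assumptions for the example."""
import random

MIN_CELL = 10   # assumed: counts over fewer than 10 people are never released


def make_population(seed=1):
    """Constructed records: suburb, age, and a sensitive yes/no condition."""
    rng = random.Random(seed)
    people = [{"id": i, "suburb": rng.choice("AB"), "age": rng.randint(20, 90),
               "condition": rng.random() < 0.2} for i in range(200)]
    # One person whose (suburb, age) combination is unique in the data.
    people.append({"id": 200, "suburb": "A", "age": 95, "condition": True})
    return people


def population(people, pred):
    """The set of people a query's filter covers (its 'cell')."""
    return {p["id"] for p in people if pred(p)}


def count_with_condition(people, pred):
    """The kind of aggregate a researcher is allowed to take out of the room."""
    return sum(1 for p in people if pred(p) and p["condition"])


# Two individually innocuous queries: suburb A, and suburb A minus the over-94s.
def q_suburb_a(p):
    return p["suburb"] == "A"


def q_suburb_a_under_95(p):
    return p["suburb"] == "A" and p["age"] < 95


def differencing_attack(people):
    """Both counts cover 100-odd people; their difference is the unique
    95-year-old's condition flag (1 = has it, 0 = does not)."""
    return (count_with_condition(people, q_suburb_a)
            - count_with_condition(people, q_suburb_a_under_95))


class OutputChecker:
    """Models the release step. With differencing=False it applies only the
    minimum-cell rule; with differencing=True it also refuses any count whose
    population differs from an already-released one by fewer than MIN_CELL."""

    def __init__(self, people, differencing=True, min_cell=MIN_CELL):
        self.people = people
        self.differencing = differencing
        self.min_cell = min_cell
        self.released = []          # population sets of counts already out

    def release(self, pred):
        pop = population(self.people, pred)
        if len(pop) < self.min_cell:
            return None                      # small cell: suppress
        if self.differencing:
            for prev in self.released:
                if 0 < len(pop ^ prev) < self.min_cell:
                    return None              # would let someone subtract
        self.released.append(pop)
        return count_with_condition(self.people, pred)


def demo():
    people = make_population()
    naive = OutputChecker(people, differencing=False)
    strict = OutputChecker(people, differencing=True)
    return {
        "leaked_flag": differencing_attack(people),
        "naive_releases_both": (naive.release(q_suburb_a) is not None
                                and naive.release(q_suburb_a_under_95) is not None),
        "strict_blocks_second": (strict.release(q_suburb_a) is not None
                                 and strict.release(q_suburb_a_under_95) is None),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner is that the minimum-cell rule checks each output on its own, while the attack lives in the relationship between outputs; the differencing check only works if the checker remembers every count ever released to anyone, since a second researcher or a later project can supply the complementary query. Linkage to an outside dataset, which is what the rugby register discussion is about, is a separate attack that this check does not address.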

  11. woodart 12

    think the horse has already bolted. your eftpos card, smartphone, laptop, shopping purchases and google feed, along with half a dozen others, leave a huge footprint already..as a professional artist, I realize that art will rightfully be down the list of essentials, nowhere near as important as golf (sarc). so, to keep my head above water, I am making a few (get bored quickly) tin foil hats, caps, beanies, etc… lets not end up like preppers.

  12. Craig H 13

    Bluetooth seems unreliable since it requires Bluetooth to be on, and if it becomes annoying, rooting of devices (replacing the operating system) will become more common as a reaction, or getting a dumb phone which can't run apps for discreet travel.

    I'm not sure if a card will work or not as people can leave it at home, but at least that's the ultimate in opt in, can be tied to alert levels (compulsory for travel at certain alert levels), and will survive a change of phone.

    I'd also say that human rights are important, but they aren't much use if you're dead, so this is probably a case of the right to life outweighing other rights.

  13. Maurice 14

    Faraday Cage ?

  14. Sacha 15

    The whole idea of an app like Singapore's (or the card equivalent) is that it only records which other people with the same app or card cross your path.

    Does not need to know where you were. Does not know if you or anyone else is infectious. Data is downloaded for manual contact tracing, which can tease out those other details just like they already do.

    Otherwise, not useful in itself for any other purpose – unlike heaps of other apps people use every day with GPS/cellsite location tracing turned on.

    Very much little brother rather than big brother. Not that the privacy aspects can be ignored. Nobody I have seen with relevant tech expertise is saying that.

    • Andre 15.1

      I'm ok with carrying around a special purpose small device that records anonymised IDs of people I get close to, and that's the only thing it does.

      But I'm very wary of loading an app for that onto my general purpose device that uses the same comms channels for a whole lot of other things.

      Yes, I do go around with my mobile data, bluetooth and location information turned off, so the closest they get is which tower my phone is connecting to. And eftpos purchases.

    • weka 15.2

      "Not that the privacy aspects can be ignored. Nobody I have seen with relevant tech expertise is saying that."

      I've yet to see a good explanation of the tech in the NZ context that also takes the privacy issues seriously (rather than an add on).
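Sacha's description above (an app that "only records which other people with the same app or card cross your path", knows neither where you were nor who is infectious, and hands its data over for manual contact tracing) is a concrete design, so here is a worked toy version of it in Python. This is an added illustration, not code from the page or from Singapore's or anyone else's app; the 15-minute rotation, the signal-strength and dwell-time thresholds, the 14-day retention and the scenario are all assumptions. Phones broadcast identifiers that rotate every epoch and mean nothing to anyone without the authority's table, each phone keeps an encounter log containing only (identifier, epoch, signal strength), and matching happens on the authority's side after a diagnosed person uploads.

```python
"""Toy model of a proximity-tracing design with rotating pseudonymous IDs:
phones swap short-lived identifiers, keep a local encounter log with no
location in it, and only the health authority can map an ID to a person.
Added example, not code from any real app; all IDs, thresholds and the
scenario are constructed for illustration."""
import secrets
from collections import defaultdict

EPOCH_SECONDS = 15 * 60           # assumed: broadcast ID rotates every 15 min
CONTACT_RSSI = -70                # assumed: signal stronger than this ~ "close"
CONTACT_EPOCHS = 2                # assumed: at least 2 epochs (30 min) together
RETENTION_EPOCHS = 14 * 24 * 4    # assumed: keep 14 days of encounters


class HealthAuthority:
    """Issues identifiers and holds the only table that resolves them."""

    def __init__(self):
        self.issued = {}          # temp_id -> (user_id, epoch it is valid for)

    def issue_batch(self, user_id, first_epoch, count):
        batch = {}
        for epoch in range(first_epoch, first_epoch + count):
            temp_id = secrets.token_bytes(16)   # unlinkable without this table
            self.issued[temp_id] = (user_id, epoch)
            batch[epoch] = temp_id
        return batch

    def resolve(self, temp_id, epoch):
        """Map a logged ID back to a person; reject IDs heard outside the
        epoch they were issued for (a replayed or relayed broadcast)."""
        entry = self.issued.get(temp_id)
        if entry is None or entry[1] != epoch:
            return None
        return entry[0]


class Phone:
    """Broadcasts its current ID and logs the IDs it hears. The log holds
    (id, epoch, signal strength) only: no names, no GPS, no cell site."""

    def __init__(self, user_id, authority, first_epoch=0):
        self.user_id = user_id
        self.ids = authority.issue_batch(user_id, first_epoch, RETENTION_EPOCHS)
        self.encounters = []

    def broadcast(self, epoch):
        return self.ids[epoch]

    def hear(self, temp_id, epoch, rssi):
        self.encounters.append((temp_id, epoch, rssi))

    def upload_on_diagnosis(self, now_epoch):
        """Only on diagnosis, and only the retention window, leaves the phone."""
        cutoff = now_epoch - RETENTION_EPOCHS
        return [e for e in self.encounters if e[1] >= cutoff]


def close_contacts(authority, uploaded):
    """Authority-side matching: who was close enough, for long enough?"""
    epochs_close = defaultdict(set)
    for temp_id, epoch, rssi in uploaded:
        if rssi < CONTACT_RSSI:
            continue                      # too weak a signal to count
        user = authority.resolve(temp_id, epoch)
        if user is None:
            continue                      # unknown or replayed identifier
        epochs_close[user].add(epoch)
    return {u for u, ep in epochs_close.items() if len(ep) >= CONTACT_EPOCHS}


def run_scenario():
    """Constructed scenario: alice is diagnosed at epoch 10; who is a contact?"""
    ha = HealthAuthority()
    phones = {n: Phone(n, ha) for n in ("alice", "bob", "carol", "dave")}
    alice = phones["alice"]
    for epoch in range(1, 5):                                          # one hour
        alice.hear(phones["bob"].broadcast(epoch), epoch, rssi=-60)    # close
        alice.hear(phones["carol"].broadcast(epoch), epoch, rssi=-85)  # far
    alice.hear(phones["dave"].broadcast(7), 7, rssi=-55)               # brief pass
    # Relay attack: bob's epoch-2 ID rebroadcast by someone else at epoch 9.
    alice.hear(phones["bob"].broadcast(2), 9, rssi=-50)
    uploaded = alice.upload_on_diagnosis(now_epoch=10)
    return {
        "contacts": close_contacts(ha, uploaded),
        # bob's four broadcasts are four unrelated byte strings to a bystander
        "ids_rotate": len({phones["bob"].broadcast(e) for e in range(1, 5)}) == 4,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats the thread already raises are visible in the code. The signal-strength threshold is a crude stand-in for distance (barry's objection to Bluetooth for proximity), so carol on the far side of a wall and bob across a table can produce similar readings in practice. And the authority's table is the single channel McFlock worries about: whoever holds it can resolve every uploaded log, which is why decentralised variants move the matching onto the phone instead, at the cost of the manual tracing step Sacha describes.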

  15. "I'm ok with carrying around a special purpose small device that records anonymised IDs of people I get close to, and that's the only thing it does."

    Ditto here.

    And tho' I'm far from a luddite given the first half or more of my life was working in IT, technophiles are always anxious to show us all how clever they are – often to the extent of reinventing wheels; assuring us that the risks of online voting can be 'managed', and there are solutions to everything.

    I'll always remember the wise words of the "10 pound pom" boss I had when first starting out – to paraphrase:

    People should drive technology (and IT solutions), not the other way round. How all that has been corrupted over the years by various IT salesmen and ticket clippers. (Let’s have online voting – because we can)

  16. Carolyn_Nth 17

    Once some records are on a database, there's no telling what authorities, corporations and governments will link it to. So, basically, if it were possible to develop a stand alone virus monitoring app, that'd be my preferred option.

    But then you don't know which companies might merge with the designer of that app in the future.

    Zuboff's research shows that there have been 2 steps in the age of surveillance capitalism. The first one was the erosion of privacy, so that people have gradually come to put all sorts of info about themselves in commercial applications (Facebook, etc), to be mined for commercially useful data.

    The 2nd step was to start using that data to manipulate people for commercial (and maybe political) benefits (see also facebook, etc.).

    She also quotes research that shows how little we know of the access we give to corporations when we sign up to their apps. So signing up to 1 app, involves also agreeing to other apps nested within it. She called these nests within an interconnected ecosystem. Uni of London research showed that agreeing to one smart home device had within it nearly a thousand other apps, each with their own TOS. To really see what you are agreeing to, you'd need to review each of these TOS.

    The role of the GCSB? Maybe to ensure the virus app is not hacked by other countries? But, given the GCSB can also be used to monitor protesters within NZ… I don't trust them

  17. Ad 18

    And the update …

    Palantir is in the running for the Ministry of Health tracking contract.
