COVID-19 Will Forever Change User Privacy Design
Privacy concerns are top of mind right now for the technology sector. As the world’s governments tap user geolocation data from smartphones to help track the pandemic, privacy advocates are concerned about the lack of formal restrictions going into the future. Meanwhile, health officials across the world have reported varying levels of success using emergency powers to track quarantine measures and slow the spread of COVID-19.
In China, for instance, quarantine measures are being slowly lifted. However, freedom of movement is contingent on downloading apps which track personal IDs, health records, mobile data and geotags. It’s unclear what data is being collected, and for how long that data will live in unknown databases. Similarly, Poland’s “selfie app”, while only downloaded by a few thousand users, has raised eyebrows among privacy watchdogs as it collects personally identifying data, geotags and facial recognition data, which might be stored for up to 6 years.
Wherever you stand on the complex topic of internet privacy, one thing is certain: any organization with a mobile app that collects user data will need to be much more educated about the subject than ever before. Developers and designers will need to be hyper-aware of privacy-by-design, as well as the regional regulations surrounding them.
Round 2 of Privacy-first Development
Here in Europe, where Polcode is based, we’re no stranger to changing the way we develop apps based on new privacy laws. In 2018, the General Data Protection Regulation (GDPR) went into effect and forever changed how user data is collected, stored and shared.
Outside of the COVID-19 situation, tracking people on their mobile devices without their knowledge is essentially a powerful private and government surveillance tool, breaching the norms of privacy rights. Privacy watchdogs have stressed the importance of retiring these powers once the pandemic has been resolved.
Currently, the GDPR outlines privacy guidelines during a health crisis: it allows public health officials to gather personal data without consent during a pandemic. However, governments have primarily focused on tracking geolocation data during the COVID-19 outbreak, a data subset the GDPR does not specifically address. The government body responsible for the GDPR is currently working on new guidelines as a result of the novel coronavirus. Simultaneously, the European Data Protection Supervisor (the EU’s privacy watchdog) has called for a single app in Europe, to avoid misuse of private information by too many disjointed providers.
How Does Geolocation Data Work?
• The technology
GPS and WiFi chips are installed in every smartphone. Your connected devices constantly ping the nearest cellular tower, which means carriers also have access to your geolocation through your SIM card. A third way is simply manual user input, where users contribute their location data willingly.
• The geodata transmitted
A smartphone (and individual apps) may have permissions to sense not only geolocation data, but also dynamic movement and even proximity to other phones. It can tell when the phone is still, when it’s on the move, and how much it moves. Technologies like Bluetooth can transmit data about proximity to other nearby phones.
• What they can do with this data
The majority of geodata is used for marketing and market research. There is also a market for selling and buying this data among advertisers. Ethical data collection anonymizes the user as much as possible. However, both companies and governments can likely pinpoint a user’s exact location and movement schedules, and even build rich models of habits and preferences. The privacy issue is so complex because it’s often unclear how geo-data is collected, stored, and what exactly it gets used for.
What are governments doing with geolocation data during COVID-19?
COVID-19 has introduced an unprecedented situation where government health officials, businesses and the general public have leveraged geotagging to build different tools.
Notable countries that contained national outbreaks successfully, like South Korea and Singapore, were supported by quickly deploying contact-tracing apps. Singapore’s TraceTogether app works by using Bluetooth to identify how many people the user likely came into contact with. If someone tests positive for COVID-19, the health ministry can contact those people.
However, government tracing apps are an unprecedented departure from established user privacy standards. Chinese social media users have raised concerns as to why ecommerce and messaging companies like Alipay and WeChat are able to track health records and locations. In the West, Apple and Google announced mobile OS-level systems for tracking the spread of the virus, allowing users to share data voluntarily through Bluetooth transmissions and approved apps from health organizations; the data sets are encrypted so that user privacy is protected.
In countries with detailed user privacy laws, such as Switzerland, a consortium is also developing a COVID-19 contact-tracing app, operating within the strict guidelines of the EU GDPR.
Government-imposed isolation has been common at border checks, or among people who tested positive for COVID-19 in medical facilities. Apps have been explored as quarantine enforcement, allowing governments to check in on, monitor and collect movement data about users. For example, Poland’s COVID-19 “selfie app” asks quarantined users to take a selfie, which facial recognition software stores. At irregular intervals, the user will be asked to upload another selfie during quarantine to prove that they have not left their premises. Geo-data is also included to ensure the user hasn’t moved around between selfies. The Polish government has imposed fines on people not following its quarantine rules, and data privacy advocates have raised questions about how long the data will be stored, and how involuntary it might become for travellers in the near future.
• Proximity Detection
COVID-19 tracking apps like Argentina’s CoTrack and the apps from MIT and Oxford University currently collect location and proximity data on mobile devices, and share it only with consent and with no personally identifying data. These apps look at device interactions and proximity between phones using Bluetooth technologies, giving health officials a way to track movements, quarantine risks and group gatherings while keeping personal location data anonymized.
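The privacy-by-design pattern behind the Bluetooth proximity apps above (short-lived tokens exchanged between phones, matching done on the device, data released only with consent) modelled as an added example; this is not code from TraceTogether, CoTrack, MIT, Oxford or Apple/Google, and the daily-key and HMAC token construction is an assumption chosen for illustration.

```python
"""Illustrative model of Bluetooth proximity tracing with rotating tokens.
Added example, not TraceTogether, CoTrack or Apple/Google code. Assumed design:
each phone keeps a secret daily key, broadcasts short-lived pseudonymous tokens
derived from it, and a diagnosed user publishes only daily keys, with consent.
Matching runs on the phone; no location or identity ever leaves it.
"""
import hashlib
import hmac
import os

TOKEN_LEN = 16       # bytes per broadcast token
SLOTS_PER_DAY = 144  # rotate every 10 minutes so a device can't be followed


def rolling_token(daily_key: bytes, slot: int) -> bytes:
    """Token broadcast during one 10-minute slot (HMAC, assumed construction)."""
    msg = slot.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:TOKEN_LEN]


class Phone:
    def __init__(self) -> None:
        self.daily_keys = {}  # day -> secret key, never transmitted
        self.seen = []        # (day, token) heard over Bluetooth; no GPS stored

    def key_for(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, os.urandom(32))

    def broadcast(self, day: int, slot: int) -> bytes:
        return rolling_token(self.key_for(day), slot)

    def consent_upload(self, days) -> list:
        """On a positive test and with consent, release only the daily keys."""
        return [(d, self.key_for(d)) for d in days]

    def exposure_slots(self, published) -> list:
        """Regenerate tokens from published keys and match the local log."""
        hits = []
        for day, key in published:
            cands = {rolling_token(key, s): s for s in range(SLOTS_PER_DAY)}
            hits += [(d, cands[t]) for d, t in self.seen if d == day and t in cands]
        return hits


def simulate() -> tuple:
    """Constructed scenario: Bob meets Alice on day 5, slot 30; Carol meets nobody."""
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.seen.append((5, alice.broadcast(5, 30)))
    bob.seen.append((5, carol.broadcast(5, 90)))
    published = alice.consent_upload([4, 5])  # Alice tested positive
    return bob.exposure_slots(published), carol.exposure_slots(published)
```

Note that the published keys reveal when Bob was near a diagnosed person, but nothing about where either of them was, and Carol's tokens remain unlinkable because her key was never released.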
Moving Forward with Privacy Awareness
Knowing about your region’s privacy laws, the ethical reasons behind user privacy, and how privacy is maintained can all be quite confusing. And for good reason—a smartphone contains wildly complex interactions between hardware (chips, processors), operating systems (e.g. Android and iOS), app stores, platforms, app developers, and mobile carriers. At any point between these interactions, data can be tracked, transmitted and used—with or without our knowledge.
By being informed and aware of modern privacy topics, businesses and developers can contribute to solving problems without stepping over boundaries that may impact
Polcode remains committed to building websites, apps and products using the latest developments in user privacy. With clients all around the world, it’s important for us to be educated about regional and local privacy laws, as well as privacy advocates, so that our clients’ businesses are risk-averse. Feel free to contact us to learn more about our approach to app development.