In fight against coronavirus, governments embrace surveillance

By Vincent Manancourt, Janosch Delcker, Mark Scott and Laurens Cerulus
·7 min read

BRUSSELS — Chinese-style surveillance is coming to a neighborhood near you.

From drones barking orders at park-goers to tracing people's movements through cellphones, Western governments are rushing to embrace sophisticated surveillance tools that would have been unthinkable just a few weeks ago.

In the European Union, home to the world's strictest privacy regimen, leaders have taken the unprecedented step of asking telecoms companies to hand over mobile phone data so they can track population movements and try to stop the spread.

The European Commission has gone further, asking all such data to be centralized to speed up prevention across the bloc, three people involved in the talks told POLITICO. But epidemiologists argue that such efforts are only a first step: To be fully effective, some say, the EU will have to follow the example of South Korea and China and make infected people download an app that would reveal exactly where they go and whom they meet.

“It would be much more efficient [to stop the spread of the coronavirus] if everyone had the same app,” said Sune Lehmann Jørgensen, a professor at the Technical University of Denmark who is advising the government on how best to track the coronavirus. “But we shouldn’t just institute global surveillance.  [The] 9/11 [attacks] showed us that in times of crisis, we can erode people’s rights."

While governments seek out more effective tracking tools, companies best known for providing digital surveillance for security forces are proving only too happy to oblige. Some, like the Israeli NSO Group and facial recognition company Clearview AI, have barely emerged from controversies about their practices, while others, like U.S.-based Palantir, are closely linked to the intelligence and defense communities in the United States.

The race to embrace invasive tools underscores a simple dynamic at play during the current global pandemic: Public health concerns are trumping the desire to protect individuals' privacy online and in the real world, even in the home of the General Data Protection Regulation, Europe's sweeping privacy rules.

And so far, regulators and the public are largely standing by.

“The acceptance level for tracking is higher," said Staffan Truvé, chief technology officer of cybersecurity intelligence firm Recorded Future. "Everyone feels at risk. The personal benefit of briefly giving up your privacy feels much bigger than with terrorist attacks.”

Just a few weeks ago, when the pandemic was still a distant fear, privacy advocates latched on to a clip of Chinese police ordering an elderly woman back into her home via drone-mounted loudspeaker as an example of Big Brother tactics gone awry.

Now, drones are deployed in Brussels, the heart of Europe's institutional capital, to enforce social-distancing rules, and stay-at-home orders are being broadcast through the streets of German cities.

The speed with which such solutions have not just been rolled out, but also been largely accepted by anxious populations is prompting critics to warn of a danger to democracy. In Israel, the government last week approved sweeping new emergency surveillance powers that allow authorities to enforce quarantine orders and warn people about potentially infectious encounters.

Despite the potential for snooping and privacy breaches, the EU has said it would continue to approve the transfer of data about EU citizens to Israel. And some European lawmakers are already calling for similar surveillance powers closer to home.

In France, two conservative senators last week tabled an amendment that would authorize telecoms operators to collect health and location data on all mobile phone users for six months. It was defeated, but telecoms-to-government data transfers are happening on an ad hoc basis.

In Brussels, Thierry Breton, the EU's Internal Markets Commissioner, has been at the forefront of efforts to get companies to share data. During a conference call with executives from telecoms giants, including Deutsche Telekom and Orange, the Frenchman asked them to hand over so-called metadata, or peripheral information stripped of individual identifiers, on millions of people's mobile phones.

“The whole idea [in sharing mobile data with governments] is to be ahead of the curve," said Frederic Pivetta, the founder of Dalberg, a data analytics firm that has been contracted by the Belgian government to use telecom data to map the spread of the coronavirus. "This exercise is meant to flatten the curve, so less people are going to be infected because you know where the infected people are today."

As governments take similar steps across the EU, they can look to Norway for an example of how it can be implemented.

Telenor, the local carrier, has been sharing aggregated mobile data with scientists for three weeks, according to Arnoldo Frigessi, a statistician at the University of Oslo involved in the project. He said that his team had been able to track a roughly 60 percent drop in people moving between municipalities by tracking smartphone movements.

But now that most people were staying at home, Frigessi said more needs to be done to ensure people are staying separated. His team is helping the Norwegian government to create its own smartphone app in the coming weeks to give greater insight into individuals’ activities.

An app "is a completely different story," he said.

Norway is not alone.

Spain, Romania, Slovakia and Poland have already created their own version of these apps, which experiences in South Korea, Hong Kong and China suggest can be highly effective in slowing the spread of disease.

The rush to embrace data-sharing and even apps that track infected people's whereabouts raises the question: Where are Europe's data regulators? For now, they are largely keeping an eye on developments and even in some cases giving their blessings to new data-collection initiatives.

“I’m observing how in the corona pandemic, other countries are neglecting data protection in parts," said Ulrich Kelber, who's in charge of the federal privacy regulator in Germany. "But in Germany I don’t see any reason for that because all solutions can be designed so that they don't infringe upon fundamental rights."

Kelber endorsed a scheme under which Deutsche Telekom, the local carrier, handed over 5 gigabytes of data on its 46 million mobile customers to the Robert Koch Institute (RKI), Germany's national disease control center. Across the border in Austria, top data regulator Andrea Jelinek, has done the same for similar data-sharing plans. Such aggregated data does not offer granular information on people's everyday movements.

“Rest assured that all offices are watching this [data-transfer practice] closely,” Jelinek, who also chairs the EDPB, Europe's umbrella group of privacy authorities, told POLITICO. “People have other concerns right now than hollowing out data protection standards."

But privacy advocates strongly disagree.

Pointing to a wave of new surveillance powers approved nationally and EU-wide in 2015- 2017, following a wave of terrorist attacks, critics argue that regulators are green-lighting practices that will be almost impossible to unwind once the pandemic has passed.

Patrick Breyer, a German MEP, said that once approved, mobile data-sharing schemes would set a dangerous precedent for real-time monitoring of meetings and gatherings.

“There can be many reasons why you would want to meet in private without being tracked by the government and without alerting them to it," he said. "It's important in a democracy, and even more important in autocratic regimes, where people need to meet in secret, to make sure that they are not exposed to a government crackdown."

According to European Commissioner Breton and other top officials urging telecoms operators to hand over data, privacy can be respected because the data concerned is anonymized and aggregated.

But that is a little reassurance, according to privacy experts who point out that an individual's identity can easily be deduced from just a handful of anonymized mobile phone location data points.

"The challenge with this data is that we don't believe it can be anonymized," said Yves-Alexandre de Montjoye, head of the computational privacy group at Imperial College London, whose research found that almost all people could be personally identified from just four pieces of anonymized mobile phone data. "It comes down to what is reasonable and proportionate."

Laura Kayali contributed reporting.

Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email pro@politico.eu to request a complimentary trial.