A new paper by Rob Kitchin has been published in Space and Polity examining the implications to civil liberties of using surveillance technologies to tackle the spread of COVID-19.
Civil liberties or public health, or civil liberties and public health? Using surveillance technologies to tackle the spread of COVID-19
To help tackle the spread of COVID-19 a range of surveillance technologies – smartphone apps, facial recognition and thermal cameras, biometric wearables, smart helmets, drones, and predictive analytics – have been rapidly developed and deployed. Used for contact tracing, quarantine enforcement, travel permission, social distancing/movement monitoring, and symptom tracking, their rushed rollout has been justified by the argument that they are vital to suppressing the virus, and civil liberties have to be sacrificed for public health. I challenge these contentions, questioning the technical and practical efficacy of surveillance technologies, and examining their implications for civil liberties, governmentality, surveillance capitalism, and public health.
Keywords: coronavirus; COVID-19; surveillance; civil liberties; governmentality; citizenship; contact tracing; quarantine; movement; technological solutionism; spatial sorting; social sorting; privacy; control creep; data minimization; surveillance capitalism; ethics; data justice.
The coronavirus pandemic has posed enormous challenges for governments seeking to delay, contain and mitigate its effects. Along with measures within health services, a range of disruptive public health tactics have been adopted to try and limit the spread of the virus and flatten the curve, including social distancing, self-isolation, forbidding social gatherings, limiting travel, enforced quarantining, and lockdowns. Across a number of countries these measures are being supplemented by a range of digital technologies designed to improve their efficiency and effectiveness by harnessing fine-grained, real-time big data. In general, the technologies being developed and rolled-out fall into four types: contact tracing, quarantine enforcement/movement permission, pattern and flow modelling, and symptom tracking. The Irish government is pursuing two of these – contact tracing and symptom tracking – merged into a single app ‘CovidTracker Ireland’. In this short essay, I outline what is known about the Irish approach to developing this app and assess whether it will work effectively in practice.
CovidTracker Ireland
On March 29th 2020 the Health Services Executive (HSE) announced that it hoped to launch a Covid-19 contact tracing app within a matter of days. Few details were given about the proposed app functionality or architecture, other than it would mimic other tracing apps, such as Singapore’s TraceTogether, using Bluetooth connections to record proximate devices and thus possible contacts, together with additional features for reporting well-being. The HSE made it clear that it would be an opt-in rather than compulsory initiative, that the app would respect privacy and GDPR, being produced in consultation with the Data Protection Commission, and it would be time-limited to the coronavirus response. It was not stated who would develop the app beyond it being described as a ‘cross-government’ effort.
On April 10th, the HSE revealed more details through a response to questions from Broadsheet.ie, stating that the now named CovidTracker Ireland App will:
“help the health service with its efforts in contact tracing for people who are confirmed cases;
allow a user to record how well they are feeling, or track their symptoms every day;
provide links to advice if the user has symptoms or is feeling unwell;
give the user up-to-date information about the virus in Ireland.”
Further, they reiterated that the app ‘will be designed in a way that maximises privacy as well as maximising value for public health. Privacy-by-design is a core principle underpinning the design of the CovidTracker Ireland App – which will operate on a voluntary and fully opt-in basis.’ There was no mention of the approach being taken; however the use of the HSE logo on the PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing) website indicates that it has adopted that architecture, an initiative that claims seven countries are using their approach, with reportedly another 40 countries involved in discussions.
As of April 22nd the CovidTracker Ireland app is under development, with HSE stating on April 17th that it was being tested with a target of launching by early May when it is planned that some government restrictions will be lifted.
Critique and concerns
From the date it was announcement concerns have been expressed about the CovidTracker Ireland, particularly by representatives of Digital Rights Ireland and the Irish Council for Civil Liberties. A key issue has been the lack of transparency and openness in the approach being taken. An app will simply be launched for use without any published details of the approach and architecture being adopted, consultation with stakeholders, piloting by members of the public, and external feedback and assessment.
There are concerns that a centralized, rather than decentralized approach will be taken, and there is no indication that the underlying code will be open for scrutiny, if not by the public, at least by experts. It is not clear if the app is being developed in-house, or if it has been contracted out to a third-party developer and if the associated contract includes clauses concerning data ownership, re-use and sale, and intellectual property. There are no details about where data will be stored, who will have access to it, how will it be distributed, or how it be acted upon. There is unease as to whether the app will be fully compliant with GDPR and fully protect privacy, especially given that a Data Protection Impact Assessment (DPIA), which is legally required before launch, has seemingly not yet been undertaken. Such a DPIA would allow independent experts to be able to assess, validate and provide feedback and advice.
Critics are also concerned that CovidTracker Ireland merges the tasks of contact tracing and symptom tracking which have been pursued separately in other jurisdictions. Here, two sets of personal information are being tied together: proximate contacts and health measures. This poses a larger potential privacy problem if they are not adequately protected. Moreover, critics are worried that CovidTracker Ireland might become a ‘super app’, which extends its original ambition and goals. Here, the app might enable control creep, wherein it starts to be employed beyond its intended uses such as quarantine enforcement/movement permission. For example, Antoin O’Lachtnain of Digital Rights Ireland has speculated that we might eventually end up with an app to monitor covid-19 status that is “mandatory but not compulsory for people who deal with the public or work in a shared space.”
As Simon McGarr argues, the failure to adequately engage with these critiques and to be open and transparent means that “the launch of the app will inevitably be marred by immediately being the subject of questions and misinformation that could have been avoided by simply overcoming the State’s institutional impulse for secrecy.”
Internationally, there is scepticism concerning the method being used for app-based contact tracing and whether the critical conditions needed for successful deployment exist. Bluetooth does not have sufficient resolution to determine two metres or less proximity and using a timeframe to denote significant encounters potentially excludes fleeting, but meaningful contacts. There are also concerns with respect to representativeness (for example, 28% of people do not own a smartphone in Ireland), data quality, reliability, duping and spoofing, and rule-sets and parameters. The technical limitations are likely to lead to sizeable gaps and a large number of false positives that might produce an unmanageable signal-to-noise ratio, leading to unnecessary self-isolation measures and potentially overloading the testing system.
There is a concern that app-based contact tracing is being rushed to mass roll-out without it being demonstrated that it is fit-for-purpose. Moreover, the app will only be effective in practice if: there is a program of extensive testing to confirm that a person has the virus and if tracing is required; and 60% of the population participate to ensure reach across those who have been in close contact (c.80% of smartphone users). The symptom tracking relies on self-reporting, which lacks rigour and, as testing has shown, a large proportion of the population who were tested because they were experiencing symptoms returned negative. This is likely to lead to a large number of false positives and it is doubtful that these data should guide contact tracing.
At present, while Ireland is ramping up its testing capability towards 100,000 tests a week, it might need to increase that further. The Edmond J. Safra Center for Ethics at Harvard University suggest that in the United States: “We need to deliver 5 million tests per day by early June to deliver a safe social reopening. This number will need to increase over time (ideally by late July) to 20 million a day to fully remobilize the economy. We acknowledge that even this number may not be high enough to protect public health.” The equivalent rate for Ireland would be 300,000 tests per day. In Singapore, only 12% of people have registered to use the TraceTogether app, which raises doubts as to whether 60% of the population in Ireland will participate, especially since the public are primed to be sceptical given media coverage about the app have raised issues of privacy, data security and data usage.
Will CovidTracker Ireland work and what needs to happen?
There is unanimous agreement that contact tracing is a cornerstone measure for tackling pandemics. Assuming that the privacy and data protection issues can be adequately dealt with it, it would be good to think that CovidTracker Ireland will make a difference to containing the coronavirus and stopping any additional waves of infection.
However, there are reasons to doubt that app-based contact tracing and symptom tracking will make the kind of impact hoped for unless:
its technical approach is sound and civil liberties protected;
there is testing at sufficient scale that potential cases, including false ones, are dealt with quickly;
the government can persuade people to participate in large numbers.
The government might also have to supply smartphones to those that do not own them, as they did in Taiwan. Persuading people to participate will especially be a challenge since the government is not being sufficiently transparent at present in explaining the approach being taken, the app’s intended technical specification, how it will operate in practice, its procedures for oversight, and how it will protect civil liberties.
It is essential that the government follow the guidance of the European Data Protection Board that recommends that strong measures are put in place to protect privacy, data minimization is practised, the source code is published and regularly reviewed, there is clear oversight and accountability, and there is purpose limitation that stops control creep.
If implemented poorly, the app could have a profound chilling effect on public trust and public health measures that might be counterproductive. As a consequence, the Ada Lovelace Institute, a leading UK centre for artificial intelligence research, is advising governments to be cautious, ethical and transparent in their use of app-based contact tracing. Ireland might do well to heed their advice.
Update: a revised version of this working paper has now been published as open access in Space and Polity.
A new paper by Rob Kitchin (Programmable City Working Paper 44) examines whether digital technologies will be effective in tackling the spread of the coronavirus, considers their potential negative costs vis-a-vis civil liberties, citizenship, and surveillance capitalism (see table below), and details what needs to happen.
Using digital technologies to tackle the spread of the coronavirus: Panacea or folly?
Abstract
Digital technology solutions for contact tracing, quarantine enforcement (digital fences) and movement permission (digital leashes), and social distancing/movement monitoring have been proposed and rolled-out to aid the containment and delay phases of the coronavirus and mitigate against second and third waves of infections. In this essay, I examine numerous examples of deployed and planned technology solutions from around the world, assess their technical and practical feasibility and potential to make an impact, and explore the dangers of tech-led approaches vis-a-vis civil liberties, citizenship, and surveillance capitalism. I make the case that the proffered solutions for contact tracing and quarantining and movement permissions are unlikely to be effective and pose a number of troubling consequences, wherein the supposed benefits will not outweigh potential negative costs. If these concerns are to be ignored and the technologies deployed, I argue that they need to be accompanied by mass testing and certification, and require careful and transparent use for public health only, utilizing a privacy-by-design approach with an expiration date, proper oversight, due processes, and data minimization that forbids data sharing, repurposing and monetization.
Keywords: coronavirus; COVID-19; surveillance; governmentality; citizenship; civil liberties; contact tracing; quarantine; movement; technological solutionism; spatial sorting; social sorting; privacy; control creep; data minimization; surveillance capitalism; ethics; data justice.
Rob Kitchin is a co-editor (along with Mark Graham, Shannon Mattern, and Joe Shaw) of a new book ‘How to Run a City Like Amazon, and Other Fables’ published by Meatspace Press. The book consists of 38 chapters, with all but six consisting of speculative short fiction.
Should cities be run like businesses? Should city services and infrastructure be run by businesses? For some urban commentators, policy-makers, politicians and corporate lobby groups, the answer is ‘yes’ to both questions.
Others are critical of such views, cautious about shifting the culture of city administration from management to entrepreneurship, and transforming public assets and services run for the common good into markets run for profit.
The stories and essays in How to Run a City Like Amazon, and Other Fables explore how a city might look, feel and function if the business models, practices and technologies of 38 different companies were applied to the running of cities. What would it be like to live in a city administered using the business model of Amazon (or Apple, IKEA, Pornhub, Spotify, Tinder, Uber, etc.) or a city where critical public services are delivered by these companies?
Collectively, the chapters ask us to imagine and reflect on what kind of cities we want to live in and how they should be managed and governed.
This article explores the process by which intelligent transport system technologies have further advanced a data-driven culture in public transport and traffic control. Based on 12 interviews with transport engineers and fieldwork visits to three control rooms, it follows the implementation of Real-Time Passenger Information in Dublin and the various technologies on which it is dependent. It uses the concept of ‘data ratcheting’ to describe how a new data-driven rational order supplants a gradualist, conservative ethos, creating technological dependencies that pressure organisations to take control of their own data and curate accessibility to outside organisations. It is argued that the implementation of Real-Time Passenger Information forms part of a changing landscape of urban technologies as cities move from a phase of opening data silos and expanded communication across departments and with citizens towards one in which new streams of digital data are recognised for their value in stabilising novel forms of city administration.
Keywords: Intelligent transport systems, real-time information, smart city, Big Data, organisational change
Friday was publication day for ‘The Right to the Smart City‘ book edited by Paolo Cardullo, Cesare Di Feliciantonio and Rob Kitchin published by Emerald. The book is the outcome of the fourth international workshop hosted by the Programmable City project and focuses on the interrelationship of smart cities, rights, citizenship, social justice, commons, civic tech, participation and ethics. It includes chapters by Katharine Willis, Jiska Engelbert, Alberto Vanolo, Michiel de Lange, Catherine D’Ignazio, Eric Gordon, Elizabeth Christoforetti, Andrew Schrock, Sung-Yueh Perng, Gabriele Schliwa, Nancy Odendaal, Ramon Ribera-Fumaz, and the three editors.
1. Citizenship, Justice and the Right to the Smart City. Rob Kitchin, Paolo Cardullo, Cesare Di Feliciantonio
Part 1: Citizenship and the commons
2. Whose right to the smart city?
Katharine Willis
3. Reading the neoliberal smart city narrative: The political potential of everyday meaning making.
Jiska Engelbert
4. Playable urban citizenship: Social justice and the gamification of civic life.
Alberto Vanolo
5. The right to the datafied city: Interfacing the urban data commons.
Michiel de Lange
6. Smart commons or a ‘smart approach’ to the commons?
Paolo Cardullo
7. Against the romance of the smart community: The case of Milano 4 You.
Cesare Di Feliciantonio
Part 2: Civic engagement, participation and the right to the smart city
8. Sensors and civics: Towards a community-centred smart city.
Catherine D’Ignazio, , Eric Gordon and Elizabeth Christoforetti
9. What is civic tech? Defining a practice of technical pluralism.
Andrew Schrock
10. Hackathons and the practices and possibilities of participation.
Sung-Yueh Perng
11. Smart cities by design? Interrogating design thinking for citizen participation.
Gabriele Schliwa
12. Appropriating ‘big data’: exploring the emancipatory potential of the data strategies of civil society organisations in Cape Town, South Africa.
Nancy Odendaal
13. Moving from smart citizens to technological sovereignty?
Ramon Ribera-Fumaz
14. Towards a genuinely humanizing smart urbanism.
Rob Kitchin
