Satellite image of Florida and Caribbean

Tracking the coronavirus: privacy vs. protection

Image credit: Tectonix

Can data tracking slow the coronavirus pandemic? And at what cost to personal privacy? We balance the opportunities against the risks to find out.

A tweet by data analytics firm Tectonix recently went viral. The interactive video map (pictured above) shows how visitors returning from a Florida beach party spread out across the country. Many of those tested positive for Covid-19 and could infect thousands of others, underlining how reckless behaviour by individuals ignoring public health affects everyone else. It graphically illustrates why politicians and public health experts are so keen on tracking the public’s movements. Data like this “can save lives at scale”, says Tectonix chief marketing officer Mike DiMarco, “but only when used responsibly. It should drive informed, productive decisions, not infringe on our rights.”

Tracking digital health data goes back a long way. In 2008 researchers described how Google’s search queries can help to detect influenza, as sufferers search for the symptoms online, and Google launched Flu Trends to help predict outbreaks. Google queries for ‘Covid-19’ and actual cases do correlate (see chart included at foot of article), but not everyone who has it is also searching for it and vice versa. It’s imperfect but it’s a simple demonstration of how data can help.

Now Google is receiving enquiries about more invasive practices like contact tracing, to help identify who infected people have met, but it says it doesn’t have that data. The UK government is embracing the idea to partner with tech companies, and the NHS unveiled its collaboration with tech giants to develop a Covid-19 data platform. However, Palantir Technologies’ involvement triggered criticism as the firm had staff links to the Cambridge Analytica scandal.

UK telecoms companies are also exploring how they can share information. Under the UK’s Privacy in Electronic Communications Regulations, mobile phone location data, for instance, can only be used with consent or after anonymisation, says Renzo Marchini, lawyer and partner at law firm Fieldfisher. But how far does the law really protect privacy? And is it an obstacle to tackling the pandemic?

“The law doesn’t get in the way,” says privacy and data protection lawyer Eduardo Ustaran, a partner at Hogan Lovells. “The data protection law in Europe is sufficiently flexible to allow for using health data under certain circumstances to understand who has the virus and to [allow] sharing it with those third parties that should be concerned. Everything is within reason.”

Indeed, the EU Data Protection Board issued a statement in March to clarify that data protection rules “should not hinder Covid-19 measures” but data controllers must be cautious to protect personal data. Marchini says if the UK government wanted to track granular information – such as a particular individual’s location – it would have to pass a law to disapply the normal prohibition. Emergency legislation already weakened rules to intercept and collect data.

Mobile phone tracking can be extremely intrusive. Dr Daniel A Pauly, a German technology lawyer and expert on EU data protection law, says data from phones can even reveal how each individual behaves: “Data that shows what you were doing or where [you were] moving. This is creepy and impermissible from a legal perspective in most EU jurisdictions. It is exactly what countries like China, Singapore or South Korea do and raises serious concerns.”

While many governments around the world have experimented with tracking citizens to fight coronavirus, some European countries want to take it further. Germany, for example, is interested in the Pepp-pt initiative for contact tracing which uses Bluetooth to sense other mobile phones nearby, producing an alert message if the user comes close to someone who has tested positive. Advocates point out that Pepp-pt promises secure data anonymisation and cross-border interoperability, but it remains unclear whether it complies with ‘EU values’, which say that data should be stored on devices locally rather than on a central server, for example, to make state-level surveillance more difficult.

Authorities are moving towards more tracking elewhere in Europe. Slovakia changed the law to allow the Public Health Office access to mobile location data, while Polish authorities offer Covid-19 infected individuals an app to prove they remain in quarantine. In a state of emergency, the Hungarian parliament handed populist Prime Minister Viktor Orban sweeping powers, with draconian state surveillance measures expected to follow.

Google says it is exploring how aggregated anonymised location information could help in the fight against Covid-19. EU and UK data is only used in an anonymised form. But research suggests anonymisation doesn’t necessarily stop re-identification. Research by Dr Yves-Alexandre de Montjoye at Imperial College London suggests timed location data of only four points is enough to identify an individual in 95 per cent of cases. The New York Times put it to the test and found it quite easy to make anonymised geo-location data personal again with a little knowledge of working habits.

An Oxford research paper tested the feasibility of contact tracing and found that a successful and appropriate use of a contact-tracing app relies on it “commanding well-founded public trust and confidence”. Many say contact tracing worked for Taiwan, which had a low rate of infection cases. However, the country also enforced a number of other measures alongside contact tracing, including a combination of early response measures, pervasive screening, comprehensive testing, and novel use of other technology. It is inconclusive to say that contact tracing alone was solely responsible for keeping cases low. Privacy researcher de Montjoye also points out that the Oxford paper failed to discuss privacy in the context of contact tracing and only relied on ethics, “something very different in terms of finding the balance”.

The Israeli government approved the repurposing of data-tracking technology developed by its Shin Bet security agency to fight Covid-19, adapting technology for combating terrorism to contact tracing. It drew criticism from privacy pressure groups when Israel’s cabinet authorised a brief extension in April. But others pointed to a more privacy-friendly app released by Israel’s Health Ministry and developed in cooperation with cyber-tech start-up Profero. The app promises to shield citizens from virus exposure while protecting privacy by keeping data on users’ devices.

Effective Covid-19 data tracking measures are a difficult balance. Privacy groups are so concerned because healthcare data and patients’ details are so very sensitive. They must not fall into the wrong hands. Technology lawyer Dr Pauly says the worst-case scenario is health data leaking to a private company, which then uses it for commercial gain. The value of health data on the black cyber market is huge. Medical records sell on the dark web for up to $1,000 for a full dataset, Experian found.

Is it worth jeopardising public trust by launching intrusive tracking measures on mobiles? Pauly thinks the privacy protection approach by EU Commission will prevail: “If they use anonymised data in a smart manner, they can derive all the information they need.” In his view, there’s really no need to make large-scale use of personal data anyway. “The instruments they have in place are sufficient for the purposes and to cope with the situation.”

Many of the Covid-19 resources pages on the web heavily track visitors, E&T found. Covid-19 could even be a boon to the ad-targeting business models that drive visitor tracking. Shares by Facebook and Alphabet held up better than the rest of the advertising industry.

Covid-19 information pages are now everywhere and visitors leave sensitive personal health details on the symptom-checker self-assessment tools that help users evaluate risks. E&T looked at the personal tracking on more than a hundred Covid-19 websites, including more than 45 Covid-19 self-assessment tools. Our results on personal tracking are alarming.

The Covid-19 self-assessment tool by the Women’s College Hospital in Canada tracks users via, a targeting and advertising tracker. MyDr, an Australian health website and symptom tracker, uses ten online trackers, none of which are deemed ‘strictly necessary’ – this has earned it a ‘high-risk’ score according to CookiePro, an analytics tool.

It’s not only private companies that are tracking, though. Even the Covid-19 self-assessment tool offered by the US’s Centers for Disease Control and Prevention (CDC) uses a multitude of online trackers – 40 of them, and none strictly necessary.

E&T found online forms garner immensely sensitive details ranging from one’s health to vices and other lifestyle habits. Withholding identities may not be enough to anonymise, experts warn – online adverting firms and hackers can create extensive profiles of netizens. The Covid-19 risk calculator by British firm i5 Health, for instance, asks users about their age and disease records such as heart conditions and mental and behavioural disorders.

Data input can be recorded and experts say when filling out such a survey anonymity cannot be guaranteed. “Nothing is anonymous on the internet,” says Paul Gagliardi, head of threat intelligence at cyber-security firm Security Scorecard. E&T showed him the i5 Health risk calculator tool. “At the minimum level we must assume such tools can record my IP address,” he says. “At the maximum they could use cookies to deanonymise me.” According to CookiePro’s assessment, i5 Health’s tool runs 12 trackers, half of which target trackers.

Gagliardi is reluctant to input his own details because the amount of data collected makes it hard to submit health details without the risk of it being linked back to an individual – maybe not immediately, but over time via data aggregation, he stresses. Tools like this, he says, must be audited more closely. It’s unlikely security and privacy were top priorities in the coding.

Keith Davies, i5 Health’s director, tells E&T that all the necessary privacy and security precautions are followed; neither individuals nor their inputs are tracked.

At the forefront of tracking is Facebook – sometimes, say critics, without consent. Last month CEO Mark Zuckerberg denied allegations of sharing users’ smartphone location with the government. Facebook maintains a disease mapping tool and aggregated and anonymised data provide general trends.

Whether tracked or not, how useful is our health data online? In the case of i5 Health’s tool, users receive a low, medium or high risk score based on an artificial intelligence model relying on NHS patient data. One issue is that these users were not Covid-19 patients. i5 Health argues the analysis is based on effects of influenza and of earlier strains of coronavirus, so it is sufficient as training data for the model. But the World Health Organization (WHO) lists a number of differences between influenza and Covid-19.

Accuracy is another concern. Professor Harald Braun at i5 Health argues the tool’s accuracy rate is high and for all high-risk patients the model performed at 82 per cent accuracy. In other words, from a pool of non-Covid-19, high-risk NHS patients, the AI correctly categorised individuals four out of five times. i5 Health’s risk calculator suggests age alone does not stand out as a considerable health risk; Braun explains it is much more important to consider whether there are other underlying health conditions. But WHO stresses older people are at highest risk from Covid-19 – more than 50 per cent of all deaths are in people aged over 80.

Similar risk assessments online raise a number of other questions. One is why assessments vary so considerably. E&T compared three different Covid-19 self-assessments by submitting false personal details. i5Health risk calculators found ‘low risk’ for an imagined 88-year-old man with diabetes and no other underlying conditions. An online checker by Integris Health, a large hospital network in Oklahoma, found Covid-19 could affect him “more seriously than others”. On, which only shares results after users hand over their email address, the advice is something in between: an estimated risk for coronavirus contraction of 67.5 per cent and 22.4 per cent risk for a coronavirus fatality “based on age and medical conditions”. E&T’s findings are in line with Statnews’s assessment that reviewed eight different Covid-19 chatbots, also with disagreeing results.  

A large proportion of healthcare appointments in Britain are now being carried out remotely. It is near-perfect-timing for companies like UK health start-up Babylon Health, a remote consultation firm. Babylon Health raised $550m in investment last year and already works with the NHS. It just launched its ‘Covid-19 Care Assistant’ tool, free for Babylon members. “We know how hard governments and healthcare systems are working to battle this pandemic and fully support their tireless work,” says founder Ali Parsa.

Sources E&T spoke to have criticised the AI and quality of Babylon Health’s Covid-19 checker. Privacy concerns are also on the horizon. David Watkins, a doctor and outspoken critic of the firm’s ethics and governance, erased the app from his phone and explained in a tweet that it is due to privacy concerns. Watkins asked the company to delete personal data and received no satisfying reply.

After the service went live in Canada last year, the company faced criticism for its data privacy terms and conditions. What critics find irksome, says David Shepherd, an Alberta NDP health critic, is Babylon’s T&Cs, which allow sharing of video data with corporate partners and entities outside of Canada, including foreign governments. The app’s impact on the confidentiality of individuals’ health information is being reviewed by the Alberta privacy commissioner.

Hackers need as much personal information about victims as they can get their hands on. Tony Cole, CTO at cyber-security firm Attivo, says in the US the government’s stimulus package has become a target. Attackers impersonated the government to launch scams against individuals waiting for their stimulus cheques.

Another increasingly popular tactic is fake data subject access request (DSAR) to companies holding personal data. With the latest health pandemic it is conceivable that these requests have become more common. Personal details from DSARs can be a good base for cyber attackers to launch Covid-19 scams at people, says Hannes Saarinen, senior privacy consultant at F-Secure.

Human rights groups such as Privacy International worry that aggressive measures do not receive enough scrutiny. They could be more drastic, more harmful and longer lasting than necessary. Like lockdown, it may be effective but it’s also not painless. Why make the cure worse than it really needs to be?

Google search data graph

Image credit: E&T

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles