Time and again, governments have used crises to expand their power, and often their intrusion into citizens’ lives. The COVID-19 pandemic has seen this pattern play out on a huge scale. From deploying drones or ankle monitors to enforce quarantine orders to proposals to use face recognition or thermal imaging cameras for monitoring public spaces, governments around the world have been adopting intrusive measures in their quest to contain the pandemic.
EFF has fought for years against the often secretive governmental use of cell phone location data. Governments have repeatedly sought to obtain this data without a court order, dodged oversight of how they used and accessed it, misleadingly downplayed its sensitivity, and forced mobile operators to retain it. In the past, these uses were most often justified with arguments of law enforcement or national security necessity. Now, some of the same location surveillance powers are being demanded—or sometimes simply seized—without making a significant contribution to containing COVID-19. Despite the lack of evidence to show the effectiveness of location data to stop the spread of the virus, a number of countries’ governments have used the crisis to introduce completely new surveillance powers or extend old ones to new COVID-related purposes. For example, data retention laws compel telecom companies to continuously collect and store metadata of a whole population for a certain period of time. In Europe, the Court of Justice of the European Union declared such mandates illegal under EU law.
Like other emergency measures, it may be an uphill battle to roll back new location surveillance once the epidemic subsides. And because governments have not shown its effectiveness, there’s no justification for this intrusion on people’s fundamental freedoms in the first place.
Individualized Location Tracking
Mobile carriers happen to know their subscribers’ phone’s locations (usually the same as the locations of the subscribers themselves) from moment to moment because of the way cellular networks work. That knowledge has turned into one of the most extensive data sources for governments—and not infrequently advertisers, stalkers, or spies—interested in tracking people’s movements. But while phone location data is sufficient to show whether someone went to church or the movies, it simply is not accurate enough to show whether two people were close enough together to transmit the virus (commonly characterized as a distance of two meters, or about six feet).
While location surveillance is problematic at any time, the coronavirus crisis has led to a rapid uptick in its use; many measures to facilitate it have been passed by fast-tracked legislative procedures during national states of emergency. Some governments have even bypassed legislators entirely and relied on executive power to roll out expanded location surveillance—making it even less transparent and democratically legitimate than usual. Governments may use the urgency of the crisis to erode limits on the ways people’s location histories can be used, demand this data be turned over to authorities in bulk, or require companies to stockpile records of where their customers have been.
COVID-inspired cell phone location surveillance around the globe
Attempts at rapid expansions of government location surveillance authority have come to light in at least seven countries.
In Israel, in a significant win for privacy, Israel’s High Court of Justice has recently revoked the authorization of the police to access location data for contact tracing without a court order. On March 16th, the government had approved emergency regulations, 48 hours after Prime Minister Benjamin Netanyahu announced his government’s intention to approve health tracking methods. The regulations enabled both the police and Israel’s domestic security agency (usually known as Shabak or Shin Bet, after its Hebrew acronym) to track the whereabouts of persons that might be infected or are suspected to be infected with COVID-19 without a warrant. The emergency regulation has now been suspended, and the Court has ordered that the government address the use of mobile phone tracking through legislation. Despite the win, the fight against warrantless access to location data is far from over: on May 5th, the parliament’s Intelligence Subcommittee voted 6-3 to extend the Shin Bet’s warrantless access to location data to track infected people, while the government is working towards advancing legislation to enable this form of surveillance more permanently. Right after the approval of the emergency regulations on March 16th, the Association for Civil Rights in Israel filed a petition to Israel’s High Court stressing the need to protect democracy during the pandemic:
Democracy is measured precisely in those situations when the public is afraid, exposed day and night to nightmare scenarios […]. Precisely in such moments, it is vital to act in a considered and level-headed manner, and not to take draconian and extreme decisions and to accustom the public to the use of undemocratic means […].
In South Africa, where a state of disaster has been in place since March 15th, the government amended a law to create a COVID-19 Tracing Database. The database will include personal data of those who are infected or suspected to be infected with COVID-19, including their COVID-19 test results, as well as the details of those who have come or are suspected to have come into contact with them. The Act authorizes the Director-General of Health to order telecom companies to disclose the location of persons who are infected or suspected to be infected, without prior notice, as well as the location of those who were in contact or suspected to have been in contact with them, and to include all of this data in the COVID-19 Tracing Database. The law was met with severe backlash from civil society, and has since been amended twice. In a win for privacy, the last amendment deleted the provisions that obliged telecommunications companies to disclose location data for inclusion in that database.
Poland, which has been in a state of emergency since mid-March, has a track record of encroaching on the rule of law, even triggering the EU’s legal process for addressing violations of European values. The EU Commission has stated that the Polish judiciary is under “the political control of the ruling majority. In the absence of judicial independence, serious questions are raised about the effective application of EU law.” Now with COVID-19, the Polish government has also introduced several COVID acts, providing new surveillance powers for the executive. Article 11 of the COVID-19 act obliges telecom operators to collect and give access to location data of people infected with COVID-19 or those under quarantine upon a simple request, as well as aggregate location data of an operator’s clients. The new legislation states that these measures will remain in place until the pandemic has ended.
Slovakia is another eastern European country that has expanded telecom companies’ obligations to retain metadata during the crisis. Slovakia has been in a partial state of emergency since March 15th, during which several amendments to the country’s telecommunications act were fast-tracked through parliament. The amendments, which immediately caused outrage, authorized national health authorities to obtain location data from telecommunications operators in the context of a pandemic. As in Poland, the amended law allows for the retention of both anonymized aggregate data and individual location data. After being challenged before the Slovakian Constitutional Court, these measures have recently been suspended due to their vagueness and insufficient safeguards against misuse.
Croatia’s government attempted to introduce similar, fast-tracked amendments to the country’s electronic communications law. The bill would have authorized the exceptional processing of location data to “protect national and public safety,” and would have obliged telecommunications operators to share the data with the Ministry of Health. As in other countries, the proposal was met with outrage among civil society, experts, and opposition, as more than forty civil society organizations signed onto a letter demanding that the government withdraw the bill. The criticism was eventually successful, but the Croatian example underlines the wider pattern of states seizing any opportunity to expand surveillance powers during the crisis, in the Balkans and beyond.
Bulgaria, yet another Eastern European country in a state of emergency, has passed an emergency law, which included amendments to the country’s electronic communications act. The law now obliges telecommunications companies to store and (upon request) provide metadata to competent authorities, including the police, to monitor citizens’ compliance with quarantine measures. The law does not require requests to be authorized by courts but merely provides for an after-the-fact judicial review process, which the country also uses when retaining data to prevent terrorist attacks. Not limited in time, the measures will remain in force even after the state of emergency has come to an end. Like Poland, Bulgaria has been showing authoritarian tendencies for several years, and this extension of the country’s data retention regime, ushered in during the COVID crisis, may help solidify autocracy. The pattern of European countries reaching for location data surveillance also pokes holes in the popular image of the European Union as particularly protective of the right to privacy.
South Korea, a country with experience fighting coronavirus outbreaks since the Middle East Respiratory Syndrome (MERS) epidemic in 2015, has dramatically restricted the right to privacy in the context of the pandemic. The Infectious Disease Control and Prevention Act allows health officials to obtain sensitive personal data on the infected and those suspected to be infected, as well as their contacts and those suspected to be in contact. Such data includes names, resident registration numbers, addresses, telephone numbers, prescriptions, medical treatment records, immigration control records, credit card records, transit card records, and CCTV recordings from third-party companies. Police can seize this personal data without consent of the data subjects and without any judicial oversight. The Act also allows health officials and administrators of municipalities to collect location data on the infected (or suspected to be infected) and their contacts (or suspected contacts) from telecommunications operators and location data providers (from cell site and GPS).
Location surveillance comes with a host of risks to citizens’ privacy, freedom of expression and data protection rights. EFF has long been fighting against warrantless access to location data or blanket data retention mandates, and has called on governments to be more transparent on their surveillance programs. Especially now, during a major health crisis, in which the government has not shown the efficacy of location data about individuals, governments should be as transparent as possible about what data they are collecting for what purposes. Above all, the necessity and proportionality of any location data surveillance schemes must be demonstrated.
Katitza Rodriguez is EFF’s international rights director. She concentrates on comparative policy of international privacy issues, with special emphasis on law enforcement, government surveillance, and cross-border data flows. Her work in EFF’s International Program also focuses on cybersecurity at the intersection of human rights. Katitza also manages EFF’s growing Latin American programs. She was an advisor to the UN Internet Governance Forum (2009-2010). In 2018, CNET named Katitza one of the 20 most influential Latinos in technology in the United States. In 2014, she was also named one of “The heroes in the fight to save the Internet”.