February 08 2023

Coronavirus contact tracing apps and civil liberties

Coronavirus contact tracing apps and civil liberties

The UK has not been blessed with a good government at this time of national crisis. The long-running internecine battles in the Tory party have left us with a rump cabinet, filled with the ideologically monomaniacal, the intellectually vacuous, and the desperately obsequious. It has also left us with a cabinet that will soon be encouraging the nation to sign up to an app that will give the government unprecedented insight into the movement of its citizens.

The idea of governments monitoring the movements of their citizens has always been met with scepticism, especially in western liberal states. While other traditions may view state surveillance as a feature, rather than a bug, here it evokes thoughts of the Soviet Union, where citizens never knew when, or if, the state was watching them. Life was lived in perpetual unease.

In responding to the coronavirus, most western governments have been sensitive to such worry, and have not pushed a monitoring system which gives them significant control. Instead, a universal system has been developed in concord with Apple and Google (who we are, curiously, much happier to share our data with), which monitors our interactions and potential exposure, but with decentralised data.

It is this decentralised element which is crucial, as it minimises the ability of governments to gain disproportionate insight into the activity of citizens, while ensuring that the spread of the virus can still be tracked. Rather than join this system, the UK government has chosen to develop its own app, which foregoes the decentralised element that is crucial to its popularity and legality. This app, currently being trialled on the Isle of Wight, instead anonymises the data, but processes it at a central hub.

Neither system is perfect, and both raise concerns about civil liberties – concerns that should be voiced and addressed because we are in a time of national crisis, not in spite of it. I will come to these concerns, but what is alarming from a practical view is that this system is being pushed by a government which is, with the best will in the world, woefully inept. The only thing that has stopped us being viewed as the cautionary tale throughout the world is that the President of the United States has been telling American citizens to drink bleach, and some of them have listened to him.

As Italy, and then Spain, began to struggle with the virus in late February and early March, an informed and engaged government would have taken advantage of the lag-time – and our island geography – to swiftly respond, learning from the struggles of our mediterranean cousins. We did not do this. Johnson adopted an oxymoronically cavalier yet lumbering approach that has left us with the highest death toll in Europe. Rather than hubristically developing our own monitoring system – one that will not be compatible with cross-border travel, as it stands – perhaps the government could realise that its own limitations, and its refusal to follow the international consensus, have done little bar inflating the UK’s death toll.

Setting aside this concern, the need for some form of digital monitoring system is now almost beyond question. The success of countries like South Korea, where there is a more collectivist notion of liberty, in suppressing the virus through tracking has shown that such apps can be used in democracies. They are not only a tool of absolutist regimes like China. However, there is still difficulty in assessing how to balance the competing rights of privacy and public health.

The version developed by Apple and Google addresses this by keeping most information confined to our phones. As we move around, the Bluetooth technology registers when it comes into sufficient proximity with another phone, each having an individual identifier. Crucially, this encounter is then stored on the phone, rather than in a centralised database. When someone notes that they have developed Covid-19 symptoms on the app, the app sends a notification to all those phones who have been in close proximity to it within the past fourteen days. In using this system, it is arguable that Article 8 ECHR, which preserves our right to privacy, is not even engaged, as the Bluetooth ‘keys’ in question are not ‘personal data’. This keeps the government at arms-length, striking a proportionate balance between our need for privacy and our need to control the virus and protect public health.

This is not a degree of privacy which is maintained in the UK’s model. Here, the identifiers are sent to a centralised hub, which is also responsible for notifying individuals of their exposure to an individual who has coronavirus symptoms. The system is designed around the idea that the information will be given to the health authority, who will then distribute the information as required. Therefore, as well as alerting individuals and tracking the spread of the virus, it would allow the authorities to individualise the data and monitor an individual’s activity, engaging (and potentially violating) the right of privacy.

In developing such a system, it is unlikely that the UK government is being wholly cynical. There are advantages to operating a centralised system, including enabling the government to have a more thorough understanding of how the virus is spreading, and therefore how to combat it. From a purely epidemiological perspective, it may be preferable. However, there is the risk that such data could be used by other parts of the government, unconnected to public health. In Australia, such risk has been mitigated by legislation which prohibits other arms of the government – including national security – from accessing the data.

In contrast, the UK government has not put forward its proposals to parliament for scrutiny, with the Human Rights Committee last week publishing a report that condemned the government for only making promises about the security of the data, rather than ‘enshrining them in law’. More alarmingly, the Information Commissioners Office, which is required by law to receive proposals on ‘high risk’ data processing systems’, has yet to receive the government’s assessment on its compatibility with privacy laws.

It is unlikely that this app will make it onto the national stage unscathed. Tory rebels, who are naturally cautious of government overreach, are grumbling in the background, and will likely vote in support of the legislation drafted by the Human Rights Committee. However, while this legislation is important, it fails to adequately address the most crucial element – what to do when the app is no longer needed. Although it does introduce a system of regular review, and a procedure for the deletion of all data once the emergency passes, it leaves this in the hands of the Secretary of State for Health.

As we have seen, Matt Hancock is not endowed with the sturdiest of backbones – and even if he was, he would still be a member of the government, not an objective adjudicator. The legislation would be improved by shifting responsibility to an independent arbiter, who could make an impartial assessment as to the continued need for the data collection.

The departure of any government from international consensus at a time of global emergency should be viewed with scepticism. When it is a government of questionable ability that has consistently underperformed, this scepticism should turn to suspicion and alarm. The current proposals to monitor and collect the UK public’s data are a clear and unnecessary infringement of human rights by a government that has shown little concern for human rights in the past. In an ideal world, the prime minister would move back into the international fold, adopting the decentralised Apple/Google system. Less ideally, but still preferable, would be that parliament imposes stringent constraints on the government, ultimately moving authority for the continued use of the system to an independent adjudicator