By Dr Moonyati Yatid, Farlina Said and Tengku NurQistina
The role of technology in aiding our daily lives has grown rapidly since the imposition of lockdowns in many countries amid the Covid-19 pandemic.
In adapting to the new normal, e-commerce, e-learning and teleconferencing are flourishing.
Technology is also utilised by governments to manage the spread of the novel coronavirus, with increasing attention focused on digital surveillance.
Surveillance in the time of Covid-19
Surveillance has often been tied to the prickly topic of privacy invasion.
Edward Snowden’s 2013 expose of the US government’s PRISM programme, which monitored and obtained information of people in the US en masse without their consent or knowledge and invaded the citizen’s privacy, has become a cautionary tale on government’s ability to conduct disproportionate surveillance.
Recently, various countries have chosen different methods for digital contact tracing to manage the spread of Covid-19 — some are less respectful of privacy than others.
Currently, countries like Ecuador utilise GPS location tracking while Singapore and Finland opt for “proximity tracking” using Bluetooth — a less invasive method.
In Malaysia, as many as 92 drones were active as the Royal Malaysian Police (PDRM)’s eyes in the sky during the movement control order (MCO).
In the conditional MCO (CMCO), the non-geolocation Bluetooth-enabled MyTrace app exists alongside MySejahtera. The app was developed in co-operation with the National Security Council (NSC), Ministry of Health (MOH), Malaysian Administrative Modernisation and Management Planning Unit (Mampu) and the Malaysian Communications and Multimedia Commission (MCMC) to manage any outbreak.
In addition to these is Gerak Malaysia, associated with PDRM and developed by MCMC to deliver a digital ID that verifies motivations for travel.
Gerak Malaysia utilises geolocation data to track and control traffic in their version of contact tracing efforts.
There are also private-sector initiatives such as a web-based check-in platform CovCT developed by Madison Technologies (an idea similar to Selangor’s SElangkah app).
The options available raise questions on our personal information’s collection methods and storage. To manage a pandemic, it is essential to conduct contact tracing but we need to acknowledge data collection as an industry where information can be shared but also exploited.
As tracking and surveillance technology appears to be an essential part of managing the pandemic, the question then is how to protect all this data?
Dealing with the challenges of surveillance
The role of the private sector in developing the ecosystem provides a layer of innovation but also adds complexities to regulation.
The parties handling data of citizens would have to comply with regulations by the government. However, regulations require enforcement, which is challenging when data breaches are neither disclosed nor reported.
Another challenge is the rapidly changing digital environment which complicates terminology and can introduce grey areas.
In addition to privacy and security concerns, many question if such surveillance tools are effective enough to combat Covid-19 linked issues.
A study in Shenzhen, China showed that contact tracing to rapidly isolate people who could be infected with Covid-19 reduced the length of time people were infectious in the community, compared to cases identified through symptomatic observations.
Manual contact tracing is not only time-consuming, but also lacks accuracy and is limited in coverage — hence needs to be complemented by digital contact tracing.
Upon announcing the CMCO, Prime Minister Tan Sri Muhyiddin Yassin advised that both manual and digital contact tracing methods for citizens be implemented.
As part of the SOP, shops need to record the name, phone number and date of visit for all customers as part of contact tracing measures.
However, with digital contact tracing, identification of contact tracing is more precise as Bluetooth records users’ encounters and distance between them.
Further, it could also trace beyond manual tracking by shops that citizens visit, for instance at train stations, petrol stations, parking spots and other public areas.
Some of the applications rolled-out by the government have announced that data would be kept for a certain timeframe such as MyTrace (21 days) and Gerak Malaysia (six months after the end of the MCO).
MyTrace and CovCT are said to anonymise their data through logging practices with MyTrace keeping data in the clients’ device.
These are steps that could ensure good industry practices as data is only used as and when intended. However, in a weak regulatory environment and should the threat of Covid-19 ease, such systems can be abandoned, leaving legacy issues that could be exploited.
There can be fewer security updates or mismanagement of private and public systems which could introduce vulnerabilities, exploit personal information and weaken trust in the digital ecosystem.
Further, while the digital tracking design opted are less intrusive, security risks still exist as malicious actors could still hack the anonymised location and time-stamped user data.
Moreover, a drawback of Bluetooth is its potential to turn up a large number of false positives. Moreover, in order for the app to be effective, a substantial number of people will need to install the app.
In Malaysia, downloading MyTrace app is voluntary with adoption expected to be low, unlike the mandatory approach in China. Thus, while digital surveillance allows faster and wider coverage to contact-trace, there are still various concerns that are yet to be solved.
To manage potential privacy red flags, governments should limit mass gathering of data when it comes to contract tracing.
The danger lies in the vulnerability of sensitive and private information like a person’s name, address, sexual orientation, healthcare issues and political beliefs.
A precautionary step to consider is the anonymisation of such data. Further, governments need a strict set of criteria to maintain their responsibility and commitment to citizens’ right to privacy.
They also prove and earn the trust of its citizens by doing so. This is on top of proportionate, time-bound and transparent surveillance.
Lessons from the Snowden leak altered the way data is gathered and processed by governments. The US Freedom Act was inserted as a response to the NSA’s mass data collection and saw more targeted surveillance contingent on stringent permission.
For responses to private sector data collection, the California Consumer Privacy Act (CCPA) and the EU-enacted General Data Protection Regulation (GDPR) pave the way for individuals to seek damages for privacy violations, particularly violations on rights accorded to consumers.
Malaysia’s Personal Data Protection Act (PDPA) requires users to be notified of the information obtained, its purpose and the destination.
It is also the responsibility of operators to ensure the security of the data. However, the Act could use an update particularly in areas that would define SOPs, a scaled form of monetary penalties, mandatory breach disclosures and mechanisms for enforcement.
It should be noted that PDPA does not apply in the case of government collection and would not obligate federal and state agencies to be transparent in their data management.
This ought to be rectified. A public consultation paper on PDPA had made its rounds in February and would hopefully reflect the updates needed, particularly at this crucial moment.
As Malaysia and the world begin to ease their lockdowns and reopen their economies, citizens will inevitably be more exposed to the virus, to which a vaccine has yet to be found.
While there is no definitive proof that the digital surveillance itself is the reason for success in curbing the spread of Covid-19, technology has played an enormous role in this pandemic and will likely continue to do so in many aspects of governance and social life.
Nevertheless, it is pivotal that governments ensure it is used appropriately without endangering citizens to security and privacy vulnerabilities.
This article first appeared in the Malay Mail on 17 May 2020