There has been a vigorous global debate about the use of smartphone contact-tracing apps as valuable tools to monitor and curtail the spread of COVID-19. We should not forget, however, that there are many other ways to track location through the analysis of the routine records that organizations capture about our behavior and transactions.
Proponents see smart-phone apps as valuable tools to help us isolate the infected and those they may have infected, and thus allow us to engage in more and more normal social interactions. If the data can be properly anonymized and decentralized, they might, in fact, be more privacy-friendly than the labor-intensive contact-tracing involving human questioning.
Opponents see them as ineffective as best, dangerous at worst giving a false sense of security and thereby exacerbating the spread of the virus. They will only work if the technology is trusted. They will only work if there is sufficient testing to allow those infected to faithfully and accurately self-report. They are also vulnerable to all kinds of user error and mischief. They hold the potential for more permanent mass surveillance of our movements.
So far, these tools have been greeted (thankfully) with more skepticism in Canada than in other societies. And our privacy and civil liberties communities have been vigorous in pointing out the many risks.
As we gradually open up our social and commercial institutions, it will be critical to monitor the contacts of those who have been tested positive for COVID-19. We should not forget, however, that there are other ways to discover our location and movements.
In many cases (not all) our social interactions are recorded. We leave behind credit or debit card transactions when we make a purchase. We submit reservation details when we go to a restaurant or attend a recreational facility. Universities and schools have class lists. Employers have employee records. Churches have congregation lists. Clubs and societies have membership information, and so on.
Isn’t it more efficient, and more reliable, under these conditions to find possible contacts by asking these third-parties for records? Who else was in that restaurant that evening? Who was playing golf on that day? Who else was in that class? Who attended your church last Sunday? Who also bought groceries in that store on Saturday morning between 10 am and 11 am?
Crucially, our public health authorities have a right to obtain all such information under the emergency powers in our provincial Public Health Acts. In an emergency in BC, for example, a health officer may: collect, use or disclose information, including personal information, that could not otherwise be collected, used or disclosed, or in a form or manner other than the form or manner required. These powers may be exercised despite any restrictions imposed by BC’s public or private sector privacy laws. Similar provisions exist in other provinces.
I am not arguing that these powers should not be exercised. But they do need to be used with caution, with transparency and with accountability to our privacy commissioners.
The laws do not authorize fishing-expeditions. They do not authorize the capture of personal data that is disproportionate to the risk. Personal data captured under these powers should only be used for the purposes of contact-tracing and no other. And they should only be retained for as long as necessary.
In contrast to the furious debate over the high-tech solutions, we have not had an equivalent debate in Canada, or in any other country that I have seen, about more traditional and low-tech demands for personal data from organizations. The use of third-party records will not identify all possible contacts but they will identify a lot.
I sense that we will see the exercise of these powers more and more, as we begin to open up our economy and our society. Organizations should be prepared for those requests. And we shouldn’t let the important debate about smartphone apps and technologically mediated surveillance distract us from thinking about the consequences of old-fashioned methods of record capture.