To battle the COVID-19 global pandemic, States are increasingly deploying intelligence and surveillance tools to monitor their populations in an attempt to stop the spread of the virus and limit its human and economic impacts. The use of these tools and techniques, once largely the purview of security, intelligence, and law enforcement, represents the extraordinary lengths that many States are taking to stop the infection. These efforts involve collecting data on citizens from cell phones, financial transactions, and social media intelligence, and combining it with health data, raising significant concerns about privacy and civil liberties. Parallels can be drawn between the global pandemic and the post-9/11 era, which saw significant broadening of state surveillance and intelligence powers around the world – powers that were never rolled back, and have instead became part of the fabric of the State intelligence and security apparatus.
It is imperative that States and their citizens question how much freedom and privacy should be sacrificed to limit the impact of this pandemic. It is also not sufficient to ask simply “if” something is legal; we should also ask whether it should be, and under what circumstances. States should consider the ethics of surveillance and intelligence, specifically whether it is justified, done under the right authority, if it can be done with intentionality and proportionality and as a last resort, and if targets of surveillance can be separated from non-targets to avoid mass surveillance. These considerations, combined with enhanced transparency and sunset clauses on the use of intelligence and surveillance techniques, can allow States to ethically deploy these powerful tools to help stop the spread of the virus.
States are employing intelligence and surveillance techniques to contain the spread of the illness because these methods can help track and identify infected or exposed people and enforce quarantines. States have used cell phone data to track people at risk of infection or transmission and financial data to identify places frequented by at-risk people. Social media intelligence is also ripe for exploitation in terms of identifying social contacts. This intelligence, is increasingly being combined with health data, creating a unique (and informative) picture of a person’s life that is undoubtedly useful for virus containment. But how long should States have access to this type of information on their citizens, if at all? Considering natural limits to the collection of granular data on citizens is imperative, both in terms of time and access to this data.
The authority to collect and use data in this way needs to be established in a transparent manner. The use of these techniques and methods should not come as a surprise to citizens of a democratic state. The enemy is a virus – not an adversary that will adjust its tactics with the revelation of this information. The need for secrecy about specific collection and analysis methods may prevail, but the actual collection and use of this information should be transparent to the public.
Data should also be used in a manner that is consistent with how and why it was collected, a principle that has already been violated. In Israel, data previously collected for counterterrorism purposes is planned to be used to retrace the movements of people thought to be infected with the virus, a clear breach of the original purpose of collection, albeit one that has been supported by Israel’s high court. The temptation exists for States to use existing data and collection platforms out of expediency, but this risks grave breaches of privacy and human rights, not to mention the law in many countries. Establishing new, purpose-built collection mechanisms and authorities may be preferable to simply exploiting existing ones. This could ensure that the checks and balances that need to be implemented in order to ethically and legally exploit those datasets are established properly. As importantly, determining the future uses of the new datasets, and limiting who will be able to access them and under what conditions, is essential. Firm boundaries need to be set now about who can use this information and for what purposes.
There is no question that there are harms to privacy associated with increased surveillance. The question becomes: Under what circumstances are these harms proportional to the benefit gained from the increased surveillance? States need to think about how intrusive measures need to be, and for how long they should be in place. Is widespread cell phone location data collection warranted until a vaccine is developed? Is social media monitoring acceptable to prevent spread? Is using financial transaction data to locate people acceptable, and under what circumstances? These are questions that should be answered in advance of the deployment of these techniques. Benchmarking the implementation and, more importantly, the termination of these efforts against disease spread, lethality, and economic effects will be necessary.
While these tools and techniques may be expedient, determining other ways to achieve the objective of reducing the spread and impact of the virus is also critical. Is the deployment of these exceptional measures truly required, or are there less intrusive ways of obtaining similar data or effects? These measures should be deployed as a last resort, after having exhausted other potential measures. It is also important to consider that many of these techniques were developed to be applied against non-compliant subjects such as terrorists, spies, and criminals. Using the full extent of these powers against compliant subjects may be excessive, and steps should be taken to ensure that only measures that are strictly required are implemented. At the same time, human memory is fallible, and data outlining a person’s pattern of movement can be much more reliable in terms of reconstructing the days during which the potential spread of infection occurred.
Finally, considering who is (and is not) a legitimate target of this type of surveillance will be imperative. Increasing or decreasing levels of surveillance based on actual threat and risk is something regularly done in the intelligence world – and something that should be done in this case as well. Is someone who is infected a legitimate target of all types of surveillance techniques? What if they are complying with their quarantine requirement? What about someone who was exposed to the virus, but is refusing to quarantine? And what of international travelers? The levels of surveillance and data collection should be proportional to the threat and risk, and applied in a discriminate manner against only legitimate targets of surveillance.
Many States have intrusive intelligence and surveillance capabilities that they will be tempted to deploy during the pandemic. This may be deemed necessary by many States, as desperation to contain the human and economic impacts of the virus sets in. But if the war on terror taught us anything, it is that once these powers are in place, they are extremely difficult to limit or roll back. Sunset clauses and clear benchmarks for levels of surveillance are only a start – transparency over the methods used will be critical in ensuring that societies make informed decisions about what they find acceptable and ethical during a pandemic. Some potential transparency mechanisms include media briefings, oversight committees, or perhaps consultation with a transparency committee. These are useful, powerful tools that, if deployed correctly, may help countries return to “near-normal” faster than if they are not used. This is desirable, but we must be cognizant of what we are sacrificing in the process.