Anyone who has followed the history of government IT projects will know that there’s a record of botched and delayed implementation, budget overruns, and scope creep. The scope creep is what worries most of us privacy nerds…:
There’s a new entrant in the rarefied club of Big Tech: national governments.
As politicians grapple with how to handle a global pandemic that has shuttered entire countries, decimated national economies and left 160,000 people dead, they’re turning to tactics better associated with Google, Apple and Facebook than with the staid world of government boffins.
To track people’s everyday movements, countries from Australia to Austria have soaked up piles of (anonymized) smartphone data from local telecoms operators. To police widespread lockdowns, others are relying on location details gleamed from digital advertising sold through popular online services. And almost 40 governments worldwide have rolled out — or are about to — their own coronavirus apps for everything from informing people if they’ve been in contact with anyone infected with COVID-19 to ensuring those that already have it stay home.
All of this should set off alarm bells.
Big Tech has become a global punching bag because of fears that Silicon Valley has too much control over our daily lives. But in their legitimate efforts to keep people safe, officials across the European Union, United States and elsewhere are quickly falling into the same trap — creating a government surveillance network on the fly, with little oversight and almost no clarity about when it will be shut down.
People are growing increasingly skeptical about how Google, Amazon and Facebook collect reams of our personal data, often in opaque ways that are hard to decipher. So why shouldn’t governments come under the same scrutiny? Governments that have a track record of failing to keep such digital information safe, lack Big Tech’s technical expertise and will, for the most part, be beholden to themselves about when to call off their digital land grab.
In the fight to halt the global pandemic, the public is being asked to put aside any fears in the name of public health. But at some point, the number of infections worldwide will start to fall. But governments’ ‘Big Tech’ moment will likely hang around well after the COVID-19 crisis fades.
Trust us, we’re the government
To be fair to policymakers, they have tried to lay out what can, and what can not, be done with this unprecedented collection of people’s (very sensitive) data.
The European Commission just published a set of (voluntary) guidelines for creating coronavirus apps, including efforts to put national privacy watchdogs in charge and place strict time limits for how long data can be stored. Governments, too, have said they’ll stick to existing data protection rules — albeit that in places such as Poland, which has made its app mandatory for those in quarantine due to COVID-19, officials say they’ll hang on to the information for up to six years.
Such assurances should be taken with a pinch of salt.
Everyone is already at full stretch with public health services struggling to cope with rising numbers of infections and lawmakers turning over every last rock to keep economies afloat. In times of crises, fundamental rights like privacy can often seem like secondary concerns — particularly when governments are enticingly close to grabbing large amounts of people’s information in ways that, until recently, were strictly off-limits.
Unanswered questions abound. Who will have access to the data? Where will it be stored? Who decides when it’ll be deleted? These are the questions officials have been asking Big Tech for years. So it’s only right — even amid the current crisis — that policymakers should be explicit in their responses with their own efforts before they start vacuuming up information as if they’re the latest digital fad from Silicon Valley.
Security, too, is a real concern.
Even Google and Apple, which have joined forces to create a (mostly) privacy-conscious effort to track people’s movements through their smartphones, admit their offering will not be 100 percent secure. In the mad rush to get something in the market, most governments are either outsourcing their COVID-19 tracking tools to local tech firms or buying boilerplate solutions from existing suppliers. The development of these services is done in a matter of weeks, if not days.
That may work well when offering regular medical advice or the latest updates on how to file your taxes — most Western governments already have digital services for such things. But it’s a whole different ballgame when officials are collecting sensitive health data, people’s specific locations or other information that would prove extremely harmful if it fell into the wrong hands (either within governments or with online fraudsters).
It’s become a cliché to say these are unprecedented times. But if the increased scrutiny of Big Tech in recent years has taught us anything, it’s that a healthy dose of skepticism is required when presented with tech offerings that seem too good to be true.
For years, politicians have decried how companies have harvested people’s data in the name of improving lives. It’s only right they’re now held to the same standard.
Mark Scott is chief technology correspondent at POLITICO.