Slide deck from my talk at the United Nations DPPA and DPO in August 2020.

1. Digital Surveillance for COVID-19 and its
Implications for Security and Privacy
Rohini Lakshané
12 August 2020
United Nations DPPA-DPO
(un)data Seminar Series on Outrageous Questions
CC-BY
(https://about.me/rohini)

2. Overview of Covid-19 tech responses
A. Apps
i. Contact-tracing
ii. Quarantine Management/ geofencing
iii. Information, updates about the pandemic and govt services,
medical advisories, etc.
iv. Services required/ provided during lockdown and quarantine
(curfew passes, mental health counselling, delivery of groceries,
etc.)
B. Electronic-tagging devices such as ankle bracelets for quarantine
management/ geofencing

3. Overview of Covid-19 tech responses (contd.)
C. Tracking mobile phones using BTS (that is, mobile towers) in two ways:
1. Aggregated data:
https://www.reuters.com/article/us-health-coronavirus-europe-telecoms/euro
pean-mobile-operators-share-data-for-coronavirus-fight-idUSKBN2152C2,
2. Tracking individual phones:
https://www.thehindu.com/news/national/coronavirus-geo-fencing-app-will-be
-used-to-locate-quarantine-violators/article31241055.ece
3. Combination of C1 and C2
D. Combination of A and B or A and C

4. Overview of Covid-19 tech responses (contd.)
E. Drones (spraying disinfectant, aerial video surveillance, making
announcements, contactless measurement of body temperature) - Not covered in
the seminar
F. Video surveillance, face recognition, machine learning (thermal imaging of
persons in public places for the purpose of fever detection; detecting whether or
not people are wearing masks; machine learning to find correlations and
patterns in their whereabouts, movements etc; mapping of Covid19 hotspots)

5. Overview of Covid-19 tech responses (contd.)
These interventions are inherently privacy-invading:
● However, the principle of derogability of rights applies (Desperate times,
desperate measures etc.)
● A new set of risks and challenges arises when interventions that were
hitherto largely manual are digitised and datafied.

6. Health/medical data has greater protections
Patient confidentiality
https://www.encyclopedia.com/medicine/encyclopedias-almanacs-transcripts-a
nd-maps/patient-confidentiality-0
https://www.aafp.org/about/policies/all/patient-confidentiality.html
Health data/ information privacy
https://www.ncbi.nlm.nih.gov/books/NBK9579/
GDPR Recital 35, “Health Data” https://gdpr-info.eu/recitals/no-35/

7. Issues with these tech interventions
Issues with these interventions
● Usability/ user experience - Not covered in the seminar
● Technical (bugs, ‘quality’ of code, false positives, false negatives, etc) - Not
covered in the seminar
● Digital security
● Privacy (technical and legal)

8. Surveillance companies
NSO (Israel)
https://www.bloomberg.com/news/articles/2020-03-17/surveillance-company-nso-
supplying-data-analysis-to-stop-virus (March 2020… About a dozen countries are
testing the NSO technology… The software takes two weeks of mobile-phone
tracking information from the infected person -- the incubation time of the virus --
then matches with location data collected by national mobile phone companies that
pinpoints citizens who were in the patient’s vicinity for more than 15 minutes and are
vulnerable to contagion…”)

9. Surveillance companies (contd.)
NSO software codenamed Fleming
https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing,
https://www.vice.com/en_us/article/epg9jm/nso-covid-19-surveillance-tech-softwar
e-tracking-infected-privacy-experts-worried
Cy4gate.com (pitched to the Italian govt) - Human Interaction Tracking System or
HITS.
https://www.vice.com/en_us/article/epg9jm/nso-covid-19-surveillance-tech-softwar
e-tracking-infected-privacy-experts-worried

10. Surveillance companies (contd.)
Cellebrite (Israel)
“When someone tests positive, authorities can siphon up the patient’s location data and
contacts, making it easy to “quarantine the right people,” according to a Cellebrite email
pitch to the Delhi police force this month.”
https://thewire.in/tech/spyware-delhi-police-covid-19-quarantine
“This would usually be done with consent, the email said. But in legally justified cases, such
as when a patient violates a law against public gatherings, police could use the tools to
break into a confiscated device, Cellebrite advised. “We do not need the phone passcode to
collect the data,” the salesman wrote to a senior officer…”

11. Surveillance companies (contd.)
Apps developed by Pixxon AI - Surveillance company in India:
https://play.google.com/store/apps/details?id=com.pixxonai.covid19
https://play.google.com/store/apps/details?id=com.pixxonai.covid19wb
NotionTag Technologies - Video surveillance company in India; Makes facial recognition
software called FaceTagr. App developed by it:
https://play.google.com/store/apps/details?id=www.facetagr.com.cobuddy
More info about Pixxon AI and FaceTagr at:
https://citizenmatters.in/tracking-quarantine-tracing-cases-sharing-info-can-these-govt-i
ssued-apps-help-fight-covid-19-17151

12. Gold rush to surveillance tech
The market is rife with numerous companies offering numerous Covid-19 tech
solutions. It is hard to verify their claims about efficacy and accuracy.
Not much information is publicly available on whether or not they have been tested
and audited or evaluated independently from the perspective of privacy and security.

13. Security threats/ risks/ vulnerabilities
1. Targeting of healthcare bodies, pharmaceutical companies, academia,
medical research organisations, and local government. (As an example, see:
https://www.ncsc.gov.uk/news/apt-groups-target-healthcare-essential-ser
vices-advisory)
2. Risks/ vulnerabilities in Covid response tech: For example, Aarogya Setu
Android app static security analysis report using the tool MobSF:
https://drive.google.com/file/d/15RpAvajPqCHxPxKwbemoJXuvVL1MsV
dE/view (overview of results on the next slide)
3. Scams, phishing, counterfeit apps etc.

15. More threats and risks
● Function creep
● No rollback of expanded surveillance capabilities
● Data breaches/ leaks
● Inadvertent disclosures (not leaks or breaches) such as “Fitness tracking app Strava gives
away location of secret US army bases”
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-locatio
n-of-secret-us-army-bases (Interesting to note: Indian Army advises personnel to use govt’s
Aarogya Setu app, but with usual cyber precautions:
https://theprint.in/defence/army-allows-personnel-to-use-govts-aarogya-setu-app-but-wit
h-usual-cyber-precautions/402527)

16. Safeguards, redress mechanisms, checks & balances
for Covid19 tech interventions
Data protection/ Information privacy law/ legal provisions
Public audit (open source -- client side and server side code, verifiable builds)
Independent auditor appointed in consultation with civil society
Audits for security and privacy
Judicial, legal, executive oversight
Interventions should be proportionate, purpose-limited, time-bound, and implemented with
transparency

17. Further reading
A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns
https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/
10 requirements for the evaluation of "Contact Tracing" apps
https://www.ccc.de/en/updates/2020/contact-tracing-requirements
Aarogya Setu: The story of a failure (technical analysis of the earliest versions of the app)
https://medium.com/@fs0c131y/aarogya-setu-the-story-of-a-failure-3a190a18e34
Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one
million
https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-
flaw/

18. Further reading (contd.)
White paper on DP3T
https://github.com/DP-3T/documents/blob/master/DP3T%20White%20Paper.pdf
The Price of Covid Freedom May Be Eternal Spying
https://www.bloomberg.com/opinion/articles/2020-05-10/coronavirus-contact-tracing-apps-me
an-spying-end-to-data-privacy
John Snow’s mapping of cholera outbreaks, 1854
https://www.ph.ucla.edu/epi/snow/mapsbroadstreet.html