Emergency Surveillance During COVID-19 Crisis

Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in the US and other countries. With that in mind, the EFF has some good thinking on how to balance public safety with civil liberties:

Thus, any data collection and digital monitoring of potential carriers of COVID-19 should take into consideration and commit to these principles:

  • Privacy intrusions must be necessary and proportionate. A program that collects, en masse, identifiable information about people must be scientifically justified and deemed necessary by public health experts for the purpose of containment. And that data processing must be proportionate to the need. For example, maintenance of 10 years of travel history of all people would not be proportionate to the need to contain a disease like COVID-19, which has a two-week incubation period.

  • Data collection based on science, not bias. Given the global scope of communicable diseases, there is historical precedent for improper government containment efforts driven by bias based on nationality, ethnicity, religion, and race­ -- rather than facts about a particular individual's actual likelihood of contracting the virus, such as their travel history or contact with potentially infected people. Today, we must ensure that any automated data systems used to contain COVID-19 do not erroneously identify members of specific demographic groups as particularly susceptible to infection.

  • Expiration. As in other major emergencies in the past, there is a hazard that the data surveillance infrastructure we build to contain COVID-19 may long outlive the crisis it was intended to address. The government and its corporate cooperators must roll back any invasive programs created in the name of public health after crisis has been contained.

  • Transparency. Any government use of "big data" to track virus spread must be clearly and quickly explained to the public. This includes publication of detailed information about the information being gathered, the retention period for the information, the tools used to process that information, the ways these tools guide public health decisions, and whether these tools have had any positive or negative outcomes.

  • Due Process. If the government seeks to limit a person's rights based on this "big data" surveillance (for example, to quarantine them based on the system's conclusions about their relationships or travel), then the person must have the opportunity to timely and fairly challenge these conclusions and limits.

Posted on March 20, 2020 at 6:25 AM • 47 Comments

Comments

DenMarch 20, 2020 7:18 AM

Russia does the same as China and Iran. They reported use of such cameras to track down individuals who escaped quarantine facility near Moscow.

Name (required):March 20, 2020 8:08 AM

The principles are good however will not be followed unless explicitly enforced.

CuriousMarch 20, 2020 8:25 AM

Btw, I saw today on the internet on twitter, a reference to the phrase "due legal process", in a UK context.

One might think of that other phrase here as making good sense, but I suspect that the inclusion of 'legal' into the phrase 'due process' is troublesome, if possibly ending up having two different meanings/interpretations.

The troublesome part here, I imagine could be the sensible difference between thinking of 'anything legal' as being "due", and 'a process' being "due". Bascially, one meaning being about something to be 'actual' inside a law enforcement context, and the other meaning being 'fair' or 'reasonable' outside a law enforcement context. Potentially two wildly different interpretations muddled together into a phrase. In this sense, I would argue that it makes good sense to think that there ought to be a difference in meaning between the idea of 'justice' and 'law enforcement' in any context where something is thought of as being "due", so as to avoid hiding special interests, or unfair bias, or law enforcement as abuse.

Ofc, it is entirely possible that in the UK, 'due legal process' is a typical phrase traditionally having the same meaning as 'due process', and then I guess the phrase 'due legal process' has maybe always been troublesome, or maybe that the phrase is just synonymous to the other phrase 'due process'.

AdamMarch 20, 2020 9:10 AM

It was really good to see the justice minister here in South Africa take part in the last announcement of emergency measures, being quite clear about constitutional standing and committing to ensuring measure follow the law. Quite how that committment will play out, however, is still to be seen... but the words were right.

Clive RobinsonMarch 20, 2020 9:33 AM

@ Bruce,

You forgot to add South Korea to the list.

They have had some unintentional problems of "outing" certain relationships etc due to web sites mapping movments,

https://www.oann.com/mapping-coronavirus-south-koreans-turn-to-online-tracking-as-cases-surge/

Then of course there is Australia,

https://www.abc.net.au/news/2020-02-06/phone-tracking-follows-movements-of-couple-with-coronavirus/11935912

Then there is Taiwan,

https://globalnews.ca/news/6642722/taiwan-cellphone-tracking-data-contain-covid-19/

Which also brings up what I have suspect about Canada as well but whilst privately sourced info suggests it is going on, I've found little or no public info.

Thus I would assume any country that can use existing surveillance records, will end up doing so once the numbers get large enough or close enough to politicians to "look the other way" in the name of the "greater good".

If it is for the greater good of course depends on your position with regards "rights" on the line between "Individual-&-Society".

It's a complex issue because we know that "society" as we currently know it in the West / First world very much depends on "individual privacy" and to loose that we would loose the society we have currently. Yet society also has not just "obligations" to individuals it also has certain "rights" as well which puts obligations on the individual. It has been said that "Any crime no matter how small is a crime against society" therefore there can be no "victim less crime". However most would agree on reflection that many towards the top of hierarchical structures commit crimes against society all the time and never get sanctioned for their actions.

Perhaps people should go back and look at both sides of the history of the Irish cook Mary Mallon, who became known as "Typhoid Mary",

https://en.wikipedia.org/wiki/Typhoid_Mary

The story of her life and how she felt persecuted and her fate and the legislation that came about might give food for thought.

ConvexityMarch 20, 2020 9:48 AM

Seems relevant to share this this.

Some excerpts:

- The TraceTogether app, which was developed by the Government Technology Agency (GovTech) in collaboration with MOH over the past eight weeks, can be downloaded by anyone with a Singapore mobile number and a Bluetooth-enabled smartphone.

- After giving consent during the set-up of the app, users will need to turn on their Bluetooth, as well as enable push notifications and location permissions.

- The app works by exchanging short-distance Bluetooth signals between phones to detect other users of the app who are in close proximity. Current MOH guidelines define close proximity as two metres apart, or up to five metres, for 30 minutes.

- Records of these encounters will be stored locally in the users’ phones and will not be sent to the authorities.

- The app also has several layers of security and privacy safeguards in place. For example, users will submit only their mobile numbers after downloading the app. Each phone will then be assigned a user ID. This user ID is then used to generate temporary IDs at regular intervals. It is this temporary ID that is exchanged between the phones of TraceTogether users. Such regular generation of temporary IDs protect users from eavesdropping and tracking overtime by malicious actors, according to GovTech.

Very interesting!

myliitMarch 20, 2020 10:02 AM

@Den

“ Russia does the same as China and Iran ...”

From Gessen, https://www.newyorker.com/news/our-columnists/the-coronavirus-and-the-kursk-submarine-disaster

“When we face catastrophe, our minds look for points of comparison. Recently, people have talked and written about world wars, the Spanish flu, the plague, and the Great Depression. I have written about terror. Each of these parallels sheds some light on our current predicament. Here is one more: often, these days, I think of a submarine.

In August, 2000, the Kursk, a giant nuclear submarine, went out to sea off the coast of Murmansk with an undertrained crew and a load of torpedoes that were past their expiration date....

There is no direct parallel between the coronavirus pandemic and the Kursk submarine, but, as sometimes happens with President Donald Trump and Putin, there is a similarity of spirit. Both Presidents stayed silent when they should have been speaking. (Putin vacationed; Trump golfed.) Both offered false hope and accepted no responsibility. Both blamed other countries (Russia briefly embraced the theory that an American submarine had collided with the Kursk), and both blamed their predecessors for destroying a system that should have saved people. ...”

Clive RobinsonMarch 20, 2020 10:33 AM

@ Convexity,

This user ID is then used to generate temporary IDs at regular intervals. It is this temporary ID that is exchanged between the phones of TraceTogether users. Such regular generation of temporary IDs protect users from eavesdropping and tracking overtime by malicious actors, according to GovTech.

Then GovTech either do not know what they are talking about or are deliberatly lying to people.

To see why treat it as a crypto system.

1, The UserID is a very weak "master key".

2, The TemporaryID is generated by a weak PRNG.

3, To prevent TempID collisions the PRNG is broken into "ranges" that each user gets a unique range.

In essence the PRNG is a counter driving a mapping function to derive a one to one relationship from input to output (very weak crypto function). The key to this function is known to the authorities (and is also probably easily calculated). The UserID is the start position for the counter used to generate the range of numbers used for the TempID.

Even if this process was designed to be secure in of it's selfe, it's not secure as part of an overall system.

Because the mobile phone operators know where your phone is to within a few meters they also know it's network number and hardware number, and the precise time the phone uses. Thus they also will probably know thr exact time your mobile sends out it's Bluetooth broadcast.

It does not take a rocket scientist to do traffic analysis on such a system, and as "the traffic is the message" all would be revealed by this.

As I've mentioned before, I was involved with the design of a system to track mobile phones to give physical flows of vehicle and pedestrian traffic and optionally those on public transport. One of the original requirments was for "anonymous temporary ID's". When you look into the problem actually trying to track movment requires certain characteristics for the temporary IDs and even the most minimum of those alows for full traffic analysis to be carried out thus users de-anonymised totally...

Ross SniderMarch 20, 2020 11:32 AM

I usually agree with the EFF, but I don't think I agree in this case. I think surveillance and big data must be opt-in and opt-out.

National Security folks definitely think of their work as both public safety and national emergency. When applying the criteria they'd look at it and say the following.

Privacy intrusions must be necessary and proportionate: "for signals intelligence, counterintelligence, domestic surveillance and propaganda we really do need these records, and it is proportionate to the risk."

Data collection based on science, not bias: "we collect on everyone - and have special records collection open for people of interest defined by a FISA court process which systematically prevents bias and ensures a legal basis."

Expiration: "we will expire any data collection surveillance programs when they are no longer needed. However, if the data is useful for dealing with a comparable crisis or national priority, we retain the right to continue the programs for those comparable purposes."

Transparency: "We can't actually publish these fully publicly, but our legal system allows us to brief the people chairing the House Intelligence Committee, and since those people represent the American Public, it's legally the same thing without the risk of operational risk."

Due Process: "The FISA Court system and chain of command provides a consistent legal basis through which cases are examined on their basis by an set of court judges."

I'm not making these arguments with my own urgency, merely trying to extrapolate and publish how mass surveillance and propaganda targeted domestically at American citizens is ALREADY argued against these principals.

RealFakeNewsMarch 20, 2020 11:56 AM

I'm mixed on this topic.

* I don't think it should be done, ever, as it is a breach of trust between the individual and the State, even if the individual knows or suspects a State of doing this, or it's just plain possible to do by a rogue State.

* I agree with it, because people are idiots and will not act rationally to protect themselves or others in such a situation.

I've lost count of those who say it's merely a cold or the flu (SARS is neither).

Just look at how hoarders have been allowed to empty the supermarkets world-wide out of selfish greed (I do consider it to be a form of panic-induced insanity manifesting as irrational hoarding behavior).

If ever there was evidence of a self-fulfilling prophecy, that is it.

The worst part is Governments seem (so far) uninterested in stopping it. One questions why. In the UK, I think it is a lack of man-power (Police) to do anything significant without causing riots that can't be stopped.

Society is on a knife-edge.

It's also interesting to note that the rich, liberal democracies are the countries suffering the most (both in terms of disobedience and effects from the virus).

Media-induced mass-panic?

Decades of research to be had here on human psychology and behavior.

ALMarch 20, 2020 12:47 PM

With the lack of testing in this country, I just don't see it happening here. And remember, there is not just "the" test, there is the one that is ballyhooed, and that is the diagnostic test, and then there is the test to see if an antibody is present. That would mean one got the virus and recovered, and are now immune.

I think I got it, recovered and am immune, but that requires the antibody test. And that's a cheaper test. As this carries on, there are going to be increasing number of people who get it, with mild symptoms, recovered and will have the antibody.

And apparently, there is immunity. They now think that people who were reported reinfected never recovered from the initial infection. China's new rate of infections are down as the "herd" immunity takes hold.

vas pupMarch 20, 2020 2:44 PM

Coronavirus: Robots use light beams to zap hospital viruses
https://www.bbc.com/news/business-51914722

"Please leave the room, close the door and start a disinfection," says a voice from the robot.

"It says it in Chinese as well now," Simon Ellison, vice president of UVD Robots, tells me as he demonstrates the machine.

Through a glass window we watch as the self-driving machine navigates a mock-hospital room, where it kills microbes with a zap of ultraviolet light.

Production has been accelerated and it now takes less than a day to make one robot at their facility in Odense, Denmark's third largest city and home to a growing robotics hub.

Glowing like light sabres, eight bulbs emit concentrated UV-C ultraviolet light. This destroys bacteria, viruses and other harmful microbes by damaging their DNA and RNA, so they can't multiply.

The robot was launched in early 2019, following six years of collaboration between parent firm, Blue Ocean Robotics and Odense University Hospital where Prof Kolmos has overseen infection control.

Costing $67,000 (£53,370) each, the robot was designed to reduce the likelihood of hospital-acquired infections (HAIs) which can be costly to treat and cause loss of life.

While there's been no specific testing to prove the robot's effectiveness against coronavirus, Mr Nielsen is confident it works.

"Coronavirus is very similar to other viruses like Mers and Sars. And we know that they are being killed by UV-C light," he says.

To be fully effective, UV needs to fall directly on a surface. If light waves are blocked by dirt or obstacles, such shadow areas won't be disinfected. Therefore manual cleaning is needed first.

UV light has been used for decades in water and air purification, and used in laboratories.

But combining them with autonomous robots is a recent development.

American firm Xenex has LightStrike, which has to be manually put in place, and delivers high-intensity UV light from a U-shaped bulb.

The company has seen a surge in orders from Italy, Japan, Thailand and South Korea.

Xenex says numerous studies show that it's effective at reducing hospital-acquired infections and combating so-called superbugs. In 2014, one Texan hospital used it in the clean-up after an Ebola case.

More than 500 healthcare facilities, mostly in the US, have the machine. In California and Nebraska, it has already been put to use sanitizing hospital rooms where coronavirus patients received treatment, the manufacturer says."

Question: Can POTUS using DPA powers force Xenex to produce such machines for US facility only until pandemic in US finished?


La AbejaMarch 20, 2020 4:15 PM

Privacy intrusions must be necessary and proportionate.

A program that collects, en masse, identifiable information about people must be scientifically justified and deemed necessary by public health experts for the purpose of containment. And that data processing must be proportionate to the need.

  1. Government busybodies with nothing better are always invading our privacy no matter what.
  2. They always have "experts" of the correct political persuasion to push the paperwork and scientific justification for everything they do.
  3. We the people are the problem in their eyes.
  4. They are always working to "contain" us, i.e., to restrict, hinder, micromanage and regulate everything we have permission from them to do in this life.
  5. Their "proportionate need" is always bulging out the front of their pants like so many peeping toms and gentlemen on the make.

My main point being, that it is altogether impossible to reason with EFF or other Big Government minded people. I cannot tell if the concessions they make on our behalf are intended to be sarcastic, or only to cultivate an even bigger government with an expanded social welfare state to impose even more severe crackdowns and punitive social controls upon us than those we have progressively experienced since our devastating loss in the Vietnam War, the treason of JFK and LBJ, Title IX, the Gun Control Act of 1968, and the 9/11 PATRIOT Act.

And now Coronavirus. Yet more "temporary" emergency measures that will be made permanent in order to please those already drunken with so much absolute power over our lives.

JonKnowsNothingMarch 20, 2020 4:24 PM

@vas pup
re:

Question: Can POTUS using DPA powers force Xenex to produce such machines for US facility only until pandemic in US finished?

disclaimer: I am not a lawyer and I don't play one on TV...

The USGov has a large number of legal methods to constrain or mandate civilian enterprises and activities.

The easiest path I think would be to declare the item part of our National Security(like weapons) or a Critical Resource(like oil). This opens a huge chasm of options. Export regulations can then be applied to get the desired results.

Most of the details are wrangling over the payment for the goods, rather than their final destination.

myliitMarch 21, 2020 6:32 PM

@steve

+1

“ There's nothing more permanent than a temporary measure. ...”. or see disaster capitalism, Coronavirus capitalism, Dick cheney stuff sitting on the shelf to start a war, invade Iraq, etc., or the like ...

gordoMarch 21, 2020 7:19 PM

Anti-infection paradigms or phases: containment, mitigation, and lockdown.

As one phase informs the next . . . and back again . . . wash, rinse, repeat (in a good way), etc., ... (?)

Containment phase data suggests the most efficacious use of personal data collection, that is, if testing is both available and started early enough in an infection cycle for contact tracing.

Mitigation phase data suggests infection data collection usage at a higher, less personal level, i.e., infection scale across geographic communities to inform health-policy edicts. Though a distinction between mitigation and suppression has been made by the Imperial College COVID-19 Response Team[1], data usage appears similar to that used under mitigation regimes.

Lockdown phase data suggests infection data collection usage at the highest, least personal level for determining when lockdowns can be lifted.

Depending upon the society and its experience with prior epidemics or lack thereof, enforcement needs will vary.

It may also go without saying, but one would hope that the better the data collection the better the modeling and the better the policies.

Open to correction, on any of the above.

What It Means to Contain and Mitigate the Coronavirus
By Robert P. Baird, The New Yorker, March 11, 2020

At the community level, epidemiologists tend to speak of two different paradigms to limit both the extent and the rate of infection. The first, known as containment, is used at the start of an outbreak. It involves tracking the dissemination of a disease within a community, and then using isolation and individual quarantines to keep people who have been infected by or exposed to the disease from spreading it. According to Caitlin Rivers, an epidemiologist at Johns Hopkins, “the reason that we want to find those people early is so that we can make sure that they stay out of circulation in the community and also to make sure that they get the care that they need as soon as they need it.”


[ . . . ]

Rosalind Eggo, along with a team of researchers at the London School of Hygiene & Tropical Medicine, where she works on epidemiological modeling, created a mathematical model to predict the spread of covid-19. She told me that to halt the spread of an outbreak that started with twenty infected people would likely require public-health authorities in a community to trace the contacts of anywhere from forty to a hundred people per week, with a better than eighty per cent success rate. Contact tracing is time-intensive work: the European Centre for Disease Prevention and Control, the European Union’s equivalent of the C.D.C., estimated that it would take about a hundred person-hours of work to trace the contacts of each confirmed case of the covid-19. But if done quickly, and at the proper scale, the method can be effective. Containment, coupled with school closings and some other so-called social-distancing strategies, appears to have limited the spread of covid-19 in Hong Kong and Singapore. But those countries started their efforts while the outbreak was still in its infancy. “If you act early enough, you can stay in the containment phase,” Jeremy Konyndyk, a senior policy fellow at the Center for Global Development, who helped lead the Obama Administration’s response to the Ebola outbreak in 2014, told me. “You still face the threat of reintroductions from abroad, so containment is ongoing, but it saves the most lives, preserves your health system, and ultimately, in the long run, it nets out to the lowest amount of disruption. But you have to choose that disruption early to get that outcome.”

[ . . . ]

In communities where a local outbreak gets out of control, Rivers says, “there comes a tipping point in epidemics where you’re finding a lot more people who are unlinked” to known cases. “That’s a sign that contact tracing is not scaling appropriately.” Though public-health authorities may continue to trace contacts after community spread has begun—in order, for instance, to better understand the particular features of how a disease spreads—epidemiologists generally recommend incorporating the mitigation paradigm. In practical terms, this means redeploying public-health workers away from contact tracing and disease surveillance and towards efforts with a broader reach, including working with schools to determine when to close and when to reopen, with businesses to protect their employees and their customers, and with hospitals to prepare for a surge of new patients. Communities typically implement so-called social-distancing measures as well, such as cancelling conferences, sporting events, and other large gatherings. This has already occurred in Seattle, where gatherings larger than two hundred and fifty people have been banned and where, starting tomorrow, the public schools will be closed for two weeks. “Mitigation starts with the idea that we will probably not drive transmission to zero,” Rivers said. “So then we start thinking about what we can do to prepare our hospitals and communities to reduce transmission.”

[ . . . ]

The Chinese and Italian experiences with covid-19 suggest that the two major epidemiological response paradigms may soon be joined by a third: lockdown. Whether such a measure would be feasible in the United States depends on a host of unresolved medical, economic, and legal questions. Konyndyk, for his part, believes that at least one American city will likely face the sort of crippling surge in cases that caused Italy, on Wednesday, to tighten its national lockdown even further.

https://www.newyorker.com/news/news-desk/what-it-means-to-contain-and-mitigate-the-coronavirus

---

[1] Given the distinction made between mitigation and suppression, see also:

Impact of non-pharmaceutical interventions (NPIs) to reduce COVID19 mortality and healthcare demand
Imperial College COVID-19 Response Team, 16 March 2020

Two fundamental strategies are possible: (a) mitigation, which focuses on slowing but not necessarily stopping epidemic spread – reducing peak healthcare demand while protecting those most at risk of severe disease from infection, and (b) suppression, which aims to reverse epidemic growth, reducing case numbers to low levels and maintaining that situation indefinitely. Each policy has major challenges. We find that that optimal mitigation policies (combining home isolation of suspect cases, home quarantine of those living in the same household as suspect cases, and social distancing of the elderly and others at most risk of severe disease) might reduce peak healthcare demand by 2/3 and deaths by half. However, the resulting mitigated epidemic would still likely result in hundreds of thousands of deaths and health systems (most notably intensive care units) being overwhelmed many times over. For countries able to achieve it, this leaves suppression as the preferred policy option.


[ . . . ]

Last, while experience in China and now South Korea show that suppression is possible in the short term, it remains to be seen whether it is possible long-term, and whether the social and economic costs of the interventions adopted thus far can be reduced.

https://www.imperial.ac.uk/media/imperial-college/medicine/sph/ide/gida-fellowships/Imperial-College-COVID19-NPI-modelling-16-03-2020.pdf

That Imperial coronavirus report, in detail
https://ftalphaville.ft.com/2020/03/17/1584439125000/That-Imperial-coronavirus-report--in-detail-/

Clive RobinsonMarch 22, 2020 6:56 AM

@ gordo,

The report say's more or less what my numbers do when you use the shorter infectious period they do and the less liberal contact periods.

Importantly is the norion of "waves of infection" bassed on two assumptions,

1, The disease is not compleatly eradicated from the general population.

2, That there will be infection comming in from outside the general population.

Whilst it is hard to deal with the first, the second is easier. However you have to ask the economic cost of turning points of entry into two zones with an issolation gap and also not alowing people in or out of the country. That is National Issolation with extensive decontamination and exclusion of certain goods like all frozen and some fresh goods that can not be effectively iradiated with as a minimum UV-C for a sufficient period of time.

As for getting R0 down to zero, it is possible without waves of infection provided you ensure there is no reservoir of infection from which a new wave of infection can start. Which could be economically expensive in the short term, but probably less so than repeated waves of infection.

Thus the optimal stratagy would be a long period of suppression after the initial infection wave then drop to heavey handed containment with full contact tracing. This would mean being on a "War Time Footing" for atleast a year after a vaccine becomes available which would start with every school child and those at risk such as those over 50 years old and work towards the middle.

There is of course the problem of "compulsion" every thing we put in our bodies carries risk, the air we breath, the water we drink, the food we eat and any drugs legal or otherwise. Some will argue that having a needle of what they call "poisons" stuck in your arm is not a right society should have over them... The obvious answer is that if they don't want to participate in the responsability of being in society then they should be removed from society untill they do. We know there are two ways to do this, the first is based on their right to remain in the country, the second is to use incarceration. Previous attempts to do either of these has not worked very well in the UK.

However the UK has in the past had a successful quarantine against Rabies from Continental Europe and other places. This was by general "livestock and pet exclusion" and expensive quarantine for exceptions. In more recent years "chipped pets etc" have been allowed. As this is a "proven model" of infection control I suspect it will not be long before somebody in the media will suggest it.

Whilst some people do accept the need for rabies control and thus chipping others do not. Thus the question arises as to if people are going to accept being chipped?

However unlike for pets, the chips in humans will need not just full tracability but also tied uniquely to an individual which would in effect involve every person having their physical description encoded into the chip just as we do with modern passports. However unlike passports that expire every few years thus image and other details get updated, near unique identification for longer periods would require things like finger prints and retinal scans along with DNA encoded into the chip...

Something tells me very few people in the West would countenance such draconian measures, but I'm sure there are many lets call them "senior civil service" types or if you prefer "authoritarian followers" who would be overjoyed if not ecstatic about such an idea becoming reality, thus would gladly use any "emergancy" as an excuse to push forward such an idea (we saw similar in the UK with the now failed "Universal Benifit Card").

gordoMarch 22, 2020 9:13 AM

@ Clive Robinson,

Something tells me very few people in the West would countenance such draconian measures

It remains to be seen if human chipping would be practiced anywhere on a societal scale which leaves us with this thread's concerns and the use of seemingly friendlier phone apps and other communications infrastructure to achieve some measure of the same. A couple of more articles from this past week:

https://futurism.com/coronavirus-app-mit-safe-paths

https://www.nytimes.com/2020/03/19/us/coronavirus-location-tracking.html

We then run into knock-on effects like this:

https://qz.com/1822127/encryption-app-to-avoid-coronavirus-censorship-removed-by-apple-in-china/

Clive RobinsonMarch 22, 2020 12:01 PM

@ gordo,

the use of seemingly friendlier phone apps and other communications infrastructure to achieve some measure of the same.

Maybe I'm less charitable than others but in the UK the authorities and powers that be have quite wilfully and often illegaly grabbed what ever data they could. And certainly in the case of health care data saw absolutly no issue with selling peoples very private medical information to anyone. Their claims of "but it's anonymized" have repeatedly been shown to be insufficient for any real anonymity, just simple cross referencing with other easily available data bases stripped it off almost entirely.

As far as I am concerned there is an adverserial relationship between the UK Government and me over my personal and private data, and I have absolutly no desire to acquiesce to any of their "data grabs". It's why amongst other reasons I "pay in cash" and for other reasons follow a very ridgid protocol for taking money out of the bank in essence same amount same day same time same cashier if she is available.

As far as I can see there is absolutly no difference between being a person under suspicion of committing a crime out on bail or a convicted criminal on parol that is required to wear a GPS monitor and the Government requiring phone companies to store my location data. I am not a criminal and I see no reason why the government should treat me as one.

Worse as somebody else has noted "there is nothing so permanent as temporary", data once stored comes up for grabs by all comers months or years after the reason for "temporary" has gone away.

There is a perversion running amongst certain people that "all data is money to be made" irrespective of under what conditions it was collected. These people are not just perverted but sick in the head in ways that most of us can not comprehend. They and those that work for them directly, indirectly or even unknowingly can not in any way shape or form be trusted.

For example Google went to great lengths to encrypt users data between them and Google. Only to discover that the US Government quite illegaly tapped the data feeds of Googles private network between Google sites. We can make any number of assumptions about why the US Goverment did this and how much Google was involved. Either way the users data had been "hoovered up" and is now presumably tucked away "un collected" in that hole in the ground in Utah.

The point is any private or personal data you let out of your control is nolonger yours and somebody somewhere in their unhealthy / depraved minds sees profit in it. The problem with this is the people who would give them the most profit are those that you would least want having access to your personal or private data because they are the ones most likely to intend to or cause you actual harm in some way.

gordoMarch 23, 2020 12:02 AM

@ Clive Robinson,

Without the collection of personal data, contact tracing and all that would otherwise follow from it is, if not useless, then a mere "best guess". That's rather fallen apart.

Yes, we've been atomized into micro-targeted, data-extraction points by profit-driven actors not working in the public interest who will try to have it both ways. That's the hard part.

Emergency preparedness says we have community based contact tracing phone bank/outreach teams and both fixed and mobile tactical field units armed with test kits, stat. That should have been the easy part.

Given the disarray, the second point is made even harder.

gordoMarch 23, 2020 11:28 AM

From the preceding EFF link [emphasis added]:

Health privacy laws

The United States has no universal information privacy law that’s comparable, for instance, to the EU Data Protection Directive. The laws that exist are sector-specific and vary considerably. The baseline law for health information is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA offers some rights to patients, but it is severely limited because it only applies to an entity if it is what the law considers to be either a "covered entity"—namely: a health care provider, health plan, or health care clearinghouse—or a relevant business associate (BA). This means HIPAA doesn't apply to many entities who may receive medical information, such as an app on your cell phone or a genetic testing service like 23andme.

Realistically, HIPAA is a disclosure regulation law, not a privacy law: It regulates how your health information may be disclosed, both with and without your consent. No consent is necessary for treatment, payment, or health care operations. For example, your doctor can consult with another doctor about your latest injury without getting your consent because that’s part of treating your injury.

Individual medical information can also be disclosed without your consent for public health reporting, to assist law enforcement, and for judicial and administrative purposes, or to determine your eligibility for benefits and services. It can also be disclosed in ways you can’t find out about for national security purposes.

States can also protect medical privacy. As federal law, HIPAA establishes a national "floor," but allows states to have stronger patient privacy protections. California law in some areas is stronger than HIPAA.

name.withheld.for.obvious.reasonsMarch 23, 2020 7:12 PM

How about an open source project;

Global Pandemic Public Response Doctrine/Manifesto; (don't like the words, suggesting?);
Strategy and Implementation Framework >

I can think of three or four high level documents that could leverage existing work in drafting a definitive response to this type of public health crisis. It is obvious that government is failing as an arbiter of the people so maybe it is time to wrestle this turkey to the ground (as other incidents will likely occur).

It is the public that is paying the price for this lack of competent and cogent response that includes some level of cognizant thinking. Critiques are easy, let us move beyond the bull that is too easy to watch and put the sycophants out of a job. We have to assume that our public officials are compromised, to the degree that they are a direct danger to the public. It is not the public that is at odds with their (hoping for a better word) leaders, it is they that are at odds with the public.

Maybe it is time to meet with a new political theory as well. Democracy fails to scale well and other political structures are all too fragile (as we see with the representative form of republican democracy). Direct democracy is too great a leap without a broad informative and educational social institution(s) to underpin it. But, it should be part of a framework designed to achieve it. The United States form of constitutional government is not structured to achieve a result that includes direct participation.

name.withheld.for.obvious.reasonsMarch 23, 2020 7:23 PM

The people that benefit the most from modern society rely on individuals, that is you and me, to get things done for them. They cannot prepare their meals, fabricate the materials for clothing, found steel and brass, or crystallize lattices of semiconductor wafers...let alone grow their own food. Concerns of the productive, professional, and working classes hold it in their power to demand from the 1% of 1%, not the other way round.

All the current surveillance shenanigans and the blatant abuse of civil liberties must be addressed prior to any allowance for medical surveillance. It has been this never ending, "Oh we will let that provision or statute expire." only to have it codified in some other law in other legislation. Personally, the government should give up the illusion that our rule of law operates as anything near a democratic republic. It is a technocratic crypto-fascism corporatist lobbying and management concern.

name.withheld.for.obvious.reasonsMarch 24, 2020 12:19 AM

Understanding the thinking of the people within the administration of the U.S., it is apparent that the current bifurcation in thinking could be tactical to a sicken degreee.

Moving from dismissal to transmissive containment and restrictive population movements, later to retreat to all is normal may have a sinister underlying strategic plan. (And this does not go to what would be a possible profit motive.)

HYPOTHETICAL SCENARIO (one population, two groups, one arbiter)
A large population, say the United States, a significant group (~80%) reaches a consensus where there is a shared risk to the entire population, makes a call to action. Lets call this group that is concerned and action is required and necessary, CARN-A.

The smaller group, ~20% of the population, dismisses and ignores the largely held risk specified by CARN-A and really doesn't give a soapstone, lets name that group DGAS-B.

Let us also assume that a arbiter for the entire population, named DNW, is coordinating the actions for the population, meaning both groups CARN-A and DGAS-B.

Initially DNW is indifferent to the two groups and any information that concerns CARN-A asserts and dismisses the group. DNW also does little to express any basis for CARN-A concerns to group
DGAS-B.

After a period of time and a realisation that the concern of CARN-A appears to be largely factual, DNW aligns with this group and infers that group DGAS-B go along with the program.

Still reluctant, DGAS-B receives the memo from DNW and appears to be cooperating. DNW, seeing the opportunity to bifurcate the two groups in a dramatic way, DNW now acts to convince DGAS-B that the CARN-A concern is largely unimportant.

Group DGAS-B now sees the actions, still being carried out by CARN-A, as hostile to their newly aligned position called out by DNW. A crisis now occurs wherein group DGAS-B is weaponized against CARN-A.

This means that not only has group DGAS-B weaponized, the concerns of CARN-A are weaponized. DNW can use DGAS-B to attack CARN-A, and, use the concern of CARN-A to attack
DGAS-B.

Game over, only DNW remains.

name.withheld.for.obvious.reasonsMarch 24, 2020 2:12 PM

I wonder if the 1,400 dead nurses and physicians in Wuhan (having masks and basic PPE) have anything to tell us. Maybe the current 40,000 in full hazmat gear suggest a way to deal with the issue with handling nano-sized challenges.

JoshMarch 25, 2020 4:09 AM

@Clive Robinson,

This is when one ask whether technology is construed to benefit the good of humanity. A mass surveillance tech properly deployed can no doubt help in this crisis situation. We've already seen Communist China apply their surveillance tech to combat the virus successfully. It remains to be seen whether the US of A will fall behind in this regard.

Clive RobinsonMarch 25, 2020 6:37 AM

@ Josh,

This is when one ask whether technology is construed to benefit the good of humanity

Technology is always designed "to be useful" in some way.

It's why I say "Technology is agnostic to use" and that "It's the directing mind" you should look to.

Even "atom bombs have uses outside of warfare", and many modern medicines are poisons some are even designed to kill such as chemotherapy drugs, the trick being that they kill more cancer cells than they do other cells. Another is the drug "digoxin" derived from the poison of the foxglove plant digitalis, it keeps an astounding number of people with certain heart conditions more or less normal than debilitated or dead.

The real problem with surveillance technology when used for "good" is that it almost aleays comes to the attention of a directing mind, that should never be given power of any kind[1]. Because they will come up with a series of reasonable sounding arguments to use the technology for what society would regard as "bad" if they took the time to "look behind the curtain" of those "reasonable arguments".

Worse their task is made easier by as others have poinyed out the old maxim of "There's nothing so permanent as temporary". That is something goes in for good reason like "thermal imagers" to remotely detect raised body temprature pulse rate and breathing. Sounds great and was used during SARS-1 to effectively contain the virus and make it extinct. The problem is changes in heart rate and breathing and to a lesser extent vasodilation are what are used by "lie detectors"...

So suddenly you have all this expensive thermal imaging equipment given to guard labour for a fairly rare potential pandemic. What do you do with that equipment afterwards, after all it is a considerable investment in resources... Society would want it put to good use... Which gives you the fundemental issue of "framing" what is "good use" and "bad use" which are human societal issues not technological issues as another old truism has it "a knife cuts both ways".

batmanMarch 26, 2020 6:20 AM

And USA is not that different from Russia or East Germany. Our public excuse for doing it may sound more noble but we have been doing it in this country for years before COVID-19.


The U.S. government is in active talks with Facebook, Google and a wide array of tech companies and health experts about how they can use location data gleaned from Americans’ phones to combat the novel coronavirus.

In recent interviews, Facebook executives said the U.S. government is particularly interested in understanding patterns of people’s movements, which can be derived through data the company collects from users who allow it.

Google also confirmed late Tuesday it had been in conversations with government officials, tech giants and health experts. The company says it is working on its own to tap its trove of location data, particularly any insights it can derive from its popular maps app.

https://www.washingtonpost.com/technology/2020/03/17/white-house-location-data-coronavirus/

gordoMarch 26, 2020 6:29 AM

The CDC would set up a coronavirus 'surveillance and data collection system' as part of the Senate's $2 trillion stimulus bill
Aaron Holmes, Mar 25, 2020

Of the funding allocated to the CDC, the bill sets aside at least $500 million for public health data surveillance and modernizing the analytics infrastructure. The CDC must report on the development of a "surveillance and data collection system" within the next 30 days. While it's not clear what form that surveillance system will take, the federal government has reportedly expressed interest in aggregating data that can be gleaned from tech platforms and smartphone use to monitor movement patterns.

https://www.businessinsider.com/cdc-coronavirus-surveillance-and-data-collection-stimulus-package-2020-3

Aggregated. Hmm. Everyone over 65 not at home? Everyone between 18 - 29 years old at the beach? Etc.

myliitMarch 26, 2020 7:15 AM

@Mr. Peed Off, or misc. popcorn eaters, or other

“ Never miss an opportunity to profit off a crisis.”

Regardless, if the crisis was manufactured or do to incompetence, or something like that, is it possible that Hanlon’s Razor:

Never attribute to malice that which is adequately explained by stupidity.[1]

may need to be updated or is not “Dummy Proof”?

Coronavirus has been discussed extensively on this and last weeks squid. Some of which may be OT to this thread. For example,

https://www.schneier.com/blog/archives/2020/03/friday_squid_bl_721.html#c6808206

https://www.schneier.com/blog/archives/2020/03/friday_squid_bl_721.html#c6808207

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor

gordoMarch 27, 2020 10:41 AM

The usual suspects . . .

https://www.economist.com/britain/2020/03/26/palantir-a-data-firm-loved-by-spooks-teams-up-with-britains-health-service

Palantir is working to pull NHS data into one of its two data platforms, Gotham and Foundry. There it can be cleaned and merged with other datasets, enhancing the ability of NHS administrators and the government to run analyses quickly. Palantir is working under the auspices of NHSX, the health service’s innovation arm. The firm is thought to have been drafted into the covid-19 response through Faculty, a small British artificial-intelligence (AI) company with connections to Downing Street. Faculty’s boss, Marc Warner, is the brother of Ben Warner, who became an adviser to the government on data science in December. Other American tech companies have also been drafted in to help the government’s response, among them Microsoft and Amazon, who provide cloud-computing services.

---

One would think that a higher level awareness of resource allocation and reserves would be fundamental to and ongoing in any functioning national health security system.

I suppose that budget austerity and privatization are not always a good mix with respect to health system statuses and outcomes, that is.

With the fraying infrastructures and otherwise successful failures of the private-public spheres or de-funded disaster relief regimes, what some call disaster capitalism, opportunities for renewed cooperation v2.0 are ripe for the picking.

Clive RobinsonMarch 27, 2020 2:14 PM

@ gordo,

To understand the NHS and the state it's in you have to understand Nurses and to a lesser extent Doctors and the very pi55 poor nature of the UK Government this century and before. There is a reason why there are thousands of ex nurses and doctors in the same way there are thousands of ex ambulance medics, firemen, policemen and other "paid from the central purse" workers including the armed forces.

Put simply the Government of what ever stripe has wanted to "sell of the family silver" to have a party for their friends, now that has gone they are getting rid of the faithfull servents to sell off the property so they can keep the party for their friends going.

The con is the so called "off books borrowing" of the "Public Private Finance Initiative" (PPFI that got shortened to PFI).

The idea was thought up in the so called "boom times" of the 1980's by a think tank and was rejected as "financial suicide" or "financialy irresponsible" by the Government of the time.

The best way to look at it is trust fraud with both sides of the trust knowingly commiting the fraud against the third party for whom the trust was set up, in this case it's the UK tax payers.

The Government has a duty of care with regards how much money it borrows and at what interest rate. It has to declare this borowing for all to see including those it borrows from. Thus there are limits to how much they can borrow without appearing to be financially irresponsible, and suffering penalties of various forms.

So what to do if you want to "spend spend spend" on building infrastructure etc as one PM did. Easy you set up a partnership and call it an investment. The private sector throws in a little money for the first few years in essence they pay for the building but get huge managment fees annualy and after thirty years they get not only the buildings but the land and everything else. So we the citizens pay three to four times what a mortgage --or bond-- to borrow the money and end up with increasing bills year after year and nothing at the end of it except a huge debt of ten to thirty times as much...

But the important thing as it's a partnership investment all the debt appears on the company books not the Government books so is fully tax deductable even though it's not actually the companies debt but the Government debt.

The result is whilst the Government figures look initialy good the real national debt has outstripped any way to repay it and maintain front line services. So when the "banking crisis" happened the Government got an excuse to slash front line service not just to the bone but clear through the marrow. Our front line services became "hollowed out" and with it any form of resiliance.

But it's not just staff shortages, we have equipment and medicine shortages and the lowest spare capacity in beds, ventilators and trained staff of any Western Nation.

Even at the best of times the UK has patients dying because they don't get a critical care bed in ICU. Instead they get shuffled into a side room on a ward to die... You might have wondered why I highlighted the "163" in critical condition, give you a guess as to how many ICU places there are in NHS England... Stage two which is to stop all operations and use "Post-op recovery" as a poor mans ICU using theater staff as ICU staff. I've been through "recovery" concious a few times, and trust me it's not a place you would want to be awake. Next on the list is "Resuscitation" in Accident and Emergancy where people with heart attacks or from major accidents would go... Which is why I mentioned there would be a significan increase in those non COVID-19 "other deaths". This is all Government Policy and has been for a number of decades... Oh and don't think this is unique to the UK NHS, where do you think the ideas came from, well across the Atlantic from those who want to turn the UK health Service into a new "business opportunity".

Oh and the unfunny laughter continues even in the UK Gov's panic measures. This "Nightingale Hosp" that is being set up at London's ExCell exhibition center, you hear will be staffed by military personnel and volunteers. Well on paper the Armed Forces have quite a few medical personnel... The reality is thay are "reserves" from the NHS so don't actually exist in reality...

But when you hear politicians talk about needing "ventilators" nobody asks the obvious question "what do you need to support the use of ventilators?". The answer is a very great deal, not just in highly qualified staff but special beds, monitoring equipment, automated drug systems in fact many many times the cost of the ventilator. Which in most cases is little more than a variable preasure pump that increases air preasure slightly to in effect push the fluid from the inflamation in the lungs back into the body so that gas exchange can still happen... If you ask a nurse what happens when a ventilator fails or is not available the response is "bag them" which means somebody stands there with manual bellows and does what the ventilator did... So I can guess what some of those volunteers will be doing...

gordoMarch 27, 2020 7:09 PM

@ Steve, Clive Robinson,

There's nothing more permanent than a temporary measure.

As quick and dirty as these data integrations will be, a key to their long term value lies in identifying those data sets whose integration should be maintained and those that should be sunset. The capability to ramp up surveillance from higher level baseline triggers should guide when and where to drill down into the more privacy-invasive feedback loops.

name.withheld.for.obvious.reasonsMarch 29, 2020 2:48 AM

Let's go the other way, Wolfram has some interesting research about the tails of the genome related to SARS-CoV-2. Interesting results with the data they currently have, looks like something that could use the open source MERS/SARS-CoV-2 repository. Also the comparative analysis with SARS from two mammalian viral wells is also edifying.

Initial analysis, this is just with the data that they have, is interesting but not quite illustrative of the truth. But that could be answered with better data...

Fingerprints left on the weapon at the scene?

Try Wolfram SARS-CoV-2 on the innertubes.

gordoMarch 29, 2020 9:26 AM

Government Tracking How People Move Around in Coronavirus Pandemic
Goal is to get location data in up to 500 U.S. cities to help plan response; privacy concerns call for ‘strong legal safeguards,’ activist says
By Byron Tau, The Wall Street Journal, Updated March 28

WASHINGTON—Government officials across the U.S. are using location data from millions of cellphones in a bid to better understand the movements of Americans during the coronavirus pandemic and how they may be affecting the spread of the disease.


The federal government, through the Centers for Disease Control and Prevention, and state and local governments have started to receive analyses about the presence and movement of people in certain areas of geographic interest drawn from cellphone data, people familiar with the matter said. The data comes from the mobile advertising industry rather than cellphone carriers.

The aim is to create a portal for federal, state and local officials that contains geolocation data in what could be as many as 500 cities across the U.S., one of the people said, to help plan the epidemic response.

[ . . . ]

Some companies in the U.S. location-data industry have made their data or analysis available for the public to see or made their raw data available for researchers or governments. San Francisco-based LotaData launched a public portal analyzing movement patterns within Italy that could help authorities plan for outbreaks and plans additional portals for Spain, California and New York. The company Unacast launched a public “social distancing scoreboard” that uses location data to evaluate localities on how well their population is doing at following stay-at-home orders.

[ . . . ]

The Centers for Disease Control and Prevention has started to get data through one project, dubbed the Covid-19 Mobility Data Network.[1]

[ . . . ]

Other state and local governments too have begun to commission their own studies and analyses from private companies. Foursquare Labs Inc., one of the largest location-data players, said it is in discussions with numerous state and local governments about use of its data.

Researchers and governments around the world have used a patchwork of authorities and tactics to collect mobile phone data—sometimes looking for voluntary compliance from either companies or individuals, and in other cases using laws meant for terrorism or other emergencies to collect vast amounts of data on citizens to combat the coronavirus threat.

[ . . . ]

In the U.S., so far, the data being used has largely been drawn from the advertising industry. The mobile marketing industry has billions of geographic data points on hundreds of millions of U.S. cell mobile devices—mostly drawn from applications that users have installed on their phones and allowed to track their location. Huge troves of this advertising data are available for sale.

The industry is largely unregulated under existing privacy laws because consumers have opted-in to tracking and because the data doesn’t contain names or addresses—each consumer is represented by an alphanumeric string.

[ . . . ]

There have been discussions about trying to obtain U.S. telecom data for this purpose, however the legality of such a move isn’t clear.

https://www.wsj.com/articles/government-tracking-how-people-move-around-in-coronavirus-pandemic-11585393202

[1] https://www.covid19mobility.org/

name.withheld.for.obvious.reasonsMarch 29, 2020 12:06 PM

Informative Anecdotal Testimony from Doctor at Ground Zero
Video available at https://www.youtube.com/watch?v=oyUHz62Uan8
----------------------------
Three waves of professional class staffing


  1. First wave unaware of viral challenge, many taken by exposure
  2. Second wave with inadequate supplies and no adequate containment process
  3. Full viral contagion environment

    • PPE replacements in 4/5 hour increments, such as masks
    • Two layer PPE including masks, three gloves
    • Goggles, face shield, and controlled containment environment

The reason for the hospitals, built from scratch, were to answer the lack of environmental controls in contemporary medical treatment environments. It was not because of overflow, it is to make the treatment environment commensurate with the threat. Local strategic inventory for responsive action. Doctor emphasizes remain claim, have the inventory, take rest. Testing, some three or more times negative but sometimes 6th or 8th time positive. Green zone patient are isolated from confirmed, confirmed separated from pre-case population. CT scans used to re-evaluate, sampling of every 48 hours per pre-screen.

For example, all medical personnel were near level 4 containment protocol with respect to PPE. Medical physical plant is layered, green to red with controlled entry. Doctors are deployed sequentially, from green to red with data collection key at each level. This is key for verifying immunological efficacy.

You, meaning all the western countries that are not planning a resolved approach will certainly see that their lack of clarity is going to spell something that cannot be located in the Oxford English Dictionary.

gordoApril 1, 2020 5:41 AM

@ name.withheld.for.obvious.reasons,

order of magnitude more coordinated than the U.S. system.

Sounds like coordination without resources or supplies gets one only so far, but any suggestion that Canada has been immune from privatization and austerity would be wrong.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.