 |
| By Katitza Rodriguez, Svea Windwehr, and Seth Schoen |
In their efforts to contain the spread of the
pandemic, governments around the world are rolling out body-worn devices
(“wearables”) to assist in fighting the virus. Some governments want a technological
silver bullet to solve the public health crisis. But many of the tools aimed at
solving problems come with a host of other problems that will undermine
the public health goals for which they are adopted, and create new unintended
consequences for privacy, association, and freedom of expression.
These electronic devices are usually worn on the
wrist or ankle. Their use can be mandated by the government or voluntary
(although users don’t always understand exactly what it is they’re being asked
to wear). We might tend to associate the idea of a “wearable” with either a
smartwatch or an ankle monitor, but governments are also using wrist-worn
“bracelets” for a broad range of different purposes amid the COVID-19 pandemic.
Wearables may use an electronic sensor to
collect health information from the wearer (by measuring vital signs) and act
as an early warning to identify likely COVID-19 patients before they show any
symptoms. They can also be used to detect or log people’s proximity to
one another (to enforce social distancing) or between a person’s bracelet and
that person’s own mobile phone or a stationary home beacon (to enforce
home quarantine).
For quarantine enforcement, the devices might
also use a GPS receiver to inform authorities of the wearer’s location. Some
use Bluetooth radio beacons to let authorities confirm when the wearer is
within range of a phone that itself is running a contact
tracing app (rather than leaving the phone at home and going
outside in violation of a health order). And some may be low-tech wristbands
that are no more than a piece of paper with a QR code, which authorities may
regularly ask the user to photograph with a mobile app (among other uses of
photo demands for quarantine enforcement).
Like other technologies deployed for
pandemic-related tasks, they vary along several dimensions, including whether
they are voluntary and/or under control of the user, and whether they are used
to surveil whether a person is doing what the state told them to do, or merely
to provide the user with health information to assist the user’s
decision-making. Some impose significant privacy risks. And, particularly
because of the haste with which they’ve been deployed, they also vary in terms
of their apparent suitability for their purpose.
Here, we will highlight a range of devices that different
governments are currently asking or telling people to put on their wrists or
ankles to fight the pandemic.
Early Warning System
to Identify COVID-19 Patients
In Liechtenstein,
the Principality is financially supporting a medical study called “COVI-GAPP”
by the Swiss medical testing firm Labormedizinisches
Zentrum Dr. Risch. In this voluntary trial,
2,200 persons (about 5% of tiny Liechtenstein’s population) are being given
“Ava”-brand bracelets to determine whether these wearables can identify
COVID-19 pre-symptomatic cases (i.e. before the patient shows any symptoms).
The bracelets, which were supplied by Swiss fertility
start-up Ava, are worn at night and record biometric data such as
movements, body temperature, blood flow, breath, and pulse rate. The clinical
trial will study the biometric data to see whether an algorithm can
spot indicators that a person might have developed COVID-19 symptoms—increased
temperature, shortness of breath and cough—even before patients notice these
themselves. Participation in the clinical trial is voluntary,
and the
collected data is pseudonymized.
Become an Activist
Post Patron for $1
per month at Patreon.
The collected data is still subject to Europe’s
General Data Protection Regulation (GDPR), which applies in Liechtenstein.
As a general rule, the processing of biometric data is strictly prohibited for
the purpose of uniquely identifying a person, unless the person gives explicit consent to
such processing. While the study is government-funded, the Principality stated
that it does not have access to the research data. We should be careful
not to lose sight of or take shortcuts on data protection principles for
biometric data, such as express consent, data minimization, transparency, and
security. Personal medical data gathered from wearables and machine learning
should be used in a way that patients can understand and agree to, and should
be deleted when it is no longer needed.
Workplace Monitoring
of Social Distancing
Many employers are showing interest in making
their staff wear electronic bracelets in the workplace, often to mitigate risks
by enforcing social distancing rules.
The port of Antwerp, Belgium, has started to
use wristbands to
enforce social distancing rules on the workfloor, requiring a
specific minimum distance between any two workers. The wearables,
supplied by the Dutch company Rombit, are equipped with Bluetooth and
ultra-wideband technology and give off warning signals when workers come within
a specified distance from each other.
But enforcing social distancing is not the only
functionality of the bracelet: as the wristbands are Bluetooth-enabled, they
also allow for contact tracing, with all personal data collected for that
purpose centrally stored at Rombit’s servers. As employers’ surveillance of
workers has become increasingly widespread,
records of worker-to-worker interactions could be abused for many purposes,
like union
busting. It can also be used for other purposes like surveilling
workers to reduce “unplanned downtime”.
While wearing tracking bracelets at the
workplace might not (yet) be mandatory in most places, it is more than
questionable whether workers—with their livelihoods at stake—can exercise real
choice when their employer tells them to strap it on. Under the GDPR,
consent can’t be freely given if there is a clear imbalance between the data
subject and the data controller. In other words, consent can’t be a valid legal
ground to process the data when the employee has no real choice, feels
compelled to consent, or will endure negative consequences if they do not
consent.
Wearable Device
Proximity Tracking
EFF is wary about mobile-based Bluetooth-based proximity tracking apps.
Now such automated tracking might be migrating from phone apps to wearable
devices. Reuters
reported that the Singaporean government is switching its centralized contact
tracing technology focus away from its existing TraceTogether
smartphone app (which uses Bluetooth to detect and log close
proximity of other smartphones). Instead, that nation will deploy a new
centralized TraceTogether Token standalone wearable device, which the
government plans to eventually distribute to all 5.7 million Singapore
residents. While the TraceTogether Token uses a broadly similar technology to
the TraceTogether app, it will
not rely on participants to own or carry a smartphone. Like the app,
the new token will trace proximity between users (not
location).
According to MobiHealth
News, only users who test positive for COVID will be told to hand
their wearable to the Ministry of Health in order to upload data to a
centralized server about who they have been in contact with. EFF objects to
such centralized approaches
to automated contact tracing, whether by means of a phone app or a wearable
device. Further details about how the Singaporean device will work are
scarce. Press reports did not initially confirm if the wearable tokens will
interoperate with the mobile TraceTogether app. If they do, which seems likely,
the government will continue to collect a great deal of sensitive data about
interpersonal associations, and regularly upload that information to a
centralized government server.
The centralized TraceTogether mobile app
collects data that links device IDs to real contact information like phone
numbers, which means the government can use it to determine which individuals
have come into contact with one another. This makes TraceTogether app
incompatible with decentralized exposure notification systems like Apple
and Google’s API, where those who have been exposed to an infected
person get only a notification but their personally identifying data never
leaves the infected persons’ device. There is no centralized server where
people upload the data. EFF opposes the centralization feature of the
Singaporean mobile app, and will likewise oppose this same feature if it is
part of the new wearable token system.
Read more here
News Source: activistpost.com
Post a Comment