The UK has joined the lengthening list of countries – which includes Iran, Israel, Italy, Singapore, South Korea, Taiwan and the US – where service providers are providing information to governments on citizens’ whereabouts.
Exactly what is being provided varies by country, with some service providers being asked for anonymised data to understand the general movement of people, while in other countries the government is tracking individual users.
In the UK, after days of rumours that the government was in talks with mobile operators, and just two days after the ICO said that using location data was permissible provided it was “properly anonymised and aggregated”, BT has confirmed it is providing anonymised mobile location data to the government. A BT spokesperson described this as “a limited amount of aggregated, anonymised data that shows generalised patterns in the movement of people to assist with policy planning”. The company says it is trying to strike a balance between the right to privacy of its customers and a wish to help the government, police and medical authorities cope with the crisis.
It appears that the geolocation data being provided is based on cell tower location, not individual user device. In the countryside that might cover a large area, but in London it could pinpoint users down to a 100 meter radius because of the density of towers and cells.
However, this level of surveillance is far less than in some other countries.
- Austria is using anonymised location data supplied by Telekom Austria to measure footfall in popular tourist sites.
- Belgium is using anonymised data from service providers.
- China is using an app to give citizens a coding that restricts or enables movement depending on their risk profile.
- Germany is using telecoms data supplied by Deutsche Telekom to model citizens’ movements.
- Iran has instructed its citizens to download an app that tracked their movements.
- Italy is using movement maps utilising data provided by service providers. It has already charged more than 40,000 citizens for violating restrictions.
- Israel is using cell location tracking technology combined with data scraped from social media, taken from phone calls and texts. Its government has been given licence to do this for 30 days.
- Poland is using an app called ‘Home Quarantine’, which requests geo-located selfies to ensure you are self-isolating. Police are alerted if the user fails to comply within a certain timeframe.
- Singapore has developed an app for contact tracing called TraceTogether, based on Bluetooth. It is being used to identify people who have been in close proximity to coronavirus patients.
- South Korea – has developed an app to support people in self-quarantine which utilises GPS. If they leave their location it alerts officials. The country has also been able to loosen restrictions because it has built a publicly-available map that tracks the movement of infected individuals and is able to inform people if they come within 100 metres of an infected person.
- Taiwan has activated geofencing that alerts the authorities if someone who is self-isolating leaves their house. This has led to police investigating phones that have run out of power.
- The UK is using anonymised data from service providers to track movements of people. BT has confirmed it is co-operating with the UK government.
- The US set aside $500 million to enable the CDC to build a “surveillance and data collection system” and is rumoured to be using data from the ad industry to track people’s movements.
Although EU countries are legally restricted to using anonymised data because of GDPR, the EC has been in talks with the GSMA to discuss whether it would be possible to instigate a more co-ordinated approach across its 700+ operator members to collect cross-border tracking data, and create a travel and contact tracing database. According to Reuters, Telefonica, Telecom Italia, Telenor, Telia and A1 Telekom Austria have already agreed to supply data to the EC.
The European Data Protection Supervisor (EDPS) says this does not breach GDPR guidelines provided the EC uses anonymised data, defines the dataset it wants to obtain, how it will be using it, and makes this clear to the public. The EC has already undertaken to delete all data obtained after the crisis. However, EDPS head Wojciech Wiewiorowski indicated that access to the data should be limited. “It would also be preferable to limit access to the data to authorised experts in spatial epidemiology, data protection and data science,” he said.