Dark Reading is part of the Informa Tech Division of Informa PLC


Technology Empowers Pandemic Response, But Privacy Worries Remain

As technology companies and the medical community work to find ways to track and test for the virus, privacy might fall by the wayside.

In late January and early February, a study of influenza had the ability to reveal whether subjects in the Seattle area were infected by the novel coronavirus. But medical privacy rules scuttled the idea until researchers, on February 25, decided to go ahead and test anyway. They discovered that COVID-19 had already contributed to the deaths of two people.

In China, Singapore, and Israel, government officials used citizens' cell phones to track who may have had contact with infected individuals, a capability the European Union is considering as well. Market intelligence service Unacast has used its system of tracking citizens — originally to determine mobile users' music preferences — to produce scorecards of how well the citizens of nations, regions, and cities were social distancing to reduce spread.

The different ways that nations approach the problem of the coronavirus pandemic often conflict with privacy rights, says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP).

"There is a balance between the usefulness and effectiveness of measures and the ability to protect privacy and civil liberties, and China weighed in very heavily on one side," he says. "They sacrificed privacy and civil liberties — of course, they did not have much to begin with — to reinforce the public health interest. The US will have to find its own place on the scale."

Natural and human disasters typically redraw the lines between civil liberties and security. Following the September 11 terrorist attacks, the US government curtailed many privacy provisions to try to enhance security. Most experts, in hindsight, believe the government went too far, and some of the privacy protections have been restored. 

The rush to find ways to use technology to combat COVID-19 has given governments visibility into the spread of the novel coronavirus but will likely result in citizens sacrificing privacy — at least for the time being. The pandemic poses a different threat, one that could have a lasting impact on medical and personal privacy, according to Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF).

"We must be sure that measures taken in the name of responding to COVID-19 are, in the language of international human rights law, 'necessary and proportionate' to the needs of society in fighting the virus," she said in a post. "Above all, we must make sure that these measures end and that the data collected for these purposes is not repurposed for either governmental or commercial ends."

Yet privacy rules have arguably delayed the response to the coronavirus pandemic. The Seattle Flu Study, for example, had already been surveilling influenza infection rates in the city when researchers heard of the spread of the novel coronavirus. The medical researchers offered in late January to start testing for coronavirus, but medical privacy and ethics rules prevented them from extending the effort beyond its original scope and notifying participants of their status, according to The New York Times, which broke the story.

The researchers eventually expanded testing on their own initiative weeks later and were shut down by state officials, but not before confirming that the disease had spread to the Seattle area. On March 22, the group got permission to restart testing and was retasked as the Seattle Coronavirus Assessment Network, or SCAN.

"Everyone who takes part in this effort will help us understand how coronavirus is spreading in the Greater Seattle area," the group now states on its website. "We are increasing capacity and responding to public health priorities as they come up."

Market intelligence firm Unacast has used its ability to track mobile users to create scorecards for the social-distancing efforts of citizens of different regions. The commonwealth of Massachusetts, for example, gets an "A" for its efforts, while Hawaii garnered a "D" grade.

Efforts to monitor potentially infected citizens will likely run afoul of privacy rules but can pay dividends, says Ambuj Kumar, CEO and co-founder of encryption firm Fortanix. He points to two apps that show the possibilities if privacy issues are resolved. One is China's Alipay Health Code app, a more authoritarian solution that tracks citizen movements and uses a color code to restrict the movement of people. Singapore used a different app, TraceTogether, which records movements within two meters of other people to determine whether people were exposed to the virus.

New techniques, such as privacy-preserving data analysis, could allow extremely private data to be tracked from multiple sources without exposing an individual’s private data.

"It’s unlikely that more open democracies with established privacy laws will be able to implement similar systems without additional privacy protections," he says.

The EFF has warned that, in fighting the epidemic, technologists should consider the privacy consequences.

We need to "make sure that we both take advantage of how technology can help us now and, equally importantly, that we emerge from this time with our freedom and democracy as strong, if not stronger, than when we went in," the EFF's Cohn said, adding that "we also need to be vigilant so that we come out the other side of this crisis with a society we want to live in and hand down to our kids. We can — and must — do both."
