COVID-19 Symposium: COVID-19, Cyber Surveillance Normalisation and Human Rights Law

[Barrie Sander is a Fellow at Fundação Getúlio Vargas, Brazil and Luca Belli is Professor of Internet Governance and Regulation at FGV Law School, where he heads the CyberBRICS project; he is also Director of CPDP LatAm and an Associated Researcher at Centre de Droit Public Comparé at Paris 2 University.]

Ushering in a world of social distancing and self-isolation, the global spread of COVID-19 has intensified societal reliance on the Internet, whether for keeping in touch with family and friends, enabling work and education to be conducted remotely from home, or simply searching for and sharing information in an effort to keep track and make sense of the crisis.

At the same time, the pandemic has also amplified a number of well-established controversies associated with the online environment, including state suppression of online information, Internet shutdowns, the dissemination of disinformation and misinformation across online platforms, the digital divide between those with a reliable Internet connection and those who lack meaningful access or any access at all, massive data collection for undefined purposes, as well as government-sponsored and criminal cyber exploitation and cyber attack operations.

Pervading many of these controversies are ongoing concerns about the dominance of private technology companies within the cyber domain and the nature and opacity of their partnerships with governments. In this climate, commentators have rightly asked whether COVID-19 represents less a rupture than an acceleration of existing societal trends and, relatedly, what kind of world we will inhabit once the crisis subsides.

Crisis management sometimes requires the adoption of exceptional measures that result in limitations to fundamental human rights. However, history proves that measures adopted in emergency situations – such as terrorist attacks and financial meltdowns – are typically fast-tracked by governments without parliamentary scrutiny and frequently outlast the emergencies they were designed to address.

In this post, we focus on one set of practices in particular – cyber surveillance – and critically reflect on human rights law as a framework and a terrain of contestation for shaping the future of surveillance practices both during and in the aftermath of the COVID-19 crisis.

Cyber Surveillance Normalisation and COVID-19

As governments around the world grapple with containing the spread of COVID-19, many are using emergency powers to restrict people’s freedom of movement and significantly curtail their economic, social, and cultural activity. While the precise package of emergency measures tends to vary, governments are increasingly turning to a range of new cyber surveillance tools that rely on personal location data and the extensive use of Big Data analytics to identify patterns in people’s movements, disseminate health alerts to specific locations, and inform public health decision-making.

In China, for example, a new system called Health Code is currently being rolled out across the country. The system leverages vast quantities of mobile data and geo-location points collected by Chinese technology companies to map outbreak hotspots and then assigns users one of three colour codes – green, yellow, or red – based on their travel history, time spent in infection hotspots, and exposure to potential virus carriers. Significantly, the app not only indicates the health status of users and determines whether or not they can move around freely, but also, reports the New York Times, ‘appears to share information with the police, setting a template for new forms of automated social control that could persist long after the epidemic subsides’.

In South Korea, health authorities and district offices have been sending ‘safety guidance texts’ to the public detailing the movements of people recently diagnosed with the virus. While the texts do not specify the names of patients, they do include personal information such as gender and age, together with location data that has sometimes enabled embarrassing details concerning their private and family lives to come to light. For example, one of the alerts indicated that a man had contracted the virus during a sexual harassment class, while others have negatively impacted the businesses of shops and restaurants that infected people had visited prior to confirmation of their diagnosis.

At a time of heightened public concern and anxiety about COVID-19, location surveillance techniques are fast becoming the norm. For example, it has been reported that approximately a dozen countries are testing a new product developed by NSO Group, which analyses huge volumes of data to track people’s movements and identify with whom they have interacted. Yuval Harari has even suggested that the COVID-19 crisis could mark a dramatic transition from “over the skin” to “under the skin” biometric surveillance, with governments using the prospect of future pandemics as an excuse to monitor the temperature of a person’s fingers and the blood-pressure under their skin.

While it is vital that governments adopt public health measures to address the threat posed by COVID-19, the considerable risks associated with these cyber surveillance tools must be carefully evaluated. For instance, by mirroring the biases of their human designers and the datasets on which they rely, location surveillance systems risk falsely targeting vulnerable and marginalised groups in society. Furthermore, the fact that some vulnerable and marginalised groups, such as the elderly and slum-dwellers, may not own or use smartphones could lead to biased, unreliable and, ultimately, useless results.

The use of technological solutions, in this case, also risks further exacerbating digital divides, excluding the unconnected on the one hand, from receiving essential information about COVID-19 and, on the other, from being properly considered in pandemic monitoring. The prospect of being subject to location surveillance might also deter certain groups from seeking healthcare, whether to avoid embarrassing revelations or through fears of deportation. Moreover, whenever personal data is collected on a large-scale by governments, the risk inevitably arises that such data could be misused by government employees, stolen by criminals or foreign governments, or co-opted for other purposes.

As a mechanism for containing the spread of COVID-19, human rights groups such as the Electronic Frontier Foundation and Privacy International have also questioned the effectiveness of location surveillance systems, observing that there is limited evidence to suggest that movement or location data have proven useful in tackling and predicting the spread of previous diseases such as Ebola and Middle East Respiratory Syndrome (MERS). Susan Landau has also cautioned that where the efficacy of such systems is found wanting – for example, where there are significant numbers of false positives (people mistakenly identified as exposed to the virus) and false negatives (people exposed to virus who are erroneously not identified) – the spread of the virus could be exacerbated by consequent failures to give people reliable information and a breakdown in people’s trust in the government.

Given these concerns, it is not beyond the bounds of possibility that governments may be using the COVID-19 crisis as a pretext to expand and normalise their surveillance powers. Once government surveillance systems have been established, history suggests that they are seldom relinquished. Surveillance normalisation may result from bureaucratic inertia or mission creep, but it is not unreasonable to suspect that the exploitation of emergency circumstances to enact measures that would otherwise be unthinkable amounts to an explicit choice on the part of many governments. After all, surveillance represents a seemingly ‘easier’ policy lever in contrast to establishing a robust healthcare system that is adequately equipped to protect the public in the longer term.

Human Rights Law as a Framework

If, as some have suggested, the COVID-19 crisis is likely to serve as a ‘never again’ moment that will define policymaking for years to come, the precise direction that policymaking will take nonetheless remains an open question. Faced with the prospect of new highly intrusive cyber surveillance tools becoming normalised across the world, scholars and civil society groups are increasingly turning to the vocabulary of human rights law as a form of resistance.

Human rights law offers an important framework to guard against the normalisation of intrusive cyber surveillance programmes both during and in the aftermath of the COVID-19 crisis. The value of human rights law resides in the way it frames the regulatory conversation, encompassing a series of criteria and standards that governments must satisfy. For example, governments may not interfere with the right to privacy unless they can demonstrate that the interference is provided by law, undertaken in pursuance of a legitimate aim (for example, the protection of public health), and necessary and proportionate to the achievement of that aim.

Applying this framework requires governments to establish a publicly accessible and sufficiently precise legal basis for the measures in question, as well as to demonstrate an evidential basis for the connection between the surveillance measures and the legitimate aim, why alternative less intrusive measures are inadequate, and the safeguards that have been put in place to ensure the measures are not overbroad (for example, by identifying the extent to which the measures are narrowly tailored to achieve their protective function, limited in duration, and subject to appropriate oversight).

Exceptionally, more stringent limitations on rights may take place through derogations (see, for example, Article 4 of the International Covenant on Civil and Political Rights and Article 15 of the European Convention on Human Rights). While some rights are non-derogable, states may derogate from the rights to privacy and freedom of expression in times of public emergency which threaten the life of the nation. However, derogations are only permissible to the extent that the measures in question are strictly required by the exigencies of the situation, not inconsistent with other obligations under international law, and do not involve discrimination.

These safeguards aim to ensure that all measures – be they based on policy, technology or a blend of both – adopted to mitigate pandemics through surveillance remain consistent with internationally binding human rights laws and standards as well as with national constitutions guaranteeing protection for fundamental rights such as privacy and freedom of expression.

Human Rights Law as a Field of Contestation

At the same time, it is important not to lose sight of the fact that human rights law – like all law – is not simply a governing framework but also a field of contestation. As Balakrishnan Rajagopal has observed, human rights is ‘a language… of hegemony and counter-hegemony, and we need to recognize the multiple uses to which it is put and the fact that it is a terrain of contestation… for multiple deployments of power and resistance’. In other words, while human rights law offers an important vocabulary for resisting intrusive surveillance practices, it can also serve as a language of legitimation of State power.

The legitimation function of human rights law is visible in the recent surveillance caselaw of the European Court of Human Rights (ECtHR). For example, in Big Brother Watch and Others v. the UK (a case currently under consideration by the Grand Chamber of the ECtHR), the Chamber concluded that ‘the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States’ margin of appreciation’, adding that such regimes constitute ‘a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime’. While certain aspects of the UK’s bulk interception regime were found to be incompatible with the right to privacy and right to freedom of expression under the European Convention of Human Rights, in this passage the Court upheld and legitimated the practice of bulk interception as compatible with the Convention in principle. of bulk interception as compatible with the Convention in principle.

Surfacing the dual character of human rights law as both a vocabulary of resistance to and legitimation of State power is important for two reasons. First, as Paul O’Connell has explained, the dual character of human rights law reveals ‘the centrality of social struggle in shaping the concrete meaning of rights in specific contexts’ and highlights how ‘rights are not imbued with some essential, transcontextual essence; instead they are defined and re-defined in the very struggles over their meaning’.

And second, as past decades of human rights doctrine have tellingly revealed, one must not underestimate the potential for human rights law to endorse and legitimate regressive State practices. Such potential underlines the importance of complementing struggles in the field of human rights law with other emancipatory efforts – whether in the legal field or beyond.

As the struggle to resist the normalisation of intrusive cyber surveillance tools deployed by governments to address the COVID-19 crisis commences, an awareness of both the potential and limits of human rights law as an emancipatory vocabulary is likely to prove increasingly important in the months and years ahead.