The current pandemic has come at a pivotal time in the evolution of digital systems. We now can understand and manage the crisis like never before. Networked devices and systems that can help track, understand and predict viral transmission. Big data analytics approaches can help policymakers design appropriate society-scale responses, and assess not only the risks to life and health of the virus itself, but also the economic impacts of different policy actions such as shelter-in-place, social distancing, face mask requirements, and other interventions. Yet ultimately these models are driven by very personal data: where you have been, who you have been proximate to, and what your various health attributes are (ranging from underlying conditions, like asthma, to recent test results from blood tests).
Could your personal data save your life?
The personal data revolution was a long time in coming and has been accelerated by widespread consumer adoption of connected devices. Smartphones, in particular, are packed with sensors and radios to link personal, individual data (ranging from location to heartrate) into cloud-based systems that can rapidly and readily aggregate information from hundreds of millions of people into population-scale analyses. The rise of technology oligopolies, such as the mobile operating system duopoly of Apple and Google, mean that two decision-makers can access data on most of the world’s population. When we add platform players like Ali Baba and Facebook on top of the devices, and network providers like Vodafone or Orange or China Telecom or Reliance Geo, we have near-ubiquitous coverage of billions of people.
Today, that data is relatively siloed, particularly when we try to integrate it with health data such as electronic medical records. Until 2020 there were a growing body of personal data privacy laws and regulations arising around the world, from the GDPR in Europe to the CCPA and HIPAA in the US, which served to create protections for individuals from the depredations of large corporate interests.
In the exigencies of the COVID-19 crisis, we have seen government-supported waivers of digital privacy laws, enabling sharing of data across siloes. Now, medical records and health data can be crossed with telecoms data to enable virtual contact tracing and align it with known positive tests for virus, accelerating public health management. Public safety and national interest overrode demands for personal liberty. To do this, multiple copies of multiple databases have been created, making for a personal and cyber security nightmare. More on that in a bit.
A step further from tying together your telecom data and your health records is the integration of quantified-self technology from companies such as Ginger.io. What if we could use ubiquitous smartphone technology to assess and predict your individual health profile, and tell you whether or not you need to go to a hospital to get tested? Select symptoms of COVID-19 can be picked up potentially before even you, the user, are aware that you have an issue. These predictive health systems have been under development for more than a decade, and now perhaps are finding their moment in the current crisis. The classic inertial reluctance of people to try new things is getting upended as new behaviour patterns are emerging around the pandemic. As tragic as the crisis is, it paradoxically has created a wealth of new opportunities for innovators. And for individual consumers – new capabilities around these integrated data sources and technologies can be tried out in a way that weren’t practical even 6 months ago.
You now have, at least for the moment, the opportunity to take advantage of all of the big data that has been collected about you by Big Tech, and use it for your personal safety.
This moment is fraught with peril in the long term. Hard-won privacy protections have been rolled back not for weeks or a couple of months, but potentially for a year or two. And once privacy laws are held in abeyance for a couple of years, it becomes that much more difficult to reinstate them later. Once this data is available and widely accessible, it can be exploited by unscrupulous actors, ranging from pecuniary corporates to subversive state actors. (Think this is hyperbole? Personal data was demonstrably used by a foreign government to sway elections in 2016, efforts were made in 2018, and already security experts are warning efforts are underway for the 2020 election cycle).
Personal data can save your life, yes, but at what cost?
The tragic reality is that many of the new data security risks that have opened up in the name of public safety were unnecessary. A group of privacy researchers from multiple institutions such as MIT, Imperial College and the World Economic Forum, industry players like Microsoft and Orange, and even the French government, have been working on a new data security model that lets you access, share, and control your personal data, gaining the benefits we describe above, without creating data leakage or additional cyber risk. It’s open-source, it’s called the OPAL Project, and it has been under development for several years. In the race to formulate public health responses, however, it was not employed in the COVID crisis.
We, unfortunately, don’t have enough cyber literacy for people to understand why trying to save your life with your personal data also creates a data security risk. We’re trying to remediate this with the Oxford Cyber Futures programme that we’ve launched with Mastercard, but that’s only a tiny part of what’s needed. Governments need to understand alternative approaches to data sharing in crisis, and consumers need to understand what trade-offs they are making. Hopefully, in the next pandemic, we will be better prepared around data, and what to do with it.
David Shrier created and leads Oxford Cyber Futures, a new online certificate programme from the Said Business School, University of Oxford built in collaboration with Mastercard. A globally recognized expert on technology innovation, he has published 5 books on topics such as cyber security and data privacy. He holds dual academic appointments at the University of Oxford and the Massachusetts Institute of Technology.