Coronavirus: State measures must not allow surveillance of journalists and their sources
When governments use mobile phone location and contact data to trace the recent contacts of coronavirus carriers with the aim of containing the spread of the virus, they must ensure that these measures are proportionate, transparent and time-limited and are not used to spy on journalists or violate the confidentiality of their sources, Reporters Without Borders (RSF) warns.
Since the start of the Covid-19 epidemic, authoritarian states such as China and Russia and democratic ones such as Israel, Bulgaria, South Africa and Ecuador have reported using mobile phone location data to contain the virus. RSF recognizes the need for effective measures to check its spread, but urges government leaders to ensure that such measures guarantee anonymity and respect for the confidentiality of journalist’s sources.
“During a global public health crisis, journalists play a crucial role in guaranteeing the right to information,” RSF secretary-general Christophe Deloire said. “They must be able to move about and communicate with their sources confidentially. And to cover the crisis, journalists may need to contact carriers of the virus. It is essential that the technological measures deployed by governments do not endanger this confidentiality.”
In China, the government has massively extended its use of surveillance technology to track and control the movements of its citizens. The online payment app Alipay is being used to transmit the personal data of individuals, including their location and ID number, to the police. Further analogue checkpoints and widespread use of facial recognition cameras are rendering anonymous travel and public movement close to impossible. These steps come amidst increased online censorship and a severe crackdown on critical voices.
In addition to its system of CCTV cameras with facial recognition, Russia has developed a “Social Monitoring” mobile phone app that assists “self-discipline” by those who have caught the virus. Launched on the Google Play store on the evening of 31 March and removed the next day, it has received a great deal of criticism from IT specialists because of its security flaws. The app requires every possible permission, including access to personal and banking data, location, microphone and camera, and shares this data via unprotected channels. On 1 April, Moscow city hall IT department chief Eduard Lysenko said the app was only for coronavirus carriers, who would be given a smartphone by the authorities. They are also developing a system for tracing the people with whom carriers have been in contact.
The Israeli company NSO has unveiled software that allows governments to track the spread of the coronavirus. This is the company that was recently accused of selling surveillance software to Saudi Arabia that was allegedly used to spy on the journalist Jamal Khashoggi prior to his murder in October 2018. NSO’s interest in civilian software is seen as a threat to the public’s sensitive data. According to Bloomberg, a dozen countries are already testing the software. Similar technology is already being used in Israel to locate people who have been in contact with those carrying the virus. The Israeli journalists’ union petitioned the high court on 14 March for journalists to be specifically excluded from this monitoring.
Contagion effect in democracies
In South Korea, the government is using an app to monitor people in quarantine and to send all South Koreans texts that provide safety guidance and report the movements of persons newly diagnosed with the virus, giving a link to a list of the places they visited before being diagnosed.
Other governments have announced similar measures. On 17 March, the government of Ecuador issued a decree authorizing satellite surveillance of mobile phones and the use of location data to contain the epidemic. On 2 April, the South African government passed an amendment providing for specific requests for access to data from the country’s telecommunications operators to identify the number of people infected within a particular area. The amendment stipulates, among other things, that the content of electronic communications cannot be captured.
On 25 March, the European Commission asked telecommunications companies to hand over user data streams as a means to track and predict the spread of the virus “for the common good.”
In Bulgaria, the police forces are authorised to obtain data from mobile phone operators’ cell phone towers without prior judicial authorisation in order to track quarantined or hospitalized persons who do not comply with these measures. Only within 24 hours of receiving such data, the police must inform a judge, who may or may not approve the request. Until now, such a regime had existed only in exceptional cases such as the direct threat of a terrorist act.
Controversial measures have also been announced in Germany and Austria, which have given government bodies permission to analyse aggregated and anonymized location data. A proposal by Germany’s Ministry of Health to draw on individual mobile phone data to identify possible contact persons was withdrawn after heavy criticism. But discussions are continuing about a mobile phone app for monitoring carriers.
Bluetooth app for analysing and containing the epidemic
To combat the spread of the virus, several governments are opting to deploy contact-tracing apps that use the short-distance Bluetooth signal to detect when people have been in close proximity. They include the government of Singapore which is using an app called TraceTogether. Although downloaded more than a million times, it nonetheless missed half of the new cases. Germany is currently considering use of a Bluetooth-based app.
To guarantee the anonymity and protection of journalists’ sources, RSF calls on governments to ensure that any Bluetooth contact-tracing app satisfies the following requirements:
- It should store as little data as possible and only as much as strictly necessary. Its use must be voluntary.
- It must be published as open source software from the start. The same applies to changes to the app through software updates. Only in this manner can independent experts evaluate the software and check whether it guarantees anonymity and the protection of sources.
- All data collected through the app must be strictly protected from any other use by intelligence agencies, other government agencies or corporations. Clearly specified deletion deadlines must be an essential part of the solution; compliance with these deadlines must be verified by an independent body.
- The creation of private databases with the temporary identification numbers (IDs) of a Corona tracking app must be prevented at all costs.
- Subsequent extensions of the purpose of such an app, e.g. to control or to check adherence to lockdown measures and contact restrictions, must be categorically excluded.
- The Bluetooth Low Energy Beacons emitted by mobile phones may only be used to combat chains of infection. Any other use, even for commercial purposes, which a user has not explicitly agreed to, must be prohibited.
- As soon as the concrete security risks of a Bluetooth-based solution can be assessed, the digital security risks must be carefully and transparently weighed up against the expected benefits of the solution.
The United Nations, OSCE and Inter-American Commission on Human Rights issued a joint statement on 19 March about the growing use of surveillance technology tools to track the spread of the coronavirus. It said it was crucial that “such tools be limited in use, both in terms of purpose and time, and that (...) the protection of journalistic sources and other freedoms be rigorously protected.”