In late March, as large swathes of Europe locked down, Belgian authorities wanted to know if movement restrictions were being obeyed enough to slow the spread of the coronavirus. They turned to the country’s mobile operators.
Data traffic from the companies showed that Belgians were spending about 80% of their time within their zip codes, suggesting they were largely adhering to shelter-at-home orders. That helped the government shelve plans for tighter confinement rules.
"Aggregated mobility data helps us make more balanced decisions,” Belgian Telecom Minister Philippe De Backer said. "It has helped us decide to continue the confinement measures, rather than becoming too strict.”
Data from phone operators is being increasingly solicited in government efforts to contain the pathogen. Unlike Apple Inc and Alphabet Inc’s Google, whose tracking software to alert users if they’ve come into contact with an infected person will be voluntary, mobile phone operators inherently need access to a subscriber’s approximate location to route calls or text messages through the nearest cell tower.
European authorities want to leverage that data to monitor the march of the pandemic, especially as they start to ease lockdowns – raising some privacy concerns.
Operators have for years collected and sold aggregated data to companies and authorities, typically showing the number of people in an area for crowd management or to help municipalities and public transport companies predict commuting patterns. On rare occasions they’ve provided private location data to confirm or contest alibis in criminal cases.
But now as vast amounts of movement data flows into the hands of government agencies, privacy experts are urging caution.
For some, the initiatives are reminiscent of the National Security Agency programs exposed by Edward Snowden, under which the US government scooped up massive amounts of metadata from phones without a warrant.
"There’s a long history of misuse of telephone records by governments that will give people some pause,” said Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, D.C.
European authorities say they’re only using the aggregated data to review mobility patterns or to build models to trace the trajectory of the epidemic.
In Belgium, the pandemic taskforce gets aggregated information showing trips between two zip codes and their duration.
The Norwegian Institute of Public Health uses data from Telenor ASA to help local authorities determine the number of hospitalizations and ICU beds needed. The institute has asked Telenor to break the data down by age and gender to better model the pandemic, a request the phone company is looking into, said Kenth Engo-Monsen, a senior researcher at the operator.
Mobile phone location data will play an important role in the easing of lockdowns, says Dirk Brockmann, a professor at Berlin’s Humboldt University and a member of the project on epidemiological modeling of infectious diseases at the Robert Koch Institute, a German government public health agency.
"It’s a very good measuring device on how people respond to the release of restrictions,” said Brockmann, who has access to daily movement updates from German phone companies.
While telecom operators stress they’re only sharing aggregated and anonymized data in accordance with EU privacy rules, governments could pass special laws to obtain data on people suspected of being infected, as officials have done in China, for instance.
Slovakia is one of the first European countries to pass such a law, giving government agencies access to individualized phone data to stem the spread of the virus. In the UK, Germany and elsewhere, voluntary mobile apps are being developed to track infections.
Anonymised data isn’t subject to the EU’s strict privacy rules – including user consent – since it’s no longer considered personal information. But if aggregated location data can be traced back to an individual, it could be sensitive. It could reveal where someone spent the night, whether they have drug addictions or other deeply personal information.
Telecom companies use multiple steps to process such data. In Austria, A1 Telekom Austria AG encrypts and strips identifiers from the raw location data before sending it to Invenium Data Insights GmbH, a data-processing company. The data is sent in the form of a hashed ID – a code of garbled letters, numbers and symbols – that would take 100 years to deanonymise, according to Michael Cik, a co-founder of Invenium.
In France, Orange SA aggregates anonymised data of around 50,000 people and adjusts it to reflect the carrier’s market share for predictions on the total population, according to chief technology officer Mari-Noelle Jego-Laveissiere. Sweden’s Telia Co removes outliers, such as a small family in a rural area, from the dataset to protect them.
For all those precautions, the process still isn’t failsafe. While aggregating data provides another layer of safeguards, privacy lawyers and experts say clear industry standards don’t exist. Datasets considered anonymous could identify someone if combined with another dataset.
In a statement in early April, the Dutch data protection watchdog warned that "anonymising this type of data is not possible”. If someone with knowledge of where a person lives or works had access to the "anonymised” location data of a range of people, they could make some deductions, it said.
Telecom operators, on the hook if client confidentiality is compromised, have tried to keep some control over the process.
While they’ve agreed to hand over aggregated data to the European Commission to help fight the propagation of the virus across the bloc, they’ve raised questions about who will have access to the information and whether it would be combined with other datasets.
The EU says the data would be handled with "the highest security standards”, and that it won’t be processed in a way that could unintentionally identify individuals.
Back in Belgium, recent mobile-phone data showed that Belgians increased their mobility in the holiday week after Easter, drawn probably by the sunny weather and because of lockdown fatigue.
"This has been used to reinforce the message that the current measures must be kept in place and, more importantly, respected,” a Belgian official said. – Bloomberg
Did you find this article insightful?