Abstract
Cybercrime has risen as a result of Covid-19 in Latin America. Could contact tracing apps further erode people’s privacy and expose them to more danger, asks
“Anonymising location is not easy,” Ferraz told Index. “It’s one of the most challenging things you can work on… If [governments] apply the wrong technologies, people will soon see that location data is extremely dangerous.”
With lockdowns in Latin America potentially set to last until late August, the Covid-19 pandemic has intensified the debate about civil liberties in the region. While technology can prove invaluable for responding to viruses, Latin American governments have historically proven unreliable guardians of sensitive data. Rights groups have warned that instruments used to track the virus could later serve to break up protests or track down and murder journalists.
Ferraz’s company, Inloco, recently donated data from more than 37 million people so authorities could estimate the percentage of citizens leaving their homes. Inloco sent a push notification asking for consent from the smartphone users on its database. According to Ferraz, the platform helps state governments predict the curve of infection.
“We wanted to prove it’s possible to leverage location technology while protecting people’s privacy,” Ferraz said. “If we don’t use location technology the right way, someone will use it the wrong way.”
Paradoxically, Inloco’s developers say they designed the surveillance app to strengthen privacy. The company usually works with financial firms to prevent fraud. If a hacker discovers a person’s bank details and tries to log in to their account, Inloco’s tracking device will alert the bank that the behaviour does not match the account owner’s and it will block the transaction.
Whether used for banking or virus control, Inloco’s location-based footprint has the advantage of being dynamic. That contrasts with fingerprint or facial recognition technology, which offers a permanent record. Inloco also encrypts its users’ home and work addresses and does not store any personal details.
In contrast, Colombia’s controversial CoronApp – a free app the government made available in March – asks users for their names, national identity numbers and mobile phone numbers. It offers a daily check-up designed to identify symptoms. In return for downloading the app, citizens gain a free gigabyte of internet data and 100 minutes of calls. More than four million Colombians installed the app within the first two months of its release.
CoronApp has the potential for contact tracing, meaning smartphones with the app will send wireless signals to other nearby devices, and health authorities can issue alerts to anyone who has crossed paths with someone who has tested positive for Covid-19. After early setbacks with the contact-tracing function, the government now hopes to partner with Apple and Google to bring it in.
Contact tracing has helped authorities control Covid-19 outbreaks in South Korea, Singapore and Israel. But experts have questioned whether the technology will prove useful in a country where only 65% of the population have mobile internet access.
Alongside these practical issues, analysts have raised concerns that CoronApp could open the door to infringements on civil liberties. While the app asks for the explicit consent of citizens, they have no control over the future use of their information. Fundación Karisma, a digital activism organisation, criticised the government for not revealing how long it intended to store the data. CoronApp has since updated its terms and conditions to specify that it will store the information for the duration of the pandemic. However, it still includes a vague stipulation allowing for longer storage of some anonymised data if needed.
Carolina Botero, the director of Fundación Karisma, told Index the government had adopted the philosophy of “it’s better to beg for forgiveness than ask for permission”. She warned that Colombia ran the risk of “normalising surveillance without even having a debate”.
A series of recent privacy scandals in the country has heightened concerns about the handling of sensitive data. In April, the defence ministry fired 11 military officials and accepted the resignation of a general after local news magazine Semana accused the army of spying on at least 130 people. The targets included domestic and foreign journalists, politicians and judges.
Even the country’s National Protection Unit – the agency charged with safeguarding at-risk journalists and activists – has a tarnished reputation. Last year, police raided its Bogota offices as part of an investigation into an official suspected of selling security data to criminals.
A woman using her phone in Colombia, where the controversial CoronApp has been critisicised for its privacy implications
CREDIT: Nano Calvo/Alamy
Such privacy breaches are not unique to Colombia. Governments across the region have invested heavily in spyware in recent years. In 2015, hackers published records from the Italian firm HackingTeam. They revealed Brazil, Chile, Colombia, Ecuador, Honduras and Panama had bought surveillance technology from the company.
But no other country matched Mexico’s enthusiasm for the technology. The government spent more than $6 million on HackingTeam’s products – more than its other Latin American clients combined. And in 2017, digital watch-dog The Citizen Lab revealed the Mexican government had used Pegasus spyware to target journalists and dissenters.
Given that recent history, rights activists have expressed alarm that the Mexico City government asks for a range of personal details – including names, home addresses and mobile phone numbers – on its official Covid-19 online screening form. The privacy notice says the data may be shared with various judicial and administrative bodies.
That information could fall into the wrong hands, regardless of the government’s intentions. Chile, Ecuador, Mexico and Panama all reported major data leaks in 2019, as governments or companies accidentally placed personal information online.
Data breaches – where outsiders steal the information – are another risk. In April 2019, a hacker broke into the database of the Mexican embassy in Guatemala and published scans of passports and other documents.
Early indicators suggest cybercrime has spiralled in the context of coronavirus. With millions of workers accessing sensitive data from home, social distancing measures have created new opportunities for criminals. The cybersecurity firm Kaspersky documented a 35% rise in cyberattacks on smartphones in Mexico from February to March.
IntSights, a threat intelligence company, has identified “the marriage of violent drug gangs and the underground hacking community” as “a significant emerging threat” in the country. The prospect of criminals accessing personal details related to media workers is a frightening one, given Mexico is the deadliest country for journalists in the western hemisphere.
Vladimir Chorny, an investigator for Mexican digital rights group R3D, believes hacks are inevitable. As well as investing in cybersecurity, he urges Latin American countries to revise their laws to minimise data collection.
Current privacy legislation is lagging in Latin America. Brazil has emerged as a leader in this regard, passing its expansive General Data Protection Law in 2018. However, the pandemic has forced the government to postpone its enactment until 2021.
Chorny argues that governments should collect the minimum amount of data and introduce sunset clauses – limiting the time they hold it. The government must also assign data to a specific authority and prevent sharing between separate official bodies.
While new technologies are rapidly emerging without appropriate legislation in place, Chorny expects few of these will achieve their public health objectives. He believes that when governments begin to update their data protection laws, they may have a better understanding of why respecting privacy and freedom of expression is essential.
“The coronavirus crisis is showing us there are situations in which technology is effective and others in which it is not,” Chorny said.
“The great majority of the effective technologies are compatible with the democratic safeguards we are asking for – transparency, sunset clauses, controls. None of these [safeguards] prevents the technology from responding to a health crisis. All they do is reduce the risk that the information is misused.”