Negligence, the greatest risk to our privacy

Essay #5 in the Data and Pandemic Politics series on data justice and COVID-19

Editors’ Note: In this essay, Beatriz Busaniche calls attention to state negligence as a risk to privacy. She contrasts overarching political concerns about how data technologies facilitate state surveillance and authoritarianism with the everyday reality of the state’s management of public data. She argues that we should pay attention not only to the injustice of imposing oppressive technologies on the population, but also to the smaller, everyday injustices that occur when data is leaked or exposed. She argues that a state that cannot take care of its people’s data also fails at serving its people in basic, immediate ways.

The editors would like to thank Rafael Evangelista and Rodrigo Jose Firmino of the Latin American Network of Surveillance, Technology and Society Studies (LAVITS) for curating essays from Latin America and Brenda Espinosa Apráez of the Tilburg Law School for reviewing and co-editing the Spanish language version. Translation into the English language by Linnet Taylor.

By Beatriz Busaniche – Vía Libre Foundation – Argentina

The COVID-19 crisis, which has unfolded in Latin America since the arrival of the first cases in the region, has made visible various weaknesses among Latin American countries in many areas of society. From the undeniable fact of inequality to the lack of containment capacity in public health systems, many problems have surfaced in the worst possible way with fatal consequences, incalculable suffering for large swathes of the population, restriction, confinement, impoverishment, and an obscene growth in the numbers of poverty.

The news which arrived in the first months of the year about how the pandemic was being tackled by Asian countries, particularly China but also the rest of that continent, demonstrated the extent to which technology was being used to control the spread of the disease. We soon became familiar with technological phenomena such as mobile contact tracing, thermal cameras to test body temperature, the systematic recording of each person’s life in public space, permanent video surveillance and even, surprisingly, how a Boston Dynamics dog robot mingled with people in a Singaporean park broadcasting advice and warnings to anyone who was not socially distancing. Big Tech demonstrated, and placed at the public disposal, the power of its technologies for measuring mobility in public space. Geolocalisation technologies directed at people in quarantine, managing permissions for mobility in the public sphere, cameras in public space to monitor the circulation of ’essential’ bodies, those people who even at the peak of the pandemic had to go out of the house to work in order to provide for those with the good fortune to work from home and/or self-isolate in more secure ways. ‘Technological solutionism’ immediately appeared on the scene as a way of controlling one of the most extreme global crises in living memory.

Latin America soon adopted the idea of developing apps to contain the pandemic, although their design and implementation never quite became clear. In general, we should consider three types of application: contact tracing, self-evaluation and diagnosis, and mobility permissioning apps.

The authorities charged with constructing these technologies on behalf of the state went to work against the clock to develop them, in some cases with abbreviated and opaque private-sector tendering processes, and in others with in-house developers. As such, while we were debating the tension between protecting private life and the need for exceptional measures to deal with an emergency, these apps went live in an unfinished state, without sufficient testing or proof-of-concept and with unknown levels of risk.

Those of us who debate and discuss the public policies that affect privacy take part in various debates about the creation of the surveillance society, the control society, the interference of the state with individual rights. But often we lose sight of the more imminent threat posed by technological ‘solutionism’, which is so prevalent: the negligence and lack of capacity on the part of those tasked with the development and implementation of the technologies involved. We often fail to get the diagnosis and provide the wrong message. For people used to living in democratic and free societies—whole generations of people who have been born and lived all their lives in Latin American democracies—the threat of an authoritarian state is an abstract and alien idea. They do not see a clear threat in the accumulation of more and more data by the state about citizens, and the way in which this information generates asymmetric relations of power in favour of whoever is in charge of it.

At Fundación Vía Libre we have learned a lesson from recent years. The most urgent and concrete threat to privacy is not the construction of an authoritarian state, but instead the existence of a real and tangibly negligent state.

In Argentina we have at least three manifest examples of this immediate threat to personal privacy.

In San Juan province, the provincial government leaked 115,000 individual applications for mobility permission. Those registrations contained private information such as addresses, places of work, conditions of employment, amongst many other personal details – all of which were compromised in a documented leak, which was then reported to the San Juan government. The response of that government was to take down the database for a few hours and then to re-publish it in identical form, without any action to resolve its vulnerabilities. Pure negligence.

In Salta Province, the app developed to process permissions in relation to COVID-19 was made available with minimal security provisions, with known vulnerabilities that were then reported by a team working close to Fundación Vía Libre. This app had the potential to expose the personal health data of a large share of those who installed it on their phones. Currently, we have no information on whether those vulnerabilities have been addressed appropriately.

The most extreme case in Argentina over the last months has been a ransomware attack on the database of the national immigration office. The attack not only involved hijacking data but also, once the ransom period had run out, the database was published on the open web without the Argentine government being able to prevent it. Among the data published by the attackers were all the details of anyone repatriated during the COVID-19 pandemic.

To date, Argentina’s information security policy does not seem to be a priority at all. The Argentine government continues with its plan of digitalisation , creating databases such as a centralised population medical registry without planning, developing or implementing appropriate security protocols. Furthermore, a state incapable of developing such a policy cannot use its people’s data serviceably, and force the private sector to obey minimum standards of data protection in the digital services it provides.

While we debate the social, political and cultural impacts of privacy, while we think about the surveillance society or the development of an authoritarian culture, here and now, it is the negligence of the state that poses the greatest risk to our privacy.

Beatriz Busaniche is the president of the Fundación Vía Libre, a non-profit civil organization dedicated to the defense of fundamental rights in environments mediated by information and communication technologies. She teaches at the University of Buenos Aires and at the Latin American Social Sciences Institute.

Suggested citation: Busaniche, B. (2020, December 17). Negligencia, La Inminente Amenaza a Nuestra Privacidad. Data and Pandemic Politics, 5.