Coronavirus: They want to use your location data to fight pandemic. That's a big privacy issue

Why Deutsche Telekom's data donation to fight the spread of COVID-19 sets a potentially troubling precedent.
Written by Cathrin Schaer, Contributor

This week, Europe's largest telco, Deutsche Telekom, announced it is playing its part in the global fight against the spread of the coronavirus, COVID-19.

The company said it is handing 5GB of customer data over to the Robert Koch Institute, the organization tasked with coordinating a national response in Germany. 

The institute, RKI for short, may be able to use the anonymized data to track the general public's movements to make predictions about how the virus spreads and to help answer questions about the effectiveness of social distancing.

Other telecom companies in Germany may also donate data soon. Vodafone released a five-point plan, in which it confirms it may also donate anonymized customer data; Vodafone is already helping authorities in Lombardy, Italy.

And Austria's leading telco, A1, has also donated data. Germany's third-largest provider, Telefónica, told local news outlet Spiegel that it had no plans yet to donate any data.

But Deutsche Telekom's grand gesture has not been applauded by all. Critics point out that other countries are already using mobile-phone data in a more authoritarian manner.

In China, Israel, and South Korea, such data is being used to track the contacts of infected locals and to ensure quarantine is enforced. Critics also question the legality of the donation and whether customers' data privacy has been respected – and even whether the data donation would actually prove useful.

While GPS-related data, such as that collected by Google, can be very precise, mobile-phone location data collected by service providers often uses cell-phone towers to track the user. Its accuracy is between 25 meters and 100 meters (82ft to 328ft), which might not be particularly helpful in big cities.

Germany's federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, didn't have a problem with Telekom's donation and says it conformed to local laws. 

The head of the RKI, Lothar Wieler, also defended the Telekom donation: "We see it as a meaningful concept." 

The customer data was passed to the RKI by Motionlogic, a Deutsche Telekom subsidiary. Usually Motionlogic sells consumer data for marketing and advertising purposes to brands who might, for example, want to know where it would be best to erect a billboard.

A Deutsche Telekom spokesperson also dismissed the criticisms. "Telekom has been using the same underlying procedures to produce and analyze this anonymized mass data since 2015," she argued. 

Back then, those procedures were approved by the former commissioner for data protection, and this week's data handover was approved by the current commissioner. This is not about tracking individuals, she insisted.

But tracking is not necessarily what data-privacy advocates are concerned about here. They're worried about consent and transparency. 

Telekom customers have not been asked explicitly if their data could be used for this purpose, and neither the company nor the privacy commissioner seems willing to explain what was in that 5GB of data. According to experts, that's a lot of information when it comes to mobility.

"This whole topic is not a new concern," says Jan Penfrat, a senior policy and data privacy specialist at the Brussels-based European Digital Rights organization, or EDRi. 

Telecom companies have been collecting and selling their customers' geolocation data for a long time and, even if this is an ongoing practice by Deutsche Telekom, the lack of transparency is still worrying.

"It could still be fine – there is a legal basis for using data in these circumstances, and most likely I would agree with that – but what I am most worried about is that it will be used as an argument to put this into practice in the long term," Penfrat told ZDNet.

"Different companies and some governments would like to see this kind of data collection become an everyday thing."

It is certainly not an issue that is going away. In the US, the government is currently in talks with tech giants like Google, Apple and Facebook about how their customers' data could be used to prevent COVID-19 from spreading there.

In Germany, a medical school in Hanover is working with local mapping company Ubilabs to build an app that will allow for individualized infection tracking. With this app, named GeoHealth and expected to be available in a few weeks, a person who has tested positive for COVID-19 voluntarily donates the GPS data from their phone.

Other users will be able to tell if they were in the same place, at the same time, as the infected person. If the users get a "red light", warning them they were very close by, they are advised to go and get tested.

This week, the government of the autonomous Spanish region of Catalonia also launched its own, similar app, called STOP COVID19 CAT.

Looking at the permissions, data-privacy advocate, Christopher Schmidt, pointed out on Twitter that the app will transfer data to health authorities until the epidemic is over, that it uses Google Firebase, and it "knows who you're talking to".

Transparency is the most important issue, Schmidt told ZDNet. "Before doing something like Telekom has done, it's important to inform people – even if the measure is based on vital social interests," he said.

Another problem is the lack of an up-to-date and agreed-upon framework for the anonymization of user data, the writers of a 2018 article in Nature magazine argued. 

Anonymized data can often be easily reidentified, which causes concerns in situations like this, they say. That, and the lack of a framework, has been a serious barrier to using data in humanitarian crises in the past, as happened during the Ebola virus outbreak.

If you're using people's personal data, if it is to fight something as serious as this virus, anonymization may not necessarily take precedence, the EDRi's Penfrat concludes. 

"But you should be transparent, you need to carefully define the limited purpose for which data is being used and you need to be able to answer questions about how long you will keep that data."
