Privacy in the time of a pandemic: how is your data doing?

illustration_1_cc.jpg

Image description: Woman on phone being watched by feminine humanoid cameras

Image description: Woman on phone being watched by feminine humanoid cameras. Illustration by Neema Iyer.

I am curious about two things - artificial intelligence[i] and the right to privacy in data-driven societies. Especially since we live in the context of low internet access, 28% estimated internet uptake, and the gendered digital divide with more men accessing the internet than women in Sub Saharan Africa. The context makes me wonder if it is worth pursuing my curiosity about artificial intelligence, algorithms, machine learning and automated decision-making or rather focus on closing the digital divide.

The current health crisis has made it clear that it has to be about both. Governments and corporates worldwide have taken unprecedented measures to contain, trace and track the spread of the coronavirus by turning to digital technologies and advanced analytics to collect, process and share data for effective responses.

Rightly so civil society[ii] has rallied to ensure privacy norms are adhered to during these times to avoid a free-for-all by governments and private sector on all of our data. Yet the gendered and sexuality issues around data collection and processing including heightened concerns of surveillance and related impacts such as discrimination and bias needs more emphasis.

Ensuring privacy and protecting data in COVID related tech solutions

Digital solutions to the pandemic are continuously evolving on the continent collecting large amounts of personal and health data. With the status of data protection found to be inadequate in Africa, the magnitude of data collected in these solutions raises questions of governance in relation to the right to privacy and data protection especially in contexts of inequality.

The Africa Internet Rights coalition stresses the need for any solution to safeguard the right to privacy, requesting states and stakeholders to be transparent about surveillance measures being taken and collect necessary information only in response to the pandemic. The South African COVI-ID platform for example positions itself as a privacy-by-design platform. The South African government has not taken it on though preferring its own COVIDConnect service available via WhatsApp and SMS[iii].

At a regional level, the Africa Communication and Information Platform solution is described as a “unique opportunity to change the way we conduct disease surveillance, enhance our ability to acquire good and timely data, and make all Africans count”, and makes use of a mobile USSD platform and artificial intelligence. Its provisions for data protection aim to ensure public trust in the process. Data is collected in accordance with national law and regulations and based on the ECA’s principles of good ID. However, there is little information on where it has been launched to determine if privacy and data protection laws in those countries are sufficient.

National Data Protection Authorities (DPAs) stepped in to provide guidance in data protection processes at the national level. The authorities provided pointers to avoid future misuse of technology such as unwarranted increased surveillance and determine who has authority in collection and processing of dat.

In Senegal, the Commission DE Protection de Donnes Personnelles (data protection authority) assesses the process of anonymisation data before its reuse for statistical and scientific research purposes to ensure the data may not be de-anonymised. Mauritius Data Protection Authority developed the  Guide on Data Protection for Health data and AI in the Context of the COVID-19 Pandemic for development of mobile tracing apps and AI solutions to ensure the right to privacy including pseudonyms, transparency, right to be informed and time limitation.

In Morocco, the Moroccan Data Protection authority - CNDP,   developed minimum standards focused on addressing citizens' concerns over increased surveillance and the government's need for health data to respond to the virus. Citizens involvement has also been championed by advocating for the technology to be available for citizens audit.

However citizen control over data is limited. Centralisation of databases with data collection, processing and use is being granted to relevant health professionals rather than the people who provide this information, and there is limited citizen audit of these systems.  Senegal, MauritiusMali, and South Africa, for example, have focused on guidelines for centralised data collection to health authorities.   These centralised databases may be susceptible to abuse and misuse and data breaches which would jeopardise our privacy.  To ensure privacy, South Africa appointed a designated retired judge to receive weekly reports on the database and is empowered to provide guidance on ensuring privacy is protected. 

 

Examples of digital solutions responding to the pandemic in Africa

SolutionsDescription
CUN Economic Commission for Africa - Africa wide Africa Communication and Information Platform (ACIP)The Africa Communication and Information Platform (ACIP) for health and Economic Action is a data-driven solution that leverages the extensive mobile uptake on the continent by operating as a mobile USSD platform and artificial intelligence to communicate with citizens and collect data on the pandemic and for social welfare purposes.
East Africa Community Common PassUsing an app called Common Pass, travellers in the East African region will share their recent tests in a way that ensures the authenticity of results and the privacy of the traveller to resume travel in the region. Personal information will not leave the traveller’s phone without their consent.
South Africa COVI-ID

The application has been built by a group of South African academics, students, and entrepreneurs. It is considered a uniquely “African” solution that gives everyone the ability to prove their COVID-19 status, reliable, secure, and without loss of privacy”.

South Africa Government COVID 19 database

The track and trace solution makes use of cellular data to trace the movement of infected people to identify anyone who may have come into physical contact with them. To address privacy concerns, a designated retired judge has been assigned the role of ensuring privacy. They receive weekly reports including names and details of everyone traced.

Morocco wiqaytna’ - our safety mobileThis 100% Moroccan tool has been promoted by both ministries of health and the interior. It is a voluntary tool and the DPA ensured it complied with national laws on data protection with emphasis placed on privacy-by-design

 

Gender matters in the right to privacy

As I read the reviews of these solutions and their legality, it feels disembodied as if the data exists separate from us and out of context:

“Our primary language for conceptualising the data we produce is through privacy, which treats our personal information as separate from us, a piece of property that can be measured, negotiated over, sold, and reused. But data doesn’t just belong to you in the way that your house or car might; it is also you” – Tricia Wang, You are not your data but your data is still you

Yet gender matters in these privacy solutions and it is upto the government to ensure gender equality in their responses to the pandemic. Privacy, from a feminist perspective, is concerned with ownership and control of our data and at the same time working against surveillance, a patriarchal tool to control and restrict women and gender diverse people’s bodies, speech, and activism.

Women and gender diverse people experience privacy differently from men because of the social perceptions of how men and women should behave determining the extent of privacy in patriarchal societies. The discussion on gender in contact tracing, for example, has left a lot to be desired as the extra risks that women and marginalised communities face are not sufficiently taken into account-

“Racing to embrace digital contact tracing without putting laws and policies in place to address the stigma surrounding the epidemic, and to protect the rights of those most marginalized, risks undermining the goal of epidemic control.”

The examples of women being stalked following physical contact tracing processes raise concerns around the misuse of personal information even in the digital space.

The UN special rapporteur on the Right to Privacy notes that “privacy and gender have long been regarded as second-order considerations but their complex impact upon society is important’’.

As  Zoom meetings increased as an avenue to connect -  a 535% rise in daily traffic to Zoom.us from March to April,  zoom bummings[iv] emerged. Zoom bummers hacked what were meant to be spaces for online and often private engagement, and spewed sexist, white supremacist content, or child sexual violence, and extreme pornography.

Not all homes were safe and offered privacy. Gender-based domestic violence and subsequently online gender-based violence escalated.  There was an increase in the distribution of non-consensual intimate images. Provisions were made for gender-based violence but the responses to online harassment were non-existent from government and platforms. As content moderators were sent home, imperfect artificial Intelligence tools took over the moderation or responses were extremely delayed. 

The privacy conversation has really pushed for provisions around contact tracing but what of the online safety, bias and discrimination resulting in use of these technologies? A gender lens using feminist methodology and principles will be necessary to understand the right to privacy in a datafied society.

Conclusion

In this three-part series – I am reflecting on the work I have done using a feminist data justice perspective to understand AI, privacy and data protection in South Africa.  This first part has looked at data and the right to privacy focusing on the current health pandemic. The second article will reflect on using the feminist methodology to develop evidence on the gendered aspect of privacy and AI. The last will be a call to action – for what is to be feminist if we cannot gather and disrupt the patriarchy?

Interested in following this project – please fill in this quick survey

 

 

Footnotes: 

[i] This term is used broadly in this paper and recognises the challenges of what really is AI. Check out this resource on debunking AI – AI Myths

[ii] Here are some links to work by civil society in response to privacy and the pandemic:

[iii] The South African Government is to launch a mobile contact tracing solution as was announced at the extension of the lockdown by the President Cyril Ramaphosa on the 15th of August 2020

 

 

[iv] Zoom Bummings – I have opted to use Bummings than Bombings under the guidance of GenderIT as bombings do not take into account the reality of those living in conflict and are continuously bombed and bumming’s are appropriate to reflect annoying bums who do this pointless and futile hacking of feminist and civil society meeting spaces.