Pan-european phone surveillance with covid-19 excuse

One member in our community brought to my attention this:

and here’s a news article about it in the Portuguese context:

Why vodafone? More clients?

This is the response by European Data Protection Supervisor (EDPS) to the request for the monitoring being here discussed:

This report points out valid points but something bothers me here: the language is too polite. I don’t know if this is just to be politically correct or if it is because the supervisor is begging for data to be correctly processed. Here are some examples:

I also welcome that the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end

I would also like to stress the importance of applying adequate measures to ensure the secure transmission of data from the telecom providers.

The Commission should ensure that the data model would enable it to respond to the needs of the users of these analyse

Lastly, the part that bothers me the most is the fact that the supervisor is unaware that unless aggregated location data cannot be effectively anonymised:

At the same time, effective anonymisation requires more than simply removing obvious identifiers such as phone numbers and IMEI numbers. In your letter, you also mention that data would be aggregated, which can provide an additional safeguard.

The supervisor cites this with this document and on page 23 it cites the following study:

Researchers at MIT20recently analyzed a pseudonymised dataset consisting of 15 months of spatial-temporal mobility coordinates of 1,5 million people on a territory within a radius of 100 km. They showed that 95% of the population could be singled-outwith four location points, and that just two points were enough to single-outmore than 50% of the data subjects (one of such points is known, being very likely “home” or “office”) with very limited space for privacy protection, even if the individuals’ identities were pseudonymised by replacing their true attributes […] with other labels

Which, if I am reading this right, means that when data is not agreegated you only need to points from the same “anonymous” subject to de-anonymise 50% of the subjects and up to 95% if you use for random points of one’s path. Which essentially would mean that de-anonimization is totally possible, and therefore it would be under data protection laws.

I will say here something a bit controversial: If this were done in a very privacy-preserving way, I believe this would possibly bring the privacy world some advantage. But assuming:

  • only one ISP per country
  • data is aggregated at each ISP with technicians from both the company
  • only this aggregated data is transported out of the facilities by data protection people
  • the fields and collections procedures are all publicly documented as well as who calls the shots

The logic here is that if privacy creates too much of a burden people will take notice about the human cost of doing one thing like this and perhaps not consider unless a situation like this occurs.

But maybe I’m wrong and people won’t think it’s too much effort. Perhaps the data will prove so valuable that people will want to get more of it for other purposes in the future.

Anyhow, I am almost sure somewhere along the process someone will take a shortcut and end up violating people’s privacy and that will be messed up.