Benjamin Franklin: “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

This is not creepy at all. Google announced the company will hand over location data to health officials to help combat the Wuhan coronavirus.

Google promised it will not release “personally identifiable information, like an individual’s location, contacts or movement.”

Yeah, where have we heard that before? Doesn’t Google already work closely with the government? You betcha! France’s data watchdog fined Google $57 million “last year for a lack of transparency over how it uses people’s data.”

COVID-19 Community Mobility Reports

Google named the project COVID-19 Community Mobility Reports:

As global communities respond to the COVID-19 pandemic, there has been an increasing emphasis on public health strategies, like social distancing measures, to slow the rate of transmission. In Google Maps, we use aggregated, anonymized data showing how busy certain types of places are—helping identify when a local business tends to be the most crowded. We have heard from public health officials that this same type of aggregated, anonymized data could be helpful as they make critical decisions to combat COVID-19. Starting today we’re publishing an early release of our COVID-19 Community Mobility Reports to provide insights into what has changed in response to work from home, shelter in place, and other policies aimed at flattening the curve of this pandemic. These reports have been developed to be helpful while adhering to our stringent privacy protocols and policies. The reports use aggregated, anonymized data to chart movement trends over time by geography, across different high-level categories of places such as retail and recreation, groceries and pharmacies, parks, transit stations, workplaces, and residential. We’ll show trends over several weeks, with the most recent information representing 48-to-72 hours prior. While we display a percentage point increase or decrease in visits, we do not share the absolute number of visits. To protect people’s privacy, no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point.

It sounds pretty vague to me, which is one reason why I find it creepy. I expect Google and the health officials to have transparency when it comes to this.

And yes, the disclaimer is very broad. I’d say, this is largely a PR move. Apart from this, Google must be held accountable for its many other secondary data uses. And Google/Alphabet is far too powerful, which must be addressed at several levels, soon. https://t.co/oksJgQAPAY — Wolfie Christl (@WolfieChristl) April 3, 2020

Yves-Alexandre de Montjoye, head of London’s Imperial College’s Computational Privacy Group, gave Google props for fixing most privacy concerns, but found problems with project:

Although he also called for Google to provide more detail about the technical processes it’s using in order that external researchers can better assess the robustness of the claimed privacy protections. Such scrutiny is of pressing importance with so much coronavirus-related data grabbing going on right now, he argues. “It is all aggregated; they normalize to a specific set of dates; they threshold when there are too few people and on top of this they add noise to make — according to them — the data differentially private. So from a pure anonymization perspective it’s good work,” de Montjoye told TechCrunch, discussing the technical side of Google’s release of location data. “Those are three of the big ‘levers’ that you can use to limit risk. And I think it’s well done.” “But — especially in times like this when there’s a lot of people using data — I think what we would have liked is more details. There’s a lot of assumptions on thresholding, on how do you apply differential privacy, right?… What kind of assumptions are you making?” he added, querying how much noise Google is adding to the data, for example. “It would be good to have a bit more detail on how they applied [differential privacy]… Especially in times like this it is good to be… overly transparent.”

The Data

The project covers 131 countries and regions. The first report details data from March 29.

Let’s look at my state of Oklahoma.

Is all of this accurate? I mean, the reports lag two or three days. Not hours, but days!

Google’s movement data is probably more reliable than third-party location data. However, looking at their Austria report, I can’t believe visits to ‘retail & recreation’ places have decreased only 87%. All those places are closed, staff is mostly absent.https://t.co/Dc1BsL5ey0 pic.twitter.com/7uOB3mTLP5 — Wolfie Christl (@WolfieChristl) April 3, 2020

There are many reasons why Google’s data may be inaccurate, e.g. measurement, mapping to place coordinates, classification of places… In any case, if governments or researchers should get further non-personal analyses from Google, everything must be 100% transparent, at least. — Wolfie Christl (@WolfieChristl) April 3, 2020

De Montjoye is iffy on the accuracy:

On the topical question of whether location data can ever be truly anonymized, de Montjoye — an expert in data reidentification — gave a “yes and no” response, arguing that original location data is “probably really, really hard to anonymize”. “Can you process this data and make the aggregate results anonymous? Probably, probably, probably yes — it always depends. But then it also means that the original data exists… Then it’s mostly a question of the controls you have in place to ensure the process that leads to generating those aggregates does not contain privacy risks,” he added.

The data just shows where people are going. It cannot tell you if people are practicing social distancing. A bunch of people can go to a park and stand 4-6 feet from each other:

Wyoming is showing a decline in travel to most places but an increase in visits to parks. That tells you nothing about whether people are social distancing in those parks. But as we’ve already seen in the United Kingdom, police are quite capable of confusing “traveling to parks to get exercise” with “not engaging in social distancing.” On Thursday, Los Angeles County sheriff’s deputies arrested a paddleboarder off the coast of Malibu for violating a stay-at-home order. Bringing the man to the sheriff’s station in Calabasas for processing before releasing him exposed him to a much greater risk of COVID-19 infection than if they had just left him alone.

Shin Bet, Israel’s domestic intelligence agency, already instilled a sophisticated program similar to Google.

The agency also received criticism from privacy advocates:

Israel’s domestic intelligence agency, the Shin Bet, is retooling its spyware to meet the medical emergency. In recent days it has deployed a nationwide digital-surveillance program, using technology designed for counterterrorism, to locate people at risk of infection. The program uses cellphone data of people known to be infected to identify who else was close enough to catch the virus. As a result of the surveillance, the health ministry said 400 Israelis received a text message Wednesday asking them to enter quarantine. “According to an epidemiological survey, you were near someone sick from coronavirus. You must immediately enter Quarantine for 14 days to protect your relatives and the public,” the text message said. Shin Bet’s program, authorized by the attorney general and supported by health ministry officials, was criticized by privacy advocates and some lawmakers. The supreme court, acting on a petition by two civil-rights groups, issued an injunction ordering a halt to the program by next Tuesday unless parliament establishes the relevant oversight committees. The parliament was shut Wednesday by its speaker, an ally of Mr. Netanyahu, in a dispute with opposition parties over control of its committees.



