COVID-19 Digital Rights & Data Privacy Tracker

This live tracker documents new initiatives introduced in response to the pandemic that pose a risk to digital rights and data privacy around the world.
Covid-19 Digital Rights Tracker Header Image - Man Walking In Shadow of Surveillance Cameras
Samuel Woodhams

First published 20 March, 2020. Last updated to include the latest information on vaccine passport apps.

Digital Rights: Key Risks

Digital Health Certificate Apps

  • 73 digital health certificate mobile apps are in operation globally
  • We consider 60 mobile apps (82%) to have inadequate privacy policies
  • 32 apps (44%) track users’ precise location
  • 14 of the 20 most popular apps have permissions with implications for data privacy
  • There are now 14 vaccine passport mobile apps, with 13.4 million downloads

Contact Tracing Apps

  • 120 contact tracing mobile apps are available in 71 countries
  • 45 mobile apps now use Google and Apple’s API. 75 don’t use the API, with potentially greater risk for data privacy
  • The U.S. has 23 apps, more than any other country in the world
  • 19 apps, with 4 million downloads combined, have no privacy policy and thus no expectation of data privacy

Location Tracking

  • 60 location tracking measures have been introduced in 38 countries
  • Telecom providers have shared users’ location data in 20 countries

Mass Surveillance

  • 43 physical mass surveillance initiatives have been adopted in 27 countries
  • Drones have been used in 22 countries to help enforce lockdowns
  • Europe introduced more new instances of mass surveillance than any other region

Monitoring Covid-19 Tracking & Surveillance

Since the outbreak of COVID-19, governments around the world have responded with a wide range of location tracking, developed dozens of contact tracing mobile apps that pose a potential risk to data privacy and security, and introduced new physical mass surveillance.

In the months since we began this index, we’ve recorded hundreds of new initiatives; from drones used to enforce lockdowns, to the mass surveillance of cellphones.

Some of these may well be proportionate, necessary and legitimate actions during these unprecedented times. However, some have dramatically threatened citizens’ civil liberties and right to privacy.

We will continue to update this live index and document new initiatives that threaten digital rights to help stem overreach, promote scrutiny, and ensure that intrusive measures don’t continue for any longer than absolutely necessary.

To view our complete findings, view this public Google Sheet.

Digital Health Certificate Apps

In March 2020, China’s AliPay Health Code system made headlines around the world. The software assigned citizens a color code that represented their COVID-19 status and was used to determine whether or not a user could access public spaces.

Since then, mobile apps designed to log and display the COVID status of an individual for domestic and international travel, access to academic institutions and workplaces have proliferated around the world.

In total, we recorded 73 apps currently in operation which had been downloaded almost 19 million times combined at the time of publication.

However, like digital contact tracing apps, many of these mobile apps have been developed in a haphazard way, putting users’ data privacy and security at significant risk. They also face numerous limitations in terms of their efficacy and risk exacerbating existing inequalities on a huge scale.

Digital Health Certificate Apps: Data Privacy Risks

  • There are currently 73 digital health certificate apps in operation
  • The apps have been downloaded at least 18.8 million times combined
  • 60 apps (82%) have inadequate privacy policies
  • U.S. developers have created almost half (35) of all apps
  • Employee screening apps (19) and venue access apps (19) are the most common, followed by international travel apps (17)

The poor design of the apps not only risks users’ health information security, it has also created immediate real-world problems.

As one review of Indonesia’s mandatory travel app explained: “People [are] exhausted after their journey and they cannot leave [the] airport” because the app crashed.[1]

eHac mobile app Play Store review

eHac mobile app Play Store review.

A reviewer of another app complained that incorrect information on the app “caused [them] to unnecessarily spend money to change [their] flight.”[2]

iFly mobile app Play Store review

VeriFly mobile app Play Store review.

Digital health certificate are yet another example of app developers, private companies, and governments attempting to solve a complex public health crisis with rushed and poorly-designed technology.

Vaccine Passport Apps

As vaccines begin to be administered around the world, an increasing number of mobile apps have been designed to log and display whether a user has received their jab.

Like all digital health certificate apps, developers have claimed these apps will encourage international travel to resume safely and allow domestic economies to reopen. However, few of these apps have adequate privacy safeguards, which raises significant concerns about collection of personal data and the erosion of users’ digital rights.

Vaccine Passport Apps: Data Privacy Risks

  • There are currently 14 vaccine passport apps in operation
  • The mobile apps have been downloaded at least 13.4 million times combined
  • 10 apps (71%) have inadequate privacy policies
  • 6 apps (43%) track users’ precise locations
  • 17 apps are expected to be released in the coming months

The following data table shows details of vaccine passport mobile apps available globally. Android install figures have been sourced from the Google Play Store, while the iOS monthly install statistics are from SensorTower for February 2021.

* Note: WeChat – Digital Health Certificate install figures may not reflect the true number of vaccine passport users as this feature is integrated into the wider WeChat application. It has therefore been excluded from the overall install figure provided in the key findings.

As well as having poor data privacy protections, these mobile apps also risk exacerbating global inequality. As vaccines are being distributed unequally around the world, some citizens will benefit from these apps while others won’t.

Despite their many limitations and data privacy implications, these mobile apps are likely to become a prominent part of governments’ technological strategy.

All Digital Health Certificates: Privacy Analysis

The following section provides a deep dive into the privacy policies of all of the digital health mobile apps, with a particular focus on collection of personal data, data security and location tracking.

Our analysis includes apps that require users to submit vaccination status, PCR test results, antibody tests and self-symptom logs.

Privacy Policy Analysis: Key Findings

  • 36 (49%) mobile apps do not have dedicated privacy policies
  • 36 (49%) apps do not disclose exactly what personally identifiable information (PII) is collected
  • 59 (81%) apps do not disclose how long users’ data will be stored for
  • 42 (58%) apps share information with third parties in some way
  • 49 (67%) publicly state they will share user information with law enforcement agencies and authorities when requested.
  • None of the apps are open source

Some of the privacy policies were not just inadequate, they were potentially misleading.

According to Canada’s ArriveCAN privacy policy, the app “doesn’t use GPS or other technology on your mobile phone to track your location.”[3] Yet our analysis showed the app contained the ACCESS_FINE_LOCATION permission which could allow the app to monitor a users’ precise location via GPS. The app has been downloaded almost 200,000 times.

We also discovered some apps have potential vulnerabilities. Scans of Brunei’s BruHealth app, for example, showed that it potentially contained malware. The app has been downloaded over 100,000 times.

Even when apps are developed with data privacy in mind, there is always a risk that they will be misused in the future.

In January, law enforcement agencies in Singapore were reportedly given access to personal data from the TraceTogether app, despite clear indications on the original privacy policy that this would not happen.[4]

In our analysis, more than half of all apps explicitly state they will share users’ personal data if asked by a relevant authority.

Privacy advocates have warned of this type of mission creep since the beginning of the pandemic and digital health certificate apps are similarly at risk of serving more nefarious purposes in the future.

This is particularly true given the potentially invasive permissions embedded within the apps and their poor privacy policies that don’t safeguard effectively against personal data collection.

The following data table shows the 20 most popular COVID digital health certificate apps around the world with information on their privacy policies and potentially invasive permissions. Android download figures have been sourced from the Google Play Store, while the iOS monthly figures are from SensorTower for February 2021.

Contact Tracing Apps

We have documented 120 contact tracing apps in 71 countries, with many more scheduled to be rolled out in the coming weeks.

Contact Tracing Apps: Data Privacy Risks

  • There are currently 120 contact tracing apps available globally
  • India’s Aarogya Setu is the most popular, with 100 million downloads
  • The U.S. has 23 contact tracing apps, more than any other country in the world
  • 30 apps (25%) use GPS as the primary contact tracing method
  • 58 apps (48%) use Bluetooth and 26 (22%) use Bluetooth and GPS
  • 45 (37.5%) contact tracing apps are now using Google and Apple’s API
  • 19 apps, with over 4 million downloads combined, have no privacy policy

Much like VPN apps, contact tracing apps have provoked heated discussions in regards to their data privacy and inclusivity.

The data privacy concerns raised initially have gradually eased in recent months by the increasingly widespread adoption of Google and Apple’s Exposure Notifications API. That’s because Google and Apple’s API requires mobile app developers to adopt a decentralized approach if they want to utilize the API’s functionalities.

The decentralized system provides users with randomly generated, anonymous temporary keys. Upon a positive test result, the users’ app will share the temporary codes it’s used to a central server. These codes are then sent to every other device with the app installed to perform contact matching risk analysis and, if the random key matches one that the app has previously logged and meets the specified risk exposure criteria, it will send an alert and ask the user to self-quarantine.

Unlike the centralized approach, the decentralized approach protects users’ anonymity by performing the contact matching analysis at the local level, rather than at the point of the central server.

Overall, 45 contact tracing apps are currently using Google and Apple’s API, including 13 contact tracing apps in the U.S. There are also plans in another six U.S. states to use the API in the future.

While an increasing number of countries have adopted the decentralized approach, an alarming number still put users’ health information privacy at risk. 19 contact tracing apps, which have been downloaded over 4 million times combined, don’t even have a dedicated privacy policy.

Contact tracing apps often use GPS technology to track your precise location – a VPN that spoofs GPS is among the only consumer technology that can prevent this from happening.

The efficacy and inclusiveness of contact tracing apps also remains in doubt. According to a recent WIRED report,[5] the UK’s contact tracing app “risks leaving out people with older phones, in particular those without the money to buy a newer one,” as it requires users to have a phone running Android 6.0 or iOS 13.5 or later.

However, the greatest hurdle facing contact tracing apps is ensuring enough people download and use them. One recent study claimed that at least 60% of citizens would need to download the app for it to work effectively. Since then, however, the researchers have stressed that these apps may still help save lives with lower levels of uptake.[6]

However, even if the apps are downloaded by a large section of society, that doesn’t guarantee success. This uncertainty of outcome casts significant doubt on whether the erosion of digital rights that these apps represent is worthwhile.

In France, the country’s contact tracing app was downloaded 1.8 million times and yet it only sent 14 notifications, according to TechCrunch.[7] In Iceland, the app was downloaded by 40% of the population and yet, “it wasn’t a game changer,” according to Gestur Pálmason,[8] who is overseeing the country’s contact tracing efforts.

Even the Product Lead of Singapore’s lauded TraceTogether has highlighted the limitations of contact tracing apps.

Issues surrounding the interoperability of contact tracing apps are likely to dominate the debate in the coming weeks. The EU Commission has announced[9] that European apps would begin to be interoperable from October 17, with the German and Italian apps the first to connect.

Similarly, in the U.S. an increasing number of contact tracing apps are using the national key server created by The Association of Public Health Laboratories.[10]

Contact Tracing Apps: In-Depth Analysis

We analyzed 47 contact tracing apps in 28 countries in detail and found that many put users’ data privacy at risk.

  • 25 apps (53%) do not disclose how long they will store users’ data for
  • 28 apps (60%) have no publicly stated anonymity measures
  • 24 apps (51%) contain Google and Facebook tracking
  • 9 apps contain Google AdSense trackers
  • 11 apps contain Google conversion tracking and re-marketing code
  • 7 apps include code from Facebook

In our analysis of these mobile apps, we found code relating to Google’s advertising and tracking platforms in 17 contact tracing apps. This includes AdSense, Google’s advertising network that allows publishers to make money by showing ads to their users, and also the much more powerful Google Ad Manager, formerly known as DoubleClick for Publishers, which allows publishers to show ads from a huge array of sources.

Aside from the ethics of monetizing public health in this way, the presence of such tracking code in contact tracing apps raises red flags around data privacy and personal data collection due to the targeting options offered by Google’s ad platforms.

We also found code that enabled varying levels of integration with Facebook in seven apps. This ranges from direct integration with Facebook’s advertising platform to functionality allowing users of the apps to link their Facebook accounts, or to share content from the contact tracing apps to Facebook.

The general lack of data privacy features in these apps exacerbates concerns that contact tracing apps may be used to harvest citizens’ personal data.

Access this Google Sheet for our complete findings.

Global Contact Tracing App Details

The following data table shows the 10 most popular contact tracing apps from around the world. Download figures provided are from Google’s Play Store.

* For full list of developers, please refer to this Google Sheet.

All Measures - Regional Analysis

The following data table summarizes measures being adopted that threaten digital rights, by global region. For details of individual measures skip ahead to the following sections:

Location Tracking

Many public health authorities around the world have turned to initiatives involving location-based services to help monitor their populations.

Measures have included the use of aggregated mobile location data to track citizens during lockdowns, mobile apps designed to help identify the location of those infected, and the deployment of advanced cellphone monitoring technologies.

Below is a reverse chronological list of confirmed location tracking being adopted around the world.

Singapore – 14/09/20

Singapore introduced Bluetooth contact-tracing tokens for its residents in September. The tokens were an important way of expanding contact tracing efforts to those without smart phones.

As the BBC reported, “The initial rollout is happening in areas with a greater concentration of elderly people, who are both at a greater health risk… and less likely to own a smart phone.”[11]

Brazil – 10/07/20

In a positive move, Brazil’s Supreme Court overruled a government order that forced telecommunications companies to share users’ location data with authorities.

“Privacy advocates have hailed the judgment as a historic win, but warned that the court’s decision could lead to unintended consequences – by allowing other government agencies to set precedent on data protection issues before the country’s data protection authority is established,” according to the Global Data Review.[12]

New Zealand – 07/07/20

Hamish Walker, a New Zealand politician, leaked the personal details of COVID-19 patients to the media in July. The data was acquired by Michelle Boag, the chief executive of a rescue helicopter trust, who then passed it to the politician. “The incident has shocked New Zealanders and is being viewed as the first smear attempt of the upcoming general election,” The Guardian reported.[13]

Israel – 24/06/20

Just a matter of weeks after the controversial tracking measure was halted, Israel’s parliament voted to reintroduce Shin Bet’s location tracking initiative on June 24.[14]

Chile – 19/06/20

Telecommunications companies in Chile confirmed they were passing location data to public authorities in a bid to monitor the movements of citizens. According to one report, the location data is “aggregated and anonymous.”[15]

Israel – 09/06/20

An Israeli official announced on June 9 2020 that the country’s internal security service had brought its cellphone location tracking operation to an end.

The official, who requested anonymity, told Reuters: “This (tracking) will be renewed only if there is a big outbreak, at which point snap legislation would be required in parliament.”[16]

The use of the location-tracking technology, which was originally designed to counter terrorism, had previously been challenged in court.

Morocco – 29/05/20

In an article published on May 29, entitled ‘Morocco’s coronavirus surveillance system could tip into Big Brother,’ Aziz Chahir argued that the country’s recently deployed location tracking apps risked plunging the country “further into a hyper-surveillance system”.[17]

According to the article, Morocco had purchased much of the location-tracking technology from Israel.

China – 26/05/20

On May 26, the Guardian reported that authorities in Hangzhou had announced their intentions of making a health status app permanent.[18]

According to the article, the app is similar to many deployed around the country that displays a “QR code with an individual’s virus status, which can be used to determine the extent to which the individual is allowed to move about.”

The new, broader app is thought to provide every citizen with a score out of 100 and record information including the number of cigarettes smoked, hours slept and steps taken by the user.

India – 11/05/20

On May 11 it was reported that an app used by Madhya Pradesh authorities designed to track the location of quarantined patients had leaked personal information online.

“The database contained the names of people who are meant to be quarantined, information about the type of phone they used and their last known location – at times as accurate as within 5 meters – and was available for download on an website,” the Hindustan Times reported.[19]

After its discovery, the database was quickly taken offline.

Jordan – 08/05/20

On May 8, the Prime Ministry of Jordan Facebook’s page posted a video announcing a new mobile app called Cradar.[20]

The app is designed to allow citizens inform authorities about unauthorized gatherings and warn them if they suspect someone of having the virus.[21] It is one of many mobile apps developed by authorities in Jordan.

Other mobile apps include a contact tracing app[22] and an app designed to help authorities enforce quarantine.[23]

Hungary 04/05/20

The Hungarian parliament announced plans to temporarily suspend parts of the European-wide General Data Protection Regulation (GDPR), EURACTIV reported in early May.[24]

The new measures “include the suspension of the rights to access and erasure of personal information, and those who lodge a complaint or exercise their right to a judicial remedy will also have to wait for the proceedings to start until after the government proclaims an end to the state of danger.”

Opposition politician Bernadett Szél responded by saying, “restricting data rights is unnecessary and disproportionate, and furthermore does not help, even hinders the fight against the epidemic.”

In a recent report by Freedom House, the NGO said that “Prime Minister Viktor Orbán’s government in Hungary has… dropped any pretense of respecting democratic institutions.”

Turkey – 07/05/20

Turkey’s health minister announced a mandatory app for people thought to be infected, according to Human Rights Watch.[25]

“The app follows the movement of people instructed to self-isolate, and if they leave their homes, they receive a warning via SMS and are contacted instantly through automatic call technology and told to return to isolation.

“Those who fail to comply with the warning and continue to violate the quarantine are reported to relevant law enforcement and face administrative measures and sanctions, which can include jail time ranging from two months to a year in accordance with Article 195 of Turkish Penal Code.”

Russia – 05/05/20

Citizens of Moscow who have developed symptoms were asked to send three selfies daily to authorities to prove that they are remaining inside.[26]

According to a tweet by journalist Mathew Luxmoore, failure to comply could lead to fine of 4,000 roubles, approximately US$55.[27]

Malaysia – 04/05/20

Authorities in Selangor have introduced a new location tracking system as the city emerges from a lockdown.

“The system aims to support registered business or commercial premises owners by providing them with unique QR codes that can be placed on posters and scanned by visitors who enter their premises,” the Malay Mail reported.

Customers will then be required to scan the QR code before entering and, if they later test positive the businesses will be alerted.

Pakistan – 23/04/20

On April 23, Prime Minister Imran Khan announced that the country’s Inter-Services Intelligence (ISI) was helping monitor citizens with technology originally designed for tracking the location of potential militants.

“Rights activists say they fear the surveillance method could be misused by authorities to gain more access into the lives of Pakistani civilians, particularly those who are critical of the government,” VOA reported.[28]

Morocco – 23/04/20

A mobile app that monitors citizens’ location was launched in Morocco in April to assist police forces with enforcing lockdown.

The app lets police “know which checkpoints a person has passed through, allowing them to trace their movements” but “conforms to the rigorous security criteria used by the DGSN in its databases”, according to MAP officials quoted in The Star.[29]

Brazil – 17/04/20

On April 17, the Brazilian parliament passed legislation to allow the passing of telecommunication location data to public bodies. The legislation was later struck down by the Supreme Court.

Finland – 14/04/20

Mobile operator Telia published a press release stating that it had passed on anonymized cellphone location data to the government, prompting a review from the Office of the Chancellor of Justice.

According to one report, “The cabinet’s coronavirus war room uses the data provided by the app to analyze situations such as traffic flows in various parts of the country.”[30]

Kazakhstan – 08/04/20

“[The] Kazakhstani ministry of health requires the 8,000 or so Kazakhstani citizens currently under quarantine to use the SmartAstana tracking app, which enables officials to ensure that they remain in isolation,” according to Privacy International.

In Almaty, the country’s largest city, authorities are also using video surveillance to help track the location of those breaking quarantine orders. The technology is produced by Korkem Telecom, a local telecommunications firm, according to the Jamestown Foundation.[31]

Sweden – 08/04/20

“The Swedish Public Health Agency will use mobile data from Telia to analyze how people have moved in Sweden in connection with the spread of the coronavirus in the country,” according to a report by Computer Sweden published on April 8.[32]

Australia – 05/04/20

“Vodafone has provided the mobile phone location data of several million Australians in an anonymized and aggregated form to the federal and NSW governments to monitor whether people are following social distancing restrictions amid the coronavirus pandemic,” The Sydney Morning Herald reported.[33]

“To date, governments, medical experts and the media have used location data from transport apps such as CityMapper, which shows how people move throughout cities like Sydney and Melbourne using public transport, in an attempt to determine whether people’s movement has reduced.”

India – 05/04/20

Karnataka authorities introduced its new contact tracing app in early April.

“The app aims to track the movement history of persons tested positive, before their detection in order to take precautions and to contain the coronavirus outbreak,” India Today reported.[34]

According to Citizen Matters, “the governments of Kerala, Karnataka, Punjab and Tamil Nadu, the Ministry of Electronics and Information Technology (MeitY) and the National Informatics Centre (NIC) have released various mobile apps.

“While desperate times understandably call for desperate measures, many of these mobile phone-based interventions raise concerns about the privacy of users and that of persons directly affected by the novel coronavirus, overboard surveillance, and eventually, ‘function creep’.”[35]

U.S.- 04/04/20

On April 4, CNN reported that two tech startups had tracked citizens visiting the beach in Fort Lauderdale, Florida, by monitoring mobile phone location data.[36]

One of the companies involved then posted a heat map on Twitter to show their findings.[37]

Despite claiming to only use anonymized location data, it has been repeatedly been shown that even large anonymized data sets are at risk of re-identification.

New Zealand – 02/04/20

Police authorities in New Zealand have been reportedly asking returning Kiwis to give consent to authorities to track their location via their cellphones.[38]

According< to Police Commissioner Mike Bush, returning citizens 409 text 40 [40] 'please reply, turn on your location services and if it is okay with you we will be able to monitor where you are.'"[39]

India – 31/03/20

Andhra Pradesh authorities have been reportedly tracking mobile phones of those in quarantine. The technology uses signals of mobile towers to track people’s location and monitor whether or not they are abiding with lockdown rules.[40]

India – 31/03/20

Authorities in the state of Andhra Pradesh have been using a range of location-based tracking technologies to ensure infected citizens remain in quarantine, India Today reported.

“The first tool which is called the Covid alerting tracking system is being used by the authorities to track over 25,000 people who have been placed under home quarantine by tracking the location of their phones on a real-time basis with the help of telecom service providers and mobile tower signals.”[41]

Argentina – 30/03/20

Big data firm Grandata released a heat map based on location data in March showing the movement of citizens around Argentina to monitor compliance with the new lockdown.

“This is the perfect example of the data exploitation industry and data brokers, using data that users probably where not aware they were sharing with third parties like Grandata,” Privacy International stated.[42]

U.S. – 28/03/20

“Government officials across the U.S. are using location data from millions of cellphones in a bid to better understand the movements of Americans during the coronavirus pandemic,” the Wall Street Journal reported in March.

“The data — which is stripped of identifying information like the name of a phone’s owner — could help officials learn how coronavirus is spreading around the country and help blunt its advance.”[43]

It is thought the location data was acquired from the mobile advertising industry rather than from mobile operators.

Brazil – 27/03/20

“The mayor of Recife said the city is tracking at least 700,000 smartphones to identify where the lockdown rules are being followed,” ZDNet reported in March.

“Governments across Brazil are looking to roll out a system developed that uses geolocation tracking to support actions around the lockdowns intended to slow the spread.”[44]

The system is developed by InLoco, a Brazilian startup, and tracks the location of users “through a location map that doesn’t use GPS or beacons, which InLoco claims to be 30 times more accurate than GPS”.

Switzerland 26/03/20

“Switzerland has asked state-controlled Swisscom for day-old mobile phone data to help judge whether measures to restrict people’s movements and slow the coronavirus’s spread were working,” Reuters reported.[45]

Daniel Koch, head of infectious diseases at the federal health agency, said it “it had 48 to do 48 [48] surveillance” as they were only acquiring data from the previous day.

South Africa – 24/03/20

South Africa’s communications minister Stella Ndabeni-Abrahams told reporters in March that “It is important to look at the individuals 49at 48 affected 49 49] in order to be able to help the department of health to say that we know, in a particular area we have so many people that have been 50″50 [50] industry collectively has agreed to provide data analytics services in order to help government achieve this.”

Business Insider reported that “She did not provide further details, and regulations that will govern South Africa’s national lockdown, and methods of curbing the spread of the virus, have not yet been published.”[46]

Guatemala – 24/03/20

Authorities in Guatemala have released an app to help share information regarding the virus to its citizens, according to Privacy International. The app also collects “each user’s email address, social media account handles, age, personal interests, and geographic location, and asks permission to access files, calls, and audio, among others.”[47]

The app was reportedly developed in collaboration with Google and Friends of Israel.[48]

UK – 24/03/20

Researchers from King’s College London and St. Thomas’ Hospitals, in collaboration with a health company ZOE, have released an app that allows citizens to self-report their health to provide data on transmission of the virus.

According to the project’s listing on GovLab’s living repository of data collaboratives in response to COVID-19: “This data, protected by the European Union’s GDPR, is then sent to King’s College London and the NHS.”

Bulgaria – 24/03/20

Bulgarian authorities will have the power from March 24 to trace mobile phone traffic metadata and internet contacts without a court order, according to a tweet from Dr. Vesselin Bontchev.[49]

“The idea is to trace those in quarantine but this limitation is not spelled out in the law,” he said.

Pakistan – 24/03/20

Several residents across the country received a text message alerting them that they may have come into contact with someone with the virus, Ramsha Jahangir reported in March.

The message reportedly read: “It has been observed that you may have come in contact with a confirmed coronavirus case in the last 14 days. You are, therefore, requested to take necessary precautionary measures by self-quarantine.”[50]

It is thought the measure has been implemented via cell site location information (CSLI) and call detail record (CDR) data acquisition methods.

“Using CDR analysis, details such as locations visited by a confirmed Covid-19 patient as well as cell phone numbers of others who were in the same vicinity at the time can be obtained from the patient’s phone data,” the article stated.

Russia – 23/03/20

The Russian government released an announcement in March ordering the Ministry of Communications to develop a new contact tracing system to help monitor citizens thought to have come into contact with those that have the virus.[51] 56″The 57 [57] analyze specific individuals’ geolocation data from telecommunications companies,” Meduza reported.[52]

Morocco – 23/03/20

“Moroccan police have started using a mobile application in recent days to track violators of the kingdom’s lockdown in response to the coronavirus, according to the official MAP news agency,” Malaysian news site The Star reported.[53]

The mobile app was developed by the country’s national security force and allows the police to track which checkpoints a person has passed through.

“More than 53,000 people have been arrested since the start of a public health state of emergency on March 20.”

Spain – 23/03/20

Telecommunications giant Telefonica has been working with Spanish authorities to provide “mobility insights for monitoring 60, detecting infection 60, [60] prediction of virus propagation”, according to GovLab’s repository of data collaboratives.

The project went live on March 23, according to the listing.

India – 20/03/20

“People suspected of having the coronavirus in India have received hand stamps and are being tracked using their mobile phones and personal data,” Reuters reported in March.[54]

The indelible hand stamps, which have been applied to citizens arriving at airports in Maharashtra and southern Karnataka, include the date that the person may be released from self-isolation.

“In southern Kerala state, authorities have used telephone call records, CCTV footage, and mobile phone GPS systems to track down primary and secondary contacts of coronavirus patients.”

Poland – 19/03/20

Poland’s Ministry of Digital Affairs launched a new mobile app in March that relies on cellphone location data to coerce citizens into abiding by the terms of their quarantine.[55]

The app prompts its users to send a geolocated selfie at random times throughout the day, so that authorities can ensure that they are abiding by quarantine regulations.

Failure to comply with the orders to remain inside could result in a fine of PLN 5,000.

“The system checks both the person (using facial recognition) and the location, essentially replicating what would otherwise be a visit from a police officer,” Privacy International stated.[56]

UK – 19/03/20

On Thursday March 19, Sky News reported that the British government was working with major mobile network O2 to analyze its users’ location data.[57]

“The project will not be able to track individuals and is not to designed to do so,” according to the article.

A report published the same day by The Guardian revealed that EE, the country’s largest mobile operating company, was also in advanced discussions with the government about how best to share their users’ location data.

“Privacy campaigners worry that handing over such personally identifying information in large quantities crosses a line that may be hard to step back from when things return to normality.”[58]

Hong Kong – 19/03/20

All international arrivals to Hong Kong currently have to stay at home for 14 days. To track the new arrivals, authorities are now providing them with wristbands that log a user’s location and share it with relevant authorities.

Anyone violating the quarantine orders could face up to six months in prison and a fine of up to HK$25,000, according to Quartz.[59]

Italy – 18/03/20

Vodafone launched a five-point plan to help respond to the outbreak on March 18.[60]

The company was “already producing an aggregated and anonymous heat map for the Lombardy region in Italy to help the authorities to better understand population movements in order to help thwart the spread of COVID-19”, according to the press release.

Israel – 17/03/20

On Tuesday, 17 March, legislators approved new mass surveillance policies that allow the regime to track the location of citizens by monitoring their mobile phones.

Benjamin Netanyahu had outlined his plans the previous weekend.

The technology, which was originally developed to assist in counter-terrorism operations, is thought to be able to track the physical location of all mobiles in the country, as well as monitor calls and messages.

According to digital rights group, 7amleh, it is also capable of accessing citizens cameras and headsets. 68

68 [68] committing mass violations of digital rights, especially the right to privacy, under the pretext of managing the health crisis caused by the Coronavirus – 7amleh[61]

Thailand – 17/03/20

Arrivals to high risk areas of Thailand were given a SIM card that tracks their location for 14 days.

Ecuador – 17/03/20

Interior Minister María Paula Romo announced that police would begin to use satellite tracking to ensure citizens did not breach the “epidemiological fence”, according to a report by Ecuador TV.[62]

Privacy International later reported that the measure “authorized tracking mobile phones via GPS satellite to ensure that citizens do not break mandatory quarantine after six violators were identified”.[63]

Germany – 17/03/19

Deutsche Telekom, the German mobile operator, announced that it was passing anonymized location data of its users to the Robert-Koch Institute, a research institute and government agency responsible for disease control and prevention.[64]

The move came after GDPR-enabling legislation was altered to allow the processing of personal data during an epidemic.

Austria – 17/03/20

Austrian mobile operators reportedly began sharing anonymized mobile location data with Austrian authorities.[65]

Like the initiatives in Germany and the UK, the measure uses location data to determine whether or not citizens were restricting travel and following government advice.

South Korea – 16/03/02

Korean telecommunication companies and credit card companies reportedly shared data with public health authorities to assist tracking the movement of its citizens.[66]

It followed earlier reports that South Korea had launched a location-tracking mobile app to monitor citizens on lockdown to help contain the outbreak.[67]

In a story by The Guardian, text messages sent by health authorities and local district offices were also reportedly exposing “an avalanche of personal information and are fueling social stigma”.[68]

Italy – 14/03/20

Like Germany, the UK and Austria, Italian mobile operators have also been shown to be sharing aggregated location data with health ministries.[69]

The location data is thought to have to helped local authorities monitor citizens’ compliance with lockdowns.

Over 40,000 Italians have been found to be violating the lockdown, The Guardian reported.[70]

Belgium – 12/03/20

The Belgian government confirmed in March that it would allow local mobile operators to share anonymized location data with a third party to help track infections.[71]

The following week, a group of technology entrepreneurs argued in favor of creating a mobile app to track and regulate individuals’ movement based on their health status.[72]

Kenya – 08/03/20

“Authorities in Kenya have been tracking mobile phones of people suspected to have Covid-19 as a way of enforcing a 14-day mandatory isolation period,” the BBC reported.[73]

South Korea – 06/03/20

A new mobile app in South Korea used location-based services to track citizens’ movements. The app “will also use GPS to keep track of their location to make sure they are not breaking their quarantine”, according to the MIT Technology Review.[74]

Iran – 03/03/20

Iranian citizens received a notification in early March about a new mobile app supposedly from the Ministry of Health.

The app, called AC19, was created by the same developer that has made clones of Telegram in the past.

The app is thought to have collected citizens’ live location data and may have shared that with the authorities in Iran to track users’ movement.

“Of course, the app couldn’t tell citizens if they had coronavirus. But what it could do is hoover up huge amounts of data on citizens, including names, addresses, dates of birth, and even track people’s location in real time.” – VICE[75]

The following week, the app was removed from Google’s Play Store.

Singapore – 01/03/20

Singapore’s Ministry of Health made information about victims of the virus available to the public at the end of February. A developer then turned this location data into an interactive map so that citizens’ could track the location of those infected.

The map quickly went viral, raising fears that it could lead to discrimination, stigmatization and gross digital privacy violations.

“We must demand more from authorities as the role of big data and technology in humanitarian response matures.” – Access Now[76]

Taiwan – 18/02/20

All medical facilities were granted access to patients’ travel histories by combining data from the National Health Insurance Administration and Immigration Agency on February 18, ABC News reported.[77]

The report also suggests that those required to self-quarantine were “monitored through their cellphones”.

The cabinet spokeswoman told The Guardian that they “are not using advanced surveillance technology. It’s simply tracking based on their phone’s SIM cards and their nearby base stations.”[78]

The country’s response to the virus has been praised by many, although concerns regarding the high degree of mass surveillance remain in some quarters.[79]

Netanyahu referenced Taiwan’s use of accessing cellular location data in his address to the nation that outlined his more draconian approach.

Mass Surveillance

Authorities around the world are also adopting increasingly extensive physical mass surveillance measures that significantly intrude on individuals’ right to privacy.

These include the deployment of facial recognition cameras equipped with heat sensors, surveillance drones used to monitor citizens’ movements, and extensive CCTV networks in a bid to help enforce curfews.

UK – 08/10/20

“Artificial Intelligence cameras are being used in London and other cities in the UK to monitor social distancing,” The Evening Standard reported.[80]

The cameras are located across the country in cities including Manchester, Cambridge, London and Nottingham. Peter Mildon, Chief Operating Officer of Vivacity, the company that make the cameras, said: “The [cameras] enable us to provide anonymous data on how the road is being used. There are huge benefits in understanding how that space is being used and how that can be improved or how it can be made safer.”

U.S. – 11/08/20

The University of Oakland, Michigan, showed interest in adopting wearable devices to monitor the health of its students.

According to a report in Inside Higher Ed, the university plans to introduce BioButton, a device that’s “meant to be stuck onto the skin, near the upper chest. The button collects heart rate, skin temperature and respiratory rate at rest. Using a proprietary algorithm, the company claims the button can alert the wearer to very early signs of COVID-19, before symptoms arise or a diagnostic test would return positive.”[81]

According to the report, the university would not be able to actively monitor a specific student’s data.

U.S. – 01/08/20

Several sports stadiums in the U.S. are now using facial recognition technology as a means of establishing contactless entry, according to the WSJ.[82]

The New York Mets and the Los Angeles Football Club are currently testing the technology, while Los Angeles FC is using an app called Clear that asks fans to upload an image of themselves and link it to their existing profiles.

“At the stadium, one camera would measure the fan’s temperature, while a second would determine whether the fan is wearing a mask. The fan would pull down their face covering to allow the camera see their faces and admit them if they have purchased a ticket,” Axios reported.[83]

U.S. – 28/07/20

According to a report by CNN, “As the pandemic rages across the globe, a growing number of companies like Camio are repositioning themselves to offer AI to track whether people are keeping a safe distance in offices, warehouses and schools.”[84]

In a previous Top10VPN study, we found that demand for employee monitoring software had increased by 59% since March 2020.

Australia – 07/07/20

Drones were reportedly being used to monitor the NSW-Victoria border as local lockdowns came into effect.[85]

UAE – 19/05/20

Police in Dubai have been testing facial recognition cameras equipped with thermal screening technology to help identify infected individuals, Al-Monitor reported.[86]

“The project dubbed Oyoon — Arabic for ‘eyes’ — will also be used to ensure residents are practicing social distancing.”

Rwanda – 20/05/20

“As the coronavirus pandemic continues to spread across sub-Saharan Africa, Rwanda has deployed five state-of-the-art humanoid robots to aid its efforts against the virus.,” according to the Telegraph.[87]

The robots can be used to deliver medication and food, as well as screen citizens temperatures.

Greece – 17/05/20

Tourists on beaches in Greece were under mass surveillance by drones to help enforce social distancing, the Guardian reported.[88]

France – 04/05/20

“Video surveillance cameras in France will monitor how many people are wearing masks and their compliance with social distancing when the coronavirus lockdown is eased next week,” according to the BBC.[89]

The company responsible for developing the software has said it does not violate EU privacy legislation and is not facial recognition technology. Instead, it is apparently intended to provide alerts to city authorities and police when face mask and distancing rules are being violated.

UK – 30/04/20

Bournemouth Airport will begin a trial of smart thermal imaging cameras as it looks to reopen. In a video clip posted by the BBC, the camera appears to be made by Hikvision, a controversial Chinese company that is on the US’ trade blacklist due to alleged human rights violations in Xinjiang, China.[90]

Croatia – 27/04/20

The City of Rijeka used drones for mass surveillance of public areas to ensure social distancing measures were being followed. A similar initiative had been adopted in Virovitica earlier in the month.

UK – 27/04/20

AI cameras originally designed to track potential criminals were repurposed in Bristol Airport to monitor the temperature of travelers. The company reportedly “said it has attracted interest from health businesses, schools and universities, along with food retailers.”[91]

U.S. – 27/04/20

There was a sharp rise in interest for thermal imaging cameras across the U.S., Reuters reported.[92]

“Shops and workplaces eager to avoid spreading the novel coronavirus are equipping existing security cameras with artificial intelligence software that can track compliance with health guidelines including social distancing and mask-wearing.”

Ireland – 26/04/20

In April, it was reported that drones had been used to monitor compliance with movement restrictions in County Wexford, Ireland.[93]

“The county council has redeployed its fleet of half a dozen UAVs from patrolling for illegal dumping to monitoring compliance with movement restrictions,” the Irish Examiner reported.

UAE – 24/04/20

“Police in the United Arab Emirates are deploying smart helmets that can scan the temperatures of hundreds of people every minute in their effort to combat the new coronavirus,” according to Reuters.[94]

U.S – 23/04/20

“Police in Westport, Connecticut, announced this week that they’re testing a so-called ‘pandemic drone’ that can detect when people on the ground have fevers,” according to Gizmodo.[95]

This technology will reportedly be used to monitor those that violate social distancing rules and can “detect everything from heart rate to respiratory abnormalities in people on the ground”.

The efficacy of this type of mass surveillance technology remains unclear.

Chile – 22/04/20

Communities in Chile benefited from the use of drones to deliver medicines, disinfectants and masks. This video from Deutsche Welle published in April shows the technology in action.

Oman – 17/04/20

Health authorities in Oman announced in April that they would use drones equipped with thermal imaging equipment. According to the Arab News, “A joint team of researchers and academics has developed a drone system that can measure and register human temperature remotely.”[96]

Brazil – 15/04/20

Drones were used in Brazil to alert citizens of the latest public health messages. “A drone equipped with a loudspeaker began to fly over the… city today, alerting citizens to the importance of staying home and maintaining social distance in case it is unavoidable to go outside, following the guidelines of the Ministry of Health,” La Vanguardia reported.[97]

India – 14/04/20

Authorities in Chhattisgarh, India, recently released a mobile app that requires citizens to register for an “e-pass” to authorize travel.[98]

The app requires applicants to submit a “Photograph, Id Proof (Aadhaar Card) and Business proof.”

It has over 100,000 downloads and was last updated on April 14.

South Africa – 12/04/20

“Police and municipal officials of the Greater Tzaneen Municipality last week deployed a drone fitted with powerful speakers that broadcast Mangena’s coronavirus messages as it hovered above busy streets and dusty pavements,” local media reported.[99]

India – 10/04/20

Drones were used in Bengaluru district to help monitor and enforce social distancing and spray disinfectant. According to The Quint, “Bengaluru is one of the many cities in the country to deploy drones to manage the coronavirus outbreak. Apart from spraying disinfectant, state administrations are using drones for crowd management, enforcement of social distancing and heat mapping.”[100]

Italy – 10/04/20

“Italian police have started using drones with heat sensors to take people’s temperature and send the information to authorities,” AFP reported.[101]

“Some Italians have had enough of the buzzing machines and their heat maps.”

Bahrain – 08/04/20

“The Kingdom of Bahrain is keeping track of its active cases of COVID-19 via electronic bracelets,” according to Mobi Health Matters.[102]

The bracelets are connected to a contact tracing mobile app via Bluetooth and are used to ensure infected citizens remain quarantined.

“Violators will face legal penalties, potentially being sentenced to imprisonment for a period of not less than three months.”

India – 06/04/20

“Police forces are increasingly turning to drones or unmanned aerial vehicles (UAVs) to surveil populations and prevent the buildup of crowds during the three-week lockdown,” Live Mint reported.[103]

“In the national capital, police now rely on drones as a key surveillance instrument to keep tabs on people’s movement during the lockdown.”

UAE – 06/04/20

“Dubai Police will use Artificial Intelligence before deciding whether or not to issue fines to people for moving about during the 24-hour coronavirus sterilisation programme, an official said on Monday,” the Gulf Times reported.[104]

U.S. – 06/04/20

Authorities in West Virginia approved the use of ankle monitors to track citizens that refuse to quarantine, The Associated Press reported.[105]

Jordan, Israel, Kuwait, UAE, Saudi Arabia, Qatar – 05/04/20

Drones were being used across the MENA region, including in Jordan, Israel, Kuwait, the UAE, Saudi Arabia and Qatar in early April, according to France 24.[106] Drones were being used for a variety of reasons, including “to enforce curfews, deliver public health announcements and even monitor people’s temperatures”.

Tunisia – 03/04/20

“A police robot has been deployed to patrol areas of Tunisia’s capital, Tunis, to ensure that people are observing a coronavirus lockdown,” the BBC reported.

“If it spies anyone walking in the largely deserted streets, it approaches them and asks why they are out. They must then show their ID and other papers to the robot’s camera, so officers controlling it can check them.”

Poland – 31/03/20

“Police drones are already controlling parks, forests and river areas, looking for those who ignore the ban on gatherings” across Poland,” TVN 24 reported.[107]

“The devices used by the services are often equipped with thermal imaging cameras. Therefore, even after dark, you can quickly spot where the clusters of people are.”

Australia – 30/03/20

The West Australian police force were to begin using drones to help enforce lockdown, according to Australia’s 9 News.[108]

“Drones fitted with flashing police lights and sirens will be used to patrol beaches, parks and other areas, and will be able to deliver warnings to people disrespecting social distancing rules.”

U.S. – 27/03/20

According to a tweet from Spectrum News NY1 on March 27, the NYPD have been using aerial footage to help enforce public gathering restrictions.[109]

From the video, it appears helicopters, rather than drones, are being used.

UK – 26/03/20

On March 26, Derbyshire Police uploaded a video to Twitter that showed the use of drones to monitor visitors to the Peak District, a national park in the UK.

The police force are also likely to have used Automatic Number Plate Recognition (ANPR) technologies to track the visitors. According to a following tweet: “Some number plates were coming back to keepers in #Sheffield, so we know that people are travelling to visit these areas.”[110]

“We understand that people will have differing views about this post, however, we will not be apologetic for using any legal and appropriate methods to keep people safe,” the police force said in a later tweet.[111]

Belgium – 21/03/20

A tweet by Raphael-Antonis Stylianou, the EU Commission’s Online Communications Officer, appeared to show the use surveillance drones in Brussels on March 21.[112]

The video shows a drone emitting a warning through its speakers, urging citizens to respect social distancing.

France – 19/03/20

A video showing the use of drones in Nice, France, to help enforce lockdown, was released in March.

Spain- 14/03/20

Madrid’s Police Force tweeted: “We will not hesitate to use all the means that we have to ensure your security.”

The tweet included videos of new surveillance drones that the police force are being used to enforce the ongoing lockdown.

The drones are equipped with speakers and have been filmed urging citizens to stay at home.

“Spain’s tactics bear some resemblance to reported surveillance tactics used by China,” wrote Charlie Wood for Business Insider.[113]

Russia – 21/02/20

On Friday, 21 February, Reuters reported that Moscow’s mayor had announced the use of facial recognition to help ensure people remained at home.[114]

“Compliance with the regime is constantly monitored, including with the help of facial recognition systems and other technical measures,” the mayor reportedly wrote on his website.

Over 200 people have reportedly been found to be disobeying the self-quarantine orders by the city’s ‘Safe City’ surveillance system.[115]

China – 20/01/20

The Chinese regime has used a number of mass surveillance techniques from the outset, including the use of drones, facial recognition cameras and mobile phone monitoring.[116]

Two of the country’s largest state-owned telecommunication operators, China Unicom and China Telecom, asked citizens in Wuhan to provide the personal information in order to link them to their mobile devices and allow more effective monitoring.

It is hardly surprising that China, the country with the most sophisticated mass surveillance infrastructure in the world, would deploy such initiatives given the circumstances.

However, many are concerned these new mass surveillance practices will become the new normal and remain in place long term.

As Wang Aizhong, an activist based in Guangzhou, told The Guardian:[117]

“This epidemic undoubtedly provides more reason for the government to surveil the public. I don’t think authorities will rule out keeping this up after the outbreak.”

Supporting Documents & Additional Resources

For more updates on proposed and confirmed developments from around the world, follow Privacy International’s live tracker, Tracking the Global Response to COVID-19, and this document created by Dr. Andrew Dwyer.