COVID-19 Digital Rights Tracker

This live tracker documents new measures introduced in response to COVID-19 that pose a risk to digital rights around the world.
Covid-19 Digital Rights Tracker Header Image - Man Walking In Shadow of Surveillance Cameras
Samuel Woodhams

UPDATED 25 March 2021 14:00 GMT to include the latest information on COVID-19 vaccine passport apps.

Key Findings

COVID-19 Digital Health Certificates

  • 73 digital health certificate apps are in operation globally
  • We consider 60 apps (82%) to have inadequate privacy policies
  • 32 apps (44%) monitor users’ precise location
  • Of the 20 most popular apps, 14 have potentially invasive permissions
  • There are now 14 vaccine passport apps, with 13.4M downloads

Contact Tracing Apps:

  • 120 contact tracing apps are available in 71 countries
  • 45 apps now use Google and Apple’s API
  • The U.S. has 23 apps, more than any other country in the world
  • 19 apps, with 4 million downloads combined, have no privacy policy

Digital Tracking Measures:

  • 60 digital tracking measures have been introduced in 38 countries
  • Telecom providers have shared user data in 20 countries

Physical Surveillance Initiatives:

  • 43 physical surveillance measures have been adopted in 27 countries
  • Drones have been used in 22 countries to help enforce lockdowns
  • Europe introduced more surveillance measures than any other region


Since the outbreak of COVID-19, governments around the world have implemented a wide range of digital tracking measures, developed dozens of contact tracing apps, and introduced new physical surveillance initiatives in a bid to slow the spread of the virus.

In the seven months since we began this index, we’ve recorded hundreds of new initiatives; from drones used to enforce lockdown measures in Australia, to the mass monitoring of mobile phones in Israel.

Some of these may well be proportionate, necessary and legitimate during these unprecedented times. However, some have dramatically threatened citizens’ civil liberties and right to privacy.

We will continue to update this live index and document new initiatives that threaten digital rights to help stem overreach, promote scrutiny, and ensure that intrusive measures don’t continue for any longer than absolutely necessary.

To view our complete findings, view this public Google Sheet.

COVID-19 Digital Health Certificates

In March 2020, China’s AliPay Health Code system made headlines around the world. The software assigned citizens a color code that represented their COVID-19 status and was used to determine whether or not a user could access public spaces.

Since then, apps designed to log and display the COVID status of an individual for domestic and international travel, access to academic institutions and workplaces have proliferated around the world.

In total, we recorded 73 apps currently in operation which have been downloaded almost 19 million times combined.

Intended to prevent infectious people from accessing public spaces and potentially spreading the virus, digital health certificates have been heralded as an important way of combating the virus and enabling societies to re-open.

However, like digital contact tracing apps, many of these apps have been developed in a haphazard way, putting users’ privacy and security at significant risk. They also face numerous limitations in terms of their efficacy and risk exacerbating existing inequalities on a huge scale.

Key Findings:

  • There are currently 73 digital health certificate apps in operation
  • They have been downloaded at least 18.8M times combined
  • 60 apps (82%) have inadequate privacy policies
  • U.S. developers have created almost half (35) of all apps
  • Employee screening apps (19) and venue access apps (19) are the most common, followed by international travel apps (17)

Their poor design not only puts users’ sensitive health information at risk, it has also created immediate real-world problems.

As one review of Indonesia’s mandatory travel app explained: “People [are] exhausted after their journey and they cannot leave [the] airport” because the app crashed.[1]

eHac Play Store review

eHac Play Store review.

A reviewer of another app complained that incorrect information on the app “caused [them] to unnecessarily spend money to change [their] flight.”[2]

iFly Play Store review

VeriFly Play Store review.

Digital health certificates are yet another example of developers, private companies, and governments attempting to solve a complex public health crisis with rushed and poorly designed technology.

Vaccine Passport Apps

As vaccines begin to be administered around the world, an increasing number of apps have been designed to log and display whether a user has received their jab.

Like all digital health certificate apps, developers have claimed these apps will encourage international travel to resume safely and allow domestic economies to reopen. However, few of these apps have adequate privacy safeguards.

Key Findings:

  • There are currently 14 vaccine passport apps in operation
  • They have been downloaded at least 13.4M times combined
  • 10 apps (71%) have inadequate privacy policies
  • 6 apps (43%) track users’ precise locations
  • 17 apps are expected to be released in the coming months

The following table shows details of vaccine passport apps available globally. Android download figures have been sourced from the Play Store, while the iOS monthly figures are from SensorTower for February 2021.

* Note: WeChat- Digital Health Certificate download figures may not reflect the true number of vaccine passport users as this feature is integrated into the wider WeChat application. It has therefore been excluded from the overall download figure provided in the key findings.

As well as having poor privacy protections, these apps also risk exacerbating global inequality. As vaccines are being distributed unequally around the world, some citizens will benefit from these apps while others won’t.

It’s also significant that receiving the vaccine doesn’t necessarily mean an individual can’t pass the virus on. As the UK Government stated: “We do not yet know whether [the vaccine] will stop you from catching and passing on the virus.”[3] Therefore, even if an individual has had the vaccine, this does not necessarily make them safe to travel or re-enter the workplace.

“We do not encourage at this stage that getting a vaccination determines whether you can travel internationally or not.” – Hans Kluge, WHO Europe[4]

Despite their many limitations, these apps are likely to become a prominent part of governments’ technological response to the pandemic as vaccines continue to be rolled out.

All Digital Health Certificates: Privacy Analysis

The following section provides privacy policy information on all of the digital health apps. These include apps that require users to submit vaccination status, PCR test results, antibody tests and self-symptom logs.

Privacy Policy Analysis:

  • 36 (49%) apps do not have dedicated privacy policies
  • 36 (49%) do not disclose exactly what personal information is collected
  • 59 (81%) do not disclose how long users’ data will be stored for
  • 42 (58%) share information with third parties in some way
  • 49 (67%) publicly state they will share user information with law enforcement agencies and authorities when requested.
  • None of the apps are open source

Some of the privacy policies were not just inadequate, they were potentially misleading.

According to Canada’s ArriveCAN privacy policy, the app “doesn’t use GPS or other technology on your mobile phone to track your location.”[5] Yet our analysis showed the app contained the ACCESS_FINE_LOCATION permission which could allow the app to monitor a users’ precise location via GPS. The app has been downloaded almost 200,000 times.

We also discovered some apps have potential vulnerabilities. Scans of Brunei’s BruHealth app, for example, showed that it potentially contained malware. The app has been downloaded over 100,000 times.

Even when apps are developed with privacy in mind, there is always a risk that they will be misused in the future.

In January, it was reported that law enforcement agencies in Singapore had been given access to data from the TraceTogether app, despite clear indications on the original privacy policy that this would not happen.[6]

In our analysis, more than half of all apps explicitly state they will share users’ personal information if asked by a relevant authority.

Privacy advocates have warned of this type of mission creep since the beginning of the pandemic and digital health certificate apps are similarly at risk of serving more nefarious purposes in the future.

This is particularly true given the potentially invasive permissions embedded within the apps and their poor privacy policies.

The following table shows the 20 most popular COVID digital health certificate apps around the world with information on their privacy policies and potentially invasive permissions. Android download figures have been sourced from the Play Store, while the iOS monthly figures are from SensorTower for February 2021.

Contact Tracing Apps

Contact tracing apps have become a defining feature of the digital response to the pandemic. In total, we have documented 120 contact tracing apps in 71 countries, with many more scheduled to be rolled out in the coming weeks.

Key Findings:

  • There are currently 120 contact tracing apps available globally
  • India’s Aarogya Setu is the most popular, with 100 million downloads
  • The U.S. has 23 contact tracing apps, more than any other country in the world
  • 30 apps (25%) use GPS as the primary contact tracing method
  • 58 apps (48%) use Bluetooth and 26 (22%) use Bluetooth and GPS
  • 45 (37.5%) contact tracing apps are now using Google and Apple’s API
  • 19 apps, with over 4 million downloads combined, have no privacy policy

Much like VPN apps, contact tracing apps have provoked heated discussions in regards to their privacy and inclusivity.

The privacy concerns raised have gradually eased in recent months by the increasingly widespread adoption of Google and Apple’s Exposure Notifications API. That’s because Google and Apple’s API requires app developers to adopt a decentralized approach if they want to utilize the API’s functionalities.

The decentralized system provides users with randomly generated, anonymous temporary keys. Upon a positive test result, the users’ app will share the temporary codes it’s used to a central server. These codes are then sent to every other device with the app installed to perform contact matching risk analysis and, if the random key matches one that the app has previously logged and meets the specified risk exposure criteria, it will send an alert and ask the user to self-quarantine.

Unlike the centralized approach, the decentralized approach protects users’ anonymity by performing the contact matching analysis at the local level, rather than at the point of the central server.

Overall, 45 contact tracing apps are currently using Google and Apple’s API, including 13 contact tracing apps in the US. There are also plans in another 6 States to use the API in the future.

While an increasing number of countries have adopted the decentralized approach, an alarming number still put users’ privacy at risk. 19 contact tracing apps, which have been downloaded over 4 million times combined, don’t even have a dedicated privacy policy.

Contact tracing apps often use GPS technology to monitor your precise location – a VPN that spoofs GPS is among the only consumer technology that can prevent this from happening.

The efficacy and inclusiveness of contact tracing apps also remains in doubt. According to a recent WIRED report,[7] the UK’s contact tracing app “risks leaving out people with older phones, in particular those without the money to buy a newer one,” as it requires users to have a phone running Android 6.0 or iOS 13.5 or later.

However, the greatest hurdle facing contact tracing apps is ensuring enough people download and use them. One recent study claimed that at least 60% of citizens would need to download the app for it to work effectively. Since then, however, the researchers have stressed that these apps may still help save lives with lower levels of uptake.[8]

However, even if the apps are downloaded by a large section of society, that doesn’t guarantee success.

In France, the country’s contact tracing app was downloaded 1.8 million times and yet it only sent 14 notifications, according to TechCrunch.[9] In Iceland, the app was downloaded by 40% of the population and yet, “it wasn’t a game changer,” according to Gestur Pálmason,[10] who is overseeing the country’s contact tracing efforts.

Even the Product Lead of Singapore’s lauded TraceTogether has highlighted the limitations of contact tracing apps.

Issues surrounding the interoperability of contact tracing apps are likely to dominate the debate in the coming weeks. The EU Commission has announced[11] that European apps would begin to be interoperable from October 17, with the German and Italian apps the first to connect.

Similarly, in the U.S. an increasing number of contact tracing apps are using the national key server created by The Association of Public Health Laboratories.[12]

As international travel begins to increase, it’s imperative that apps from various countries and regions can work together to help coordinate an effective global response to the virus.

Ultimately, contact tracing apps have played a marginal part in the global effort to bring the virus under control. From the beginning, experts have warned that they would not be a silver bullet and, to date, they certainly haven’t been.

Contact Tracing Apps: In-Depth Analysis

We analysed 47 contact tracing apps in 28 countries in detail and found that many put users’ privacy at risk.

  • 25 apps (53%) do not disclose how long they will store users’ data for
  • 28 apps (60%) have no publicly stated anonymity measures
  • 24 apps (51%) contain Google and Facebook tracking
  • 9 apps contain Google AdSense trackers
  • 11 apps contain Google conversion tracking and re-marketing code
  • 7 apps include code from Facebook

We found code relating to Google’s advertising and tracking platforms in 17 contact tracing apps . This includes AdSense, Google’s advertising network that allows publishers to make money by showing ads to their users, and also the much more powerful Google Ad Manager, formerly known as DoubleClick for Publishers, which allows publishers to show ads from a huge array of sources.

Aside from the ethics of monetizing public health in this way, the presence of such tracking code in contact tracing apps raises privacy red flags due to the targeting options offered by Google’s ad platforms.

We also found code that enabled varying levels of integration with Facebook in seven apps. This ranges from direct integration with Facebook’s advertising platform to functionality allowing users of the apps to link their Facebook accounts, or to share content from the contact tracing apps to Facebook.

The general lack of privacy preserving features in these apps exacerbates concerns that contact tracing apps may be used to harvest citizens’ personal information.

Access this Google Sheet for our complete findings.

Global Contact Tracing App Details

The following table shows the 10 most popular contact tracing apps from around the world. Download figures provided are from Google’s Play Store.

* For full list of developers, please refer to this Google Sheet.

All Measures - Regional Analysis

The following table summarise measures being adopted by region that threaten digital rights. For details of individual measures skip ahead to the following sections:

Digital Tracking

As governments around the world implement measures to help slow the spread of the virus, many have turned to digital tracking initiatives to help monitor their populations.

Measures have included the use of aggregated mobile location data to track citizens during lockdowns, apps designed to help identify the location of those with the virus, and the deployment of advanced mobile monitoring technologies.

Below is a reverse chronological list of confirmed digital tracking measures being adopted around the world.

Singapore – 14/09/20

Singapore introduced Bluetooth contact-tracing tokens for its residents in September in an attempt to help slow the spread of the virus. The tokens were an important way of expanding contact tracing efforts to those without smart phones.

As the BBC reported, “The initial rollout is happening in areas with a greater concentration of elderly people, who are both at a greater health risk from Covid-19 and less likely to own a smart phone.” [13]

Brazil – 10/07/20

In a positive move, Brazil’s Supreme Court overruled a government order that forced telecommunications companies to share user data with authorities.

According to the Global Data Review: “Privacy advocates have hailed the judgment has a historic win, but warned that the court’s decision could lead to unintended consequences – by allowing other government agencies to set precedent on data protection issues before the country’s data protection authority is established.”[14]

New Zealand – 07/07/20

Hamish Walker, a New Zealand politician, leaked the personal details of COVID-19 patients to the media in July. The data was acquired by Michelle Boag, the chief executive of a rescue helicopter trust, who then passed it to the politician. According to the Guardian: “The incident has shocked New Zealanders and is being viewed as the first smear attempt of the upcoming general election.”[15]

Israel – 24/06/20

Just a matter of weeks after the controversial tracking measure was halted, Israel’s parliament voted to reintroduce Shin Bet’s Covid-19 digital tracking initiative on June 24.[16]

hile – 19/06/20

Telecommunications companies in Chile confirmed they were passing user data to public authorities in a bid to monitor the movements of citizens. According to one report, the data is “aggregated and anonymous.”[17]

Israel – 09/06/20

On Tuesday 09 June, an Israeli official announced that the country’s internal security service had brought its cell-phone tracking operation to an end.

The official, who requested anonymity, told Reuters: “This (tracking) will be renewed only if there is a big outbreak, at which point snap legislation would be required in parliament.”[18]

The use of the technology, which was originally designed to counter terrorism, had previously been challenged in court.

Morocco – 29/05/20

In an article published on 29 May, entitled ‘Morocco’s coronavirus surveillance system could tip into Big Brother,’ Aziz Chahir argued that the country’s recently deployed digital tracking apps risked plunging the country “further into a hyper-surveillance system.”[19]

According to the article, Morocco had purchased much of the technology from Israel.

China – 26/05/20

On May 26, the Guardian reported that authorities in Hangzhou had announced their intentions of making a COVID-19 app permanent.[20]

According to the article, the app is similar to many deployed around the country that displays a “QR code with an individual’s virus status, which can be used to determine the extent to which the individual is allowed to move about.”

The new, broader app is thought to provide every citizen with a score out of 100 and record information including the number of cigarettes smoked, hours slept and steps taken by the user.

India – 11/05/20

On May 11 it was reported that an app used by the Madhya Pradesh government designed to track COVID-19 patients had leaked personal information online.

According to an article published by the Hindustan Times: “The database contained the names of people who are meant to be quarantined, information about the type of phone they used and their last known location – at times as accurate as within 5 meters – and was available for download on an website.”[21]

After its discovery, the database was quickly taken offline.

Jordan – 08/05/20

On May 8, the Prime Ministry of Jordan Facebook’s page posted a video announcing a new app called Cradar.[22]

The app is designed to allow citizens inform authorities about unauthorized gatherings and warn them if they suspect someone of having the virus.[23] It is one of many apps developed by authorities in Jordan.

Other apps include a contact tracing app[24] and an app designed to help authorities enforce quarantine measures.[25]

Hungary 04/05/20

In early May, EURACTIV reported that the Hungarian government had announced plans to temporarily suspend parts of the European-wide General Data Protection Regulation (GDPR).[26]

According to the article, the new measures “include the suspension of the rights to access and erasure of personal information, and those who lodge a complaint or exercise their right to a judicial remedy will also have to wait for the proceedings to start until after the government proclaims an end to the state of danger.”

Opposition politician Bernadett Szél responded by saying, “restricting data rights is unnecessary and disproportionate, and furthermore does not help, even hinders the fight against the epidemic.”

In a recent report by Freedom House, the NGO said that “Prime Minister Viktor Orbán’s government in Hungary has … dropped any pretense of respecting democratic institutions.”

Turkey – 07/05/20

According to Human Rights Watch, Turkey’s health minister announced on April 7 a mandatory app for people thought to be infected with COVID-19.[27]

According to the organization: “The app follows the movement of people instructed to self-isolate, and if they leave their homes, they receive a warning via SMS and are contacted instantly through automatic call technology and told to return to isolation.

“Those who fail to comply with the warning and continue to violate the quarantine are reported to relevant law enforcement and face administrative measures and sanctions, which can include jail time ranging from two months to a year in accordance with Article 195 of Turkish Penal Code.”

Russia – 05/05/20

According to an article published on May 5, citizens of Moscow who have developed symptoms of the virus have been asked to send three selfies daily to authorities to prove that they are remaining inside.[28]

According to a tweet by journalist Mathew Luxmoore, failure to comply could lead to fine of 4,000 roubles, approximately US$55.[29]

Malaysia – 04/05/20

Authorities in Selangor have introduced a new COVID-19 digital tracking system aimed at preventing the spread of the virus as the city emerges from a lockdown.

According to an article in the Malay Mail, “The system aims to support registered business or commercial premises owners by providing them with unique QR codes that can be placed on posters and scanned by visitors who enter their premises.”

Customers will then be required to scan the QR code before entering and, if they later test positive for the virus the businesses will be alerted.

Pakistan 23/04/20

On April 23, Prime Minister Imran Khan announced that the country’s Inter-Services Intelligence (ISI) was helping monitor citizens with technology originally designed for tracking potential militants.

According to VOA: “Rights activists say they fear the surveillance method could be misused by authorities to gain more access into the lives of Pakistani civilians, particularly those who are critical of the government.”

Morocco – 23/04/20

An app that monitors citizens location was launched in Morocco in April to assist police forces with enforcing lockdown measures.

According to MAP officials quoted in The Star, the app lets police “know which checkpoints a person has passed through, allowing them to trace their movements” but “conforms to the rigorous security criteria used by the DGSN in its databases.”

Brazil – 17/04/20

On April 17, the Brazilian government passed legislation to allow the passing of telecommunication data to public bodies. The legislation was later struck down by the Supreme Court.

Finland – 14/04/20

Mobile operator Telia published a press release stating that it had passed on anonymized phone location data to the government, prompting a review from the Office of the Chancellor of Justice.

According to one report, “The cabinet’s coronavirus war room uses the data provided by the app to analyze situations such as traffic flows in various parts of the country.”[32]

Kazakhstan – 08/04/20

According to Privacy International, the “Kazakhstani ministry of health requires the 8,000 or so Kazakhstani citizens currently under quarantine to use the SmartAstana tracking app, which enables officials to ensure that they remain in isolation.”

In Almaty, the country’s largest city, authorities are also using video surveillance to help track those breaking quarantine orders. The technology is produced by Korkem Telecom, a local telecommunications firm, according to an article by the Jamestown Foundation.[33]

Sweden – 08/04/20

According to a report by Computer Sweden published on April 8, “The Swedish Public Health Agency will use mobile data from Telia to analyze how people have moved in Sweden in connection with the spread of the coronavirus in the country.”

Australia – 05/04/20

According to an article published by The Sydney Morning Herald: “Vodafone has provided the mobile phone location data of several million Australians in an anonymized and aggregated form to the federal and NSW governments to monitor whether people are following social distancing restrictions amid the coronavirus pandemic.”[35]

“To date, governments, medical experts and the media have used location data from transport apps such as CityMapper, which shows how people move throughout cities like Sydney and Melbourne using public transport, in an attempt to determine whether people’s movement has reduced,” the story continues.

India – 05/04/20

On April 5, India Today reported the introduction of a new contact tracing app created by the Karnataka government.

According to the article, “the app aims to track the movement history of persons tested positive, before their detection in order to take precautions and to contain the coronavirus outbreak.”[36]

According to an article published the following day in Citizen Matters, “the governments of Kerala, Karnataka, Punjab and Tamil Nadu, the Ministry of Electronics and Information Technology (MeitY) and the National Informatics Centre (NIC) have released various mobile apps.”[37]

Rohini Lakshane writes that “while desperate times understandably call for desperate measures, many of these mobile phone-based interventions raise concerns about the privacy of users and that of persons directly affected by the novel coronavirus, overboard surveillance, and eventually, “function creep”.

U.S.- 04/04/20

On April 4, CNN reported that two tech startups had tracked citizens visiting the beach in Fort Lauderdale, Florida, by monitoring mobile phone location data.[38]

One of the companies involved then posted a heat map on Twitter to show their findings.[39]

Despite claiming to only use anonymized data, it has been repeatedly been shown that even large anonymized data sets are at risk of re-identification.

New Zealand – 02/04/20

In an article published on April 2, it was reported that police authorities in New Zealand were asking returning Kiwis to give consent to authorities to track their location via their mobile phones.[40]

According< to Police Commissioner Mike Bush, returning citizens "get a text from us [saying] 'please reply, turn on your location services and if it is okay with you we will be able to monitor where you are.'"[41]

India – 31/03/20

On March 31, it was reported that the Andhra Pradesh government was tracking mobile phones of those in quarantine. According to one report, the technology uses signals of mobile towers to track people’s location and monitor whether or not they are abiding with the lockdown measures.[42]

India – 31/03/20

According to an article by India Today, authorities in the state of Andhra Pradesh are using a range of digital tracking technologies to ensure infected citizens remain in quarantine.

“The first tool which is called the Covid alerting tracking system is being used by the authorities to track over 25,000 people who have been placed under home quarantine by tracking the location of their phones on a real-time basis with the help of telecom service providers and mobile tower signals,” the article states.[43]

Argentina – 30/03/20

At the end of March, the big data firm Grandata released a heat map showing the movement of citizens around Argentina to monitor compliance with new lockdown measures.

Privacy International have written: “this is the perfect example of the data exploitation industry and data brokers, using data that users probably where not aware they were sharing with third parties like Grandata”[44]

U.S. – 28/03/20

According to a report by the Wall Street Journal on March 28, “Government officials across the U.S. are using location data from millions of cellphones in a bid to better understand the movements of Americans during the coronavirus pandemic.

“The data — which is stripped of identifying information like the name of a phone’s owner — could help officials learn how coronavirus is spreading around the country and help blunt its advance.”[45]

It is thought the data has been acquired from the mobile advertising industry, instead of mobile operators.

Brazil – 27/03/20

According to a report from ZDNet on March 27, “The mayor of Recife said the city is tracking at least 700.000 smartphones to identify where the lockdown rules are being followed.”

“Governments across Brazil are looking to roll out a system developed that uses geolocation tracking to support actions around the lockdowns intended to slow the spread of COVID-19.”[46]

The system is developed by InLoco, a Brazilian startup, and geotracks users “through a location map that doesn’t use GPS or beacons, which InLoco claims to be 30 times more accurate than GPS”.

Switzerland 26/03/20

According to a report by Reuters, “Switzerland has asked state-controlled Swisscom for day-old mobile phone data to help judge whether measures to restrict people’s movements and slow the coronavirus’s spread were working.”[48]

Daniel Koch, head of infectious diseases at the federal health agency, said it “it had nothing to do with […] surveillance” as they were only acquiring data from the previous day.

South Africa – 24/03/20

On Wednesday 24 March, South Africa’s communications minister Stella Ndabeni-Abrahams told reporters, “It is important to look at the individuals that are affected [by the virus] in order to be able to help the department of health to say that we know, in a particular area we have so many people that have been infected.

“The [telecommunications] industry collectively has agreed to provide data analytics services in order to help government achieve this.”

According to a report by Business Insider, “She did not provide further details, and regulations that will govern South Africa’s national lockdown, and methods of curbing the spread of the virus, have not yet been published.”[49]

Guatemala – 24/03/20

Authorities in Guatemala have released an app to help spread information regarding the virus to its citizens, according to Privacy International. The app also collects “each user’s email address, social media account handles, age, personal interests, and geographic location, and asks permission to access files, calls, and audio, among others.”[50]

According to an article published a week later, the app was developed in collaboration with Google and Friends of Israel.[51]

UK – 24/03/20

Researchers from King’s College London and St. Thomas’ Hospitals, in collaboration with a health company ZOE, have released an app that allows citizens to self-report their health to provide data on the spread of the virus.

According to the project’s listing on GovLab’s living repository of data collaboratives in response to COVID-19: “This data, protected by the European Union’s GDPR, is then sent to King’s College London and the NHS.”

Bulgaria – 24/03/20

According to a tweet from Dr. Vesselin Bontchev, from March 24 Bulgarian authorities will have the power to trace mobile phone traffic metadata and internet contacts without a court order.[52]

“The idea is to trace those in quarantine but this limitation is not spelled out in the law,” he wrote on Twitter.

Pakistan – 24/03/20

On March 24, Ramsha Jahangir reported that several residents across the country had received a text message alerting them that they may have come into contact with someone with the virus.

The message reportedly read: “It has been observed that you may have come in contact with a confirmed coronavirus case in the last 14 days. You are, therefore, requested to take necessary precautionary measures by self-quarantine.”[53]

It is thought the measure has been implemented via cell site location information (CSLI) and call detail record (CDR) data acquisition methods.

“Using CDR analysis, details such as locations visited by a confirmed Covid-19 patient as well as cell phone numbers of others who were in the same vicinity at the time can be obtained from the patient’s phone data,” the article stated.

Russia – 23/03/20

On March 23, the Russian government released an announcement ordering the Ministry of Communications to develop a new contact tracing system to help monitor citizens thought to have come into contact with those that have the virus.[54]

“The system [will] analyze specific individuals’ geolocation data from telecommunications companies,” Meduza reported.[55]

Morocco – 23/03/20

“Moroccan police have started using a mobile application in recent days to track violators of the kingdom’s lockdown in response to the coronavirus, according to the official MAP news agency,” Malaysian news site The Star reported.[56]

The app was developed by the country’s national security force and allows the police to know which checkpoints a person has passed through.

“More than 53,000 people have been arrested since the start of a public health state of emergency on March 20,” according to the article.

Spain – 23/03/20

According to GovLab’s repository of data collaboratives, telecommunications giant Telefonica have been working with Spanish authorities to provide “mobility insights for monitoring restrictions, detecting infection hotspots, [and] prediction of virus propagation”.

According to the listing, the project went live on March 23.

India – 20/03/20

On Friday, 20 March, Reuters reported, “People suspected of having the coronavirus in India have received hand stamps and are being tracked using their mobile phones and personal data.”[57]

The indelible hand stamps, which have been applied to citizens arriving at airports in Maharashtra and southern Karnataka, include the date that the person may be released from self isolation.

“In southern Kerala state, authorities have used telephone call records, CCTV footage, and mobile phone GPS systems to track down primary and secondary contacts of coronavirus patients,” the Reuters story continued.

Poland – 19/03/20

On March 19, Poland’s Ministry of Digital Affairs launched a new app for quarantined citizens.[58]

The app prompts its users to send a geolocated selfie at random times throughout the day, so that authorities can ensure that they are abiding by the quarantine measures.

Failure to comply with the orders to remain inside could result in a fine of PLN 5,000.

According to Privacy International: “The system checks both the person (using facial recognition) and the location, essentially replicating what would otherwise be a visit from a police officer.”[59]

UK – 19/03/20

On Thursday March 19, Sky News reported that the British government was working with major mobile network O2 to analyze its users’ location data.[60]

“The project will not be able to track individuals and is not to designed to do so,” according to the article.

A report published the same day by The Guardian revealed that EE, the country’s largest mobile operating company, was also in advanced discussions with the government about how best to share their users’ location data.

“Privacy campaigners worry that handing over such personally identifying information in large quantities crosses a line that may be hard to step back from when things return to normality.”[61]

Hong Kong – 19/03/20

All international arrivals to Hong Kong currently have to stay at home for 14 days to help slow the spread of the virus. To track the new arrivals, authorities are now providing them with wristbands that log a user’s location and share it with relevant authorities.

Anyone violating the quarantine orders could face up to six months in prison and a fine of up to HK$25,000, according to Quartz.[62]

Italy – 18/03/20

Vodafone launched a five-point plan to help respond to the outbreak of COVID-19 on March 18.[63]

The company was “already producing an aggregated and anonymous heat map for the Lombardy region in Italy to help the authorities to better understand population movements in order to help thwart the spread of COVID-19”, according to the press release.

Israel – 17/03/20

On Tuesday, 17 March, Israel’s government approved new surveillance measures that will allow the regime to track citizens by monitoring their mobile phones.

Benjamin Netanyahu had outlined his plans the previous weekend.

The technology, which was originally developed to assist in counter-terrorism operations, is thought to be able to track the physical location of all mobiles in the country, as well as monitor calls and messages.

According to digital rights group, 7amleh, it is also capable of accessing citizens cameras and headsets.

Israel [is] committing mass violations of digital rights, especially the right to privacy, under the pretext of managing the health crisis caused by the Coronavirus – 7amleh[64]

Thailand – 17/03/20

Arrivals to high risk areas of Thailand were given a SIM card that monitors their location for 14 days.

Ecuador – 17/03/20

According to a report by Ecuador TV, on March 17 Government Minister María Paula Romo announced that the government would begin to use satellite tracking to ensure citizens did not breach the “epidemiological fence”.[65]

Privacy International later reported that the measure “authorised tracking mobile phones via GPS satellite to ensure that citizens do not break mandatory quarantine after six violators were identified.”[66]

Germany – 17/03/19

Deutsche Telekom, the German mobile operator, announced on March 17 that it was passing anonymized location data of its users to the Robert-Koch Institute, a research institute and government agency responsible for disease control and prevention.[67]

The move came after the government altered its GDPR-enabling legislation to allow the processing of personal data during an epidemic.

Austria – 17/03/20

In Austria, reports emerged on March 17 claiming that Austrian mobile operators had begun sharing anonymized mobile location data with the government.[68]

Like the initiatives in Germany and the UK, the measure is intended to be used to track whether or not citizens’ were restricting travel and following government advice.

South Korea – 16/03/02

On March 16, it was reported that Korean telecommunication companies and credit card companies were sharing data to the government to assist tracking the movement of its citizens.[69]

It followed reports from earlier in the month that the government had launched an app to monitor citizens on lockdown to help contain the outbreak.[70]

In a story by The Guardian, text messages sent by health authorities and local district offices were also reportedly exposing “an avalanche of personal information and are fueling social stigma.”[71]

Italy – 14/03/20

Like Germany, the UK and Austria, Italian mobile operators have also been shown to be sharing aggregated location data with health ministries.[72]

In a bid to control the virus in a country that has now registered more Coronavirus-related deaths than China, the location data is thought to have to helped local authorities monitor citizens’ responses to its lockdown measures.

Over 40,000 Italians have been found to be violating the lockdown measures, The Guardian reported.[73]

Belgium – 12/03/20

On March 11, the Belgian government confirmed that it would allow local mobile operators to share anonymized data with a third party to help track the spread of the virus.[74]

The following week, a group of technology entrepreneurs argued in favor of creating app to track and regulate individuals’ movement based on their health status.[75]

Kenya – 08/03/20

“Authorities in Kenya have been tracking mobile phones of people suspected to have Covid-19 as a way of enforcing a 14-day mandatory isolation period,” the BBC reported.[76]

South Korea – 06/03/20

On March 6, Max S. Kim published a story in the MIT Technology Review that covered a new app being used in South Korea to track citizens’ movements.[77]

According to the article, the app “will also use GPS to keep track of their location to make sure they are not breaking their quarantine”.

Iran – 03/03/20

On Tuesday, March 3, Iranian citizens received a notification about a new app supposedly from the Ministry of Health.

The app, called AC19, was created by the same developer that has made clones of Telegram in the past.

The app is thought to have collected citizens’ live location that it may have shared with the regime to track users’ movement.

“Of course, the app couldn’t tell citizens if they had coronavirus. But what it could do is hoover up huge amounts of data on citizens, including names, addresses, dates of birth, and even track people’s location in real time.” – VICE[78]

The following week, the app was removed from Google’s Play Store.

Singapore – 01/03/20

At the end of February, Singapore’s Ministry of Health made information about victims of the virus available to the public. Following this, a developer turned the information into an interactive map so that citizens’ could track the location of those infected.

The map quickly went viral, raising fears that it could lead to discrimination, stigmatization and gross digital privacy violations.

“We must demand more from authorities as the role of big data and technology in humanitarian response matures.” – Access Now[79]

Taiwan – 18/02/20

Taiwan’s government granted all medical facilities access to patients’ travel histories by combining data from the National Health Insurance Administration and Immigration Agency on February 18, ABC News reported.[80]

The report also suggests that those required to self-quarantine were “monitored through their cellphones”.

The cabinet spokeswoman told The Guardian that the government “are not using advanced surveillance technology. It’s simply tracking based on their phone’s sim cards and their nearby base stations.”[81]

The country’s response to the virus has been lauded by many, although concerns regarding the high degree of surveillance remain in some quarters.[82]

Netanyahu referenced Taiwan’s use of accessing mobile phone data in his address to the nation that outlined Israel’s more draconian approach.

Physical Surveillance

In an attempt to slow the spread of COVID-19, governments around the world are also adopting increasingly extensive physical surveillance measures.

These include the deployment of facial recognition cameras equipped with heat sensors, surveillance drones used to monitor citizens’ movements, and extensive CCTV networks in a bid to help enforce curfews.

UK – 08/10/20

“Artificial Intelligence cameras are being used in London and other cities in the UK to monitor social distancing,” reported London news site The Evening Standard.[83]

The cameras are located across the country in cities including Manchester, Cambridge, London and Nottingham. Peter Mildon, Chief Operating Officer of Vivacity, the company that make the cameras, said: “The [cameras] enable us to provide anonymous data on how the road is being used. There are huge benefits in understanding how that space is being used and how that can be improved or how it can be made safer.”

U.S. – 11/08/20

The University of Oakland, Michigan, showed interest in adopting wearable devices to monitor the health of its students.

According to a report in Inside Higher Ed, the university plans to introduce BioButton, a device that’s “meant to be stuck onto the skin, near the upper chest. The button collects heart rate, skin temperature and respiratory rate at rest. Using a proprietary algorithm, the company claims the button can alert the wearer to very early signs of COVID-19, before symptoms arise or a diagnostic test would return positive.”[84]

According to the report, the university would not be able to actively monitor a specific student’s data.

U.S. – 01/08/20

Several sports stadiums in the U.S. are now using facial recognition technology as a means of establishing contactless entry, according to the WSJ.[85]

The New York Mets and the Los Angeles Football Club are currently testing the technology, while Los Angeles FC is using an app called Clear that asks fans to upload an image of themselves and link it to their existing profiles.

“At the stadium, one camera would measure the fan’s temperature, while a second would determine whether the fan is wearing a mask. The fan would pull down their face covering to allow the camera see their faces and admit them if they have purchased a ticket,” Axios reported.[86]

U.S. – 28/07/20

According to a report by CNN, “As the pandemic rages across the globe, a growing number of companies like Camio are repositioning themselves to offer AI to track whether people are keeping a safe distance in offices, warehouses and schools.”[87]

In a previous Top10VPN study, we found that demand for employee monitoring software had increased by 55% since the outbreak of the virus.

Australia – 07/07/20

In a story published by Australian Aviation, it was reported that drones were being used to monitor the NSW-Victoria border as local lockdowns came into effect.[88]

UAE – 19/05/20

Police in Dubai have been testing facial recognition cameras equipped with thermal screening technology to help slow the spread of the virus, Al-Monitor reported.[89]

“The project dubbed Oyoon — Arabic for “eyes” — will also be used to ensure residents are practicing social distancing.”

Rwanda – 20/05/20

“As the coronavirus pandemic continues to spread across sub-Saharan Africa, Rwanda has deployed five state-of-the-art humanoid robots to aid its efforts against the virus.,” according to the Telegraph.[90]

The robots can be used to deliver medication and food, as well as screen citizens temperatures.

Greece – 17/05/20

Tourists on beaches in Greece were being monitored by drones to help enforce social distancing, according to a report published by the Guardian.[91]

France – 04/05/20

“Video surveillance cameras in France will monitor how many people are wearing masks and their compliance with social distancing when the coronavirus lockdown is eased next week,” according to BBC reports.[92]

The company responsible for developing the software has said it does not violate EU privacy legislation and is not facial recognition technology. Instead, it is apparently intended to provide alerts to city authorities and police when face mask and distancing rules are being violated.

UK – 30/04/20

Bournemouth Airport will begin a trial of smart thermal imaging cameras as it looks to reopen. In a video clip posted by the BBC, the camera appears to be made by Hikvision, a controversial Chinese company that is on the US’ trade blacklist due to alleged human rights violations in Xinjiang, China.[93]

Croatia – 27/04/20

The City of Rijeka used drones to monitor public areas to ensure social distancing measures were being followed. A similar initiative had been adopted in Virovitica earlier in the month.

UK – 27/04/20

AI cameras originally designed to track potential criminals were repurposed in Bristol Airport to monitor the temperature of travelers. The company reportedly “said it has attracted interest from health businesses, schools and universities, along with food retailers.”[94]

U.S. – 27/04/20

There was a sharp rise in interest for thermal imaging cameras across the U.S., Reuters reported.[95]

“Shops and workplaces eager to avoid spreading the novel coronavirus are equipping existing security cameras with artificial intelligence software that can track compliance with health guidelines including social distancing and mask-wearing.”

Ireland – 26/04/20

In April, it was reported that drones had been used to monitor compliance with movement restrictions in County Wexford, Ireland.[96]

“The county council has redeployed its fleet of half a dozen UAVs from patrolling for illegal dumping to monitoring compliance with movement restrictions,” the Irish Examiner reported.

UAE – 24/04/20

“Police in the United Arab Emirates are deploying smart helmets that can scan the temperatures of hundreds of people every minute in their effort to combat the new coronavirus,” according to Reuters.[97]

U.S – 23/04/20

“Police in Westport, Connecticut, announced this week that they’re testing a so-called ‘pandemic drone’ that can detect when people on the ground have fevers,” according to an article in Gizmodo.[98]

The article states the technology will be used to monitor those that violate social distancing rules and can “detect everything from heart rate to respiratory abnormalities in people on the ground”.

The efficacy of this type of technology remains unclear.

Chile – 22/04/20

In April, it was announced that communities in Chile had benefited from the use of drones to deliver medicines, disinfectants and masks. This video from Deutsche Welle shows the technology in action.

Oman – 17/04/20

In April, health authorities in Oman announced that they would use drones equipped with thermal imaging equipment. According to a report by the Arab News, “A joint team of researchers and academics has developed a drone system that can measure and register human temperature remotely.”[99]

Brazil – 15/04/20

Drones were used in Brazil to alert citizens of the latest public health messages. La Vanguardia reported, “A drone equipped with a loudspeaker began to fly over the… city today, alerting citizens to the importance of staying home and maintaining social distance in case it is unavoidable to go outside, following the guidelines of the Ministry of Health.”[100]

India – 14/04/20

The Government of Chhattisgarh, India, recently released an app that requires citizens to register for an “e-pass” to authorize travel.[101]

The app requires applicants to submit a “Photograph, Id Proof (Aadhaar Card) and Business proof.”

It has over 100,000 downloads and was last updated on April 14.

South Africa – 12/04/20

“Police and municipal officials of the Greater Tzaneen Municipality last week deployed a drone fitted with powerful speakers that broadcast Mangena’s coronavirus messages as it hovered above busy streets and dusty pavements,” local media reported.[102]

India – 10/04/20

Drones were used in Bengaluru district to help monitor and enforce social distancing and spray disinfectant. According to The Quint, “Bengaluru is one of the many cities in the country to deploy drones to manage the coronavirus outbreak. Apart from spraying disinfectant, state administrations are using drones for crowd management, enforcement of social distancing and heat mapping.”[103]

Italy – 10/04/20

“Italian police have started using drones with heat sensors to take people’s temperature and send the information to authorities,” according to AFP.[104]

“Some Italians have had enough of the buzzing machines and their heat maps.”

Bahrain – 08/04/20

“The Kingdom of Bahrain is keeping track of its active cases of COVID-19 via electronic bracelets,” according to an article in Mobi Health Matters.[105]

The bracelets are connected to a contact tracing app via Bluetooth and are used to ensure infected citizens remain quarantined.

According to the article, “Violators will face legal penalties, potentially being sentenced to imprisonment for a period of not less than three months.”

India – 06/04/20

Live Mint reported on April 6 that “police forces are increasingly turning to drones or unmanned aerial vehicles (UAVs) to surveil populations and prevent the buildup of crowds during the three-week lockdown.”[106]

“In the national capital, police now rely on drones as a key surveillance instrument to keep tabs on people’s movement during the lockdown.”

UAE – 06/04/20

“Dubai Police will use Artificial Intelligence before deciding whether or not to issue fines to people for moving about during the 24-hour coronavirus sterilisation programme, an official said on Monday,” the Gulf Times reported.[107]

U.S. – 06/04/20

The Associated Press reports that authorities in West Virginia approved the use of ankle monitors to track citizens that test positive for COVID-19 but refuse to quarantine on 6 March.[109]

Jordan, Israel, Kuwait, UAE, Saudi Arabia, Qatar – 05/04/20

France 24 reported that drones were being used across the MENA region, including in Jordan, Israel, Kuwait, the UAE, Saudi Arabia and Qatar in early April.[109] Drones were being used for a variety of reasons, including “to enforce curfews, deliver public health announcements and even monitor people’s temperatures.”

Tunisia – 03/04/20

According to the BBC, “A police robot has been deployed to patrol areas of Tunisia’s capital, Tunis, to ensure that people are observing a coronavirus lockdown.”

“If it spies anyone walking in the largely deserted streets, it approaches them and asks why they are out. They must then show their ID and other papers to the robot’s camera, so officers controlling it can check them.”

Poland – 31/03/20

At the end of March TVN 24 reported that, “Police drones are already controlling parks, forests and river areas, looking for those who ignore the ban on gatherings” across Poland.[110]

“The devices used by the services are often equipped with thermal imaging cameras. Therefore, even after dark, you can quickly spot where the clusters of people are.”

Australia – 30/03/20

On March 30, Australia’s 9 News reported that the West Australian police force are to begin using drones to help enforce the lockdown measures.[111]

“Drones fitted with flashing police lights and sirens will be used to patrol beaches, parks and other areas, and will be able to deliver warnings to people disrespecting social distancing rules.”

U.S. – 27/03/20

According to a tweet from Spectrum News NY1 on March 27, the NYPD have been using aerial footage to help enforce public gathering restrictions.[112]

From the video, it appears helicopters, rather than drones, are being used.

UK – 26/03/20

On March 26, Derbyshire Police uploaded a video to Twitter that showed the use of drones to monitor visitors to the Peak District, a national park in the UK.

The police force are also likely to have used Automatic Number Plate Recognition (ANPR) technologies to track the visitors. According to a following tweet: “Some number plates were coming back to keepers in #Sheffield, so we know that people are travelling to visit these areas.”[113]

In a later tweet, the police force said: “We understand that people will have differing views about this post, however, we will not be apologetic for using any legal and appropriate methods to keep people safe.”[114]

Belgium – 21/03/20

A tweet by Raphael-Antonis Stylianou, the EU Commission’s Online Communications Officer, appeared to show the use surveillance drones in Brussels on March 21.[115]

The video shows a drone emitting a warning through its speakers, urging citizens to respect social distancing measures.

France – 19/03/20

A video showing the use of drones in Nice, France, to help enforce lockdown measures, was released in March.

Spain- 14/03/20

On March 14, Madrid’s Police Force tweeted: “We will not hesitate to use all the means that we have to ensure your security.”

The tweet included videos of new surveillance drones that the police force are being used to enforce the ongoing lockdown.

The drones are equipped with speakers and have been filmed urging citizens to stay at home.

Charlie Wood wrote for in Business Insider that “Spain’s tactics bear some resemblance to reported surveillance tactics used by China”.[116]

Russia – 21/02/20

On Friday, 21 February, Reuters reported that Moscow’s mayor had announced the use of facial recognition to help ensure people remained at home.[117]

The mayor reportedly wrote on his website: “Compliance with the regime is constantly monitored, including with the help of facial recognition systems and other technical measures.”

According to one report, over 200 people have been found to be disobeying the self-quarantine orders by the city’s ‘Safe City’ surveillance system.[118]

China – 20/01/20

Since the outbreak of the virus, the Chinese regime has used a host of surveillance measures to try and stem the spread of the disease.

This has included the use of drones, facial recognition cameras and mobile phone monitoring.[119]

Two of the country’s largest state-owned telecommunication operators, China Unicom and China Telecom, asked citizens in Wuhan to provide the personal information in order to link them to their devices and allow more effective monitoring.

It is hardly surprising that China, the country with the most sophisticated surveillance infrastructure in the world, would deploy these measures in response to the outbreak.

However, many are concerned these new measures will become the new normal and remain in place after the virus subsides.

As Wang Aizhong, an activist based in Guangzhou, told The Guardian:[120]

“This epidemic undoubtedly provides more reason for the government to surveil the public. I don’t think authorities will rule out keeping this up after the outbreak.”

Supporting Documents & Additional Resources

For more updates on proposed and confirmed developments from around the world, follow Privacy International’s live tracker, Tracking the Global Response to COVID-19, and this document created by Dr. Andrew Dwyer.