If just three months ago anyone had suggested that Western governments would be launching apps to track the movements of their citizens and record who they had met, the reaction would have ranged from hilarity to outright revolution. And yet these apps are arriving with hardly a ripple.
These unprecedented and devastating times put the state at the centre of all our lives. Governments around the world have been making exceptional decisions, taking control over economies and societies in a bid to save them. At least in the West, there’s been nothing like this in living memory.
Changes usually reserved for months or years have accelerated to just a few days: communication tools have been adopted overnight; tracing apps are being rolled out across the world, and life-or-death hardware and software is being installed at breakneck speed.
But in this new age of democratic surveillance, it’s important to question whether these “war-time” decisions should remain in peace time. We also need to find an acceptable model for mediating privacy between governments and individuals in a world where millions of lives are literally on the line. How could we go about this, and what do we need to bear in mind?
The privacy backlash
As the dust settles, states and citizens alike are putting these newly adopted technologies under intense scrutiny from a security and privacy perspective:
- Who ultimately controls this platform?
- Where is my data stored?
- Could a government (domestic or foreign) get access to my data with, say, a court order?
- Can other people listen in to my calls or read my messages?
- Is my activity being tracked, and can I opt out?
This backlash has thrown open a market for companies providing ultra-secure, privacy-first instant messaging and video conference tools such as Riot, Mattermost and Rocket.chat. Riot, which is built on the Matrix.org protocol, allows users to host their own data—rather than trust it to foreign servers—and because Matrix is open source, anyone can check for backdoors and malicious code.
Crucially in this new world, states and individuals have exactly the same tools at their disposal: national security-grade communications are democratised, giving the public the same guarantees over their own privacy and security as nation states enjoy. From a tech perspective, the playing field is level; whether the public cares enough about privacy remains to be seen.
Security in the spotlight
Similarly, in the cyber attack landscape, individuals are at least on par with governments—and often ahead. Yet traditionally, even high-profile cyber attacks have been received by the public with a remarkable degree of apathy (does it really matter if an attacker stole my easyJet login details?).
But as national infrastructure, from power grids to transport to hospitals, becomes front-of-mind, the real-world consequences of cyber attacks are more evident, shining an ever-brighter spotlight on the security of our key services.
Global ransomware attacks on hospitals — now increasingly under the control of states — have, during this period, remained largely the stuff of nightmares. But as a reminder, the 2017 WannaCry attack paralysed hospitals’ Microsoft systems. Police are patrolling parks, and we should expect the same step-up in the virtual world. So far, there hasn’t been a rallying cry for better cyber security, but this could soon be a crucial part of the dialogue.
But security is not just about locking things down, important though that is: it’s also about ensuring that people have the right tools to work as efficiently as possible — while also remaining secure and compliant. Following the spur of Covid-19, sharing healthcare data will be greatly improved in future.
Our portfolio company Zivver, which has its HQ in the Netherlands, enables medical and government workers to send secure messages and files to each other. It’s designed to feel invisible to frontline workers whose attention is understandably directed elsewhere.
Meanwhile, UK online medical consultation startup AccuRx built a video chat tool in one weekend in March that is now being used for 35,000 appointments per day. It built in encryption at the outset, keeping patients safe.
The new normal: privacy and security by default
Software was eating the world; it now is the world. If every company is a software company, then in response to the changing dynamic, every company must now also be a privacy and security company.
Any product that impacts our lives will need to have security and privacy baked into it by default, rather than added on as an afterthought. Software must help the state without growing it—protecting and empowering individuals, but only by capitalising on their data to the minimum extent necessary to deliver the core service. This is in stark contrast with the prevailing approach whereby data is mined and resold for commercial purposes, in ways that are impossible for the end user to fathom or trace.
The idea of surveillance, even democratic surveillance, likely sits uneasily with many of us. The question lingers: in the face of complete access to personal data being essential for the common good in times of war, plague and general disorder, does the state’s right supersede all else? How can technology help central powers collate and learn what they need to manage this pandemic, while also protecting civilians from intensifying surveillance?
Western democratic nations are now following less-liberal counterparts’ leads: France’s “Stop Covid” tracking app will reportedly be ready next month, and here in the UK, the government has been trialling a tracing app on the Isle of Wight — to mixed reviews. But private and independent groups and organisations started building months ago.
There are apps like Zoe, which, launched by epidemiologists at King’s College London, enables individuals to track their own symptoms and see the spread of Covid-19 in their area, all the while providing that data to scientists. And privacy-by-design projects like US-based Safe Paths have developed free, open-source tools for individuals, public health officials and communities to “prevent a surveillance-state response to the pandemic”. Apple and Google have announced a partnership to build a system based on anonymised data shared between their two platforms.
Software can enable institutions and individuals to benefit in unison. If tracking and monitoring spread can be of use to individuals and governments and also have privacy and transparency architected into the product itself, the them-versus-us dichotomy diminishes. In the face of all this, that feels like a saving grace. And, hopefully, for a good handful of entrepreneurs, an opportunity to build.