By Tse Hao Guang
Governments and other organisations are using technological solutions to safely resume economic and social activity amidst the COVID-19 pandemic. Some solutions, such as track-and-trace technologies to complement manual contact tracing, have been criticised for having limited utility in controlling COVID-19 transmission. Nonetheless, there are signs that bio-surveillance regimes — including immunity certification and the use of contactless biometric authentication like facial and iris recognition — are increasingly being considered as additional pandemic management measures. Beyond the usual trade-offs between safety and privacy, bio-surveillance may have surprising implications both for organisations using them, as well as people subject to them. Bio-surveillance is one area that governments should examine closely now, in order to better understand future trends to come.
The unfulfilled promise of digital contact tracing
Governments have turned to tech-assisted contact tracing, with mixed results. Some such methods rely on Bluetooth technology to track physical proximity between smartphones, alerting those whose phones have been in close contact with phones of confirmed COVID-19 cases. Others rely on some combination of Global Positioning System (GPS) data; blacklists of viral hotspots; user-provided personal, health (i.e. symptoms) and travel information; or existing government-held data on citizens. Some methods rely on centralised data storage; others use a decentralised system where data is stored only on users’ devices. Some solutions are dependent on users downloading an app (voluntarily or mandatorily); others mandate “check in” to venues.
Many of these solutions are proving insufficient. In the first three weeks of France’s StopCovid app launch in June, only 68 people had used it to report a positive covid-19 test; 14 contacts were traced from these reports. As of 10 June, Australia’s Covidsafe app had not found anyone not already discovered by manual contact tracing. Governments of countries using Bluetooth mobile apps, including Germany and Switzerland, are unable to find out how many people have actually been warned by the apps. Several other initiatives, such as in Japan and the UK, have been hampered by bugs and/or delays. To complement its TraceTogether app, the Singapore government has implemented the SafeEntry “check-in” system, and will soon distribute physical, “always-on” Bluetooth tokens nationwide to address smartphone battery, app compatibility and other usability issues.
Towards more effective bio-surveillance
The trend towards bio-surveillance had already been underway pre-COVID-19 with the adoption of biometric e-passports and the EU’s iBorderCtrl initiative, which would require incoming travellers to undergo lie-detection tests that analyse “micro-gestures” such as subtle nonverbal facial and bodily cues. The benefits of authenticating bodies seem clear: it appears much more difficult to evade bio-surveillance or forge biometric identification, even though low-tech methods to get around bio-surveillance are already in use. With COVID-19, the importance of bio-security has become even more widely accepted.
A significant example of a bio-surveillance regime accelerated by COVID-19 is China’s use of Health Quick Response (QR) Codes. In early February, when China was beginning to see exponential increases in COVID-19 cases, the city of Hangzhou tapped on Chinese digital giants to create the health QR code system. It combines personal and health data provided by users with data collected and stored by the government; relies on Artificial Intelligence (AI) to determine blacklists of “high risk areas”; stores data centrally; and assigns users safety statuses that determine access to venues. The system is not fully transparent; it is not clear to the users precisely how their statuses are determined. Chinese citizens have largely accepted Health QR codes and other bio-surveillance technology such as AI fever detection systems, backed by the belief that these measures have helped the country to quickly contain the pandemic.
In a similar manner, digital immunity passports, or a presentable proof of immunity to COVID-19, have been suggested as a means to safely restart international travel and return to work. This is despite the World Health Organisation’s warning that there is no evidence that those who have recovered from COVID-19 are protected from a second infection. Reports are emerging of “reinfected” individuals in Hong Kong, Belgium, the Netherlands and the US. Regardless, proposals for immunity passports have been made in the UK, Germany, Indonesia, Italy, Israel, Colombia, Argentina and the US, and companies like contactless hotel booking platform Sidehide have announced partnerships to deliver booking systems making use of such passports. Ahead of the curve, Estonian NGO Back to Work is already testing smartphone-based digital immunity passports in partnership with local companies.
COVID-19 is creating even more demand for contactless identification and verification technologies like facial recognition and iris scanning. The global facial recognition market is expected to grow from USD3.8 billion in 2020 to USD4.5 billion by 2021, and the global iris recognition market from USD2.3 billion in 2019 to USD4.4 billion by 2024; both driven by increasing government and corporate interest. 98 countries already use facial recognition, and both facial and iris recognition technology is used to secure mass-market smartphones. Closer to home, Singapore’s Universal Studios now requires visitors to pass through facial recognition scanners to enter the park, in order to provide contactless and seamless verification of tickets and ticketholders. Changi Airport also recently introduced facial and iris recognition to replace fingerprint scanning for immigration clearance, utilising the enrolment of such data with the Immigration and Checkpoints Authority since 2017.
Considering the unintended implications of bio-surveillance
Bio-surveillance regimes are prone to mission creep, persisting and increasing their reach even after the epidemiological threat subsides. For example, Hangzhou proposed to expand Health QR Code use to rate citizens on exercise, eating, drinking and smoking habits. This provoked widespread criticism on Weibo, adding to lingering concerns that the Chinese government would use QR codes and facial recognition technology as a means of long-term social control.
Bio-surveillance could also lead to unnecessary restrictions on people in public spaces. The Shin Bet augmented contact tracing in Israel with counterterrorism methods; however, these methods sent thousands of healthy Israelis into quarantine. Smartphone-based solutions could also lead to the physical isolation of those without access to them such as the elderly, rural populations, and the low-income. One Chinese man reportedly walked 600 miles to relatives in another province as he had no smartphone and was not allowed to use public transport. Another woke up at home after a night out to find his phone and ID card stolen; he could not pay for new ID because he used mobile payments. He did not leave his apartment until a new phone ordered by his friend arrived. Of course, physical tokens can be stolen or lost, too.
Bio-surveillance can provoke non-compliance and malicious or perverse behaviour. In India, a programmer successfully hacked the Aarogya Setu tracing app so that he always appeared safe; other workarounds include flashing screenshots of the app’s “green badge” to authorities. Pakistan’s Patient Zero became a pariah after his name, photograph and home address were leaked on social media. A suite of low-cost hacks has been developed to bypass facial recognition, such as 3D-printed face masks, makeup, infrared light, and printing complex patterns on clothing. In some cases, hackers can fool facial recognition software into recognising a completely different person. Iris recognition hacks involving photos and contact lenses have also been successful. Immunity passports, if implemented, could lead to perverse outcomes; a Daily Mail poll found that 19% of respondents would consider deliberately infecting themselves if such passports were introduced.
Another aspect of bio-surveillance relates to the nature of biometric and health data that such regimes generate and use. Such data is particularly vulnerable to identity theft, as it is in most cases impossible to replace, unlike credit card data or even one’s address. A global consensus on the legal, policy and ethical issues surrounding the collection and handling of such data is still far-off. As bio-surveillance becomes more widespread and pervasive, it is likely that such issues will come to the forefront, especially when security vulnerabilities emerge or data beaches occur. For example, facial recognition company Clearview AI’s entire client list was stolen in February 2020, leading to pressure on the company to stop collecting publicly available images of faces online.
Governments should prepare for the “biodigital convergence”
Canadian think-tank Policy Horizons has recently articulated the potential for a “biodigital convergence”, where biological and digital systems interpenetrate to change the way we live, work, and even define what is natural or human. The rise of bio-surveillance, accelerated by COVID-19, is undoubtedly one undercurrent of this driving force. The need to ensure safety and order through more direct and fine-grained monitoring of human bodies has led to these new methods of sensemaking. Technological advances will not only improve them, but also build upon them to generate further novel applications. In order to understand what a biodigitally converged world might look like, it is crucial for governments to look at the unintended implications of bio-surveillance now. Developing ethical, legal and policy frameworks in response could equip countries to face this future with more confidence.
Tse Hao Guang is Strategist at the Centre for Strategic Futures.
The views expressed in this blog are those of the authors and do not reflect the official position of Centre for Strategic Futures or any agency of the Government of Singapore.
“COVID-19 Impact on the Facial Recognition Market by Component, Vertical, and Region — Global Forecast to 2021”. Research and Markets, June 2020.
“Iris Recognition Marker by Component, Product, Application, Vertical, and Region — Global Forecast to 2024”. Markets and Markets, Oct 2019.
Andrew Tarantola. “Clearview AI leak names businesses using its facial recognition database”. Engadget, 27 Feb 2020.
Andrew Webb. “Coronavirus: How ‘immunity passports’ could create an antibody elite”. BBC News, 2 Jul 2020.
Ayelet Shachar. “Bio-surveillance, invisible borders and the dangerous after-effects of COVID-19 measures”. opendemocracy.net, 22 Jun 2020.
Craig Timberg, Steve Hendrix, Min Joo Kim and Piona Weber-Steinhaus. “Cellphone apps designed to track covid-19 spread struggle worldwide amid privacy concerns”. Washington Post, 18 August 2020.
Elise Thomas. “How to hack your face to dodge the rise of facial recognition tech”. Wired, 1 Feb 2019.
Ian Morris. “Samsung Galaxy S8 Iris Scanner Hacked In Three Simple Steps”. Forbes, 23 May 2017.
Iman Ghosh. “Mapped: The State of Facial Recognition Around the World”. Visual Capitalist, 22 May 2020.
John Geddie and Aradhana Aravindan. “Singapore’s Universal Studios deploys facial recognition for entry”. Reuters, 3 Aug 2020.
Jordan Schneider. “How China Created Its Health QR Codes”. Chinatalk, 29 Apr 2020.
Josh Horwitz and Brenda Goh. “As Chinese authorities expand use of health tracking app, privacy concerns grow”. Reuters, 26 May 2020.
Joshua Briones, Esteban Morales and Adam B. Korn. “Preparing for Biometric Litigation from COVID-19”. Risk Management Magazine, 16 Jul 2020.
Justin Meneguzzi. “Will you need an ‘immunity passport’ to travel?” BBC Travel, 31 Aug 2020.
Kristel Van der Elst. “Exploring Biodigital Convergence”. Policy Horizons Canada, 11 Feb 2020.
Nicole Wetsman. “A case of coronavirus reinfection shows the complexities of the pandemic”. The Verge, 29 Aug 2020.
Pranav Dixit. “India’s Contact Tracing App Is All But Mandatory. So This Programmer Hacked It So That He Always Appears Safe”. Buzzfeed News, 12 May 2020.
Ramsha Jahangir. “‘I became a pariah.’ Coronavirus victims’ data is leaked on social media in Pakistan”. Coda, 1 May 2020.
Rory Cellan-Jones and Leo Kelion. “Coronavirus: The great contact-tracing apps mystery”. BBC News, 21 July 2020.
Tarmo Virki. “Estonia starts testing digital immunity passport for workplaces”. Reuters, 23 May 2020.
Tautevile Daugelaite. “China’s health code system shows the cost of controlling coronavirus”. Wired, 17 Jul 2020.
Toh Ting Wei. “Covid-19: Eye and face scans part of touch-free travel at Changi Airport”. The Straits Times, 1 Jul 2020.