Actions taken to slow the novel coronavirus have serious privacy implications which are starting to come to light. These negative outcomes were predictable, but most of us didn’t see them coming, proving that when considering policies affecting personal privacy, we must extend our imaginations into the edge cases – bad things that can possibly happen when personal information is gathered on a large scale.

Privacy advocates tell a horrific story to support their position.

In the first third of the last century, the government in the Netherlands built an impressive welfare state. The detailed files on every family kept by the Dutch assisted the government in supporting and protecting its people. For example, tracking every citizen’s religion allowed the authorities to provide an appropriate burial for someone who died without family left behind.

Of course, when the Nazis rolled into the Lowlands in May of 1940, they used those records for opposite reasons – to hunt down and kill Jewish and Roma people.[1] This viscerally drives home the point that once data has been collected, even for the best reasons, it is not inconceivable that the data will be used for unsavory or even terrifying reasons.

We are not a very imaginative people. We nearly always see policy decisions in the light of current facts and we understandably don’t extend our thoughts much further than the likely outcome of events. Expecting and analyzing risks a couple of standard deviations outside the probable outcomes is usually wasted effort. It is also a professional trait and hazard of being a lawyer. We are asked by clients to consider even the more outlandish risks and guard against them in contracts, policies and disclaimers.

So privacy lawyers shouldn’t be surprised that COVID-19 contact tracing is demonstrating some negative effects where it unmasks people’s private activities and leads to backlash. For example, when a fresh cluster of novel coronavirus was linked to Seoul’s Itaewon district, South Korean media reported that the outbreak was tied to gay clubs.  According to CNN, “Multiple reports also specified the age, district, type and location of work of the coronavirus patient believed to be at the center of the cluster. While the patient's age and district were posted by the city, details about the individual's work information were attributed in local media to unnamed officials.”

The same CNN report also noted that “Homophobia is still rife in South Korea and the country is less accepting of same-sex couples when compared to nearby democracies like Japan and Taiwan.” In South Korea, homosexuality is illegal in the military, where nearly all men must serve, and same-sex marriage is not a legal option. So blaming gay nightclubs for spreading COVID-19 encourages discrimination, and identifying an individual as both gay and responsible for spreading the virus inflames parts of the population against that person and the stigmatized group allegedly involved.

The South Korean government issued a warning against leaking personal information of coronavirus patients. A health ministry official stated that spreading baseless rumors or publicizing personal data could be punished as a criminal offense. 

In India, the government has issued a contact tracing application downloaded by more than 100 million smartphone users (out of 450 million Indian smartphones) and made use of the app mandatory for train travelers and people working in certain kinds of offices. The app is said to collect a broad range of information including Bluetooth connections and GPS data. The app works in tandem with India’s biometric identification system, which is nearly mandatory for Indian residents.

Some worry about the security of hoarding all this information linked to tens of millions of individuals in one place. The system has already been hacked and exposed by a white hat hacker. However, others have the imagination to worry about what the current Indian government might do with it.

While in Europe and other regions, data localization is anonymized as much as possible, India has not done this. CBS News reports that Indian opposition leader Rahul Gandhi called the app "a sophisticated surveillance system, outsourced to a pvt [private] operator, with no institutional oversight." The country has no data protection law that would apply to the information collected by this government app.

So there is no legal control on a government that has a plan to roll out a National Register of Citizens with a new citizenship law that singles out the 182 million Muslims in India. After recent deadly sectarian clashes in New Delhi, some believe these attacks could mark the beginning of a larger pogrom in the country. Others call out the Islamophobia of the Indian press spurred by the pandemic.

Stigmatized ethnic minorities should be concerned when the government that uses them as scapegoats now tracks people’s every movement. For many years, the lack of government tracking programs and the existence of generally permissive societies throughout the Western democracies made it difficult to think that individual people could be threatened by their own government tracking their movements. Things have changed.

The COVID crisis has accelerated and normalized many governments’ tracking of their residents.  As to the other side of the equation, do we know anyone who might use government databases to scapegoat disfavored minorities like Muslims, immigrants and people identifying as LGBT? I think so.

It doesn’t take much imagination to see where this can go.

[1] See, for example, Etzioni and Rice, Privacy in the Cyber Age: Policy and Practice, page 115; Issues in News and Reporting: Selections from CQ Researcher.