The Centre for Internet and Society recently released a groundbreaking paper on the practical, legal and ethical implications of using mobile phone data (CDRs, or Call Detail Records) in emergencies, with Liberia’s experience of the recent Ebola epidemic as the case study. Written by Sean Martin McDonald, the paper is brilliant, insightful and well researched, and is creating a much-needed debate in the humanitarian and responsible data communities. This post is a contribution to that debate. It reflects on just one of the ethical issues surfaced by the analysis, that of consent to data-sharing in the context of humanitarian emergency.
CDRs, as McDonald writes, are one of the most sensitive kinds of digital data available. They are intensely revealing of personal characteristics, showing all kinds of information that not only make people identifiable, but also make it possible to track, locate, monitor and influence behaviour. Consent is key to data protection law, as is understanding the purpose for which data will be shared. The logic of the paper is that for mobile operators to pass such data on to humanitarian organisations (most likely with the national government as intermediary compelling the sharing of the data), individual-level consent would be the most important factor in making sharing possible.
McDonald argues thus:
‘Obtaining consent at point of collection is both a legal requirement in the Liberian context and a commercial practice that has significant precedent for less altruistic means. There is no question that building emergency data use clauses into commercial and public service contracts is both the most straightforward and the most legal way to facilitate the sharing of CDRs, and minimizes virtually every other question that the law compels.’
This argument, although in line with all existing data protection rules and norms, is problematic in a practical context. Consent without purpose limitation – knowing what one is consenting to – is widely judged to be legally (and practically) meaningless. Furthermore, the kinds of context in which mobile data may be shared under ‘emergency data use clauses’ are exactly those where purpose limitation is unlikely and a chain of sharing and reuse may be established under the same premises of urgency that made data shareable in the first place.
Take, for example, a hypothetical case where a large-scale attack, such as an instance of bio-terrorism, occurs in a country, affecting a large portion of the population. The country’s government may authorise data sharing for public safety reasons, allowing international authorities access to CDRs to track who is in need of help or may infect others. National security challenges often, by their nature, lead to national political and governmental instability, so that data released for purposes of care may soon also be seen as necessary for purposes of control – in fact, control often becomes defined as care in emergency situations. Crowd control and disease quarantine are just two obvious examples of this.
In a situation such as this, mobile data may initially be shared in order to track and help people. But in a context of raised control such as military or emergency rule, such data may also become invaluable for tracking and preventing unauthorised population movements, flows of resources and financial transactions, or protest and activism. In these cases, the data would gradually become repurposed in a process that the surveillance field terms ‘function creep’, making people’s consent meaningless if they were only consenting to the data’s use for purposes of care.
To tackle this, lack of consent may in fact be the best strategy. To all intents and purposes, data sharing without consent is illegitimate. However, the argument is precisely that some emergency contexts may make it necessary to share data without being able to get people’s consent. So instead of effectively extending meaningless consent to this kind of data-sharing, perhaps it is more ethical to acknowledge that it is happening without explicit individual consent.
Removing consent from the picture has two implications. First, it puts full accountability on the authority sharing the data, and removes the ability to claim that individuals consented to the process – because in cases such as those currently hypothesised, they have not. Second, it underlines the enormous potential for violating people’s fundamental rights, and (most likely) turns the sharing of such data into a high-profile event that attracts political consequences and is discussed on the international level.
It will be argued that in this scenario mobile operators will not share data because their liability is too great. However, if a government has requisitioned the data, the operator is no longer liable and cannot be held accountable for any misuse of the data along the line.
Such a strategy would make it sensible to nominate data protection authorities, possibly on the international level, that can act as ethical intermediaries in cases where national data governance has broken down, as McDonald posits happened in Liberia’s case. They should have access to advice from country officials with knowledge of the local context and concerns, and should be responsible for obliging national authorities to let people know how their data is being used, for example through local radio.
Sharing CDRs in their raw form is the data protection equivalent of suspending constitutional rights. When such rights are suspended it is usually on a temporary basis, but in contrast when data is let out of the box, it is out for good – it will only replicate and be re-shared. Furthermore, the kind of context where there is an urgent case for sharing such sensitive data is also the kind of context most likely to give rise to repurposing and further sharing. A principle of non-consent and acknowledgement that privacy is being violated may, ironically, be the most appropriate and ethical way to approach such a situation.