This week, under the leadership of European Commissioner Thierry Breton, the European Commission sent a recommendation to all EU Member States’ governments to utilize telecom data and data technology in order to curb the spread of the coronavirus. This recommendation is largely based on the system which was launched in mid-March by the Belgian ‘Data against Corona’ taskforce.
The taskforce uses the telecom data of every person in Belgium with a mobile phone in order to map their movements. There is also a mobility app to trace people who are infected. This system is based on the know-how of tech entrepreneur Sebastien Deletaille from Brussels. Which he gained through his former company Riaktr while working in Liberia and Sierra Leone. There he helped the government combat the extremely deadly Ebola virus with the use of telecom data. The system he developed when he was there now needs to be deployed in Europe. However, privacy legislation is much stricter in Europe than in Africa. Innovation Origins asked Deletaille for a clarification.
How does the Belgian corona taskforce operate?
“Two Belgian ministers are in it. The Minister of Telecom, Privacy and Digitization, Philip de Backer, and the Minister of Public Health, Maggie de Block. They responded to an opinion piece in the Flemish newspaper L’Echo wherein fellow entrepreneur Frederic Pivetta and I posed the question: why don’t we use aggregated telecom data that has been made anonymous in order to defeat the virus? Within 24 hours, all the Belgian telecom companies declared: we are ready and willing to work on this. The two ministers then said: we are prepared to support this initiative. So, you have the government, the data providers (the telecom companies), us as entrepreneurs and experts, plus the Belgian Data Protection Authority.
We jointly said: let’s make a presentation of ‘use cases‘ whereby we outline how we are going to use the anonymized, aggregated data. The Data Protection Authority must first authorize what we are doing and establish that we remain respectful of individuals’ personal privacy. Bear in mind that the Belgian Data Protection Authority is an independent organization that can penalize the government and industry experts. So, we had all the people with the right skills and discretionary powers around the table. We also have a viable legislative framework. On top of that, we have added other governance mechanisms such as an ethics committee that oversees our work. We have scrutinized and reviewed all codes of conduct and confidentiality clauses contained in the contracts.”
Within 24 hours, all the Belgian telecom companies declared: we are ready and willing to work on this.
But I haven’t yet heard that we have a task force like this in The Netherlands …
“No, I don’t think this is happening in The Netherlands. [The Dutch Data Protection Authority has let me know that this is the case, ed.] When I say that I use telecom data from all over Belgium, some people fear that I have access to their name and phone number, all the numbers that they have called and places where they have been. But that’s not how it works. That’s what you see in movies, in Black Mirror [a Netflix series; the term ‘black mirror’ refers to a phone screen, ed.], that’s what you see in China. Which is not what we’re talking about. The telecom operators make an aggregate of their data. We’re only looking at trips made by over thirty people a day from one zip code area to another. Telephone numbers, names of people and individual locations are not registered. This way you get an anonymous aggregate of data. That creates a picture of the mobility trends within any given country.”
But what if you live in a very small town?
“Imagine you live in the countryside in a zip code area with only a hundred people. If ten of those go to a different zip code area, that data is filtered out and deleted.”
But do these regulations only apply to Belgium or does it apply to the entire European Union?
“To the entire European Union.”
Does this regulation originate from Belgium?
“No, this regulation comes from the GDPR (General Data Protection Regulation from the EU, ed.). It’s an anonymization technique known as k-anonymity 30. That’s the law. It says: if you display information within a geographical area, you are not allowed to disclose results based on a group of fewer than 30 people. If you look at national statistics, including those in The Netherlands, you see that they never give out any information about groups smaller than 30 people. They only state that the group is smaller than 30 people, but they never say exactly how many people the group is made up of. These rules are standard. They also apply to Belgium. That never causes any problems. If data shows that 2000 trips were made between Amsterdam Central Station and Schiphol yesterday, no one would say: yes, but that’s far too private.”
And yet the reaction to the use of telecom data was not particularly positive in The Netherlands.
“The Dutch Data Protection Authority has issued a major statement saying that telecom data can never be anonymous and that if the government is willing to work with that, it needs to draft new legislation.”
Is that not true then?
“They create a lot of confusion that way. Because we are not talking about the same thing. The telecom data which the Dutch DPA refers to is about your personal locational data. That is not what we are referring to. Besides, if the Dutch Data Protection Authority were asked to approve the use of anonymous, aggregated data, they would be obligated to say ‘yes’. Because that is what had been agreed on within the European Union. The GDPR does not cover impersonal data.”
But how come they weren’t aware of that?
“You should ask them that question. In any case, it has caused quite a bit of confusion.”
The telecom data which the Dutch DPA refers to is about your personal locational data. That is not what we are referring to. They create a lot of confusion that way.
What is the value of having information regarding any trips made when it comes to containing the virus?
“Every government in Europe has imposed restrictive measures. Like you have to stay at home. If you’re the Prime Minister of a country and you set these rules, you don’t have any data that shows whether citizens are respecting the rules or not. Should we tighten the rules, or relax them? So how do you go about making that decision? Using the data we have, we create national mobility indexes. These showed that before the crisis, Belgians made about three trips a day outside their zip code area. That average has dropped to one trip a day. Some days it was down by 50 %, other days it was 70 % less. This enabled the government to establish that they did not have to resort to a stricter model such as France, for example.
This approach has also been included in the European Commission’s recommendations to the Member States: analyze data in order to collect feedback on the effects of restrictive measures. Then you can adjust them in a targeted manner. This is extremely important. And it will become even more crucial in the exit strategy whereby restrictive measures will slowly but surely be lifted. When the schools open, you want to know how this will influence the epidemic.”
How can you correlate mobility data with the spread of the virus?
“If you combine the mobility patterns with data from infected people, for instance, where the confirmed cases of COVID-19 are located, you can create models that are able to predict the spread. This is called ‘spatial epidemiology‘. You can predict where a virus outbreak will spread in a certain part of a city based on the mobility in that area. We share all this data practically in real-time. Epidemiologists in Belgium were still using mobility patterns from 2001. How could that ever work?”
From 20 years ago?
“Yes. While they need the latest data available to create distribution maps.”
Can you alert people that they’re approaching an infected area?
“Yes. In Belgium, you had two infection clusters with a relatively high number of infected individuals. Hasselt and Bouillon. We can issue an ‘alert’ to people whose phones have been spotted in that area: be extra careful with social distancing and hygiene, there is a virus outbreak in this area. Avoid this area if you can.”
You want an app that is used by every inhabitant of all the European Member States. If you want to fight infectious diseases, you have to track contacts.
Do you already use this method in Belgium?
“Yes, the taskforce started on March 13th. We presented our first results relating to mobility data and high-risk areas ten days later. The text messaging service to send people alerts via their mobile phone is ready to go but is not yet in use.”
This approach is exactly what the European Commission is proposing for the entire EU.
“That’s right. There are two pillars that this is based on. One is the use of aggregated anonymous telecom data. How we did that in Belgium was very usable for the European Commission. The second pillar is the use of mobile apps. When people are sick you should want to collect their data. You want to know the progression of their symptoms over time. And you want to prioritize who gets tested and who doesn’t. You want an app that is used by every inhabitant of all the European Member States. If you want to fight infectious diseases, you have to track contacts.
Doctors did that manually up until now. They would ask you: who are you in contact with? Who lives in your home? Who do you work with at the office? Give me their phone numbers and e-mail addresses because they need to be tested. That doesn’t work that way anymore. If you are infected, Europe has Bluetooth technology to track your contacts who you sometimes don’t even know. Such as someone who you sat next to on a train.”
But can that be done anonymously?
“Yes. Via the data on your phone. You’ll receive an SMS text alert via the app that says: ‘You’ve been near someone for a while who is infected. You might want to get tested.'”
You’ll receive an SMS text alert via the app that says: ‘You’ve been near someone for a while who is infected. You might want to get tested.”
So how is this information sent anonymously?
“Your phone is constantly detecting WiFi hotspots. Your phone lists the names of those hotspots. For example, if the hotspot at your home bears your name, that’s not really anonymous. Except if it’s a number instead, you’d refer to that as a pseudonym. The same goes for Bluetooth. The app can detect that “Lucette Bluetooth” was 20 meters away from an infected person. It only detects Lucette Bluetooth. The app turns your name into an anonymous Bluetooth ID, for instance S123. That anonymous Bluetooth ID remains on your phone until you report that you are sick. Then the app alerts the central platform that contains all the Bluetooth ID codes. It then sends a message via those Bluetooth ID codes to the phones of the people who have been in your vicinity.”
But who owns the data on the central platform?
“There are only anonymous Bluetooth ID codes on that platform. The administrators don’t know who these codes refer to or who the phone belongs to. That information is only on the mobile phone. The app is only used to track and map routes. It does not provide any other information. That’s why it’s extremely secure. The government doesn’t have a list of names. They can’t force you to get tested. They can’t force you to answer your phone. All they can do is send you an SMS text alert.”