Introduction of surveillance technologies in the name of responding to infectious diseases
International organisations including the United Nations and human rights institutions in many countries have proposed human rights principles in the face of the COVID-19 pandemic. Basic rights may be restricted to achieve public health goals, but any policies adopted to achieve these goals should be based on law, should use the least rights-infringing means to achieve their purpose, and should not be imposed arbitrarily or applied in a way that discriminates.
Korea is one of the countries that has introduced and operated various monitoring and tracking systems in the name of controlling and preventing infectious diseases. Rights-infringing policies that would not have been introduced before the COVID-19 crisis were introduced without sufficient discussion due to urgency. Human rights organisations have voiced their criticism, but not many of their demands have been reflected in actual policies.
Although the policies discussed in this report changed after Omicron became the dominant variant and the number of confirmed patients with the virus increased rapidly – thereby making the policies ineffective – there is still a need to evaluate the process and impact of the invasive quarantine policies that were put in place. Otherwise, rights-infringing policies implemented in the past can be justified as meeting human rights standards, and when similar situations occur in the future, further rights-infringing policies can be introduced easily without sufficient consideration.
Korea's quarantine model
Korea's quarantine model for responding to COVID-19 was described as the “3T” model (test-trace-treat). This meant the model involved the diagnostic testing of people suspected to have contracted the virus, the identification of contacts through precise epidemiological investigations of infected patients, and the isolation and treatment of patients and contacts.
In order to conduct a precise epidemiological investigation, interviews with infected patients were conducted, and objective data was collected to track patients' past movements and identify close contacts, such as mobile phone location information, the use of credit and transportation cards, and CCTV footage. In this process, sensitive personal information such as location information and information on habits and personal preferences and relationships was inevitably collected and processed. As the obsession with the accuracy of identifying infection routes and contacts increased, the vast collection of personal information and the introduction of advanced analysis technologies such as profiling and facial recognition were required.
In addition, the entire nation was regarded as “potential patients”, so people's movements had to be recorded in advance for epidemiological investigations that may have been required in the future. In order to ensure the certainty of quarantine, criminal penalties were imposed for violating the Infectious Disease Control and Prevention Act, and technical measures such as self-quarantine apps and wristbands were also introduced.
Such technologies that collect personal information and track people limit the right to the self-determination of personal information and the right to privacy. In the face of an infectious disease crisis, these rights restrictions can be justified to a certain extent, but they need to be within the limits allowed by international human rights norms.
Could Korea's quarantine policies be justified in light of the international norms?
Monitoring technologies and policies introduced in the name of responding to infectious diseases
Introduction and advancement of the COVID-19 Epidemiological Investigation Support System
On 26 March 2020, the Ministry of Land, Infrastructure and Transport, the Ministry of Science and ICT, and the Korea Disease Control and Prevention Agency (KDCA) introduced the COVID-19 Epidemiological Investigation Support System. The system was developed based on a smart city technology system, and automates epidemiological investigation procedures. It links 28 institutions, including the KDCA, the Credit Finance Association, three telecommunications companies, and 22 credit card companies.
Currently, the KDCA is working with the Ministry of Science and ICT and the National Information Society Agency to develop an "in-depth epidemiological investigation support system" that enhances the current system. The in-depth epidemiological investigation support system plans to further link personal information held by various ministries such as resident registration information (Ministry of the Interior and Safety), immigration records (Ministry of Justice), medical institution access history (Health Insurance Review and Assessment Service) and health insurance subscriber information (National Health Insurance Service).
Meanwhile, the city of Bucheon is developing an intelligent epidemiological system using artificial intelligence and CCTV footage. The project aims to analyse close contacts through facial recognition in street CCTV footage controlled by the city and identify contacts through mobile phone numbers recorded in nearby mobile base stations.
The epidemiological investigation support system is linked to a number of databases and enables profiling based on various personal information. Through this, other sensitive information such as sexual preferences, religion and union membership can also be derived. For example, individual characteristics can be inferred through whether a confirmed patient has visited a gay bar or a specific religious facility.
The legal basis of the epidemiological investigation support system is also unclear. The Infectious Disease Prevention Act only has grounds for collecting personal information processed through this system, but does not stipulate the system itself. Ambiguous regulations, such as the current legislation, can justify the introduction of an intelligent epidemiological system such as the one being developed in Bucheon. However, monitoring CCTV with the naked eye is different from that using facial recognition technology.
Trawling base station access information
Health authorities have used base station access information in the name of identifying potentially infected people when there is a concern that a large number of infected people may be found in a specific area. It is a method of identifying people around a mobile base station through a list of mobile phone numbers connected to the base station in a specific area.
For example, in order to identify the people who were nearby after a mass infection at the Itaewon Club in Seoul, in early May 2020, the Seoul Metropolitan government requested base station access information from mobile operators. The list of people who stayed for more than 30 minutes between midnight and 5 a.m. every day from 24 April to 6 May was provided based on their access logs to 17 base stations around the club. In this way, the number of people selected reached 10,905. It is obviously far-fetched to consider more than 10,000 people as suspected patients of an infectious disease in such a short period of time, given that it does not align with data collected in the virus’s infection trajectory.
Originally, investigative agencies have used so-called "base station investigations" to identify people around a specific base station (e.g. to identify participants in rallies held in a specific area). However, on 28 June 2018, the Constitutional Court ruled that base station investigations were unconstitutional, judging that it was against the principle of proportionality to allow investigative agencies to receive large amounts of communication metadata just because it was necessary for an investigation. Since then, the National Assembly has revised the Communications Secret Protection Act in the direction of strengthening the requirements for base station investigations and stipulating procedures to inform subjects of the investigation. However, in the case of collecting base station access information under the Infectious Disease Prevention Act, it is not necessary to obtain permission from the court. The requirements for providing information are not strict, and there is no procedure to inform subjects.
Introduction of the wristband location tracking device
On 27 April 2020, the government introduced a wristband called "safety band", which was linked to the Self-Quarantine Safety Protection App, for the purpose of preventing people from leaving self-quarantine areas without authorisation. The app has a motion detection function, so if there is no mobile phone movement for two hours, a notification window appears twice, and if there is no confirmation from the quarantined person, a dedicated public official calls to check up on him or her.
A safety band is a location tracking electronic device similar to an electronic anklet attached to sexual violence offenders. In conjunction with the app, if a quarantined person deviates more than a certain distance or damages the wristband, a dedicated official is notified. The government says that wearing the device is based on consent, but if people do not agree with wearing the wristband, they will be quarantined at a facility and charged the cost of quarantine.
The safety band can constantly monitor the location of individuals, resulting in serious implications for privacy. Although Article 42 of the Infectious Disease Prevention Act allows the collecting of location information, it is difficult to say that it creates the specific legal basis for the safety band. In the case of electronic anklets attached to sexual violence offenders, their use is based on the Electronic Device Attachment Act. In addition, strict procedures exist for their use, such as an investigation by the probation office before requesting an attachment order, a prosecutor’s request for an attachment order, and an attachment order from the court. In comparison, the safety band policy does not comply with the principle of legality.
It is also insufficient in terms of the necessity and proportionality principles. The government forced self-quarantined people to install the app and assigned dedicated public officials to check in on them on a regular basis, and the authorities threatened to criminally punish violators. Since there are already quarantine controls in place and the proportion of violators is not high, it is difficult to justify the introduction of rights-infringing measures such as a safety band.
Mandatory entry log
As in other countries in the world, the Korean government ordered that a list of people entering and leaving certain facilities such as restaurants and cafés be kept to facilitate the identification of contacts when infections occur. Originally implemented without a clear legal basis, the Infectious Disease Prevention Act was revised on 12 August 2020, specifying that the head of a local government can order "compliance with quarantine guidelines such as making a list of entrants and wearing masks."
Various methods are being used to keep these lists, such as relying on handwritten lists, electronic entry logs, and safe calls (a method in which the caller's mobile phone number is recorded when calling a unique phone number for each facility). On 1 July 2020, the government introduced a QR code-based electronic entry log system called KI-Pass. This is because people did not accurately record their personal information on a handwritten list.
The electronic entry log system operates as follows: a user receives a QR code from Naver or Kakao, two Korean portal giants, and provides the QR code when entering a facility. The facility information and QR code are then recorded in the Social Security Information Service. The record of visits will be destroyed after four weeks for the protection of privacy.
The mandatory entry log is a general monitoring measure targeting all citizens, and is not only confined to specific subjects in certain situations, such as people who have contracted an infectious disease or are suspected to have done so. In other words, this puts every move of all citizens on record and traceable at any time. It is questionable whether the establishment of a regular surveillance system for the entire nation can be justified at a time when it is possible to track patients' movements and identify contacts through other means, such as mobile phones and credit cards.
In light of international human rights standards, Korea's quarantine policy as a whole has the following problems:
- First, excessively invasive technologies and policies were introduced in violation of the principles of necessity and proportionality. Base station access information was collected through trawling; the wearing of the safety band, a location tracking device, was effectively enforced; and an entry log was required to record the movements of the entire population.
- Second, many of the policies introduced do not meet the principle of legality. The introduction of the COVID-19 Epidemiological Investigation Support System, the use of base station access information, and the Self-Quarantine Safety Protection App and safety band lack legal grounds. Some policies, such as the mandatory entry log, were implemented ahead of any legal basis, which was then created through the revision of the Infectious Disease Prevention Act.
- Third, the supervisory functions of the National Human Rights Commission of Korea and the Personal Information Protection Commission were insufficient. The National Human Rights Commission of Korea did not actively respond to the overall human rights violations of quarantine policies, other than announcing its position on the disclosure of people’s movements and the safety band. The Personal Information Protection Commission played its role as a supervisory body to some extent, but failed to go beyond this by providing detailed measures for improving the legality, necessity and proportionality of quarantine measures. If the supervisory body does not play its role, then invasive policies can be justified.
- Fourth, Korea's quarantine policy was possible because a social monitoring system that could easily track the activities of people was already in place, such as the resident registration number system, and the nationwide installation of CCTV cameras. Without the information that had been accumulated and stored through these systems, the Korean quarantine model would not have been possible. From the government’s response to COVID-19, we can easily see how vulnerable Korea's social system is to surveillance.
Korean civil society has voiced its opinion on the human rights aspects of quarantine policy, but sufficient discussions have not always taken place due to the urgency of quarantine. Even the National Assembly only played a role in justifying hasty quarantine measures carried out by the administration through post-mortem revisions. Unless the problems of policies already introduced are reviewed, similar and even more restrictive measures outlined in this report can be justified in future infectious disease crises.
The following steps are necessary in Korea:
- Korea's quarantine policy needs to be critically evaluated from the perspective of international human rights norms.
- In the face of an infectious disease crisis, the quarantine authorities should establish a governance system that can reflect the voices of civil society and national human rights institutions.
- The Infectious Disease Prevention Act should be revised so that quarantine policies can be implemented from the perspective of human rights, including the right to privacy.
- Civil society needs to address the breaches of rights in amended laws and policies in a sustained way so that any rights-infringing revisions are properly addressed ahead of any new health emergency.
This report was originally published as part of a larger compilation: “Global Information Society Watch 2021-2022: Global Information Society Watch 2021-2022"
Creative Commons Attribution 4.0 International (CC BY 4.0) - Some rights reserved.
Global Information Society Watch 20121-2022 – print
APC Serial: APC-202211-CIPP-R-EN-P-343
Global Information Society Watch 2021-2022 web and e-book
APC Serial: APC-202211-CIPP-R-EN-DIGITAL-342