This article is the first installment in a two-part series. Unlike South Korea’s centralized approach to contact tracing, other democracies faced legal impediments to similar approaches. The second installment reviews alternative, non-centralized approaches currently being implemented in these countries and their limitations.
It often surprises many to know South Korea and the United States both reported their first COVID-19 cases on the same day: January 20, 2020. Despite the early exposure, South Korea has successfully maintained a very low number of cases, logging a total of only 23,812 by the end of September. In contrast, the United States experienced an average of over 41,000 newcases per day in September, for a total of 7.4 million by the end of that month. These glaring differences persisted despite the fact that South Korea has a fairly large population of 51.3 million (a sixth of the United States) and a population density that is fourteen times higher.
Much of South Korea’s success in virus containment can be attributed directly to its consistent and comprehensive mitigation program, which was instituted almost immediately after its first outbreak in the city of Daegu. The ongoing program consists of many interacting components, including rapid testing, detailed procedures for protecting healthcare workers, rules for isolating foreign travelers away from domestic, an aggressive advertising campaign to inform the public about useful mitigation practices, and real-time cell phone alerts about exposure risk distributed by geographical region.
In many respects, the centerpiece of this program is contact tracing, the process in which people who have encountered COVID-19 patients are identified. “Contact” includes both proximal coincidence (i.e. visiting the same coffee shop at the same time) and physical transference (i.e. receiving a package handled by an infected worker). Since contacted individuals are the most likely to be infected next, their swift identification allows for two important opportunities. First is the prioritization of testing. Given that COVID-19 testing is always limited, albeit to different degrees in different countries, it becomes important to optimize that supply so as many high-risk individuals are tested as possible. Second is the chance to quickly quarantine high-risk individuals, inhibiting further virus dissemination. Short of a vaccine, this is the only real reliable way to protect uninfected populations.
South Korea’s approach to contact tracing is often referred to as “centralized.” This means a national authority is allowed, by law, to collect and use information about all COVID-19 patients and their contacts for the purposes of infectious disease control. In South Korea, this authority is the Ministry of Health and Welfare (MHW). This centralized architecture is in stark contrast to the United States, United Kingdom, Germany, and a host of other countries that, so far, have not exercised a centralized approach, leaving contact tracing a largely unsupported burden for local governments, hospitals, and businesses, who often have to resort to the time-consuming and laborious process of calling people individually to identify contacts.
Effective tracing essentially requires four steps: 1) identification of new patients, 2) identification of contacts, 3) outreach to contacts, and 4) subsequent testing and/or quarantine. In South Korea, the identification of new patients is automatic, as the MHW retains a full list of all new patients as soon as they are diagnosed. The identification of contacts, on the other hand, requires a more complex process, employing the integration of three main types of information: credit card transactions, cell phone location logs, and surveillance camera (CCTV) footage.
Prior to the pandemic, the Korean government was already collecting large amounts of transaction data to identify and prosecute tax evaders. Every single credit card and bank transaction in South Korea is automatically recorded on government databases for this purpose. In a pandemic context, the MHW is allowed to access this data, retroactively tracking where newly diagnosed patients recently spent their money. This allows the identification of everything from restaurants to buses to subways, the latter two most often being paid for via cashless means. Once locations are identified through a process that takes about ten minutes, government disinfection teams are dispatched so each location can be cleaned and reopened within twenty-four hours.
Even with GPS and other locational features disabled, cell phone service providers can track the approximate locations of any phones they serve with an accuracy of a few hundred meters. Mobile service is inherently localized, with transmission towers dispersed across a geographical area creating different “cells” that provide signal. In South Korea, it is mandatory for providers to log the connections between towers and phones, making this information available to law enforcement officials for use during criminal investigations. Under pandemic conditions, the MHW also receives access, allowing the construction of trace records to corroborate credit card data and identify potential contacts.
Surveillance footage has undergone a similar repurposing amid the pandemic. Much like mobile locations, Korean law enforcement has long had access to such footage for investigative purposes. In a pandemic context, health authorities are granted access to determine the minute-specificity of infected individuals’ activities: for instance, when they first entered a restaurant, where they sat, with whom they were, and whether they were wearing masks. These details allow authorities to identify additional contacts, especially those without phones, and better assess the risks experienced by each individual, facilitating better prioritization of subsequent mitigation activities.
The legal basis for the MHW’s access to such a diverse array of private information is established explicitly in several pieces of legislation, including the Infectious Disease Control and Prevention Act and the Personal Information Protection Act. These documents specifically outline permitted end-use applications and the conditions for access. The specificity is largely a consequence of South Korea’s prior experiences with the MERS virus in 2015, which caused thirty-eight deaths. During MERS, the government lacked a centralized approach to contact tracing, forcing municipal authorities to step in and make do on their own. This lack of guidance and support from the central government resulted in significant public outrage, precipitating the current legislation.
The inability of many Western countries to adopt similarly centralized approaches is eerily reflective of the South Korean situation during MERS. Germany and Israel are good examples of countries that tried and failed to adopt centralized approaches because existing privacy laws do not contain explicit exceptions for public health emergencies. Germany and other European Union (EU) countries are bound by rules stipulated in the union’s General Data Privacy Regulations (GDPR), which states personal data may not be processed unless there is an established legal basis to do so.
Article 6 of the GDPR defines six domains of legal basis: an explicit “preexisting legal requirement,” “informed user consent,” “contractual obligation,” “public interest task,” “vital user interest task,” or “vital interests of a data controller or third party.” In theory, either the “public interest” or “user interest” tasks could be adapted for use in a pandemic context. Unfortunately, establishing the necessity of a “public interest” in legal terms can often be a complex and lengthy process, one that does not guarantee resolution rapid enough to be relevant within the timeline of an infectious disease outbreak. The “user interest” domain, on the other hand, has generally only been implemented on a case-by-case basis for individuals, such as when children wish to collect the data of a deceased parent. This precedent makes it difficult to justify the application to entire populations, again pointing to a lengthy and difficult legal process that most governments have thus far been loath to initiate.
With both cultural and political obstacles impeding swift legislative changes to privacy laws, many countries have opted instead for non-centralized approaches to contact tracing. These have generally involved cell phone apps that pair informed user consent with less invasive data collection methods to track proximal coincidence. This combination allows for many legal pitfalls to be avoided, circumventing the need for legislative reform. Although these alternatives may appear, at first glance, to be attractive compromises for achieving similar results, a closer examination quickly reveals critical limitations that threaten the potential to deliver desirable mitigation outcomes. These alternative methods and their limitations will be the focus of the second installment in this series.
. . .
Justin Fendos is a professor of cell biology at Dongseo University in Busan, South Korea. He conducts research on a wide range of topics including education, science, culture, and maritime trade. Since the beginning of the pandemic, he has been studying South Korea’s response to COVID-19, contributing articles to a variety of publishers including The Diplomat, National Interest, and Brookings Institution.
The SolarWinds and Microsoft Exchange hacks highlight serious problems with cybersecurity in the United States. The hacks also expose geopolitical and ideological challenges for US approaches to cybersecurity and cyberspace.