Essay #2 in the Data and Pandemic Politics series on data justice and COVID-19

Editors’ Note: The South African government has used the rise in mobile contact tracing during the pandemic to try to increase, and centralise control over, geolocation data through the participation of commercial tech firms. This is part of a trend toward ‘biometric capitalism’, where the state empowers itself through private data market actors and vice versa.

South Africa has had over 700,000 reported COVID-19 cases, in spite of a brisk and strict lockdown response. The first case of COVID-19 was reported on 5 March 2020 (which also marks the start date for contact tracing authority), and on 15 March 2020 a National State of Disaster was declared. South Africa’s COVID-19 response is worth critically examining, particularly given our huge inequality challenges; but perhaps underappreciated is the ‘history’, short-lived as it is, of the government’s approach to contract tracing. The government’s response to the coronavirus has been to prioritise expansive powers, in spite of its own inability to use these powers effectively. And deference to big tech can be seen as a strong signifier of future patterns in the power hegemonies of public-private collaborations in the future digital economy.

Until a vaccine for the coronavirus is widely available, the only “available infection prevention approaches are case isolation, contact tracing and quarantine, physical distancing, decontamination, and hygiene measures.” State responses have had to centre contact tracing as a necessary public health response. And from very early on, both contact tracing – and extensions into surveillance meant to gain greater visibility into the spread of COVID-19 – have alerted activists and the public to the balance between public health and privacy protection. Yet approaches to contact tracing vary significantly, with countries like Vietnam and the Indian state of Kerala using largely manual approaches to good effect, or Singapore launching a voluntary, centralised data application early but to ill effect, or countries like South Korea implementing a broad range of technology-centred contact tracing and surveillance to strong effect.

Initial Response: Centralise Data, Skirt Regulation

Rather than initiating efforts through any form of mobile phone application, the South African government quickly instituted vaguely worded regulations on 26 March 2020, which would empower the government to gather geolocation and other data from telecommunication service providers without a court order. There was immediate concern from digital activists on the regulations, which were quickly amended on 2 April 2020 to provide some more limitations, but also to include oversight by a well-respected judge, Justice Kate O’Regan, to supervise the process. Yet the response – almost immediate – from the state was quite illuminating: a state-centred, centralised database was the instinctive intervention to expanding the efficiency of contact tracing through a particularly low-tech, but high processing, solution. This “collect now, ask questions later” response notably completely excluded any attempt to include South Africa’s established Information Regulator in its process, with the regulator noting:

[The Office of the Information Regulator] was not consulted when the regulations were drawn up, not even on the sections on data, de-identification and the security of information, etc. There was no reference to [the Protection of Personal Information Act] in the regulation.

This is indicative of a response that notionally separates an understanding of the need and impetus for the mass collection of data from the requisite need for lawful data processing guidelines and standards. That this response to contact tracing was a political response, above a pragmatic one, was also evinced from many of the criticisms immediately felled at this form of data collection: geolocation data is not necessarily accurate, especially in areas where cell towers are farther apart – a concern raised by activists and academics immediately at the time. These concerns were realised: in April, the Department of Health (DOH) already began pivoting on its contact-tracing approach after geolocation data proved ineffective, with a representative stating:

The information that we got during the period that we collected data [17 April 2020 to 14 May 2020] was basically the RICA information.1 It was difficult to get the location information and it was even more difficult to get the movement as well as who a person has been in contact with, because it needed to come from the cellphone towers. It was complex to get toward individuals that were within a two metre radius of an individual.

Not only did they experience technical issues in collating and analysing the data, there were also practical challenges that arose from the inaccuracy of the geolocation data (with only accuracy of 100m in rural areas), and also the practical reality that many people were using phones that were not associated to their own personal details.

A Pivot to Apps

Whilst it carried on somewhat fruitless collection of geolocation data for some time, in May the Praekelt Foundation, a South African non-profit, approached the government with a solution, and in July 2020 they launched COVIDConnect: a WhatsApp and SMS-based self-service portal run by the DOH. For contact tracing, it allows those who have tested positive for COVID-19 to digitally provide the names and contact details of those they have been in close contact with through WhatsApp or SMS chat. The contacts are then alerted that they may have been exposed to COVID-19 without disclosing who tested positive. It is important to consider the foundations of this partnership: Praekelt and the DOH already collaborate on a project called MomConnect that, with over 2 million registered subscribers, provides WhatsApp-based maternal health support. Seeking to leverage an existing political success, the DOH launched a new technological approach, but at the expense of the ability to establish “weak links” between potential patients. And further, the service “…was limited by the fact that not everyone knew or remembered those they had been in contact with. Also, between 30% and 40% of people in South Africa don’t use WhatsApp. The ‘journey’ on the portal costs less than 2c but this is a barrier if there is no data or airtime on a phone”. Yet again, the realities of South Africa’s digital inclusion, and the mechanics of human engagement, were underappreciated in the implementation of a solution, which preferred an already entrenched public-private partnership.

Whilst these initiatives were all underway, a cross-disciplinary, university-led coalition began developing a decentralised, QR code-based system focused on the creation of COVID-19 credentials called “COVI-ID”. Instead of using technology for contact tracing directly, the solution focused on credentials for controlling movement. However, integration with the GAEN protocols of Google and Apple that would allow for push notifications and alerts using Bluetooth, with decentralised data, remain possible within the app. Local academics and technologists were industriously looking for context-responsive solutions. Yet, the DOH had other ideas: on 1 September 2020 the COVID Alert SA application was launched. Seven months after the first infection, the DOH pivoted to a partnership with the big tech giants of Google, Apple, and Discovery Health along the lines of the decentralised models Google and Apple had been promoting since the beginning of the year. By mid-October, it had been downloaded by around 600,000 subscribers – well below the average of around 65% of the population that is required for digital, automated contact tracing to be effective.

Big Tech Partnership And Digital Sovereignty

It is worth considering Discovery Health’s role as South Africa’s major big data player. The dominance of Discovery’s data activities have coincided with its pivots into banking and other services, leveraging its own brand of what Keith Breckenridge calls “biometric capitalism” in a manner much admired by state actors. And it knows the value of its data – with a civil dispute between it, and a rival company Liberty Holdings, centring on the ‘ownership’ of aspects of the beneficiary of data at its disposal. Discovery is one of South Africa’s most data-centric, big tech players – and it is thus no coincidence to see it at the core of the state’s technology strategy. The stage for digital sovereignty in South Africa is being set, with only big tech and the state as the envisioned future actors.

What the ‘history’ of contact tracing has demonstrated so far is that emerging data-driven technologies in South Africa will be launched in a context in which the government’s primary instinct is still to centralise data en masse, with a failure to adequately acknowledge lawful processing standards first. This political instinct is prioritised over technical efficiency and capacity. And when shortcomings in capacity are acknowledged, the public-private partnerships veer toward established relationships and big tech, over more collaborative efforts. This means two priorities moving forward for data governance in South Africa: ensuring public sector compliance with data governance standards, as well as expanding accountability in public-private partnerships for data technology projects that err to the big tech collaborations that can be immensely disenfranchising for citizens. If nothing else, the COVID-19 crisis has provided us with a teachable moment – we should remember these lessons and change our course. What is needed in South Africa’s digital and data governance landscape is not the reinforcement of existing unequal hegemonies, but rather the dispersion of decision-making and powers to the full extent of stakeholders necessary for the achievement of good outcomes: from states to the private sector, data subjects to data collectors, citizens to technologists.

Gabriella Razzano is a Senior Research Fellow at Research ICT Africa, and a Senior Atlantic Fellow in Social and Economic Equality. She is a founding director of the open data civic tech hub OpenUp, and also acts as legal consultant on issues of transparency, open data, privacy, technology and law.

1 The Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (RICA) is the South African law that regulates the interception of communication and obliges certain telecommunication service providers to obtain and keep certain information from people who enter into a contract with them, namely: his or her full name, identity number, residential and business or postal address. The address needs to be confirmed generally with documentation as proof of residence, and should be updated as relevant, though this doesn’t always happen in practice.

Suggested citation: Razzano, G. (2020, November 5). Digital Hegemonies for COVID-19. Data and Pandemic Politics, 2.