Introduction

From the beginning of the COVID-19 pandemic, worries about surveillance were at the forefront of public debate about governmental responses to the pandemic. In response to public health measures such as the use of aggregated mobile phone location data (Grantz et al., 2020), the deployment of GPS-based home quarantine monitoring apps (e.g., Poland’s Kwarantanna Domowa app), and the introduction of proximity trackers (e.g., the Dutch “CoronaMelder” App), there has been significant and continuous social and political resistance that, at least in Western countries, forced governments to become explicit about the justification for these instruments and to regulate their legitimate and proportional use (cf. Blasimme et al., 2021). But with the public eye focused on the public health measures themselves, and on the direct consequences of governmental surveillance for people’s liberty and privacy, another development received less attention, namely the way in which various lockdown and home confinement measures significantly increased our shared reliance on private infrastructure and digital services in areas such as healthcare, education, retail, leisure, and the workplace. Moreover, there has been little public discussion of the implications of this shift to private services in terms of accountability and governance.

After laying out our terms (“Section I: Terms and concepts”), we will proceed to show that the public health measures for mitigating the COVID-19 pandemic increased the incidental surveillance of various “day-to-day” activities by these private actors (“Section II: The rise of incidental surveillance”), and thereby granted significant informational power to a select number of private actors (“Section III: Considerations about justifications and private power”). As a preliminary example, consider how the requirement to work from home has not only allowed tech giants to collect more data about logins and application usage but has also given employers more insights into workplace behaviour. To firmly establish this point, we will survey a range of examples of incidental surveillance practices in different domains.

Though this additional surveillance appears to have been generally socially accepted as an inevitable consequence of the pandemic, part and parcel of a larger conglomeration of emergency compromises, we contend that these practices may have lacked justification, as they were not directly justified by the same appeals to solidarity and public health used for justifying the instigating public health measures themselves. In light of this observation, we will argue in the final Section of the paper (“Section IV: The need for accountability and oversight”) that governments who enforce lockdown and work-from-home public health measures have a duty to determine how and to what extent collateral data disclosure and activity monitoring by private actors can, in fact, be justified—both in relation to the recent pandemic and in contexts of future public health emergencies. Moreover, given the enduring, increased reliance on private actors for maintaining the digital space, we will argue that these actors are de facto providing an essential service, and should therefore have their surveillance practices be regulated and be subject to accountability mechanisms and oversight on par with governmental essential services that engage in surveillance activities.

Section I: Terms and concepts

In this section, we will clarify how we are using particular terms. Note that we are not seeking to offer comprehensive or final definitions for the concepts denoted by these terms, but rather to establish the conceptual boundaries around the terms such that our use of them in the paper can be understood. In what follows, we offer descriptions of our use of ‘incidental surveillance’, ‘informational power’, and ‘accountability’.

As we will argue in “Section II: The rise of incidental surveillance”, the COVID-19 pandemic has brought about a range of different surveillance practices. We follow David Lyon’s description of surveillance in which the term denotes the “focused and purposive attention to objects, data, or persons” (Lyon, 2009). There are many instances and examples of how surveillance technologies and practices were used to monitor and arrest the spread of COVID-19, be it by public actors (e.g., public hospitals collecting COVID-19-related hospital admission data to support incident management), private actors (e.g., corporations offering COVID-19 tracking apps), or a via public–private partnerships (e.g., governments collecting mobility data through telecom providers).Footnote 1 These surveillance practices (and the underlying delegation structures) raise important questions of their own, including whether the collected data can be used for other purposes (including research and for-profit purposes) than they were originally collected for (“mission creep”; see, e.g., Pagliari, 2020; Gerlitz & Häring, 2023). However, those questions are not what we are concerned with here.

Instead, the focus of this paper is on ‘incidental surveillance’. By incidental surveillance we mean surveillance whose practices shifted because of the COVID-19 pandemic but were not concerned with a focused and purposive attention to COVID-19 itself. For instance, consider that, due to people working from home, the capacity for workplace surveillance increased. This surveillance was incidental to pandemic-related public health measures such as lockdowns, in the sense that the corporations facilitating remote “teleworking” were not tasked with collecting COVID-19-related data, and yet increased their surveillance as a result of the COVID-19-related public health measures. Incidental is significant here, as the surveillance practices that we are concerned with in this paper are incidental to the public health response to COVID-19. As we will argue, this creates a unique challenge in that the justifications for the public health measures themselves, including those for direct COVID-19 surveillance, do not necessarily transfer over to the incidental surveillance.

The second term to introduce is that of ‘informational power’. Here, we recognise that ‘power’ is itself a contested term. As Joseph Nye Jr. puts it, “[n]o one definition is accepted by all who use the word, and people’s choice of definition represents their interests and values” (Nye, 2011, p. 5). It is the subject of a debate that we cannot attempt to settle here.Footnote 2 However, we can give some background and explicate how we are using the term. Power can be understood in quite a general sense, where it “means the capacity to do things” (Nye, 2004, p.1). However, it is not just about getting things done but also about “the ability to influence behaviour of others to get the outcomes one wants”, be it through coercion, or inducement, or even by simply offering an attractive option (Nye, 2004, p. 2). Nye also recognises that power can be understood in two further ways. Policy makers, for instance, “frequently define power simply in terms of the resources that can produce outcomes” (Nye, 2011, p. 8). In contrast, “[b]ehavioral definitions judge power by the outcomes that are determined after the action [“ex post”] rather than before (“ex ante”)” (Nye, 2011, p. 4). So we may understand power as resources or as outcomes.

In understanding informational power, then, we want to recognise both control over informational resources, and the ways in which that information can bring about particular outcomes. For instance, sharing or withholding one’s vaccination status is a form of informational power. Likewise, using one’s vaccination status to alter behaviour and thus outcomes is also informational power. Combining these two elements of power, informational power can thus be understood as the capacity to use, share, withhold, or manipulate information (as a resource) in order to bring about or prevent some outcome in the world.

For our purposes, this notion of informational power is not only relevant to the way information may be used by individuals to influence their own behaviour and that of others, but also more generally to the control over information that governments and corporations have.Footnote 3 If a governmental department has a database about COVID-19 infections in the community, and they control who can access that information, they have informational power. Likewise, if a private testing facility uses the results of analysis of COVID-19 infection patterns to offer advice to their government on COVID-19 policies, then they have informational power as well. Given the value that information now has in society, informational control can also confer social, political, economic, and legal power on those who have that control. In “Section III: Considerations about justifications and private power”, we discuss the implications of increased informational power arising from incidental surveillance.

The final concept we want to address here is accountability. In particular, we want to draw out the difference between accountability and oversight. Oversight is a process in which an overseer has access to, or some awareness of, the actions, decisions, or behaviours of some target of attention. In the context of governance, oversight is typically thought of as the review and evaluation of selected activities by governmental agencies.Footnote 4 In contrast, what is central to accountability of public actors is that it is “a relationship between an actor and a forum, in which the actor has an obligation to explain and to justify his or her conduct, the forum can pose questions and pass judgement, and the actor may face consequences” (author’s original emphasis, Bovens, 2007, p. 450). The relevant point here is that accountability involves some justification or explanation of actions, decisions, or behaviours, to a forum, with the relevant actor perhaps facing some consequence for their conduct. It is “the obligation to explain and justify conduct, [which] implies a relationship between an actor, the accountor, and a forum, the account-holder or accountee” (Bovens, 2007, p. 450). Accountability requires interaction between the actor and some others, viz. with those others having some power as a result of their position. As we will see, the notion of accountability as the need to offer a justification, coupled with changes in informational power, is crucial in relation to incidental surveillance.

Section II: The rise of incidental surveillance

In this section, we outline a wide set of areas in which the COVID-19 pandemic led to a rise in incidental surveillance. The first and very prominent domain is healthcare. Due to the increased strain on hospitals, combined with limitations imposed on people’s physical movement by lockdown measures, many healthcare services entered into collaborations with private companies to offer online consultations (Mann et al., 2020; Richardson et al., 2020), remote health monitoring of health biomarkers such as blood pressure, blood glucose levels, and heart rate (for review, see Lukas et al, 2020), and develop automated health monitoring and treatment apps (Gerli et al., 2021; McGreevey et al., 2020; Parviainen & Rantala, 2022). To an extent, this process of digitalization was already ongoing, but the pandemic acted as a catalyst for change in this regard (Shah & Schulman, 2021; Bloem et al., 2020; Lau et al., 2020). In Germany, for example, the largest doctor-patient portal “Jameda” reported explosive growth of the demand for their video consultation software at the start of the pandemic (Jameda, 2020). Likewise, the Barcelona-based start-up “Mediquo” reported significant increases in demand (ConSalud, 2020). Elsewhere, healthcare professionals took to popular commercial communication platforms such as Zoom, Microsoft Teams, and WhatsApp to offer online video consultations (Vargo et al., 2021), despite the known drawbacks of such platforms in relation to the protection of health data (Masoni & Guelfi, 2020).

As a result, increasingly large volumes of health-related data began to flow to private actors, increasing their surveillance and their informational power by allowing them to gain more insights into people’s health status as well as health-related preferences and behaviours. Depending on the type of platform, these insights may be inferred from actual health measurements (e.g., cardiovascular data from a home ECG monitor) or from mining access and event logs, from which plenty of commercially interesting information (e.g., for targeted advertisements) can already be gleaned (e.g., how frequently people interact with healthcare providers, whether they do so during business hours or in the evening, what type of healthcare they seek, whether they prefer a particular practitioner, etc.).

The transitions to remote healthcare solutions were responses to an urgent practical problem—namely how to continue offering adequate and appropriate healthcare to those in need during a public health emergency. It is therefore worth noting that our aim here is not to deny the effectiveness of these responses, nor to find fault with the motivation of the healthcare professionals or the willingness of patients to consent (which may be especially understandable if they felt there was no acceptable alternative; cf. Kamphorst et al., 2023). Rather, the aim is to draw attention to the phenomenon of incidental surveillance and, on a general level, to question the extent to which increased surveillance by private actors stemming from this shift to digital, remote healthcare solutions is justified.

Importantly for this paper, the justifications for such surveillance differ from that of direct COVID-19 surveillance. In the former, the justifications are the need to provide access to essential clinical healthcare services. In the latter, the justifications are public health justifications explicitly linked to the need to monitor and ultimately mitigate the effects of the COVID-19 pandemic. This distinction between clinical medicine and public health is important as the two practices ultimately have different moral mechanics (O’Neill, 2004). We also note that the ethical justifications for clinical healthcare differ from the ethical justifications for public health. Clinical healthcare is primarily concerned with the rights of the individual patient, and the responsibilities that particular medical professionals have towards that individual. In contrast, public health ethics is more concerned with healthcare at a population level, with the professional responsibilities being directed towards the collective. “While medicine focuses on providing treatment and care for individuals as patients, public health focuses on preventing disease and disability for the greater population. Medicine involves a relationship between a physician and an individual as a patient. Public health involves relationships between members in the community, various professionals and the government” (Latheef, forthcoming). Clinical healthcare justifications will draw from moral value of the individual whereas public healthcare justifications will draw from the moral value of the population. Thus, given the different surveillance practices being discussed—clinical and public health—it must be ensured that both sets of surveillance practice are justifiable in general, and justified in the particular cases.Footnote 5

Shifting from the contexts of clinical and public healthcare, let us examine more domains where incidental surveillance increased because of the pandemic and the associated public health measures, beginning with the workplace. As the first lockdowns were implemented at the beginning of the pandemic, working from home became the norm for many “nonessential” workers around the world (e.g., Ipsen et al., 2021). For many, being able to work from home was–and frequently still is–facilitated by large-scale digital online platforms such as Zoom, Microsoft Teams and Office 365, Google Docs, Calendar and Meet, and various Virtual Private Network (VPN) solutions to access company documents.Footnote 6 This increase in the use of VPN services and cloud-based applications effectively resulted in people leaving an increasingly large digital footprint that details how they spend their work days.

Though these platforms existed before the pandemic, the scale at which they became used was unprecedented.Footnote 7 As such, the private actors running these platforms gained access to more behavioural data than ever before, which they could mine and use for commercial purposes. One way in which the collected data was commercialized was by selling it back to the organizations themselves. Office 365, for example, offered its pro-tier customers “usage analytics” to gain insights into how their organization is using the various services, which include individual user activity reports (Microsoft, 2022). As such, employers were given extensive tools of surveillance for checking on their employees. Workplace examples clearly demonstrate the rise of incidental surveillance.

Another consequence of the explosive use of video conferencing in the workplace was the normalization of making and sharing video content. Many professional meetings, including job interviews and assessments, started being recorded, often explicitly through the video conferencing software, but potentially also illicitly by participants making use of third-party software or smartphones to make screenshots and screen recordings. These recordings are then typically stored, not only on local devices and hard drives, but also in cloud-based storage, where they are possibly retained in perpetuity. And while these recordings may have legitimate uses, such as sharing past seminars with new colleagues, or re-watching meetings to extract action points, they also pose serious risks, as people cannot fully control what happens with the information they (inadvertently) shared (cf. Kamphorst & O’Neill, in prep.). As O’Neill has phrased it, digital recordings can be thought of as “digital wormholes,” with snippets and fragments of one’s past self showing up at unexpected times and in unexpected contexts (O’Neill, 2021).Footnote 8 Moreover, as we will discuss, the justifications offered for such surveillance are clearly different from any public health justifications related directly to COVID-19.Footnote 9

The worries about recordings also carry over to the domain of education. During the pandemic, online lectures by teachers and professors were often recorded, at times without permission. Students, too, partook in recorded seminars, and were frequently asked to prepare and submit video content to online assignment platforms. But perhaps the most noteworthy form of surveillance in this domain was the automated proctoring of exams (e.g., Kharbat & Abu Daabes, 2021). With automated proctoring software, university students were required to turn on their webcams, do a full scan of their surroundings—oftentimes including their personal belongings—and then make the exam while allowing a black-box algorithm from a private company to analyse the live video stream to detect suspicious behaviour (Coghlan et al., 2021). This controversial practice caused public criticism, with students in various countries making complaints, starting petitions, and even taking universities to court (Rechtbank Amsterdam, 2020).

Much remains to be said about the practice of online proctoring, but since it took shape in response to the significant challenge of ensuring academic continuity during lockdown, and its legitimacy has so far been upheld, we will not concern ourselves here with the (un)desirability of this particular kind of surveillance. Rather, our more modest aim is to consider this type of additional tracking and oversight as fitting a larger pattern of surveillance expansion that, on the whole, requires a particular set of justifications that are distinct from the justifications directly related to COVID-19 public health measures.

To complete the picture of incidental surveillance, let us consider the domains of online home entertainment and retail. Like the tech giants facilitating remote communication, large online media platforms such as Netflix, Disney+, Hulu, Amazon Prime and Apple TV, as well as major gaming platforms like Microsoft, Nintendo and Sony, reported tremendous growth in their subscriptions and sales as a result of lockdown and curfew measures.Footnote 10 With theatres, bars, restaurants, clubs, and gyms all closed, people “en masse” turned to on-demand video and gaming platforms as alternative forms of entertainment. Consequently, these platforms all saw huge peaks in the numbers of individuals whose viewing and usage behaviour and media preferences they could now track. Parallel to the rise in use, with unemployment high in various sectors and working from home the new normal, interactions (and therefore surveillance) were not restricted to “after hours”. As a result, these companies could build user profiles that not only detailed which kinds of content people like, but also when they take their lunch breaks, take time off from work, take care of their kids, and so on. Thus, the capacity for entertainment providers to engage in incidental surveillance significantly increased.

Finally, the lockdown and social distancing measures accelerated the transformation of the retail landscape. With people unable to go out, many “nonessential” businesses with physical stores, including restaurants, saw themselves forced to further develop their digital presence by opening web shops, and consumers were quick to get on board. Established online retailers such as Amazon, Walmart, and Zalando benefited tremendously from the lockdowns.Footnote 11 And though “essential” stores such as supermarkets, pharmacies, and drugstores mostly remained open, they too saw a substantial increase in their online sales (cf. Tyrväinen & Karjaluoto, 2022). In effect, this meant that an increased number of consumers started sharing more and more information about their consumer preferences and spending habits with more parties and with an increased frequency. And since these online transactions were processed by payment gateways such as PayPal or Stripe, and online orders were subsequently delivered by parcel delivery companies such as DHL, UPS, DPD and FedEx, they too gain insights into consumer behaviour (e.g., who orders from what stores, with what frequency, etc.).

The picture that emerges from the surveyed domains shows that incidental surveillance by private actors has become ubiquitous and is likely to stay that way for the foreseeable future. Before moving to a discussion of the implications of this development, there are three further remarks we would like to make. First, the breadth of the domains we surveyed shows just how pervasive the phenomenon really is. At the same time, it should be emphasized that the domain contexts have different characteristics.Footnote 12 As scholars such as Nissenbaum (2009) and O’Neill (2022) have argued, different contexts may have different ends or purposes, which will co-determine by which standards to evaluate certain techno-social changes in those contexts. For example, in workplace contexts–as opposed to leisure contexts–there will be social structures in place that could make a relevant difference to whether (an increased degree of) surveillance can be justified. Likewise, the type of data that is collected (e.g., intimate, identifiable, health-related information in healthcare) may affect the analysis of whether increased surveillance is ethically permissible or ethically problematic, as well as the types of accountability structures that would be appropriate. We will return to this point in “Section IV: The need for accountability and oversight”.

Second, it should be noted that, with few exceptions, the digital services we referenced already existed before the pandemic. As such, it may be questioned whether the increase of data collection resulting from various home confinement and social isolation measures by the private parties offering these services makes a qualitative difference in comparison to how it was before the pandemic. We cannot do full justice to this question, as the differences between contexts may lead to different answers, but we would like to make a general point that goes some way towards a positive response. The pandemic-related public health measures created a situation in which individuals, including those who had never used these services before, saw themselves compelled to join the trend towards remote working, online entertainment, and online retail. The emergency status of the pandemic inspired an attitude of hard work and sacrifice (“we all have to do our part”) aimed at re-establishing a sense of normalcy (e.g., continuing work, still getting together (virtually) with friends to play games, etc.), that invited, nudged, or mandated people to use (a subset of) these services. This meant that these private actors had, as a result of the public health measures, a larger, wider, and more diverse audience than they otherwise would have had; an audience that they could–either directly or through the sale of advertisement placement–target with, say, product recommendations or political campaign ads. Having a substantially larger audience could thus mean substantially more influence on individuals as well as on societal processes. Moreover, in many cases, there would have been an expansion of the amount of data that was collected per individual, which means these private parties could uncover more individual behavioural patterns, idiosyncrasies, and susceptibilities, which they could, in principle, exploit for their own purposes (e.g., offering targeted, persuasive discount messages at specific times to increase sales). Now, we do not mean to claim that the corporations who facilitated society’s needs during lockdowns, in fact, misused their position. Instead, what we are pointing to is that the shift towards online providers brought with it a shift in informational power, and that this shift in turn has implications for accountability.

Third, our examples would suggest that, in certain contexts and under certain conditions (including people’s health, employment status, social environment, etc.), some (groups of) people would have consented to terms of service they would not have agreed to were it not for the pandemic and the public health response to the pandemic. Moreover, even the people who had consented to the terms of service before the pandemic, may not have anticipated the sheer volume of data and the corresponding behavioural patterns they would share with these parties. This points to difficult questions about the role, value, and voluntariness of (one-time) informed consent in these cases (see, e.g., Andreotta et al., 2022; Gefenas et al., 2022). At the same time, we recognize that, in some instances, for some individuals and for some services, informed consent may sufficiently protect these individuals’ interests. Our aim here is to look at the bigger picture and show that the shifts towards online providers are best seen not as coincidental changes in consumption preferences, but rather as part of a pattern in which private companies essentially assumed or were granted the role of essential service provider (much like power or water suppliers). This wider view has implications for informational power and accountability, which we will discuss below.

To reiterate, the aim here is not to question the legality of the digital services offered by these companies, nor is it to admonish consumers for their choices. Moreover, we do not want to suggest that such incidental surveillance is unable to be justified in general cases, or in specific circumstances. Rather, we want to inquire after the justification for, and societal desirability of the enduring power increases of private parties as a result of increased incidental surveillance resulting from governmental responses to the pandemic. Subsequently, in “Section IV: The need for accountability and oversight”, we aim to initiate a discussion about the increased informational power of these private parties and the duties of governments to provide accountability mechanisms for and oversight over the ways in which this power is wielded. We turn to considerations about private power now.

Section III: Considerations about justifications and private power

From the observations about the increased surveillance by private actors in various domains, a general pattern can be discerned that looks like this. In response to the pandemic, governments implemented liberty-restricting measures in service of public health. These effectively created urgent practical problems in need of solving (e.g., how to continue providing healthcare, education, etc.). Organizations and individuals alike looked for solutions to these problems and found them in existing, tried-and-tested commercially available solutions. Given the urgency of the situation, and the scarcity of non-commercial (e.g., government-run or non-profit) alternatives, the additional data disclosure—insofar as it was explicitly considered—was accepted as a necessity.

What such a stylized narrative about societal dynamics and psychological mechanisms offers is an explanation of the turn of events that led to the increase of incidental surveillance. The fact that organizations and individuals were put in a position in which they had to rapidly find solutions to the practical problems caused by the public health measures, including how to remain economically viable and societally relevant, explains why many organizations opted to outsource the management of remote communication and collaboration tools to experienced commercial parties, and why employees of these organizations in turn had little choice but to disclose data to these commercial parties. It also suggests that the limitations that lockdown measures placed on people’s liberty to choose leisure activities (e.g., to meet with friends and family, to visit the cinema, to go to concerts or sporting events, etc.), explains, at least in part, their decision to use certain entertainment and retail services.Footnote 13

Now, it may be that better, more nuanced explanations for the rise of incidental surveillance can be thought of, but that is beside the point. What we want to draw attention to is that having an explanation of a phenomenon does not mean the phenomenon is justified (cf. Nelson, 1986). That is, even if an account of the dynamics between public and private entities against a backdrop of existing societal structures helps provide an understanding of why things happened in the way they did, it may still be asked, from a normative standpoint, whether they should have.

More concretely, this means that even if a plausible explanation can be given of why governments allowed private actors to increase incidental surveillance in return for the use of services and infrastructure (e.g., an explanation in terms of expediency), it may be questioned whether this was the right trade-off to make. This is of course not to say that a justificatory story cannot be given, but rather to point out that thus far it has not been provided explicitly.

What governments have given are justificatory accounts of the instigating public health measures themselves; mostly in terms of the protection of public health and the principle of solidarity (e.g., Moss & Sandbakken, 2021; Pattyn et al., 2021). But this is only part of the story needed to justify incidental surveillance. First, as emphasized before, the surveillance we are interested in here is incidental to the COVID-19 pandemic public health measures. While direct pandemic surveillance is potentially justifiable by reference to public health reasons, the incidental surveillance is not necessarily nor immediately justified by the same public health reasons. If a person’s personal movements and behaviours need to be known as part of contact tracing, that reason does not justify the surveillance of one’s entertainment habits in order to increase company profits. That is, direct COVID-19 surveillance makes its justifications by reference to public health, whereas indirect surveillance of one’s entertainment choices makes its justifications by reference to a company’s responsibility to shareholders, stakeholders, or the like. The two justifications differ, and in this case, differ significantly.

A second part of this story is whether, from a normative point of view, the particular surveillance actors should have the authority to conduct such surveillance. Government surveillance, insofar as it can be justified, is typically justified by reference to the social contract and the responsibility of governments to provide security to its citizens.Footnote 14 In contrast, another mechanism must be found that grants private actors the authority to engage in such incidental surveillance. One such mechanism is that the subjects of surveillance have consented to surveillance, but as we already mentioned, when people are prohibited from leaving their homes but expected to work from home, keep the household running, and facilitate the remote schooling of children, it may be questioned whether consent to the various online services was informed and given voluntarily. Our more general point here, however, is that it needs to be critically assessed whether private companies’ authority to conduct incidental surveillance was justified.Footnote 15

Furthermore, it is important to note that increases of incidental surveillance by private actors cannot be justified by governments by appealing to necessity. After all, as certain subgroups of the population may attest (e.g., certain pensioners), it is possible, under favourable conditions—financial, social, and otherwise—to stay at home and practice social distancing for the sake of solidarity and the promotion of public health without being the subjects of direct or incidental surveillance. Moreover, it would have been possible for governments to offer financial compensation to organizations who deployed non-commercial communication tools, or for supranational institutions like the European Commission to instantiate non-profit, privacy-preserving communication platforms.Footnote 16 Had they done so, the situation may have been different. Since governments did take precautions to minimize governmental surveillance, the onus lies with them to justify why they have not taken additional steps to protect their citizens from increased incidental surveillance by private actors as a result of the lockdown measures they implemented.

These justificatory discussions matter due to the informational power that private companies have as a result of incidental surveillance. While the information gathered in this incidental surveillance varies in content and degree of ethical significance—after all, healthcare data gathered from telemedicine is of a different kind to the data that entertainment companies collect—they are all ethically relevant because of the informational power they grant the respective private actors. That is, the information arising from incidental surveillance, including the information emerging from aggregation and analysis,Footnote 17 places these private parties in privileged positions from which they can help or harm individuals, and support or disrupt societal structures.

In relation to the individual, consider again incidental surveillance arising in the workplace. By tracking their online activities (e.g., the duration of their use of Microsoft Word, Excel, and Teams), an employer may now be able to put pressure on an employee to work longer hours, or engage in a wider range of tasks because they know more about the employee’s working habits. Vice versa, the employer could also use their gained informational power to assess which employees seem overburdened or have an unevenly distributed workload.

In relation to society more broadly, the informational power that corporations gained typically manifests itself as derived economic and market powers. The market value of remote entertainment providers, for example, rose during the first two years of the COVID-19 pandemic not only because there were more customers buying access to their services and products. These company’s market value is derived, in part, from the fact that they gather large amounts of information on user habits, which they aggregate and analyse to glean potential insights into users and products that they can then monetize. The informational power derived from incidental surveillance thus leads to increased economic power. But note that behavioural analyses of user data can serve other derived purposes too, as illustrated by various cases in which surveillance data arising from entertainment services, specifically social media, were used for political purposes or ends (for an example, see the discussion of the Cambridge Analytica scandal in the next section). Because surveillance information can serve different purposes (Henschke, 2017), it grants informational power across a range of spheres of influence.

The overall point of this section is to show that justifications matter. The rise of incidental surveillance during the COVID-19 pandemic has led to a shift in, and increase in, private informational power. While the collection and use of surveillance information might be justifiable, different justifications may be needed depending on who is performing the surveillance and why. To look to government use of surveillance information as being justified by reference to public health reasons is not enough. Incidental surveillance by private actors requires a different set of justifications. The implications of changing informational power and the need to justify it in relation to incidental surveillance are discussed in the final section of this paper.

Section IV: The need for accountability and oversight

This brings us to the final aim of this paper, namely to examine the governance implications of the increased reliance on private actors for providing and maintaining certain infrastructure and services, and the de facto increase in incidental surveillance by private actors. Supposing that our claims are true, what is in the balance, and how do we, as a society, want to proceed?

A first observation is that what we refer to as “incidental surveillance” is by no means “accidental surveillance”. As surveillance scholars have pointed out, controlling the flow of information is increasingly important in our current economic system to gain power over people and institutions, and to direct behaviour (surveillance capitalism; e.g., Zuboff, 2019; Henschke, 2022). Seen in this light, the increase of surveillance by private actors that we describe is not mere happenstance resulting purely from the turmoil of the pandemic. Nor, on this perspective, should the absence of non-commercial digital infrastructures and government-run communication platforms be considered an unfortunate contingency.Footnote 18 Rather, there are major political and economic forces at play, including neoliberalist ideals about deregulated, free markets and small governments, that work in concert towards the transfer of informational power from governments to a relatively small number of public and private entities. This process, which Henschke (2022) has called the “oligopologisation” of informational power, diffuses informational power and thereby weakens the position of governments.

Whether such a development in itself should be deemed problematic is contestable, with the debate involving a multitude of nationally and culturally dependent considerations, including the current form of government, the level of political trust, the presence (or absence) of privacy-related legislation, and the extent to which citizens can exercise their human rights.Footnote 19 It is worth noting, therefore, that making claims in favour of one direction or the other is beyond the scope of this paper. Rather, what we wish to emphasize here is the more general point that informational power, when left unchecked, can have severely negative consequences for society, for example by disrupting the relations between citizens and state (cf. Henschke, 2022).

As an illustration, consider the way in which Cambridge Analytica, a daughter company of the SCL group, used the informational power they had gained by illicitly scraping people’s Facebook data to influence the 2016 U.S. presidential election (Isaak & Hanna, 2018). Or consider the role social media played in targeting individuals with propaganda and “fake news” that led to the 2021 U.S. capitol riots (Riley, 2022). Or, to give a slightly different example, consider how the lack of transparency (“opaqueness”) inherent in bulk data collection and subsequent algorithmic processing by private parties have led to citizens being unfairly disadvantaged by automated decision making without the opportunity to inspect and appeal the underlying reasoning (e.g., Ferrer et al., 2021; Obermeyer et al., 2019; see also Robbins & Henschke, 2017).

This leads to a second observation, which is related to but distinct from the first, namely that power requires accountability and oversight. As noted in “Section I: Terms and concepts”, accountability is more encompassing than oversight. Whereas oversight is concerned with the review and evaluation of selected activities, accountability involves an “account giver” offering an explanation for their activities, and a particular forum passing judgment on that explanation (and potentially bringing about consequences if the explanation is not deemed to be sufficient).

In liberal democracies, it is generally held that states need to have processes that ensure protection from authoritarianism and assure the public of these protections (Robbins & Henschke, 2017). In the context of surveillance, this means that governmental agencies in liberal democracies that engage in bulk data collection must both ensure that such data collection is justified, and offer the public justifications for this to assure the public that the data collection is done in a way that is best practice.Footnote 20 One partial explanation for this is the social contract—in recognition of the power that the state has over its citizens, governments owe those citizens mechanisms to ensure and assure that such power is used appropriately. That is, mechanisms of accountability are necessary for the social contract to remain valid. As Iyad Rahwan notes, modern forms of the social contract follow Jean Jac Rousseau, in which “the sovereign implements the general will… of the people, and is held in some way accountable for violations of fundamental rights” (author's original emphasis; Rahwan, 2018, p. 8). The particular mechanisms that ensure accountability will differ, but regular, open, free, and fair elections are one obvious mechanism to ensure such accountability.Footnote 21

For those less convinced of the social contract, accountability can also be expounded in terms of power and fairness. If one party has power over another, then it is simply in the interests of the other party to know how that power is being wielded and why. Either way, liberal democracies devote significant resources to ensuring and assuring their citizens that power is not being abused. To this end, typical governmental surveillance is subject to significant formal processes of oversight and accountability (Lester, 2015). Moreover, there are a range of informal social norms that can, and should be, inculcated in governmental surveillance practices to ensure they are justified and proportionate to those justifications (Henschke, 2018, 2021).

While there are major national differences in how accountability for surveillance activities is regulated and enforced, and these mechanisms have frequently been found inefficient or malfunctioning (cf. Gill, 2020), there does seem to be a systematic difference in how governmental agencies are held accountable compared to private actors. State intelligence agencies, for example, are typically subject to significantly more stringent constraints than private information companies (Henschke, 2022; Lester, 2015).

Private actors, in contrast, are typically (and historically) left free to significant extents to pursue their economic ends, including mining and selling various forms of data, provided they have the consent of their customers and stay within the boundaries of the (locally applicable) law. This is especially true in non-European countries like the United States, where there is no unified data protection regulation in place and data protection is regulated differently for public and private entities (Levin & Nicholson, 2005).

Such regulatory differences between the public and private spheres can, in general terms, be traced to governmental commitments of non-interference aimed at limiting the influence of the state on both individual lives (i.e., negative obligations to refrain from infringing on human rights) and market dynamics (i.e., commitments to open, competitive markets in which the laws of supply and demand operate with no or limited governmental intervention). These commitments essentially pull in different directions: on the one hand, commitments to non-interference in people’s personal lives pull in the direction of creating accountability structures that protect individuals from undue interference by public actors; on the other hand, commitments to non-interference in the marketplace pulls in the direction of letting private actors in their respective markets regulate themselves.

In recent years, following economic and financial crises, and in response to digital innovations, many democratic states have come to realize that some degree of market regulation is needed for most markets for them to function properly and to protect consumers from various malpractices (Cafaggi & Renda, 2012). However, the degree to which such protections are offered in different legal contexts varies substantially, and frequently, developments in the direction of governmental market regulation are actively opposed by corporate lobby groups and free market advocates who favour self- and co-regulatory solutions (Saurwein, 2011). As a result, even in the EU, which has some of the strongest consumer protection laws like the General Data Protection Act (GDPR), the Digital Services Act (DSA) and the Digital Markets Act (DMA), there remain asymmetries between how public and private actors are regulated.

In the context of the COVID-19 pandemic, regulatory asymmetries could be observed between, on the one hand, governmental agencies who engaged in direct COVID-19-related surveillance, and, on the other hand, private parties who increased their surveillance as a result of COVID-19 public health measures. Most liberal democratic states placed limitations on the various government departments that could access pandemic surveillance data. For instance, in Australia, police were prevented from accessing QR code check-in data for non-COVID-19 surveillance purposes (Greenleaf & Kemp, 2021). These efforts were recognised and responded to by actors like the Australian Information Commissioner, and various state law makers, who suggested more active oversight and accountability in relation to direct COVID-19 surveillance. In the Netherlands, temporary legislation was drafted to provide a legal basis for the use of the national contact tracing app “CoronaMelder”, appoint oversight bodies and stipulate explicit limitations to data collection and data use. In contrast, the private companies who engaged in incidental surveillance were by and large allowed to increase their surveillance without any comparable changes in accountability or oversight.Footnote 22

There is reason, however, to question whether this difference should be upheld in relation to the large tech companies that we are considering. As was underlined by the COVID-19 pandemic, private digital infrastructure and services have become critical for facilitating processes that sustain the functioning of society (cf. Aradau, 2010). Institutions and individuals became increasingly dependent on that infrastructure and the provision of those services, to the point that they would be at a considerable disadvantage if they did not have access to them. Functionally, then, the private actors responsible for maintaining the relevant infrastructure and digital services acted as essential service providers, comparable to governmental agencies responsible for water and wastewater management, energy provision, public transportation, and public infrastructure.Footnote 23

This essential services perspective suggests that the de facto dependency between states and these digital service providers is not an informal and non-committal relationship, but resembles a public–private partnership (Pongsiri, 2002). This indicates that these service providers, in certain contexts and under specific conditions, have responsibilities to ensure that the use of these services is attainable for all who wish to make use of them, that the services are of a certain quality, and that the infrastructure and services are reliably available. Vice versa, it implies that governments have duties to the public to ensure that these private actors indeed deliver the critical services and maintain the infrastructure. Importantly, it also suggests that governments have a role to play in regulating and providing oversight over the surveillance activities of these actors to secure and protect the privacy of all citizens, including those who have no choice but to rely on these services.

Based on this perspective, we submit as a guiding principle that the corporations providing essential services should at least be held to same standards of oversight and accountability as comparable governmental agencies that are tasked with surveillance, especially in times of crisis. Certainly, the bodies responsible for oversight may be different, and the details of the accountability processes for public or private actors could come apart, but the level of protection offered to individuals should, in principle, be comparable.

This suggestion entails challenging conceptual and practical matters that will need to be addressed, most likely in national or supranational contexts, including determining which private parties could reasonably be said to function as essential service providers, what governmental bodies or independent institutions would be most suitable to be tasked with oversight, and what accountability structures would be appropriate in a given context.Footnote 24 Drawing a parallel with the structures that are applicable in the public domain, these accountability structures would, in broad terms, need to ensure that the increased informational power stemming from incidental surveillance is either justified by a non-public health reason or limited when those justifications are no longer compelling. Moreover, the accountability structures would need to assure account keepers and other relevant stakeholders that any such changes meet societal standards.

Though the specific characteristics of the different contexts and the different legal systems which govern those contexts will co-determine which accountability structures are appropriate, options include instantiating more extensive (algorithmic) transparency obligations, mandating opt-in rather than opt-out policies for data use and resale, prescribing accessible review and complaint procedures, and strengthening possibilities for sanctions and remedial action. Other possibilities include directives to limit the for-profit use and resale of data profiles that were created during public health emergency measures such as lockdowns, or to require service providers to ask people who subscribed to an online service during a lockdown to reconfirm their consent after the lockdown ended. More stringent reporting, monitoring and documentation requirements could also be considered.

For guidance, it will be instructive to review the “Guiding Principles on Business and Human Rights (UNGPs),” endorsed in 2011 by the UN Human Rights Council, which outline the corporate responsibilities businesses have to protect human rights (including the right to privacy).Footnote 25 Another relevant development in this space is the European Commission’s proposal for a Corporate Sustainability Due Diligence Directive (CSDDD), which aims to require EU companies and non-EU companies operating in the EU to establish due diligence procedures to address potential adverse impacts of their actions–as well as the actions of their subsidiaries and business partners located in and outside of the EU–on human rights. At present, the directive is under negotiation, but if this directive comes into effect, it will strengthen corporate accountability for human rights, including privacy, in the EU and beyond. Moreover, if adopted, the directive may set a precedent for other countries as well to create a legal basis for more corporate accountability.

Given the complexities involved, there is a clear need for further research and broad legislative debate about incidental surveillance and its implications for society. Our contribution has been (1) to foreground the phenomenon itself, (2) show that justifications have so far been lacking for the resulting increase in surveillance, and, (3) through an argument of consistency, suggest that the private parties who functionally fulfill a role akin to a public service provider–at least during public health emergencies–may need to be subjected to accountability structures and oversight mechanisms on par with those applicable to public actors engaging in surveillance.

Conclusions

As we have discussed, the COVID-19 pandemic has given rise to a special situation in which certain surveillance practices, including the sharing and analysing of Google location data and cell tower information, were deemed necessary for reasons of public health. Many people accepted surveillance due to the real and significant risks faced by individuals, communities, and indeed governments, by COVID-19. However, as we have argued, the surveillance that arose incidentally to the public health measures is not automatically justified by the same justifications. To reiterate, the point is not that no such justifications could be given, but rather that important work remains to be done with regard to assessing, with respect to specific legal and societal contexts, the desirability and permissibility of the shifts in informational power we have identified.

Of course, if it turns out that the increased incidental surveillance cannot be (wholly) justified, there will be difficult practical issues to resolve, for example about developing alternative revenue models for the corporations that provide critical infrastructure but currently rely predominantly on data mining to remain financially solvent.Footnote 26 Alternatively, if political choices are made to shift certain responsibilities to public agencies, there may be issues concerned with the design, development, and maintenance of large-scale, privacy-preserving alternative services in the public domain. But the prospect of having to deal with these complex challenges should not deter from having a public debate about the desirability of having the critical digital services and infrastructure that individuals and institutions are required to rely on be paid for with the private and personal data of citizens.

Relatedly, and much along the same lines, we have argued that, given the increased informational power that private actors have in fact accrued as a result of the public health measures instituted and enforced by governments around the world, there is an increased need for oversight and for mechanisms for holding these private actors accountable for the way they collect, process, and potentially monetize the data flowing from their surveillance practices. With confidence among experts growing that zoonotic viruses like SARS-CoV-2 will be among us for years to come, and that lockdowns and isolation measures will remain effective public health interventions when new disease outbreaks occur, the time for the debate about incidental surveillance is now.

Finally, we suggest that our paper has implications that are wider than the context of COVID-19, or even public health responses more generally. As the internet has generally made us more dependent on information and communications infrastructures, and private actors are in fact essential for maintaining those infrastructures and for providing (or preventing) access to crucial digital services on top of those infrastructures, questions about oversight and corporate accountability are becoming increasingly urgent. In order to ensure and assure that the increased informational power by private actors is not abused, we must be vigilant in checking and assessing the justifications for such power.