Listening to Control? AI, Biosecurity, and the New Limits of Physiological Surveillance

At first glance, artificial intelligence applied to cough analysis seems like a discreet medical innovation. A mobile phone records a sound. An algorithm identifies acoustic patterns. The system estimates whether there is a respiratory risk. The result can help a person seek care, support remote triage, or improve epidemiological surveillance.

But the bioethical question begins precisely where the technological narrative ends. The relevant question is no longer simply whether a cough can indicate illness. It is about who can hear it, interpret it, store it, and act upon it.

Coughing ceases to be merely a clinical symptom and becomes a digital biomarker, that is, an involuntary bodily signal that can be captured, classified, and used institutionally. This transformation is especially sensitive when it leaves the voluntary clinical context and enters spaces of power: governments, defense agencies, security services, airports, schools, factories, hospitals, prisons, critical infrastructure, or labor relations.

The case of Swaasa AI is illustrative. In a study published in Scientific Reports , the platform was used for COVID-19 screening through cough sounds and symptoms, with high sensitivity but more moderate specificity; this reinforces the idea that these systems should be understood as probabilistic screening tools, not as conclusive diagnoses (Pentakota et al., 2023). (Nature )

The problem is not with prudent clinical use. It's with the insurance-related transposition.

It's one thing for a patient to voluntarily use an app to decide whether to seek medical advice. It's quite another for a public agency, a company, or a school to use acoustic systems to signal people, manage access, control health risks, or infer physiological vulnerability. At that point, technology ceases to belong solely to medicine. It enters the field of governing bodies.

The interest of security agencies

Defense, intelligence, and security agencies have clear reasons to be interested in these types of technologies. They promise early detection, environmental monitoring, protection of operational forces, assessment of biological threats, outbreak response, and mission continuity in critical contexts.

In the United States, this convergence between AI and security is already explicitly acknowledged. The Department of Homeland Security published an AI Roadmap in 2024 to guide the use of AI in its missions, while simultaneously affirming the need to protect privacy, civil rights, and civil liberties. The Department of Defense also has a responsible AI strategy, based on the integration of ethical principles, institutional trust, and governance of the systems' lifecycle. NIST, in turn, published the AI Risk Management Framework , designed to help organizations manage AI risks for individuals, organizations, and society.

This means the problem is no longer futuristic. AI is being integrated into the heart of public safety, defense, intelligence, and risk management. The question is whether physiological signals—cough, voice, breathing, fatigue, gait, temperature, sleep patterns, or stress—can be treated as simple operational data.

The bioethical response must be negative.

Physiological signals are not trivial data. When analyzed to infer disease, frailty, fitness, or risk, they become health data or, at least, data capable of generating health inferences. The World Health Organization emphasizes that AI in health must protect autonomy, well-being, transparency, accountability, inclusion, and sustainability (WHO, 2021). Its guidelines on public health surveillance also recognize that surveillance may be necessary, but must be accompanied by robust ethical safeguards (WHO, 2017).

The risk lies in functional expansion: a system introduced for public health can become a security instrument; a security instrument can become a workplace tool; a workplace tool can become a disciplinary mechanism; a tracking technology can become a permanent infrastructure for physiological surveillance.

From public health to biosecurity.

Public health has always involved some degree of surveillance: disease notification, contact tracing, outbreak investigation, quarantines, epidemiological statistics, and risk monitoring. This is legitimate. Without surveillance, there is no organized health response.

But algorithmic cough analysis shifts the scale of surveillance. Instead of observing confirmed cases, declared symptoms, or population patterns, it allows risk to be inferred from involuntary bodily signals. The boundary shifts from epidemiology to biosecurity.

This change has three consequences.

First , the body begins to produce actionable data without voluntary declaration. The person may not have said they are ill, but the system can infer that they might be.

Secondly , surveillance is no longer solely dependent on medical institutions. It can be operated by employers, schools, technology providers, airport authorities, security forces, or intelligence services.

Third , the decision may cease to be clinical. The outcome may not lead to care, but to exclusion, delay, isolation, loss of shift, further investigation, denial of entry, or institutional suspicion.

This is where bioethics must intervene. The issue is not about banning the technology. It is about preventing its clinical legitimacy from being used as a Trojan horse for security, labor, or political purposes.

The labor problem: consent under dependence.

The workplace is one of the most dangerous environments for this type of technology.

In theory, a company could argue that acoustic cough analysis protects workers, prevents outbreaks, reduces absenteeism, and increases collective safety. In certain high-risk contexts, this concern may be legitimate.

But workplace consent is rarely entirely free. A worker who depends on salary, shift work, contract renewal, or internal evaluation is unlikely to refuse a technology presented as a safety measure. Even when participation is formally voluntary, refusal can be interpreted as a lack of cooperation or a sign of risk.

The European Data Protection Board specifically warns about the fragility of consent in situations of power imbalance, including relationships where the person does not have true freedom of choice.

In a work context, cough analysis can create specific injustices. Workers with asthma, allergies, chronic respiratory diseases, exposure to dust, or infectious sequelae may be flagged repeatedly. Technology can confuse epidemiological risk with occupational condition. Worse: it can transform a problem in the work environment—poor ventilation, dust, chemicals, exhaustion—into an individual problem for the worker.

A factory where many workers cough doesn't necessarily need more acoustic monitoring. It may need better ventilation, respiratory protection, independent occupational medicine, and improved environmental conditions.

Therefore, in a work context, the rule should be restrictive: respiratory data or inferences should not be used for productivity, absenteeism, selection, discipline, progression, insurance, scheduling, or dismissal. Any sanitary use should be exceptional, temporary, justified, supervised by an independent medical authority, and separate from the work hierarchy.

The insurance risk

Use by defense and security agencies raises a second layer of risk.

In a pandemic, at an airport, on a military base, in a prison, at a border, or in critical infrastructure, it may seem reasonable to use AI to detect respiratory symptoms. The argument is strong: protect forces, prevent outbreaks, ensure operational continuity, and stop the spread of biological agents.

But the same infrastructure can be used for other purposes: identifying medical vulnerability, assessing fitness, classifying risk, monitoring groups, controlling access, or collecting strategic information.

Health becomes intelligence.

This risk is especially serious when it comes to high-profile individuals: presidents, ministers, military chiefs, diplomats, business leaders, operational commanders, or those responsible for critical infrastructure. Analysis of coughs, voices, or breathing from public recordings can be used to suggest illness, frailty, or incapacity. Even if the inference is wrong, it can have political, economic, or diplomatic repercussions.

Here, the bioethical issue intersects with national security. A leader's health may have public relevance, but that does not authorize informal biomedical surveillance. The assessment of functional fitness should occur through proper institutional mechanisms, not through opportunistic, media-driven, or adversarial algorithmic analyses.

Speaking in public does not equate to consenting to biomedical analysis of one's voice, cough, or breathing.

A practical matrix for agencies and institutions

A security, defense, public health agency, or large labor organization needs more than just abstract principles. It needs a simple framework to decide what is permissible, what is only permissible under strict conditions, and what should be prohibited.

The proposed matrix is based on five questions:

1. What is the real purpose: care, public health, security, discipline, or intelligence?

2. Does the person participate voluntarily or are they subject to a power dynamic?

3. Does the system identify individuals or only aggregated patterns?

4. What consequence results from the classification?

5. Is there a less intrusive alternative?

From this point, admissibility can be organized into five levels.

This matrix recovers the risk structure already developed in other research, but makes it more operational for internal use in organizations with decision-making power.

The central rule is simple: the further the system moves away from voluntary care and closer to individualized surveillance, the greater the requirement for proof, legitimacy, and control must be.

Minimum internal guide for security agencies

For defense, security, intelligence, public health, or critical entities, the matrix must be translated into internal governance rules. A physiological analysis system should only be authorized if it cumulatively meets the following requirements:

Limited purpose. The system must have a specific, documented, and sanitary purpose. “Safety,” “prevention,” or “efficiency” are categories that are too broad.

Prohibition of functional drift. Data collected for public health should not be reused for intelligence, criminal investigation, immigration, labor discipline, insurance, productivity, or policy evaluation, except under exceptional legal grounds and independent audits.

Separation between health and command. In a military, police, or work context, health issues should be handled through medical or public health channels, not directly through the operational hierarchy.

Technical minimization. Whenever possible, raw audio should not be stored. Processing should be local, temporary, and limited to the necessary inference.

Preference for aggregation. In public or semi-public spaces, the rule should be aggregated and non-identifiable monitoring. Individual identification should be exceptional.

Real human oversight. No restrictive decisions should be made solely by algorithms. The system can provide signals; it shouldn't decide alone.

Right to contest. Anyone affected by a classification should be able to know that it has been reviewed, understand the result, and request a review.

Contextual validation. A model validated in a clinical setting should not be automatically used in factories, airports, military bases, or schools.

Independent audit. The agency or entity must maintain sufficient records for scrutiny, without turning the audit into a new accumulation of sensitive data.

Expiry clause. Exceptional uses in a health emergency must have a defined end. The technology should not remain active due to inertia.

These rules are consistent with the risk management logic advocated by NIST: the risks of AI should be assessed based on their impact on people, organizations, and society, not just on the technical performance of the system.

The crucial question

AI-based cough analysis reveals a broader transformation. Contemporary society no longer collects only administrative, behavioral, or digital data. It is beginning to collect ordinary physiological signals and convert them into actionable information.

Coughing is just the simplest example. The same debate will arise with voice, gait, fatigue, sleep, facial expression, heart rate, temperature, stress, typing patterns, and digital biomarkers of mental health.

The bioethical question must therefore change. It is not enough to ask whether the system works. It is necessary to ask:

What power becomes possible when this works?

If the answer is care, access, prudent screening, and proportionate protection of public health, the technology may be admissible. If the answer is control, discipline, targeted surveillance, exclusion, or biomedical intelligence, the presumption should be inadmissibility.

The future of digital health should not be decided solely by the ability to listen more. It should be decided by the institutional wisdom of knowing when not to listen, when to listen only in a limited way, and when to listen only to care.

References

Amoore, L. (2020). Cloud Ethics: Algorithms and the Attributes of Ourselves and Others . DukeUniversity Press.

Beauchamp, T. L., & Childress, J. F. (2019). Principles of Biomedical Ethics (8th ed.). OxfordUniversity Press.

Department of Defense. (2022). Responsible Artificial Intelligence Strategy and Implementation Pathway . US Department of Defense. ( US Department of War )

Department of Homeland Security. (2024). Artificial Intelligence Roadmap . US Department of Homeland Security. ( Department of Homeland Security )

European Data Protection Board. (2020). Guidelines 05/2020 on consent under Regulation 2016/679 . ( edpb.europa.eu )

Foucault, M. (1978). The History of Sexuality, Volume 1: An Introduction . Pantheon Books.

Gostin, L.O., & Wiley, L.F. (2020). Public Health Law: Power, Duty, Restraint (3rd ed.). University of California Press.

Klingler, C., Silva, D.S., Schuermann, C., Reis, A.A., Saxena, A., & Strech, D. (2017). Ethical issues in public health surveillance: A systematic qualitative review. BMC Public Health , 17, 295.

Lyon, D. (2007). Surveillance Studies: An Overview . Polity Press.

Mittelstadt, B. D., Allo, P., Taddeo, M., Wachter, S., & Floridi, L. (2016). The ethics of algorithms: Mapping the debate. Big Data & Society , 3(2), 1–21.

Nissenbaum, H. (2010). Privacy in Context: Technology, Policy, and the Integrity of Social Life . StanfordUniversity Press.

NIST. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0) . National Institute of Standards and Technology. ( NIST )

Pentakota, P., Rudraraju, G., Sripada, N. R., et al. (2023). Screening COVID-19 by Swaasa AI platform using cough sounds: A cross-sectional study. Scientific Reports , 13, 18284. (Nature )

World Health Organization. (2017). WHO guidelines on ethical issues in public health surveillance . WHO. ( World Health Organization )

World Health Organization. (2021). Ethics and governance of artificial intelligence for health: WHO guidance . WHO.