Contact tracing is a proven way to control the spread of COVID-19 and the idea of using a smartphone-based contact tracing app is gaining traction. As politicians face pressure from citizens who are demanding solutions, an app that can keep track of who’s infected with COVID-19 is being presented as a way for everything to return to normal. But as idyllic as this sounds, the reality is not that simple.
It raises many questions. Can we be sure that an app will slow the spread of the virus? How do we know we can trust the information? What are the larger implications of sharing all that data? To weigh the privacy concerns against public safety, let’s start by looking at both the companies and the countries behind the push towards tracing apps. Then we can consider whether the benefits are worth the risk.
Apple and Google employ some of the brightest minds in the industry. Long-time competitors, the two technology giants have decided to put their differences aside to collaborate on a tracing app for the public good. Since iPhones and Android phones account for close to 100% of all smartphones and smartphone penetration is above 75% in most developed countries, the thinking is that by collaborating, Apple and Google should be able to provide us with a technological solution to help contain COVID-19.
So how would it work? People would download the app and log their status – if and when they come down with coronavirus. Then, using Bluetooth, if someone using the app comes in contact with an infected person, they’d receive an alert. For this to work, users would need the app open and Bluetooth enabled. Also, to be effective, a large number of people would have to commit to using it. In Tomas Pueyo’s “Coronavirus: Learning How to Dance”, he explains the failings of Singapore’s TraceTogether app because of its low uptake. If people don’t trust how their data will be processed, they won’t use the app and it will be valueless.
As with all early-stage projects, the details are lacking right now. Some of the limitations are not even related to the app – a lack of adequate COVID-19 testing would also render the app ineffective. But these limitations will not and should not slow this collaborative effort. In any conceivable future, apps will play a larger role in healthcare. This collaboration between Apple and Google will merely accelerate the trend and help bring forward the important conversation about trust and privacy linked to it.
From what we do know, Bluetooth Low Energy (BLE) would be the root of the system – using short bursts of connectivity rather than continuous transmission. By saving power wherever possible, the hope is for the contact tracing app to work on all smartphones without killing the battery. However, the details of the range and precision of the app are still unclear.
Once you enable the app, you’ll be notified if you came close to someone infected with Covid-19. But what the distance would be, how quickly you’d be notified, and other details will take more time to work out. If you’re interested in understanding the technology’s risks and limitations, I suggest reading “Does Covid-19 Contact Tracing Pose a Privacy Risk?” in Wired.
Virologists believe almost half of all transmissions occur when people are still pre-symptomatic (showing no signs of infection). If this is true, it makes traditional manual methods for tracing ineffective. Several national institutes for public health are collaborating to develop criteria for contact tracing applications that may be more effective.
Norway’s Smittestopp app collects anonymized data about movement patterns, so the Norwegian Institute of Health can monitor who infected people come in contact with and how the virus spreads across society. The app will also send notification alerts to inform individuals if they’ve interacted with someone infected with COVID-19, so they can self-isolate.
The UK, France, Belgium and Germany are also looking at introducing an app for tracing infections. While the NHS has already declined the tech giants’ app, the French data protection authority has released a statement (in French) on what the app should be and do.
These apps are gaining traction because they are seen to benefit researchers, politicians and individuals. Medical researchers can use the data to understand how the virus is spreading. Politicians can use the data to decide how to scale public safety measures. And individuals will feel more comfortable about going out into the world.
While it’s easy to imagine widespread adoption of these apps, the reality may not be straightforward. True, in complying with social distancing orders people have shown they are willing to sacrifice some freedoms for their health. It is reasonable to assume they would be willing to sacrifice some privacy for the sake of their health. But there are reasons to raise some red flags.
Any app would be voluntary, so any lack of trust in the app or misinformation spread about how it uses the data would quickly reduce its uptake and effectiveness. Bad press or trolling of the app could quickly discourage its usage. An app hastily rolled out could have security flaws, which would quickly lead to a loss of trust. False positives could lead to people having to self-isolate needlessly and generate resentment. It would only take a few negative stories before people stop logging on, reducing the app’s effectiveness.
We argue that while many of the technical concerns can be addressed, the success of any tracing app will hinge on how it handles data protection and data privacy concerns. App developers and researchers say that contact-tracing will protect people’s privacy, but we need to believe this. Governments, Google and Apple can state that it’s not some kind of a big brother app and that it will not reveal the user’s identity or location, but they’ll need to be transparent and provide specifics as to how this will be accomplished.
Under the auspices of the GDPR in Europe, there is a legal framework to backstop these concerns. Any of these apps will have to submit data protection impact assessments, and the involvement of the European Data Protection Board and member states’ supervisory authorities in reviewing and approving them can engender trust. But in addition to being thoroughly reviewed, the responses and approval of these assessments should be made publicly available.
Ensuring transparency and accountability through features to protect users’ data will be paramount. Can personal data on a tracing app be completely anonymised? Most likely not.
The tech giants Google and Apple already have access to large amounts of data about each of us – including our location. Linking health data to that creates an additional risk. So as researchers and software engineers scramble to bring these apps to market, they must make sure that data protection and data privacy are fundamental to the design of any of these apps. Whatever privacy is sacrificed today will most likely become part of all future health apps.
Data protection is not just about technology. It’s about business practices and having an organisational framework to ensure data protection is core to what an organisation does. We developed PrivIQ to provide that framework. Protection of individuals’ privacy and personal data is a requisite for any data processing activity. To be successful, any contact tracing app needs to begin with this as one of its first principles.