Digital contact tracing is a vital tool in fighting the spread of the COVID-19 virus. The countries that have implemented the earliest and most aggressive measures tend to be the ones that have seen the most manageable infection curves. However, there is one major competing interest: privacy. While most people would probably not object to phone location data being traced solely for the purposes of tracking infection, there is widespread concern that temporary safety measures will turn into permanent tools of mass surveillance. Some countries are also making more personal data public than people are comfortable with. To address these concerns while keeping this useful tool at hand, developers around the world have turned their attention to privacy-focused contact tracing apps.
Can contact tracing apps really preserve privacy?
A number of countries around the world believe that large scale tracing can be done while assuaging privacy concerns, and have contact tracing apps in the works that have various data safeguards built in. These efforts tend to be taking place in nations that already have strong data privacy protection laws in place: EU countries that fall under the purview of the GDPR, Singapore, and even the United States (which has California’s strong state laws to consider even though a federal bill has yet to emerge).
In Europe, a coalition of eight countries is working on contact tracing apps and a protocol to track the spread that complies with the data protection standards of the GDPR. Most of the countries involved are actively developing one or two of these contact tracing apps, either through a private company or in partnership with the national government. The center of this effort is the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project, which is focusing on a Bluetooth-based approach that sends out automatic notifications to anyone in contact with a known infected person.
PEPP-PT would develop a central privacy standard that individual countries could then implement in their own contact tracing apps. The standard would mandate that location and movement data are not stored, that contact information is limited to the use of Bluetooth for individual notifications, and that end user devices cannot be individually identified. Users running the apps would be issued a temporary and locally encrypted ID that cannot be connected to their personal contact information. When a physician diagnoses someone with coronavirus, they would ask that the person voluntarily transfer their ID and contact list to the contact tracing apps’ central server. The PEPP-PT standard would allow the apps to hand off health data for tracking across national borders within the EU.
The PEPP-PT effort is also being funded with individual donations rather than contributions from any EU nation or private company, in a bid to eliminate concerns about who is funding and controlling the effort to stop the spread of the virus.
The United Kingdom has announced its own contact tracing app, which will be handled by the NHS and is expected to be available within weeks. This app would function in a similar manner, using bluetooth to trace contacts and send automatic notifications. However, NHS scientists are pushing for the inclusion of QR codes and GPS data to improve tracking range.
In the United States, researchers at the Massachusetts Institute of Technology recently debuted an app called Private Kit: Safe Paths. Once installed, the app logs user locations every five minutes for a period of 28 days. As with the PEPP-PT standard, a user diagnosed with coronavirus would have to voluntarily turn over this anonymized data for it to be used in contact tracking. The US government does not currently have any involvement with this app, but the MIT team is in talks with both a number of American cities and foreign nations.
Lessons to build on from Asia
A number of countries in Asia are among those that are handling the pandemic with the fewest fatalities, treatment issues and disruptions to daily life. That is no doubt owed in part to a sense of urgency and increased preparedness due to prior bouts with SARS and H1N1 in recent years.
But it also has a lot to do with contact tracing apps. In China, these measures are easier to implement because the concept of personal privacy was effectively dispensed with at the institutional level long prior to the coronavirus crisis. In democratic countries in the region, acceptance of these phone apps is due more to higher levels of social cohesion and trust in the central government, in addition to prior experience with similar outbreaks.
One example is Singapore’s TraceTogether program, which has essentially provided the template that some of the aforementioned Western contact tracing apps are building from. The app is voluntarily installed, and those infected with COVID-19 voluntarily provide their personal information after receiving a diagnosis. Public consent to and participation in measures such as TraceTogether has been naturally easier to obtain in a country of about 5.6 million people located on an island of about 278.6 square miles. Places like the U.S. and EU present an entirely different socio-political challenge.
Voluntary adoption is critical
As the more successful programs in Asia demonstrate, it takes either widespread voluntary adoption or strict authoritarian crackdown for these measures to work. The latter is highly unlikely in Europe and the US, but the former is a tall order when trust in the government is low.
Regardless of how the government packages it, the implementation of contact tracing apps leans on elements of end user compliance that are very difficult to police. At least half of the population needs to install the relevant app, carry their phone everywhere and have it on all the time, and self-report to health authorities after a diagnosis. Just getting a diagnosis is still a major challenge in many areas with a continuing shortage of tests. The Bluetooth method also has to contend with inherent connectivity issues in public places.
As far as privacy concerns go, the Imperial College of London has proposed a standard of eight points by which to judge the level of appropriateness of proposed contact tracing apps. As these apps roll out, Privacy International is tracking them and publishing responses.