Privacy Must Come First with COVID-19 Contact Tracing Technology, Warn Scientists

One measure that can be used in the fight against COVID-19 that has been attracting a great deal of worldwide attention in recent weeks is contact tracing apps. These apps allow individuals to be notified if they have come into contact with someone that has been diagnosed with COVID-19 and may have contracted the disease.

Both Google and Apple have announced they are developing contact-tracing technology for Android and iOS devices and by mid-May they will provide APIs to public health agencies to allow contact tracing apps to be developed on both of their platforms.

The contact-tracing functionality will be provided using Bluetooth technology. When someone with the contact-tracing app comes within a certain range of another person who has opted in, a unique code will be exchanged between the users’ devices. If one of those users is later diagnosed with COVID-19, a notification will be generated and sent to the other users’ app, and to any other individuals that have come within a preset range of the infected person– 6 feet for example.

There are certainly benefits to the apps, but in order to achieve their aims, a large percentage of the population need to download the apps onto their smartphones, and those individuals will then need to go into self-isolation if they are at risk of having contracted COVID-19.

One major problem with the apps is privacy. If an app is being used to track large numbers of individuals, there is considerable potential for user data to be used for other purposes. In order to get the numbers of people using the apps to make them effective, people must be sure that their data will be secured and they will also need to trust the developer of the app not to use personal data for purposes other than contact tracing to control the spread of COVID-19.

The privacy concerns associated with the apps have been raised by more than 300 of the world’s leading scientists in an open letter. The scientists accept that the apps are important in the fight against COVID-19, but the privacy risks cannot be ignored. “The current COVID-19 crisis is unprecedented, and we need innovative ways of coming out of the current lockdowns,” explained the scientists in the letter.  “However, we are concerned that some ‘solutions’ to the crisis may, via mission creep, result in systems which would allow unprecedented surveillance of society at large.” To reduce risk, the scientists suggest four principles that must be adopted by developers of these apps.

First, the apps should only be used for the purpose of supporting public health measures to contain COVID-19. The apps should only collect the minimum necessary information to achieve that purpose. They should not collect, process, or transmit any other data.

Second, all apps must be totally transparent and all protocols, components, and sub-components must be made available for public analysis. It must be made clear what data is collected, processed, and stored, and for how long data will be retained.

Third, if there are multiple options available to implement a component or functionality, the most privacy-preserving option should be chosen, unless an alternative option must be implemented to allow the app to achieve its purpose more effectively. In such cases, the decision must be clearly justified with sunset provisions.

Finally, use of the app must be voluntary and clear and explicit consent should be obtained from users. Further, when the COVID-19 crisis comes to an end, all data collected through the apps must be deleted.

The scientists also warn against the use of GPS for determining the location of individuals and state that Bluetooth must be used. Not only does GPS lack accuracy, GPS data is sent to a central location which could place the privacy of users at risk.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.