Contact-tracing approaches diverge worldwide
As governments and people across the world seek an exit strategy to coronavirus lockdown, contact-tracing apps have been touted as a powerful tool – but data privacy concerns have led to differing approaches by health authorities.
A hotly contested debate is about whether to use decentralised or centralised apps – the latter of which involves the creation of centralised databases, causing privacy advocates to raise concerns about data breaches and the purposes for which such a database could be used.
Apple and Google have teamed up to offer a decentralised approach in which data is stored on users’ phones, but the UK’s NHSX – the health service’s digital unit – has opted for a centralised approach. Both solutions face questions over their efficacy.
On 24 April, UK health officials said they had “prioritised security and privacy” throughout the app's development. But a few days later, 170 scientists and researchers working in information security and privacy signed a letter outlining their concerns that the app could be subject to “mission creep” – such as being used as a surveillance tool once the pandemic has died down.
The UK’s decision to adopt its own centralised approach – as well as how such an approach would work with other countries’ apps – came under scrutiny at a parliamentary committee meeting on Monday.
Legislators challenged Michael Gould, chief executive of NHSX, on the centralised system’s inability to interoperate with other systems and highlighted this as a particular concern for Northern Ireland – part of the UK – and the Republic of Ireland, which is expected to roll out a decentralised system.
Despite Gould’s assurances that his team “has put privacy right at the heart of how the app works”, he said that there is no guarantee or legislative guidance ensuring the data sent to NHSX will be eventually deleted. “It can be retained for research in the public interest or by the NHS for planning and delivering services, obviously in line with the law,” he said.
Google and Apple said they have put user privacy at the “forefront” of their app’s design and have established strict guidelines to ensure that privacy is safeguarded. The tech giants said in draft documentation for their “Exposure Notification system” that the decision to use the app will rest with the user and can be turned off at any time.
They also said that the app does not collect location data and does not share identities with other app users or Apple and Google. The companies said users will control all the data they want to share. In addition, people who test positive are not identified by the system to other users, or to Apple or Google, and that access to the technology will be granted only to public health authorities, the companies said.
Approaches
Wojciech Wiewiórowski, the European Data Protection Supervisor, said on 27 April in response to questions from the French Committee for European Affairs that contact-tracing applications being considered in individual member states are primarily governed by the GDPR, and the ePrivacy Directive and its implementing national legislation.
“As the virus knows no borders, the need to ensure a pan-European approach is clear. As a matter of fact, it was the EDPS who first publicly called for such a pan-European approach in relation to contact tracing applications.”
Reuters reported that Germany will adopt a decentralised approach to digital contact tracing, abandoning a home-grown alternative that would have given health authorities central control over tracing data.
Australia’s CovidSafe app encrypts the information it gathers and that encrypted identifier is stored securely on users’ phones. The contact information stored is deleted every 21 days, the government’s health ministry said. It added that this period takes into account the covid-19 incubation period and the time it takes to get tested.
And last Thursday, South Korea reported no new cases – the first time since 18 February. This success has been attributed to the country’s comprehensive contact tracing; the South Korean government said it was able to “flatten the curve” without resorting to curbing individual freedoms. News reports suggested that by using GPS phone tracking, CCTV and credit card transaction monitoring, the country’s comprehensive universal contact tracing strategy sent automated alerts to people who may have been exposed to covid-19 via text message.
Protections
Michael Veale, a digital rights lecturer at University College London, told the UK’s Joint Committee on Human Rights that in a decentralised approach, “slightly more data needs to be transferred around the system” but that an advantage of such a system is that it helps prevent “mission creep”. Veale said that “because everything is created and stored on individual’s phones, you can audit what is happening on them. No change can happen behind the scenes that you might not be aware of. It does not leave a central database that can be hacked. That is a positive benefit.”
Veale also noted another important issue when considering centralised and decentralised systems, saying “they do not play well with each other across borders. You cannot make them work together without the worst of both worlds. Really undesirable things happen when you interoperate them, or try to.”
He highlighted the example of the Republic of Ireland, which has announced that it will use a decentralised system, “so there will be questions of interoperability [with the UK’s approach], as well as across Europe”. Veale said that Apple and Google have been inspired by his DP-3T system, “which is a decentralised way of doing contact tracing with the same benefits and goals as a centralised model but with the benefit that you have not created a centralised database of sensitive data, so we expect that to be the case more widely.”
Ursula Pachl, deputy director-general of European consumer rights organisation BEUC, told GDR that despite governments across Europe pinning their hopes on contact-tracing apps to facilitate the end of lockdowns, “it is important to understand what apps and mobile data can and cannot do for covid-19 mitigation”.
For example, contact-tracing apps may not be able to distinguish between high-risk contacts such as family members, and low-risk contacts such as people passing each other on the street, she said. They may also not be able to identify whether individuals are wearing masks during encounters. “Thus, information might be incorrect and have little value for covid-19 management,” Pachl said.
She said governments must thoroughly and independently assess the necessity and effectiveness of contact-tracing apps and be clear about what can be expected from using these tools.
Pachl said that covid-19 tracing apps must comply with the GDPR, ePrivacy Directive and the recommendations of the European data protection authorities and should only be used on a voluntary and temporary basis.
“Consumer privacy and public health must go hand in hand. Given the sensitivity and quantities of the generated data, the risks of cyberattacks will be high. People will only use these apps if they can trust that they are safe to use. It would be particularly damaging for this trust if governments would recommend consumers download apps which might turn out to be unsafe.”
Estelle Massé, senior policy analyst at digital rights organisation Access Now, told GDR that contact-tracing apps, whether decentralised or centralised, create inherent privacy and data protection risks given the underlying data collection and tracking of people needed for them to function.
“If governments decide to use digital contact tracing apps, decentralised protocols offer greater privacy protections than centralised ones, in particular because a centralised system creates higher risks of identification of users and could make apps users more vulnerable to targeting,” Massé said.
She said that apps must use an open-source, decentralised model to ensure audits are possible, and added that the apps should be voluntary and limited to the time of the pandemic. “If this is not the case, and without additional clear limitations on use, access to data, and time-limit, the apps and data collected could be repurposed and used to track people.”
Massé noted that many EU countries – having publicly debated the use of these apps – are now deciding to rely on voluntary apps based on decentralised models. These are “positive steps”, though users would benefit from greater debate on the need for these apps prior to their development and roll-out, Massé said.