Contact tracing is a key weapon in any global pandemic, and it was only a matter of time before we started harnessing the power of mobile devices and digital technology for that purpose. After all, smartphones are essentially personal surveillance devices that store and provide access to our entire digital footprint, including detailed data of every place we’ve physically been. (If you’re an Android user and you’ve never looked at your Google Maps Timeline, I recommend it – it’s as mind-blowing as it is frightening.)
But while applying those capabilities to contact tracing makes sense, the current heightened awareness of data privacy means that governments that want to mandate contact tracing apps have to (or at least ought to) be sure the apps don’t violate local or international data privacy laws. The trouble is, the mad rush to develop and release apps quickly may result in mistakes that sacrifice both privacy and accuracy.
But it doesn’t have to be that way.
I recently attended a virtual webinar hosted by Straits Interactive in which privacy experts vetted six contact tracing apps currently available in the ASEAN region:
- PeduliLindungi (Indonesia)
- MyTrace (Malaysia)
- StaySafe (Philippines)
- TraceTogether (Singapore)
- MorChana (Thailand)
- BlueZone (Vietnam)
The research focused strictly on the privacy protections of each app, with three specific criteria:
According to the webinar’s panel of experts from Straits Interactive’s Data Protection Excellence (DPEX) Network, only TraceTogether meets all three criteria, despite one small point of confusion about whether the app collects location data (it does – from Bluetooth – but the wording of the privacy notice doesn’t make this 100% clear).
The findings are interesting, but they’re focused on a narrow aspect of the privacy issue: transparency. This is an important aspect, to be sure – it was a blatant lack of transparency that made data collection and privacy a major problem to begin with.
On the other hand, the transparency issue with contact tracing apps extends well beyond users knowing what the app does once it’s on their phone. For example: is the entity collecting the data sticking to its end of the agreement? Is there anything stopping, say, the local health ministry that collects the data from handing it over to law enforcement or intelligence agencies if they ask? And would you be informed in advance and/or asked for permission if they did?
Gauging the trade-offs
Another important question is whether privacy problems outweigh the benefits of automated contact tracing. After all, in the midst of a global pandemic, it’s crucial to track down people who have been in contact with a patient as quickly as possible. Isn’t it worth giving up a little privacy if it means saving lives?
Well, that arguably depends on whether the apps actually make contact tracing easier and more efficient. At the moment, we don’t really know. Anecdotally, reports surfaced last month that while Iceland’s overall contact tracing program had been a success in keeping the spread of COVID-19 under control, the government’s contact tracing app (Rakning C-19) had very little to do with it.
That’s just one app in one country – the experience in other countries will depend on the details of each app. Even so, in the mad rush to stay ahead of COVID-19’s spread, contact tracing apps are being developed and rolled out quickly – and at scale – which means their effectiveness and privacy protections are mostly being tested in the field in real time. False positives are already a problem, and there are questions over things like the quality and governance of the data being collected and the accuracy of Bluetooth’s location tracking abilities (as its range is considerably further than the 1.5 meters typically recommended for social distancing).
So for now, it’s hard to evaluate whether the privacy trade-offs are worth it.
But at least we can track the progress of the apps themselves. MIT Technology Review has launched a Covid Tracing Tracker – a database with information on automated contact tracing apps. The database is updated as new information is available, and covers basic information such as:
- Who produced it?
- What technologies does it use?
- Is it mandatory?
- Is the data collected minimal to serve the app’s functions?
- How will the data be used, and who has access to it?
- How long is the data stored, and what happens to it after that period expires?
- Is the overall process transparent?
Meanwhile, to further address the privacy issues, MIT recently announced a project to develop open-source tools and platforms that it says can help contact tracing apps slow the spread of COVID-19 without sacrificing anyone’s privacy. You can read about them here and here, or check out this video that explains how the system uses Bluetooth “chirps” to locate potentially infected people anonymously.
So we know that it’s at least possible to develop automated contact tracing without sacrificing privacy. It remains to be seen whether governments are interested in adopting such a system.