Data Security In A Time Of Virus Contact Tracing Tools

In an attempt to keep the pandemic under control, more and more countries are turning to contact tracing technology to track people who have tested positive for COVID-19. The objective is to heighten awareness of the virus’ path, effectively minimising potential points of contact and granting citizens the freedom to resume part of their normal routines once restrictions are eased. Yet with this use of technology come privacy concerns that cannot go unaddressed. Where is the line to be drawn before these apps are considered an infringement on data privacy?

A promising alternative to traditional methods

Back on April 29th, Apple and Google released their first versions of the contact-tracing tool set in preparation for the system they launched in mid-May. Google has provided a helpful diagram to explain how this tool works:

Image courtesy of blog.google


This automates a responsibility originally assigned to health workers. The longer the delay between symptom onset and isolation, the harder it is to control exposure. Instantaneous contact alerts allow public health resources to be focused on confirmed cases. 

But this approach necessitates a fine balance between privacy protection and effective application. Northeastern University law professor Woodrow Hartzog believes that addressing privacy concerns is crucial to the success of these apps. While both companies plan to shut down the tool once the pandemic ends, there remains a danger that the anonymous identifier beacons can still be linked to real identities. “It’s absolutely a way to leverage the technology in phones in a way that will benefit public health,” says the privacy and data protection law specialist.

Centralised data collection – effective contact tracing or state surveillance?

The app’s success depends on the willingness of citizens to cooperate. An Ipsos MORI poll suggests that 65% of Britons favour the app over lockdown. This will require governments to ensure that the tool will not, via mission creep, allow for unprecedented surveillance of society. 

So far, companies are unwilling to provide governments access to the data these apps collect. The Centre for American Progress has released a list of recommendations that would make it possible for apps to be built with a maximally privacy-protective approach, the most important of which is transparency.

Apple and Google, as well as privacy campaigners, have pressed public health authorities to adopt a decentralised approach. The two companies have increased privacy protections for the tool by adding encryption and imposing a limit of 30 minutes for possible recorded exposure time for alerts. The Bluetooth contact logs are stored on individual phones rather than central servers, for now.
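To make the decentralised design concrete, here is a simplified model added for illustration; it is not Apple's or Google's code or specification. The HMAC-based beacon derivation, the 10-minute interval and all names are assumptions; only the on-phone contact log and the 30-minute cap come from the description above.

```python
import hashlib
import hmac
import os

INTERVAL_MIN = 10    # assumed lifetime of one rolling beacon, in minutes
ALERT_CAP_MIN = 30   # cap on reported exposure time, as stated in the article


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the anonymous beacon for one interval (HMAC-SHA256 stand-in)."""
    msg = b"beacon" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = os.urandom(16)  # stays on the phone unless the owner tests positive
        self.contact_log = {}            # observed beacon -> minutes nearby; on-device only

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def observe(self, beacon: bytes, minutes: int) -> None:
        self.contact_log[beacon] = self.contact_log.get(beacon, 0) + minutes

    def check_exposure(self, published_keys) -> int:
        """Match locally against keys of diagnosed users; return capped minutes."""
        total = 0
        for key in published_keys:
            for interval in range(24 * 60 // INTERVAL_MIN):
                total += self.contact_log.get(rolling_id(key, interval), 0)
        return min(total, ALERT_CAP_MIN)


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed scenario: Bob is near Alice for five intervals; Carol only meets Bob.
    for interval in range(60, 65):
        bob.observe(alice.broadcast(interval), INTERVAL_MIN)
    carol.observe(bob.broadcast(60), INTERVAL_MIN)
    # Alice tests positive and uploads only her daily key; the server holds no contact logs.
    server_published = [alice.daily_key]
    return bob.check_exposure(server_published), carol.check_exposure(server_published)


if __name__ == "__main__":
    print(simulate())
```

The server in this model only ever receives the daily keys of diagnosed users, so who met whom is computed and kept on each handset.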

It cannot go unsaid that governments will need to overcome these privacy and practical concerns of digital contact tracing. Amongst recommendations, expert opinions, and examples of other countries conducting these initiatives, there is a clear idea of how this can be done. But proper resource allocation and commitment to certain principles are fundamental to its success.

By Nicole Woo