Scoop has an Ethical Paywall
Licence needed for work use Learn More

News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | Search

 

Privacy And Public Health: The Dos And Don'ts For COVID-19 Contact Tracing Apps

Since late 2019, the world has been fighting the coronavirus disease (COVID-19). In response to the pandemic, governments around the world have been using data and technology in their efforts to contain the spread of the virus. In March, Access Now put forward privacy and data protection recommendations for governments to fight COVID-19 in a rights-respecting manner.

Building on these recommendations, we are now publishing a list of dos and don’ts for privacy-friendly COVID-19 contact tracing apps.

What is contact tracing?

Contact tracing is the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission. Through this process, governments and health workers aim to help limit the spread of a virus, interrupt ongoing transmission, and learn about the pandemic.

Contact tracing has historically been conducted mostly manually by individuals but a large number of apps are currently being developed or are already in use to track the spread of COVID-19.

Is digital contact tracing necessary?

Tracing and tracking inherently lead to some interference with human rights, especially the right to privacy. Any interference with human rights should respect the legal standard of necessity and proportionality, and this applies as well to the development of a contact tracing app.

Advertisement - scroll to continue reading

The Ada Lovelace Institute recently released a report showing there is no clear indication that contact tracing apps will help curb the spread of the virus, based on the evidence available today. There are several issues that make the COVID-19 virus particularly difficult to track and that put in question the efficacy of contact tracing apps for this purpose.

First, the fact that the virus is highly contagious and many people are asymptomatic and therefore do not know they are infected makes it inherently difficult to track, whether or not you use digital technology. But there are also issues specific to the technology that is being used. One of the inventors of the Bluetooth technology that contact tracing apps leverage recently said that the technology is “not very accurate” at judging distance, as it was not built to be used for that purpose. It may actually produce a false “positive” or “negative” indication of contact, since physical proximity as detected over Bluetooth does not mean contact. For instance, you could be living in a building with a very thin wall and the Bluetooth signal of your phone might indicate that you interacted with one of your neighbors, even if you have not been in contact.

Another consideration for evaluating the efficacy of these apps is that many people classified as “high risk” for contracting the virus or experiencing severe health consequences as a result, such as the elderly, people with pre-existing conditions, those with disabilities, or people living in minority and low-income communities, may not own a smartphone or be able to use the application as few of them have been developed with accessibility in mind. That means the data from these apps may exclude information about some of the most important members of the population to track.

Experts from the World Health Organization have further explained that to date, we have only “anecdotal evidence” of the efficacy of contact-tracing apps, which cannot in any case replace manual contact tracing and other traditional public health measures. At best, contact tracing apps can be complementary tools, but given what we know, they should never substitute for the methods of public health experts that allow for guidance by doctors and health care workers for patients and those potentially infected by COVID-19.

Countries that already use app-based contact tracing have not necessarily seen better COVID-19 outcomes. For instance, governments around the world have been praising the work of Singapore in “flattening the curve” of the curve due to the use of the Tracetogether app, neglecting any other measure that the country may have taken. But despite the implementation of the app, last week the country had to extend its lockdown after a surge of new cases.

Even if using a contact tracing app proves beneficial as part of a public health response in one country, it may not work as well in another. The efficacy of such an app will depend on other factors, such as the health measures that a country has already put in place. That includes the number of tests that have been made available or are being conducted. Jason Bay, the product lead for Singapore’s TraceTogether app, recently said “[i]f you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No.”

There is still much we don’t know about this virus and the pandemic is first and foremost a public health issue. While the concept of a “magic” technological solution may be appealing, there is real danger in techno-solutionism that may erode the public’s fragile trust in an evidence-based response to the COVID-19 crisis — and beyond.

As privacy advocates, our aim is to help governments and companies that are considering, developing, or implementing technology for fighting COVID-19, such as contact tracing apps, to do so in a way that will protect people’s rights — now and in the future. Otherwise, we risk this public health crisis becoming a human rights crisis. While we acknowledge that many governments have already decided to use contact tracing apps, we encourage lawmakers across the world to hold public debates as a first step in decision-making, to determine whether the use of such apps is in fact necessary as part of their response.

While it is not clear whether digital contact tracing is effective in fighting COVID-19, what should governments and companies consider if they are developing or deploying apps and APIs?

The list of recommendations below aims to guide decision-makers, developers, and auditors in their evaluation of contact tracing apps. The goal is to ensure that any apps developed or used are as privacy-friendly as possible.

Dos

Do: implement a voluntary use and sunset clause policy

  • The use of contact tracing apps and related technology developed in the context of COVID-19, such as a wearable, must be voluntary.
  • Apps and APIs must have sunset clauses, meaning that they will be removed from phones and app stores and the data deleted as soon as it is no longer necessary for COVID-19 contact tracing, or at minimum, when the crisis is over.

Do: develop or use apps that have privacy, data protection, and security by design, and that ensure accessibility

  • Technical design choices should fortify the protection of its users’ privacy and safety.
  • In particular, the apps should include built-in security measures to prevent third-party access to data or data leaks.
  • Any app or technology should be designed to enhance accessibility to encourage broad use. It should be buttressed by non-technical measures to prevent populations that may not have equitable access to technology from being excluded.

Do: develop and implement informative user experience

  • The apps should onboard their users by walking them through what user data is used and how it is stored or shared with health authorities or other users in a clear, transparent, and concise user interface.
  • The apps should also ask explicitly for consent before collecting additional data from their users.
  • The apps should ensure that data collections from the users are opt-in, and indicate an easy pathway to withdraw consent to data collection that is not necessary for public health purposes.

Do: use open source protocols and make the code available for auditing

  • When building new applications, developers should rely on open-source protocols that are commonly understood, accessible, and can be audited.
  • Apps and APIs should be made available for public and transparent audits, even after the sunset for use, to ensure they can be examined to determine how they were used.

Do: develop or use apps that adhere to data protection laws

  • Apps must respect data protection laws, where they exist. In any case, the collection, use, and storage of data should be limited to what is necessary. This means that apps should process only the data that is essential to make the tracing work.

Do: limit data storage

  • Data should be stored and processed locally on the user’s device as much as possible.

Do: use decentralised protocols

  • Developers should use decentralised protocols or models to reduce the risks from potential breaches.
  • Do: ensure clarity, transparency, and remedy for potential breaches or abuse
  • Apps should indicate who is responsible for handling the data and provide expedited avenues for users to exercise their rights and get remedy if their data protection rights are violated.
  • Data protection and privacy violations should be considered a serious infringement and should be communicated to the relevant supervisory authority and any users who are affected.

Don'ts

Don’t: monetize app data

  • Companies should not sell or otherwise monetize the data processed by contact tracing apps and APIs and governments should ensure it is not sold or monetized.

Don’t: develop or use apps that give users access to, or enable sharing of, personal information about other users

  • App users should not have access to personal information about other users, including infected patients.

Don’t: develop or use apps that interfere with or reconfigure devices automatically

  • Apps and APIs should not execute automatic changes in the configuration of a user’s phone. In particular, they should not have the capacity to turn on location tracking/GPS without permission.

Don’t: develop or use apps that enable unauthorized disclosure of data

  • Apps should not authorize the disclosure of data to third-party platforms.
  • The permissions an app requires must be kept to the minimum necessary for enabling tracing.

Don’t: allow repurposing of the app or data

  • The apps, APIs, and data processed should not be repurposed once the crisis is over.

Don’t: enable or allow targeted ads

  • Targeted ads should not be authorised for contact-tracing apps.

Don’t: work with companies with a track record for facilitating human rights abuse.

  • Companies with a track record of violating or facilitating violations of human rights must be excluded from participating in calls to develop contact tracing apps or other technological tools for addressing the crisis.

© Scoop Media

Advertisement - scroll to continue reading
 
 
 
Culture Headlines | Health Headlines | Education Headlines

 
 
 
 
 
 
 

LATEST HEADLINES

  • CULTURE
  • HEALTH
  • EDUCATION
 
 
 
 

Join Our Free Newsletter

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.