As Covid-19 spreads around the globe, so does the idea of using smartphones to track everyone to help contact tracing

Posted on Mar 19, 2020 by Glyn Moody

It seems extraordinary that it was only a month ago that this blog wrote about the new coronavirus, also called Covid-19. At that time, it was not yet clear whether it would turn into a full-blown pandemic. Now, there is no doubt on the matter. As that blog post reported, Covid-19 began in China, and the authorities there deployed an array of stringent measures to bring it under control, many of which impacted negatively on privacy. The question posed was whether other countries would adopt the same techniques when faced by coronavirus. The answers are starting to come in.

For example, in South Korea, the government is sending out “safety guidance texts” to its citizens, alerting them to new cases of coronavirus. Some of these include detailed personal information, as the Guardian reports:

“A woman in her 60s has just tested positive,” reads a typical text, “Click on the link for the places she visited before she was hospitalised,” it adds. Clicking on the link takes the user to the website of a district office that lists the places the patient had visited before testing positive.

These alerts are being used as the basis of smartphone apps that provide visual representations of where Covid-19 patients have been, and how close users were to them. Although that helps people determine if they are at risk, it often means that the identity of the person concerned can be worked out as well.

In the EU, matters are complicated by the General Data Protection Regulation (GDPR), which places strict controls on how personal data can be gathered and used, even during a pandemic. To help companies address that problem, national data protection agencies have issued some guidance, for example in Ireland, Denmark, and France, which warns employers not to implement things like the following:

mandatory readings of the body temperatures of each employee/contractor/visitor to be sent daily to their management;

or the collection of medical files or questionnaires from all employees/contractor.

The main approach to tackling the coronavirus outbreak is to apply digital technology to contact tracing: finding everyone who came into close contact with a person who has been diagnosed with the coronavirus so that they can be tested and quarantined if necessary. A team of medical research and bioethics experts at Oxford University have proposed a contact-tracing system based on a smartphone app. People install the app on their phone, and if they become infected, they use it to inform a central service, which then alerts other users of the app who were in the proximity of the newly-infected person. The team recognizes that privacy is a key issue if this approach is to be ethical.

German epidemiologists are thinking along the same lines. A German startup is already working on a similar app. But a traditional German concern about privacy means that many are wary of these moves. The Belgian government, by contrast, has no qualms, and plans to use data provided by telecoms providers to help track people. Israel too has just authorized the analysis of a hitherto secret trove of phone data to identify people who have been close to those who are infected.

As in Germany, the risk to personal freedoms is a major issue in the US. The Electronic Frontier Foundation says that:

Special efforts by public health agencies to combat the spread of COVID-19 are warranted. In the digital world as in the physical world, public policy must reflect a balance between collective good and civil liberties in order to protect the health and safety of our society from communicable disease outbreaks.

Google and Facebook are considering the idea of analyzing the collective movements of millions of their users to help model how the coronavirus spreads. The idea is that aggregated and anonymized data from smartphones would be shared with government agencies. Naturally, there are concerns about the granularity of the data that would be provided, since it could easily allow the authorities to track everyone if too much detail is available.

There is an open source project called CoEpi – Community Epidemiology in Action – that tries to enable digital contact tracing while making strenuous efforts to protect privacy. For example, the CoEpi app will ask for permission when sharing sensitive data, and private data will only be shared if a user becomes unwell. In this situation, the system is designed to permit only the minimum necessary information to be revealed, so that the actual identity of the volunteer participants is “maximally” concealed:

There will be a main publicly-available server run by the CoEpi community to handle new app registration, symptom and test reporting, etc. This server will endeavor not to retain any [personally identifiable information] from individuals. Client IP addresses will not be stored in a database or recorded in log files any longer than necessary. Phone numbers and email addresses will not be linked to the user in any way. There will be no “user accounts” on the server with usernames and passwords: if someone gets a new phone, they’ll need to re-register all their close contacts the next time they come in contact.

That’s a hopeful sign that digital technology can be used for contact tracing without people needing to give up all their privacy. Whether governments are interested in achieving this balance is more doubtful.

Featured image by John Ingle.