(Image by 贺 朱 from Pixabay )

The divisions over how best to utilise and deploy contact tracing technologies to fight COVID-19 are beginning to emerge in Europe, with experts, researchers and politicians beginning to better question privacy risks and effectiveness. 

Contact tracing apps - which use bluetooth technology via your smartphone to keep track of who you come into close contact with - have been touted as one of the ways to better manage the spread of the novel Coronavirus and help ease lockdown restrictions. 

The idea being that if you start to experience symptoms in line with COVID-19, you then self report these into an app and that then lets everyone you came into contact with know to self-isolate too. 

However, as reported last week on diginomica/government, theory and reality are two very different things. Experts have already laid out that the technology is open to trolling, that uptake is necessary but hard to ensure, and that errors are likely. 

The development of these contact tracing apps have been aided by Google and Apple coming together to develop an API - and a future platform built into their respective OS’s - that would allow for a solution that doesn’t rely on a central authority. 

A decentralised solution is considered to be a ‘pro-privacy’ approach as it doesn’t rely on location-based technology and would keep a central repository of data out of the hands of health authorities. 

However, organisations such as the NHS in the UK - and elsewhere in Europe - have already advocated for a centralised approach. Why? Because some governments are likely to believe that holding centralised location-based data on the spread of people with symptoms would help them better manage outbreaks. 

But there are significant privacy risks to that approach. Public trust and acceptance of authorities holding centralised data on peoples’ smartphone location data will likely be much less than a decentralised, anonymous approach. 

A new coalition of EU scientists and technologists has also emerged - dubbed The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) - which is advocating for both centralised and decentralised approaches (but ones that do not require location data). It’s worth reading this report on TechCrunch for a full rundown of how exactly that would work and the conflicts emerging as a result (the European Commission and Parliament have also signalled preference for a decentralised approach). 

Exit through the App Store

An excellent evidence review was published over the the weekend by the Ada Lovelace Institute in the UK, which delves into many of these issues. Enitled ‘Exit through the App Store’, the review states that there is no evidence to support the immediate deployment of digital contact tracing and calls for the establishment of a new Group of Advisors on Technology in Emergencies (GATE) to oversee the development and testing of any proposed application. 

Carly Kind, Director of the Ada Lovelace Institute said: 

The Government is right to explore non-clinical measures in its response to the COVID-19 crisis, but it must take action to ensure technological applications, such as the proposed NHS rollout of digital contact tracing, do not become counter-productive because of a failure to take account of both the barriers to deployment and the full impact on people and society.

It found that the NHS’ plans to use technology to help reduce the spread of COVID-19 will not be effective unless the government takes action to address the technical limitations, barriers to effective deployment and social impacts of the technology. 

In addition, it notes that premature deployment of ineffective apps could undermine public trust and confidence in the long-term, hampering uptake of tracking technologies which may be critical to their eventual success. 

The Institute argues that any deployment of COVID-19 technologies should be subject to the sign-off of the GATE advisory body. 

On digital contact tracing specifically, the review adds: 

If a digital contact tracing application is approved, the Ada Lovelace Institute recommends the introduction of primary legislation to regulate data processing and to impose strict purpose, access and time limitations on its use, which would also address concerns about other data-driven measures such as symptom tracking. 

Given the lack of evidence of effectiveness, the review concludes that installation of a digital contact tracing app should not be mandatory and that to make it so would likely fall foul of human rights standards. 

The ICO wades in

The UK’s data regulator, Information Commissioner Elizabeth Denham, has also (rightly so) begun to share thoughts on the approach to contact tracing technologies. Heading up the ICO, Denham said that as with any new technology, the public needs to have confidence that it is being used in a fair and proportionate way. 

Denham and her office have provided a series of questions to those using and developing new technologies to help fight COVID-19 to ask themselves, to ensure privacy implications are properly considered. These include: 

1. Have you demonstrated how privacy is built in to the processor technology? 

2. Is the planned collection and use of personal data necessary and proportionate? 

3. What control do users have over their data? 

4. How much data needs to be gathered and processed centrally? 

5. When in operation, what are the governance and accountability processes in your organisation for ongoing monitoring and evaluation of data processing - to ensure it remains necessary and effective, to ensure that the safeguards in place are still suitable? 

6. What happens when the processing is no longer necessary? 

It’s this last point that is especially pertinent. Denham notes: 

This is especially crucial: what is appropriate and proportionate in response to an international public health emergency looks quite different when that emergency ends. What consideration has been made to how data collection ends, and what happens to the data gathered? We appreciate that the answer to that may not be in the initial privacy impact assessment, which is why these assessments should be revisited and updated when possible.

This is especially crucial: what is appropriate and proportionate in response to an international public health emergency looks quite different when that emergency ends. What consideration has been made to how data collection ends, and what happens to the data gathered? We appreciate that the answer to that may not be in the initial privacy impact assessment, which is why these assessments should be revisited and updated when possible.

My take

In a time of emergency it’s very tempting to rush out technological solutions that you hope might bring an end to a crisis. However, the reality is that technology will never be a silver bullet to this public health crisis. It could well become a key pillar of a multi-pronged approach to better management of COVID-19, but politicians should resist the urge to say ‘technology is the answer!’. Furthermore, we should be especially careful about the precedents that are being set during this time. Just six months ago the thought of a public authority collecting location data on individuals in a centralised manner would have caused outrage. Whilst we all want to find a way out of COVID-19, we also need to think about the implications for a post-Coronavirus world.