COVID19 and IT: tracing apps and the risk privacy violations
Our expert's opinionExactly half a year ago Belgium entered its national lockdown due to the COVID-19 threat in the country. Back then, the virus was new and little information was known. Governments throughout the world were seeking effective solutions to stop the spread of the virus. To be able to trace those who might have been contaminated countries set up call centers where employees focus on the contact tracing of the positive tested person. However, many countries were struggling with the set-up of contact tracing call centers and leaders started looking into the use of contact tracing applications.
However, this immediately brought up concern regarding privacy threats and data leaks. Nature Medicine, a medical journal, published a conducted study on tracing apps. Conclusion: 30 out of 50 required permission for access to the user's mobile device. Some of them explicitly stating they will use personal information such as number/postal code and continuous GPS-monitoring. Some governments such as the Netherlands therefore decided to use a de-centralized approach to prevent data-storage on a centralized server. Nonetheless, most governments still prefer a centralized approach where data is stored on a server which eases access to this data, stating that in this case, national health overweighs privacy.
As an expert in the field, do you think Belgium will dive deeper into the possibilities of the use of mandatory COVID19 tracing apps after facing difficulties with the effectivity of contact tracing call centers in the country?
- Yara Snikkers, Associate Consultant
Data Privacy Issues in COVID-19 Contact Tracing Apps
In response to the coronavirus (COVID-19) pandemic, technology companies and public health authorities around the world have been developing contact tracing apps as a way to track and thus slow the spread of the virus. Implementation of those apps, however, can raise privacy and cybersecurity considerations.
How does it work?
Contact tracing apps essentially work by gathering information from individuals who have tested positive for the virus and then locating and notifying people with whom those individuals have been in close contact, frequently by use of GRP, Bluetooth, or wireless technology.
To better understand how contact tracing apps use and access personally identifiable information, of 50 COVID-19-related apps in May 2020. The study found that across the apps, the most common functionalities were "live maps and updates of confirmed cases; real-time location-based alerts; systems for monitoring and controlling home isolation and quarantine, direct reporting to government, and self-reporting of symptoms; and education about COVID-19. Some more-advanced services include self-assessment of daily physiological status; monitoring of vital parameters, such as temperature, heart rate, oxygen and blood pressure, through the use of Bluetooth-enabled medical devices; virtual medical consultations (ADiLife Covid-19 in Italy); social science–based interventions based on predictive analysis of diseases in specific locations (OpenWHO); and community-driven contact tracing (TraceTogether and mfineRadar)."
Of the 50 apps analyzed in the Nature Medicine study, 30 required permission for access to the user's mobile device. Some of the apps explicitly state that they will use "information about the person’s age, email address, phone number and postal code; the device’s location, unique device identifiers, mobile IP address and operating system; and the types of browsers used on the mobile device." Others "demand access to contacts, photos, media, files, location data, the camera, the device ID, call information, the WiFi connection, the microphone, full network access, the Google service configuration, and the ability to change network connectivity and audio settings."
Despite all of the data being used and collected, the study found that only 16 of the 50 apps analyzed stated that users’ data would be made "anonymous, encrypted and secured and will be transmitted online and reported only in an aggregated format."
The question on a lot of minds is, “Who will have access to the data and for how long will it be stored?”
Keeping data safe
Contact tracing apps use either a to logging data. In a centralized approach (used by contact tracing apps in the United Kingdom, Singapore, and Australia), a user’s data is uploaded to a main server where public health authorities can review and analyze it. In a decentralized approach (used in Holland’s contact tracing app), data remains on the user’s mobile device with a "minimal amount of information uploaded to the server."
Apps that use a centralized approach have more privacy risks (as data could be stolen or used for other purposes), but say it gives authorities better insight into the spread of the virus. Apps that use a decentralized approach are more privacy friendly, as the data stays on users' devices.
The United Kingdom, Singapore, and Australia have to use a centralized approach, saying that healthcare needs at this time outweigh a lot of privacy concerns. in the United States, however, announced a plan in April to create the technical framework for decentralized apps.
Tracing apps today
Since the initial announcement of this plan, only six states in the United States have launched apps using the framework. In response, this week, the tech companies announced that they will also provide the technology for "sending and receiving alerts, no outside app required." The companies have said they remain committed to protecting users' privacy: They “won’t collect any identifying data, instead relying on anonymous identifiers to keep track of which phones are near each other. And although the feature is baked into the operating system, [certain device] users in states where it is made available will be required to opt in."