Safeguarding privacy and lives in the present- and post-COVID-19 era
Privacy can easily take a back seat when governments are trying to help save lives with contact tracing apps. This, however, need not be the case.
It’s hard to fault governments for advocating, and implementing, the use of location surveillance powers to contain the COVID-19 outbreak, especially at a time when millions are infected and thousands are dying.
As many would argue, protecting lives is of paramount importance even as considerations like privacy may take a back seat in unprecedented times like these. The reason: Many people may not respect borders, self-isolation or quarantine measures if not enforced by the authorities concerned.
There is undeniably merit in these arguments. Hence, governments around the world have begun successfully using data and mobile technologies to track the spread of the virus, and mitigate wider social and economic impacts.
While countries such as China and South Korea are using state-run, individual-level location tracking of people via their smartphones to contain the spread of COVID-19, the Government Technology Agency of Singapore (GovTech), the in-house IT agency of the Singapore public service, uses a mobile app called TraceTogether, in collaboration with the Ministry of Health (MOH), in a bid to reduce the spread of COVID-19.
TraceTogether works by exchanging short-distance Bluetooth signals between phones to detect other participating TraceTogether users in close proximity.
Similarly, in a country like India that is sharpening its focus on contact tracing, the Indian Institute of Technology (IIT)-Roorkee said on 6 April that it has developed a surveillance system to tackle COVID-19. According to Kamal Jain, a professor in the Department of Civil Engineering at IIT Roorkee, the institution has developed a mobile app that can track individuals and can also do geofencing around the person.
The system will get an alert if the quarantined person violates the geofence. In case GPS data is not received, the location will be obtained automatically through the triangulation of mobile towers.
If the internet is not working in a certain area, the location will be received through SMS. Administrators can view all reports on a map. If installed on the affected person's device, it can provide a history of all people in their vicinity for a defined period.
Meanwhile, tech companies are also urging countries like the US and Canada to adopt similar contact tracing apps. If these countries agree, though, they will have to work around their existing privacy laws.
Questions to address
Given that privacy is a fundamental human right, and remains central to the maintenance of democratic societies, at least in many countries around the world, it’s worth asking ourselves some important questions.
First, if the government gives itself new surveillance powers, are these “necessary and proportionate” (also known as the 13 Principles)?
Second, will these new powers adhere to existing human rights law in a digital world, and be in consonance with the 13 Principles that were launched at the UN Human Rights Council in Geneva in September 2013? Third, will these powers remain in force in a post-COVID-19 era?
What do contact-tracing apps do?
To be sure, the aim of contact tracing is to inform relevant contacts of infected cases as quickly as possible about the possibility of infection, in order for the right measures to be taken in a timely manner. It is a proven method to help contain the spread of infectious diseases.
In the case of SARS-CoV-2, which causes COVID-19, a large proportion of transmissions occur through droplets that travel only over a certain distance (about 2 metres). Thus, “contacts” are people that may have been exposed to the virus in this way, through physical proximity. That’s why the PEPP-PT initiative uses the term “proximity tracing”.
Our cellphones and smartphones have several means of logging our activity. GPS tracks our location, and Bluetooth exchanges signals with nearby devices. Hence, contact tracing apps can record interactions between people, and warn users if one of the people they have been recorded as being in contact with is later diagnosed with COVID-19 so they can take appropriate steps like self-isolation.
These apps could prove useful in avoiding long-term confinement measures. However, they also collect sensitive information like location data, Bluetooth-enabled proximity information, and whether individuals are infected.
To prevent abuse by such well-meaning apps, Dr Yves-Alexandre de Montjoye from Imperial College, London, has outlined eight questions that should be asked to understand how protective of privacy an app is.
The questions are: How do you limit personal data gathered by the app developers? How do you protect the anonymity of every user? Does the app reveal to its developers the identity of users who are at risk? Could the app be used by users to learn who is infected or at risk, even in their social circle?
Does the app allow users to learn any personal information about other users? Could external parties exploit the app to track users or find out who’s infected? Do you put in place additional measures to protect the personal data of infected and at-risk users? And how can users verify that the system does what it says?
Showing the way
There are ways, though, to safeguard privacy even while harnessing the power of surveillance technology.
Consider this. Ramesh Raskar, a professor at the MIT Media Lab, and colleagues are developing an app that would let people log their movements and compare them with those of known coronavirus patients, using redacted data supplied by the state or national public health departments.
The app, Safe Paths, gets around privacy concerns by sharing encrypted location data between phones in the network in such a way that it does not go through a central authority.
This lets users see if they may have come in contact with someone carrying the coronavirus — if that person has shared that information — without knowing who it might be. A person using the app who tests positive can also choose to share location data with health officials, who can then make it public.
Covid Watch is another smartphone app that allows an infected person to send an anonymous alert to others with the same app whom they may have infected.
The wireless technology that connects smartphones to headsets and other devices is at the heart of Covid Watch. Once a user downloads the app, if their phone approaches within 6 feet of another smartphone that also has the app installed, and maintains that proximity for 15 minutes or more, the two phones share a temporary contact number (TCN) that is stored on each device. So, no data ever leaves the phone, and the data that is stored locally is anonymous.
Covid Watch relies on self-reporting or voluntary disclosure, and the developers assume that no responsible person, knowing they were COVID-positive, would purposefully risk spreading the disease through prolonged contact with others.
However, if an app user is later confirmed positive, they can send their anonymous TCN data to a cloud storage repository. The app will then alert other app users who spent 15 minutes or more near the infected person.
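The exchange-and-match flow described above can be sketched in a few lines. This is an added illustration, not Covid Watch's code: the `Phone` class, the random 16-byte TCNs and the in-memory `repository` set are assumptions standing in for the real app, Bluetooth layer and cloud storage.

```python
import secrets

CONTACT_FEET = 6       # distance threshold stated in the article
CONTACT_MINUTES = 15   # duration threshold stated in the article

class Phone:
    """Hypothetical stand-in for one handset running the app."""
    def __init__(self, owner):
        self.owner = owner    # demo label only; never transmitted or uploaded
        self.sent = []        # TCNs this phone has handed out
        self.heard = set()    # TCNs received from qualifying contacts

    def new_tcn(self):
        # Assumption: a fresh random value per encounter, carrying no
        # identity or location information.
        tcn = secrets.token_bytes(16)
        self.sent.append(tcn)
        return tcn

def encounter(a, b, feet, minutes):
    """Exchange TCNs only when both thresholds are met."""
    if feet > CONTACT_FEET or minutes < CONTACT_MINUTES:
        return False
    a.heard.add(b.new_tcn())
    b.heard.add(a.new_tcn())
    return True

def report_positive(phone, repository):
    """Voluntary disclosure: upload only the TCNs this phone sent."""
    repository.update(phone.sent)

def exposed(phone, repository):
    """Matching runs on the device against the downloaded repository."""
    return not phone.heard.isdisjoint(repository)

def demo():
    # Constructed scenario: Alice meets Bob long enough, Carol only briefly.
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, feet=4, minutes=20)
    encounter(alice, carol, feet=4, minutes=5)
    repository = set()    # stands in for the cloud storage repository
    report_positive(alice, repository)
    return {p.owner: exposed(p, repository) for p in (alice, bob, carol)}

if __name__ == "__main__":
    print(demo())
```

The repository only ever holds random byte strings, so the operator cannot tell from it who reported or who was alerted; the privacy of the scheme rests on that and on the matching staying on the device.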
University of Southern California (USC) Computer Science Professor Cyrus Shahabi and his team are working on a COVID-19 contact-tracing app. The team is initially focusing on simpler privacy enhancements to mitigate privacy risks, while ensuring immediate public health impact.
Specifically, users can choose frequency of tracking, or manual check-in, as well as specificity of uploaded locations — for instance, downtown LA versus Grand Central Market — as their risk evolves. Future versions of the app will combine encryption and adding noise to strike a compromise between accuracy and speed.
At a broader level, the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) brings together 130 researchers from eight countries to develop applications that can support contact tracing efforts within countries and across borders.
The development of this technology is based on three basic principles. Firstly, it is the result of close European cooperation. Only in this way can we bundle the expertise on the continent in an efficient and targeted manner.
Secondly, the technology should be internationally applicable, i.e. interoperable across national borders. In doing so, the technology will facilitate the resumption of international business and personal travel. And thirdly, the technology should be in line with the General Data Protection Regulation (GDPR).
The anonymous IDs contain encrypted mechanisms to identify the country of each app that uses PEPP-PT. Using that information, anonymous IDs are handled in a country-specific manner.
Choosing the middle road
Technology, as is often argued, can be both used and misused. Technology, for instance, is transforming healthcare in today’s digital world. COVID-19 has unwittingly only spurred more innovation. Besides, from AI to robotics, cutting-edge tech is being deployed to combat coronavirus.
At Massachusetts General Hospital, for instance, tablets and smartphones are being deployed to protect staff, preserve personal protective equipment (PPE), and help patients connect with their loved ones.
Governments should take care that they do not misuse the very tool that can help in saving countless lives.