Health and privacy, can we get both?

By Sarus. Published in Sarus Blog, Apr 1, 2020.

The crisis forces us to choose between privacy and an efficient response. South Korea and Hong Kong have demonstrated that test-and-trace strategies can contain the virus at the cost of fine-grained surveillance. On the other side of the world, the European Commission is gathering anonymized data from telcos to understand virus propagation. It will preserve privacy, but let’s look at what we can expect in terms of efficacy.

Location data is notoriously hard to anonymize. Strong anonymization requires high-level aggregates and giving up on individual traces. You may study whether people congregate somewhere or whether curfews are respected, but not much more. Looser anonymization gets you transportation patterns and a sense of disease propagation. If you include fine individual traces, you may map high-risk areas and refine propagation models, though such traces are probably not anonymous.

But none of the above seems likely to move the needle in terms of saving lives. You would want to join this data with test results, social connections, maybe credit card transactions too. Shall we forgo all our privacy principles to make a difference?

Unfortunately, it is mathematically impossible to make data both highly useful and strongly anonymous. The classic approach consists of making the data directly available to the application, and it cannot escape the privacy versus impact trade-off rule (cf. illustration).

Luckily, a new generation of startups is challenging this. Federated learning does away with central data collection. Cryptographic tools (homomorphic encryption, multi-party computation) allow data to be manipulated without seeing it. Differential privacy guarantees that computations no longer carry personal information and can be made broadly available. By combining those, applications can be built without accessing the data at any stage. It creates a unique opportunity to find a third way between poor health innovation and no privacy. It’s time we move the curve up and to the right!
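As an added example (not from the original post or from Sarus), here is the Laplace mechanism of differential privacy applied to device counts per grid cell, showing why a private location release favors coarse aggregates. The 20 km area, ε = 0.1, the uniformly placed sample devices and all function names are assumptions chosen for illustration.

```python
import random

def laplace(scale, rng):
    # The difference of two i.i.d. exponentials is Laplace(0, scale).
    # Illustration only: `random` is not a cryptographic RNG; a real
    # release would use a vetted differential-privacy library.
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def dp_grid_counts(points, side_km, cell_km, epsilon, rng):
    """Release a noisy device count for EVERY cell of a fixed grid.

    Assumes each device contributes exactly one point, so adding or
    removing a device changes one count by 1 (L1 sensitivity 1).
    Empty cells are noised too; otherwise the set of occupied cells
    would leak where devices are.
    """
    n = int(side_km / cell_km)
    true = [[0] * n for _ in range(n)]
    for x, y in points:
        true[min(int(y / cell_km), n - 1)][min(int(x / cell_km), n - 1)] += 1
    noisy = [[c + laplace(1 / epsilon, rng) for c in row] for row in true]
    return true, noisy

def relative_error(true, noisy):
    """Mean absolute noise divided by the mean true count per cell."""
    cells = [(t, z) for tr, nr in zip(true, noisy) for t, z in zip(tr, nr)]
    mean_abs = sum(abs(z - t) for t, z in cells) / len(cells)
    mean_true = sum(t for t, _ in cells) / len(cells)
    return mean_abs / mean_true

def compare(cell_sizes_km=(10.0, 0.5), epsilon=0.1, seed=7):
    rng = random.Random(seed)
    side = 20.0
    # Constructed sample: 5000 devices placed uniformly in a 20 km square.
    pts = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(5000)]
    return {c: relative_error(*dp_grid_counts(pts, side, c, epsilon, rng))
            for c in cell_sizes_km}

if __name__ == "__main__":
    for cell, err in compare().items():
        print(f"{cell:>5} km cells: noise is {err:.1%} of the average count")
```

With the same privacy budget, the noise is a small fraction of each 10 km cell's count but several times larger than the typical count in a 0.5 km cell.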
