“There’s an app for that”: Contact Tracing and new Data Security and Privacy Concerns

Since the World Health Organization declared COVID-19 a global pandemic on March 11th, 2020, national governments around the world have sought to battle the virus through a variety of testing, quarantining, and contact tracing initiatives. While the former two are featured and discussed regularly in provincial and federal press briefings in Canada, contact tracing, and particularly the use of new technology to conduct it, deserves particular attention. The WHO defines contact tracing as “the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission”. The identification of potentially infected persons plays a key role in a nation’s ability to track the spread of the virus and isolate those who may have been exposed. Around the world, nations such as Singapore, South Korea, Israel, and the United Kingdom have all introduced mobile contact tracing apps, each of which represents a novel use of tracing technology, all the while raising unique privacy and data security concerns for individuals and governments.

How do contact tracing apps work?

The majority of contact tracing apps currently used around the world can be divided into two broad categories: those using geolocation data, and those using Bluetooth connectivity technology.  While the former records location data from a smartphone’s GPS system, the latter relies on a “Bluetooth handshake” that occurs when smartphones interact with other devices in the near vicinity.  Despite there being advantages to both technologies, it is widely held that a Bluetooth-based app presents a lesser encroachment on individual rights and privacy.  This is largely due to the high degree of anonymization afforded by Bluetooth-based apps, as well as the ability to create time-varying token IDs and encrypt user data.  Furthermore, by not collecting location data, these apps minimize the risk of re-identification of positive diagnoses by the general public.  Ultimately, despite the various benefits of a Bluetooth-based app, this technology still presents major concerns for privacy watchdogs and individuals, raising questions regarding the storage, use, and security of user data.        

What are the privacy concerns regarding contact tracing apps?

Within the context of contact tracing apps, privacy must be understood as a broad term that includes not only privacy from other app users, but also privacy from hackers, as well as privacy from a central government authority. While the first of these concerns may be addressed through the use of random temporary identification numbers, privacy from a central authority or government presents unique challenges for contact tracing, particularly due to the multi-departmental management of the global pandemic. As a result, privacy considerations can be overlooked or neglected, resulting in a serious threat to human rights and data privacy. For example, while Singapore’s app, TraceTogether, creates anonymized time-varying tokens for exchange between mobile phones, upon the confirmation of a positive diagnosis by a health professional, all of these tokens must be uploaded to a government database. This centralization can ultimately result in the data’s re-identification and the sharing of all user data with a government agency. A refusal to share this information with the Health Ministry is punishable by fine under the state’s Infectious Diseases Act.

This system is commonly referred to as a centralized model, whereby the data of infected users is transferred to a central server, allowing public health officials to access the data and contact users who may have been exposed to the virus.  This database organization has also been adopted in other nations’ apps including the United Kingdom’s and France’s. 

Despite the organizational benefits of centralizing the data and tracing process, many privacy advocates have warned about the potential for abuse of the system by government officials, or mission creep, which could see user data used for non-medical purposes including law enforcement and immigration.  With those concerns in mind, on April 29th, Apple and Google, working in partnership, released their application programming interface (API) for use by developers to launch their own contact tracing apps. The technology giants’ API uses Bluetooth technology, and operates on a decentralized model, whereby anonymized data is stored on a user’s phone, and then encrypted before being sent to a central server, typically managed by a public health agency or government.  Contrary to a centralized system wherein a central authority contacts all affected users, in a decentralized system, it is the individual users who connect to the server to determine whether they have been exposed to the virus.  By placing the onus on users to contact public health authorities and get tested, a decentralized model has proven to be less intrusive and more compatible with current privacy and human rights regimes.
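As an added illustration (not code from the Apple/Google API, TraceTogether, or this article), the following Python sketch models the decentralized Bluetooth scheme described above: each phone derives time-varying tokens from a random per-device daily key (HMAC-SHA256 is a constructed choice), records only the tokens it hears, and after a positive diagnosis publishes nothing but its daily key, so exposure matching happens on each user’s own device rather than on the server. The ten-minute interval and 16-byte token size are assumptions.

```python
import hmac
import hashlib
import secrets

INTERVAL_SECONDS = 600                     # assumed: tokens rotate every 10 minutes
TOKENS_PER_DAY = 86400 // INTERVAL_SECONDS  # 144 intervals per daily key


def daily_key() -> bytes:
    """Random per-device daily key; it stays on the phone unless the user is diagnosed."""
    return secrets.token_bytes(16)


def rolling_token(key: bytes, interval: int) -> bytes:
    """Token broadcast during one interval. Without the key, tokens from the
    same phone are unlinkable, which is what limits re-identification by bystanders."""
    return hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.key = daily_key()
        self.heard: set[bytes] = set()  # tokens received over Bluetooth, kept on device only

    def broadcast(self, interval: int) -> bytes:
        return rolling_token(self.key, interval)

    def receive(self, token: bytes) -> None:
        self.heard.add(token)

    def upload_after_diagnosis(self) -> bytes:
        # Decentralized model: only the diagnosed user's key is published;
        # no contact list, no location data, no list of who was met.
        return self.key

    def check_exposure(self, published_keys: list[bytes]) -> bool:
        # Each user pulls the published keys and re-derives every token locally,
        # so the server never learns who was near whom.
        return any(rolling_token(k, i) in self.heard
                   for k in published_keys for i in range(TOKENS_PER_DAY))


def simulate() -> tuple[bool, bool]:
    """Constructed scenario: Alice and Bob meet during interval 42, Carol meets nobody,
    then Alice tests positive. Returns (bob_exposed, carol_exposed)."""
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.receive(alice.broadcast(42))
    alice.receive(bob.broadcast(42))
    server_keys = [alice.upload_after_diagnosis()]
    return bob.check_exposure(server_keys), carol.check_exposure(server_keys)
```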

How should governments respond to user privacy concerns?

While the use of Bluetooth technology operating on a decentralized system can increase privacy and data security, these measures can only mitigate the negative impacts of the sharing of potentially millions of users’ data on central servers.  Critical to the rollout of a contact tracing app are strict limitations and regulations on the collection, storage, and use of user data, as well as dialogue and transparency between public health officials, privacy watchdogs, and the general public. 

Ultimately, in order to address privacy concerns, the development of a contact tracing app must adhere to four key principles: transparency, specificity, compliance, and accountability. First, a commitment to transparency must include not only transparency in the means through which an app’s operations are disclosed to the user, but also transparency in the way that the app was developed. This can be accomplished by releasing the app’s code as open source software. Second, specificity ensures that any user data is only collected and stored for a specific purpose and only for a limited timeframe. Third, compliance ensures that all data handling complies with applicable provincial, federal, and international laws regarding the collection and use of personal data. Finally, accountability ensures that all means are taken to protect user data and that an avenue for redress exists should user data be stolen, used, or sold without consent.

The application of these four principles will require regular updates from the government and public health officials on contact tracing technology, as well as proactive government measures such as the conduct of privacy impact studies and risk assessments to identify and respond to concerns such as cyberattacks, mission creep, or re-identification of data.  While seemingly tedious and inconsequential, these measures create an invisible barrier that prevents a complete loss of individual privacy and allow all of us to better safeguard our personal data and information.  Ultimately, despite the extraordinary challenges presented by COVID-19, it is imperative that all Canadians remain vigilant to encroachments on privacy and other civil liberties, and support programs that work within our current privacy framework and reflect the values of national and international human rights regimes.

Written by Alexander Chan, an incoming second-year J.D. Candidate at Osgoode Hall Law School.