Contact Tracing Smartphone Apps Raise Privacy Concerns
Before the COVID-19 pandemic, the idea that the U.S. government would track the location of American citizens via smart phone data seemed like a conspiracy theory from the tinfoil hat crowd. But as other Western governments institute phone-based contact tracing, the idea may start to gain traction in the U.S.
Smart phones have become a critical tool in the effort to track to the movement of citizens during the COVID-19 crises. China, for instance, required citizens to download an app that tracked their movements if they wanted to move from their private quarters into public spaces. Government officials use the data collected from the app (a plug-in for WeChat and Alipay apps) to inform the level of enforcement on public movement.
Until now, these sorts of programs have been avoided in the governments of Western nations that adhere to classic ideals of liberty and restraint of government intrusion into the daily lives of its citizens. But with the COVID-19 pandemic threatening to kill millions of people, these nations are bending the cost-benefit analysis curve in favor of protecting public health, even if it means violating its citizens’ privacy.
In the UK, the National Health Service (NHS) is preparing to release a smartphone-based contact tracing app that will tell the government who the subject has been near to. According to a report in Sky News last week, the app will use short-range Bluetooth radio waves to detect other phones that are nearby, and will log that data.
If a subject is found to have COVID-19, the app will streamline the process of identifying and contacting other people that the subject has been around, and who may have been infected. The app will be released just prior to or just following the expected peak in COVID-19 cases, and its use will be voluntarily, the news site says.
Other European countries are planning contact-tracing apps of their own – all of them on a voluntary basis. Last week, the German government backed a technology standard that it’s calling the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT). This app is based largely on technology that’s been put to use in Singapore via its contact-tracing application. Called TraceTogether, the application keeps a rolling 21-day view of a person’s close contacts, which is available to government authorities.
The European Commission is backing the German approach and calling for a single application that can be used across the entire European Union to prevent the proliferation of various apps and standards. “Given these divergences, the European Data Protection Supervisor calls for a pan-European model COVID-19 mobile application, coordinated at EU level,” said Wojciech Wiewiorowski, the head of the European Data Protection Supervisor (EDPS).
The rush to roll out contact-tracing apps has spurred a debate over the privacy of data and the role of government in our increasingly connected lives. According to a report in WIRED, the NHS developers have explored the possibility that the app could be retooled to calculate how long a person stays out of their homes and “nudge” them back to their homes. It could also warn the user if he or she is coming too close to others who have downloaded the app, the report says.
The WIRED author, Gian Volpicelli, who reportedly viewed internal documents, says these social distancing features are just hypothetical at this point. The app could also be modified to function as an “immunity passport” for those who have already had coronavirus and no longer contagious.
In addition to threats to citizens’ privacy, the apps pose a direct threat to their security. According to a story in ThreatPost, the new COVID-19 apps are rife with security vulnerabilities and backdoors. An app backed by the government of Iran, for example, was apparently designed solely to harvest personal information.
A government’s decision to make a contact tracing app mandatory or voluntarily is a key aspect of whether it adheres to emerging data privacy guidelines. The U.S. lacks a centralized data regulation but eschews government activities that would put privacy at risk. American companies are freer to gather and act upon potentially sensitive data, including location data, but seem to be getting less willing to act upon them following the enactment of the California Consumer Privacy Act (CCPA) in January of this year.
While the Federal Government doesn’t appear close to sanctioning a national contact-tracing app anytime soon, it is using anonymized and aggregated data from phones to track people’s movement, which provides a rough outline of people’s movement.
Google, which has started providing disaggregated data from Android phones to the U.S. government, recently launched a website to provide details on people’s movement in the post-COVID-19 world. According to the Community Mobility Report, movement in the state of New York is down by 32% in grocery and pharmacy, 62% in retail and recreation, and 47% in parks.
As smartphone-based contact tracing apps become widespread in Europe and beyond, proponents of strict data privacy laws will come under pressure to prove that individual rights trump the public good, or to allow an exception for public health emergency like COVID-19.