As the world deals with many challenges due to the 2020 outbreak of COVID-19, I talked to data protection expert Julian Hayes from Veneto Privacy regarding the prominence and development of contact tracing apps and how society can combat some of the privacy and data protection concerns that these platforms can entail.
Julian Hayes is Managing Director of Veneto Privacy Services, a specialist data protection and security firm based in Dublin, Ireland. He has worked in the sphere of data protection for more than 16 years and is a specialist in app privacy & security design for major consumer service industries.
Minttu: What are the main challenges you see with the uptake of contact tracing apps?
Julian: I think it is good that there is a healthy debate on the subject of contact tracing apps at this time, as we have seen much analysis on the implications for users of the app and on what authorities plan to do with the data. From the outset, we must be mindful that the main objective of such apps is to protect society from the risk of infection or transmission of COVID-19. With that in mind, we must make sure that a balance is struck, as far as possible, between protecting individual citizens’ data and protecting society from the virus.
There are two predominant models that are used for COVID-19 possible contagion detection that would be good to analyse from a security perspective.
- De-centralised App Models: This model utilises Bluetooth or other common device-to-device connectivity solutions, where there is no collection point of information other than on the users’ devices. In a typical flow, a confirmed COVID-positive user would activate their status on the app as having currently or once tested positive for COVID. Other devices in the user’s proximity would then be alerted when and, importantly, where they had encountered a close contact with the tested-positive user’s device.
- Centralised App Models: The centralised app model is a central point of storage for all COVID app users, detailing all the close contacts that the user has come in proximity to, again via Bluetooth or other near field communication technology. Broadly speaking, it will again require an action by a user to enlist themselves on the app as having contracted COVID previously or presently, although in some models some data regarding temperature checks etc. may be processed in the service to automatically categorise individuals based on specific protocols. The centralised model would be the preferred model for those agencies tasked with fighting the pandemic as it will give them a detailed, holistic view of the spread of infection. Centralised comprehensive models can be more effective but are also open to much criticism for overreaching in the data that they process or, in extreme cases, abuse of data that is processed surreptitiously for other purposes by the state or other third parties.
Some points to note here:
- Both models are likely to have better valid detection and performance in rural areas rather than urban areas due to spatial issues – i.e. fewer devices per square metre and generally reduced concentration of user interaction.
- The de-centralised model is clearly more privacy friendly as it alerts from device to device, rather than through a central source, but we must consider how effective it is for reporting possible COVID infections.
- The centralised model will have better detailed visibility for health authorities or intermediaries tasked with operating the detection tools.
- GPS and Cell ID data (often available open source) are really required for both solutions so as to allow geographic identification of the user, even in the centralised model where it is not to be shared by the device.
- Some research is needed into historical Bluetooth proximity – whether a device can recall Bluetooth device encounters prior to downloading the app.
M: Will these apps be the ‘silver bullet’ to combatting COVID-19?
J: I think it is important to see this type of technology as part of the strategy to help fight this disease, along with the other more traditional methods such as social distancing, personal hygiene and the promising developments of vaccines recently. These solutions are only a part of the suite of tools that public health authorities are recommending.
M: What about concerns regarding data privacy and how the data will be used?
J: Clearly there are concerns regarding the approach of the centralised model relating to how data will be processed. However, we must remember that these state authority initiatives are undertaken with the objective to protect society in the detection of close encounters of people who have contracted COVID-19. We must also be cognisant that the apps in place are being developed on the basis that they will be downloaded voluntarily by people who will be informed on the permissions that are entailed in using the service. Provided that contact tracing apps provide good information to the user on what data is processed, for what purpose and why, and what controls they can utilise within the service, it should enable transparency and privacy-by-design.
M: What are some of the mitigations on a privacy engineering basis that can be put in place as a privacy safeguard?
J: There are many options regarding the protection of identities or processing of other personal identifiers that can be utilised in the development of these app services.
Some items would include:
- Providing a robust privacy notice and consent step upon download of the app, detailing its access rights to Bluetooth, GPS, Cell-ID or other positioning information required for effective use of the service.
- Assigning a digital ID solution for app users that does not allow for direct identification of users of the app. This will allow for the users to share pseudonymous data rather than direct identifiers, bringing some privacy protection.
- Digital IDs assigned to each individual user will allow for non-identifiable information to be processed as encounters occur, allowing users to pass each other and be informed of a contagion risk where necessary, whilst protecting each other’s identity. An example of this can be seen with Finland’s contact tracing app.
- Rotation of digital IDs over a reasonable period will also add protection so as to not allow for retrospective analysis of encounters with other COVID tracing app users. Clearly there needs to be a balance struck between the efficacy of encounter detection and user privacy.
Find Julian on LinkedIn.
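The pseudonymous, rotating digital IDs described in the last answer can be illustrated with a small decentralised-model simulation. This is an added example, not code from the interview or from any national app: the 15-minute rotation period, the HMAC-based derivation from a per-day key, and the publish-key-on-positive-report step are assumptions chosen to show why rotation limits retrospective linking of encounters.

```python
import hashlib
import hmac
import secrets

ROTATION_MINUTES = 15                               # assumed rotation period (hypothetical)
INTERVALS_PER_DAY = 24 * 60 // ROTATION_MINUTES     # 96 rolling IDs per day


def new_daily_key() -> bytes:
    """Fresh random per-day key. It stays on the device unless the user reports positive."""
    return secrets.token_bytes(16)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Pseudonymous ID broadcast during one interval.

    Derived by HMAC from the daily key, so anyone who only sees the broadcasts
    cannot link two IDs to the same device, and cannot recover the key.
    """
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]


def ids_for_day(daily_key: bytes) -> list[bytes]:
    """All IDs a device will broadcast on the day covered by daily_key."""
    return [rolling_id(daily_key, i) for i in range(INTERVALS_PER_DAY)]


def match_encounters(observed: list[tuple[int, bytes]],
                     published_keys: list[bytes]) -> list[int]:
    """Run locally on a user's device.

    observed: (interval, id) pairs this device saw via Bluetooth.
    published_keys: daily keys voluntarily released by users who reported positive.
    Returns the intervals at which this device was near a reported-positive device.
    No identities, locations or central encounter log are needed for the check.
    """
    positive_ids = {rolling_id(k, i) for k in published_keys for i in range(INTERVALS_PER_DAY)}
    return [interval for interval, rid in observed if rid in positive_ids]


if __name__ == "__main__":
    alice_yesterday, alice_today = new_daily_key(), new_daily_key()  # constructed sample keys
    stranger = new_daily_key()
    # Bob's device logged these broadcasts today (constructed sample observations).
    bob_log = [(40, rolling_id(alice_today, 40)), (41, rolling_id(alice_today, 41)),
               (42, rolling_id(stranger, 42))]
    # Alice reports positive and publishes only today's key.
    print(match_encounters(bob_log, [alice_today]))                 # [40, 41]
    # Yesterday's key was never published, so yesterday's encounters stay unlinkable.
    print(match_encounters([(5, rolling_id(alice_yesterday, 5))], [alice_today]))  # []
```

Rotation buys privacy only if each day's key is released solely for the days the user was infectious; publishing longer key histories re-links more encounters, which is the efficacy-versus-privacy balance the answer refers to.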