There are many questions to be asked regarding digital contact tracing apps developed in response to the coronavirus crisis
Image by Markus Winkler from Pixabay
Author: Cansu CAGLAR, PhD Researcher, Queen Mary University of London 26 May 2020
As humans face one of the biggest global crises of our generation, it is not surprising that governments and private organisations have started to look for data-driven solutions to slow the community transmission of the coronavirus. They have begun to look for what contribution digital technology and data could bring to the fight against coronavirus. Current technological tools make it possible to monitor individuals and assist in every aspect of crisis response. They can be developed as a supplementary tool to make the transition from emergency lockdown measures to re-start the economy. Both public and private sectors are pitching in to find a solution to develop and launch an application available on smartphones and mobile devices – so-called “contact tracing apps” – to reduce the spread of the virus by informing users who have been in close proximity or contact, in the near past, with an infected person.
Many people are concerned that they could be part of the transmission chain. Contact tracing app would inform the users if they are under a risk to get infected and pass on before showing any symptoms so that they can take preventive actions such as self-isolating.
As it has been announced in the daily briefing on May 4, 2020, the UK would be piloting the contact-tracing app in the Isle of Wight. If the tests are successful, the application will be rolled out to the rest of the UK. The contact tracing app is intended to supplement the manual interviews carried out by humans to trace the individuals who could be potentially infected. The aim is to prevent a resurgence of Covid-19 once the lockdown measures are eased. The biggest problem with manual contact tracing conducted via interviews by humans is that infected individuals may not be able to remember whom they met for the last two weeks. It can be quite difficult to remember each store they been to, each person that showed up to their office for a scheduled and an unscheduled meeting or if the infected person is a teacher, for instance, each student that came into their office to ask a question briefly. On top of that, they might not know the person who has been in close contact with them – in the tube, on the bus, in the supermarket etc. However, the digital tracing app aims to extend the notification network and lifts these burdens. Nevertheless, there are many questions to be asked regarding digital contact tracing apps developed in response to the coronavirus crisis. Yet, we do not have any precise answers to many of them.
Very broadly speaking, the range of unanswered questions in relation to contact tracing app revolves around its societal, political, legal and ethical impacts. Among them, one matter that seems to specifically bother many experts is the ‘privacy’ concern. Many privacy experts are worried that this app will be used as an excuse to re-package surveillance systems of health services, technology companies and government authorities.
There are different types of technical mechanisms and protocols which digital contact tracing app can be built to collect and process information for detecting distance: Bluetooth, GPS, WiFi, mobile network signals. Each technical measure has its limitations. For instance, GPS is more efficient when used outside. It does not provide the same accuracy level inside of buildings or underground. It is also harder to anonymise this type of data. Similarly, the efficiency of mobile network signals will be based on mobile masts in that specific area. WiFi based tracking would also determine when individuals are connected to the same network; however, it will not necessarily provide precise information regarding the proximity of individuals. Bluetooth, which will be deployed in the contact tracing app in the UK as well, works both indoors and outdoors. It is suggested that Bluetooth provides a better approximate relation to contact proximity, yet it is not available in all devices. A study conducted at Oxford University indicates that the contact tracing app will be effective to stop the coronavirus if 60% of the population use the app, which is hard to achieve when the app is based on a voluntary approach and therefore relies on people downloading the app.
All contact tracing apps mainly try to define how close and for how long the user was with the other users. However, when there is no consensus on the transmission of the new coronavirus, it should be questioned what each country will set as alarming proximity. How many metres is close enough to catch the virus? Or how many minutes are required to be suspicious of the transmission? This information is kept on the mobile devices. However, the design choice of the app, is another topic where privacy concerns have been raised whether digital contact tracing should be centralised or decentralised, referring to where the initial data will be processed.
The UK is one of the few countries which has decided to deploy a centralised approach for the contact tracing app in Europe. Countries like Germany and Switzerland have adopted a decentralised approach for proximity tracing arguing that a centralised approach would not be able to adequately protect user’s privacy. The contact tracing app that will be rolled out in Switzerland, is one of the first that incorporates a technology by Apple and Google that deploys a decentralised system. The decentralised app initially processes the data on the device so that no central server has information about whom the user met or how many people he/she met or about the location data of the user. This model allows initial processing to be conducted locally. The users do not need to register to a central service. The apps would regularly download the keys of infected persons to match locally if the user has been in close contact with him/her. However, the keys generated and exchanged via Bluetooth are publicly distributed, which creates a risk to match previously collected data to identify individuals.
On the other hand, the centralised model registers its users at a central service. While this information can be useful to enhance knowledge about the virus and contain the epidemic, it allows large-scale behaviour monitoring. The service matches the uploaded contacts of the infected person and sends them a notification if they have been exposed to risk of getting infected. The data is processed centrally, and the service sends the notifications to its users. The centralised system can enable servers to be updated regularly to tweak and alter precautions to be taken based on regularly updated tables. Hence, the local health authorities are worried if the contact tracing app is not centralised, the system will remain strained and would not be as efficient compared to decentralised designs. This design choice would allow more up-dated and tailor-made advice to be provided to the user; nonetheless, it increases the risk of privacy invasions and requires extraordinary organisational and technical measures to be implemented to protect users and justify the processing under a centralised system. However, it does not clearly mean that one design choice is better than the other. Privacy and data protection risks remain with both systems. Additionally, it is still not clear once the lockdown is eased and non-essential travelling is allowed globally again, whether local authorities would encourage visitors to download the local app supported by the government of that specific country and how such data collection, processing and erasure would take place.
As is seen, there are a lot of different segments of contact tracing apps. They all have to comply with the laws and redress balance in terms of efficacy, privacy, governance and transparency. In order to ensure this, robust expert debate is a must to tackle every possible risk that may infringe our rights and freedoms. This new digital measure to fight against coronavirus has to be able to cope with any attempts encroached upon users’ civil liberties. It has to take measures to mitigate discrimination, inequality and incorporate human values because the way applications are developed right now will have profound implications in the future. It may open a gate to a new ecosystem, which may deem surveillance capitalism permissible and necessary. In that regard, these unprecedented questions raised regarding the protection of privacy and other humanitarian values should be analysed.
Another worrying matter is about the cooperation taking place between governments and private organisations. Understandably, governments have turned to private organisations to benefit from their technical know-how for sufficiency and fast pace environment in implementing new technological tools, yet the implementation of the public scrutiny and independent auditing mechanisms are unclear when the private and public sector are cooperating. The real danger to find a balance between individual rights and economic hit starts when governmental authorities provide space for private organisations to determine flexibility on a matter such as the type of data to be collected and how it will be processed.
Moreover, once the application is ready to be launched, another problem that could be faced is that the governments may not be able to go ahead and release the so-called contact tracing app to the market with their preferred protocols. They may have to lobby with companies like Apple and Google for them to permit the current version of the app, since they have a significant number of smartphones in their ecosystem. Otherwise, their application may face severe limitations when in use. As a company policy, Apple and Google may have a limitation on the collection of location data or they may restrict tracking by not permitting Bluetooth to exchange small data packages in the background when the app is not open. This would likely cause incredible inconvenience for the users to keep their app constantly open when in public spaces. Apple and Google have stated that they would include a new software tool – an ‘API’ (application programming interface) – that would allow these apps to use to access Bluetooth Low Energy. Although companies are developing a software tool to fix this problem, not all application users will be able to benefit from this tool. Apple and Google will allow applications to use this tool only if they do not collect and process certain information, such as location data and other restricted information. That being said, countries that decide to deploy the centralised model may continue to face problems in terms of efficacy of contact tracing apps. 
However, what is interesting is that Apple and Google are pushing applications launched by governmental authorities or private organisations to adopt more privacy-friendly approaches, which feels like they are becoming as if they are the administrators and regulators. It should be questioned if we are at a point where tech giants can act as 'private governments' and press public authorities for developing services for the society that complies with their own policies. Would their strong position in the market and privacy-friendly approach put them in a situation where individuals could demand and approach them for protection of their rights? Would some private organisations act as a bridge between individuals and governmental authorities (and other private organisations who are cooperating with governments) to protect certain rights and freedoms?
The General Data Protection Regulation in the EU is deliberately flexible to be adopted to various technological developments and scenarios. However, this flexibility is not sufficient especially when it comes to its application to exceptional circumstances. This extremely invasive technology of contact tracing app, which will be carried around with users cannot be used as an experiment to verify whether it will help stop the spread of the coronavirus or not. Robust measures have to be implemented specifically for this situation in order to avoid exploitation of data beyond its purpose such as for employment, insurance or visa and immigration related matters. It has to be guarded against function creep and further processing. In this respect, sunset clauses that would suspend data tracking beyond its initial purpose have to be put in place. If technical and legal infrastructures are not built in place at this stage in relation to critical matters such as real-time auditing mechanisms, prevention of further processing of data, enforcement of sunset clauses, it may be difficult to dismantle once it is over. As Yuval Noah Harari said, it is vital to keep in mind “This storm will pass. But the choices we make now could change our lives for years to come”  when building this invasive technology to avoid its irreversible impacts.
 Ada Lovelace Institute Report, Exit through the App Store? (Rapid Evidence Review, 20 April 2020), 26.
 Albertgotti R and Harwell D, ‘Apple and Google are Building a Virus-Tracking System. Health Officials Says it will be Practically Useless’ The Washington Post (15 May 2020) <https://www.washingtonpost.com/technology/2020/05/15/app-apple-google-virus/> accessed 16 May 2020.
 European Data Protection Supervisor TechDispatch, ‘Contact Tracing with Mobile Applications’ (Issue 1, 2020) 3 <https://op.europa.eu/s/n6Rs> accessed 15 May 2020.
 Harari Y N, ‘The World After Coronavirus’ Financial Times (20 March 2020) <https://www.ft.com/content/19d90308-6858-11ea-a3c9-1fe6fedcca75> accessed 12 May 2020.
 Hern A, ‘NHS in Standoff with Apple and Google over Coronavirus Tracing’ The Guardian (16 April 2020) <https://www.theguardian.com/technology/2020/apr/16/nhs-in-standoff-with-apple-and-google-over-coronavirus-tracing> accessed 3 May 2020.
 Kelion L, ‘ Coronavirus: First Google/Apple-Based Contact-Tracing App Launched’ BBC (26 May 2020) <https://www.bbc.co.uk/news/technology-52807635> accessed 26 May 2020.
 Kelion L, ‘Coronavirus: UK contact-tracing app is ready for Isle of Wight downloads’ BBC (4 May 2020) <https://www.bbc.co.uk/news/technology-52532435> accessed 4 May 2020.
 Murphy H, ‘US and Europe Race to Develop ‘Contact Tracing’ Apps’ Financial Times (San Francisco, 3 April 2020) <https://www.ft.com/content/d42acff2-b0b5-400b-b38f-ec621d4efd95> accessed 3 May 2020.
 Privacy International, ‘Covid Contact Tracing Apps are a Complicated Mess: What You Need to Know’ (19 May 2020) < https://privacyinternational.org/long-read/3792/covid-contact-tracing-apps-are-complicated-mess-what-you-need-know#centraldecentral> accessed 21 May 2020.
 Romm T, Harwell D, Dwoskin E and Timberg C, ‘Apple, Google Debut Major Effort to Help People Track if They’ve Come in Contact with Coronavirus’ The Washington Post (10 April 2020) <https://www.washingtonpost.com/technology/2020/04/10/apple-google-tracking-coronavirus/> accessed 15 May 2020.