COVID-19 contact tracing: A potential threat to our personal privacy and data?
Governments around the world are turning to contact tracing apps to combat the spread of Covid-19. However, the privacy concerns these apps raise are well known, because they are shared with other types of apps that use a centralized data storage model.
The Covid-19 pandemic is having huge impacts on the tech sector. Whilst network administrators are focused on keeping their networks agile and secure during the crisis, governments around the world are turning to contact-tracing apps to combat the spread of the disease.
Western governments’ enthusiasm for these apps can be explained, at least in part, by the early successes that were seen in South Korea and China in using them to “flatten the curve” of the pandemic. Both countries, however, have significantly more interventionist governments than those in the West, which has led many analysts to question whether privacy can co-exist with the data intelligence systems they rely on.
These concerns build on a growing consciousness of the lack of privacy that contemporary web systems afford citizens: before the pandemic, there were already concerns about browser-based tracking; now, say some commentators, these surveillance systems are being expanded under the cover of an “emergency”.
Contact Tracing in Asia
In order to understand these concerns, it’s worth looking at the way in which contact tracing has been deployed already. The most extreme example of this has been the system used in South Korea, in which data on the movement of citizens infected with the virus has been collected, and used to reconstruct their movements. These movements were then made public.
The privacy concerns raised by this kind of contact tracing app are well known because they are shared with other types of apps that use a centralized data storage model. The primary issue, say campaigners, is that by collecting geolocation data on citizens and storing it in one place, these data are vulnerable to both hackers and government surveillance.
At the moment, tech companies are able to claim that since these data are encrypted, they are safe both from theft and government snooping. However, in many countries, and particularly in Australia, governments have attempted to force tech companies to build “back doors” into their encryption schemes that would allow governmental access when “necessary”.
These measures threaten to end strong encryption wherever it is currently used to protect data: not just in contact tracing apps, but in secure messaging services and even online backup systems for businesses, which could lead to personally and commercially sensitive data becoming less secure.
The Local Model
In response to these concerns, tech companies are exploring a different model for contact tracing apps: one that doesn’t store data centrally but instead relies on smartphones connecting directly to each other. This is the option that has been explored by Apple and Google, as well as in a proposal from researchers at the Massachusetts Institute of Technology. Both of these models use randomly generated IDs on devices, which then silently send out Bluetooth signals to other devices that have the app installed.
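The decentralized model described above, reduced to a minimal simulation (an added example, not code from Apple, Google or MIT). The 16-byte ID size, the per-encounter rotation and the step in which a diagnosed user shares the IDs they broadcast are assumptions; the article does not specify them.

```python
import secrets


class Phone:
    """One handset in the decentralized model: contact history never leaves it."""

    def __init__(self, owner):
        self.owner = owner
        self.sent = []      # random IDs this phone has broadcast
        self.heard = set()  # random IDs received from nearby phones

    def broadcast(self):
        # A fresh 16-byte random ID per encounter (size and rotation are assumptions).
        rid = secrets.token_bytes(16)
        self.sent.append(rid)
        return rid

    def check_exposure(self, published):
        # Matching runs on the device, against IDs a diagnosed user chose to share.
        return not self.heard.isdisjoint(published)


def encounter(a, b):
    """Two phones in Bluetooth range exchange their current random IDs."""
    id_a, id_b = a.broadcast(), b.broadcast()
    a.heard.add(id_b)
    b.heard.add(id_a)


def simulate():
    # Constructed scenario: alice meets bob and carol; dave only meets carol.
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob)
    encounter(alice, carol)
    encounter(carol, dave)

    # Assumed step: alice tests positive and shares only the IDs she broadcast.
    published = set(alice.sent)

    others = (bob, carol, dave)
    return {
        "exposed": sorted(p.owner for p in others if p.check_exposure(published)),
        # All that leaves alice's phone: two opaque values, no names or locations.
        "published_count": len(published),
        # Every broadcast used a new ID, so two sightings of alice do not match.
        "ids_reused": len(set(alice.sent)) != len(alice.sent),
    }


if __name__ == "__main__":
    print(simulate())
```

In a centralized design the server would instead hold each person's identity and location history, which is the single store the preceding section describes as exposed to theft and surveillance.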
Governments in the US, the UK, and Singapore appear keen on this concept because it appears to offer contact tracing capabilities whilst also respecting citizens’ privacy rights. Proponents of this type of contact tracing app point out that the same kind of decentralized storage is already used in marketing automation, and that in this context users seem fairly comfortable sharing personal details in order that they can be presented with advertising that is more relevant to them.
The Ongoing Concerns
In reality, however, even decentralized contact tracing apps are deeply problematic when it comes to data privacy, security, and the legal framework that will be required to make them work.
From a technical perspective, the issue with these apps is that the Bluetooth protocols they rely on have well-documented security vulnerabilities. Apple and Google have recently claimed to have improved the security of these protocols, and have promised to shut down automatic Bluetooth communication once the pandemic is over. However, many analysts insist that even when smartphones are protected by VPN encryption, hackers can still access the data being shared between devices. A VPN encrypts a phone’s internet traffic, not the Bluetooth radio link over which these apps exchange data.
Another issue with these apps, and the one that might ultimately defeat their adoption, is that they rely on a large proportion of the population downloading them in order to have an effect. Research indicates that contact tracing apps need to be installed on 60% of devices in order to be effective. Though adoption rates of pilot apps in France and Germany have been relatively high, they are unlikely to attain the same levels in countries whose citizens are more skeptical of governmental intentions.
In particular, the citizens of the UK and the US are the most resistant to sharing their data with their governments, and have also been the populations worst affected by the virus.
Of course, it would be possible for governments to mandate the use of a contact tracing app, but it is notable that such a proposal – which would represent an unprecedented step in Western democracies – has not even been mentioned. In this context, the ACLU has even produced a set of guidelines for the roll-out of contact tracing apps, in which it insists that their adoption should be completely voluntary.
The problems raised by contact tracing apps are not new. They have characterized the debate on data privacy for decades. They do, however, point to the importance of ensuring privacy by design in smartphone apps, and caution against the rapid deployment of new data acquisition systems.
For now, it seems unlikely that contact tracing apps will be part of the fight against Covid-19. The primary reason for this is not technical, however, but social. It’s unlikely that citizens in the worst affected countries will be keen on using an app that tracks their movements, and it seems equally unlikely that their governments will mandate the use of such an app.