What are the data privacy considerations of Contact Tracing Apps?
1 May 2020
Latest news: GCHQ has published a detailed blog article which seeks to explain (and defend) the new NHS contact tracing app, which the Government regards as the key to a controlled exit from lockdown.
Coronavirus presents a serious threat to society, legitimising the collection of public health data under Article 9(2)(g) of the GDPR, which allows the processing of such data if “necessary for reasons of substantial public interest”. Some of this collection will take the form of contact tracing apps, which have been used to contain the spread of coronavirus in countries such as Singapore.
They work by broadcasting a Bluetooth signal from a smartphone which is picked up by other smartphones (and vice versa). If one user later contracts coronavirus, those who have been in contact with that user can be warned and given further advice to stop the spread.
NHSX, the body responsible for setting NHS data usage policy and best practice, has been developing a contact tracing app which is currently undergoing effectiveness trials at RAF Leeming. As it stands, the app either tells you “You’re okay now” or “You need to isolate yourself and stay at home”. It seems likely that this or a similar app will be rolled out over the UK in the coming months.
Centralised vs. Decentralised Contact Tracing
Two general architectures have been proposed for a contact tracing app: centralised and decentralised. On a decentralised architecture, after a positive diagnosis, one’s personal identifier is uploaded to a server which then broadcasts the identifier to all other phones running the app. One’s proximity contacts are recorded on one’s phone; if there is a match between a proximity contact and an identifier received by a phone, the user is alerted to the possibility that they may have contracted coronavirus. The central server therefore does not contain information regarding who may have contracted coronavirus from the matches. On a centralised model, one’s proximity contacts are uploaded to a central server, where the matches are made and then sent to the relevant phones.
Imagine a supermarket queue: John sees his friend Ben and irresponsibly goes to talk to him, ignoring social distancing rules. They both have contact tracing apps installed on their phones. If those apps are built on the centralised model, the contact between them will be sent to a central computer. Then, if John gets coronavirus, the central system can check through all of John’s contacts, and issue Ben a warning to take precautions. The central system records all of the contacts between everyone using the app.
On a decentralised model, the contact between John and Ben is not stored on a central server; rather, it is stored on both of their phones. If John gets a positive diagnosis, the central server broadcasts that to all the phones with the app. Ben’s phone receives this information, checks its memory to find that it has been in contact with John’s phone, and tells Ben to take precautions. Crucially, on the decentralised model, the central server (and thus the relevant health or government authority, or an attacker attempting to steal health data) does not know that Ben has been in contact with John, and does not know Ben is at risk unless he decides to report it.
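The John and Ben scenario from the two paragraphs above, written out as a toy model of both architectures (an added example, not code from the article or from any real contact tracing app; the identifiers and the third person, Alice, are constructed). It shows what each server ends up holding: the centralised server builds the full social graph and decides who is warned, whereas the decentralised server only ever sees the diagnosed identifier and the match is made on each phone.

```python
from collections import defaultdict

class Phone:
    """A phone in either model: it hears nearby identifiers over Bluetooth."""
    def __init__(self, identifier):
        self.identifier = identifier
        self.seen = set()   # identifiers heard nearby; kept on the phone

    def hear(self, other):
        self.seen.add(other.identifier)

    def at_risk(self, diagnosed):
        # Decentralised model: the match is computed here and never leaves the phone.
        return bool(self.seen & diagnosed)

class CentralServer:
    """Centralised model: every proximity contact is uploaded and matched here."""
    def __init__(self):
        self.social_graph = defaultdict(set)  # identifier -> identifiers it has met

    def upload_contacts(self, phone):
        for other in phone.seen:
            self.social_graph[phone.identifier].add(other)
            self.social_graph[other].add(phone.identifier)

    def report_positive(self, identifier):
        # The server picks who to warn, so it learns who is at risk.
        return sorted(self.social_graph[identifier])

def supermarket_queue():
    # Constructed scenario from the article: John talks to Ben; Alice only meets Ben.
    john, ben, alice = Phone("john-id"), Phone("ben-id"), Phone("alice-id")
    john.hear(ben); ben.hear(john)
    alice.hear(ben); ben.hear(alice)
    return john, ben, alice

def centralised_outcome():
    john, ben, alice = supermarket_queue()
    server = CentralServer()
    for phone in (john, ben, alice):
        server.upload_contacts(phone)
    warned = server.report_positive(john.identifier)
    held = {k: sorted(v) for k, v in server.social_graph.items()}
    return warned, held   # server holds the full social graph

def decentralised_outcome():
    john, ben, alice = supermarket_queue()
    diagnosed_on_server = {john.identifier}   # the only thing ever uploaded
    at_risk = sorted(p.identifier for p in (ben, alice) if p.at_risk(diagnosed_on_server))
    return at_risk, diagnosed_on_server       # server never learns Ben is at risk
```

In both models Ben is the one warned; the difference is that only the centralised server can reconstruct who met whom.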
The NHSX contact tracing app is built on a centralised architecture. As such, it will collect the contacts of those who use the app. One significant advantage of the centralised architecture is that the relevant public health authority, such as the NHS in Britain, has access to a fairly complete picture of the spread of coronavirus among those who have adopted the app, via the ‘social graph’ created on the central server. This is a dataset which charts all the interactions between people, and can be used to track the spread of coronavirus. However, data privacy activists worry about “mission creep”: how long will this dataset be kept, and could it be used for purposes other than tracking the spread of coronavirus? Could the system be engineered to order individuals to self-isolate even if they had no symptoms, if for example they’d had too many contacts? The answer to these questions is unclear, which is one of the reasons why a group of 177 academics working in information security and privacy* have called for an immediate Data Protection Impact Assessment (DPIA).
Cyber security watchdogs the Information Commissioner’s Office (ICO) and the European Data Protection Board have both said that they marginally prefer the decentralised model, as it limits the data open to potential attack. However, they have also both said that either can be consistent with the data protection requirements of Article 25(1) of the GDPR, which requires data controllers to “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation”.
Professor Lilian Edwards, Professor of Law, Innovation & Society at Newcastle University, has argued for the need for a new statute to enshrine basic data safeguards regarding the use of contact tracing apps and other digital tools to fight coronavirus. The proposed statute focuses on three main areas. First, that there shall be “No sanctions for failing to carry personal devices, install or run application”. Second, there should be “No mandatory requirement to install application or display messages received by application without due safeguards”. Third, there should be “No repurposing or sharing of personal data derived from symptom tracking and contact tracing apps”. The proposed legislation also reiterates cyber security experts’ calls for an immediate DPIA.
Motivating the proposed legislation are a number of concerns. First, a significant minority of British people do not own smartphones with the Bluetooth Low Energy technology needed to run contact tracing apps. Contact tracing apps, the legislation holds, must not be used to further exclude the already digitally excluded. Second, contact tracing apps depend on uptake for their success. Since the government estimates that around 50-60% of the population needs to download contact tracing apps for them to be successful, close to universal adoption is needed from those who can use them. Restating the privacy entitlements in hard law could reassure people of their rights and encourage them to adopt the apps.
Equally significant is the danger of “scope creep”. The ICO argues that purpose limitation is a “core principle of data protection internationally”. Professor Edwards’ proposed legislation particularly draws attention to data subjects’ Chapter 3 rights under the GDPR, such as the right of access, the right to rectification, the right to erasure, and the right to restriction of processing. Reinforcing those rights in the context of contact tracing apps could reassure the public that data protection considerations were being put front and centre. The same concern is also present in the clause that calls for an immediate DPIA.
Similar legislation, the Biosecurity Determination 2020, has been passed in Australia to coincide with the rollout of its national contact tracing app, COVIDSafe. Significantly, it specifies that:
“(2) A person must not:
(a) refuse to enter into, or continue, a contract or arrangement with another person (including a contract of employment); or
(b) take adverse action (within the meaning of the Fair Work Act 2009) against another person; or
(c) refuse to allow another person to enter premises; or
(d) refuse to allow another person to participate in an activity; or
(e) refuse to receive goods or services from another person; or
(f) refuse to provide goods or services to another person;”
Much like Professor Edwards’ proposed legislation, the Biosecurity Determination 2020 explicitly states that the purpose of the statute “is to make contact tracing faster and more effective by encouraging public acceptance and uptake of COVIDSafe”, rather than to implement novel legal protections.
Of course, any use of contact tracing apps is reliant upon widespread availability of testing. To limit false positives, which could spread quickly through a contact tracing system, positive diagnoses of coronavirus would have to come from sanctioned tests. As the government’s testing programme remains fairly limited in extent, the use of contact tracing apps and their privacy limitations remain fairly theoretical. Moreover, their effectiveness has been somewhat limited so far where they have been trialled. In Singapore, where use of the app was compelled among the armed forces, uptake was still only around 12% of the population. To illustrate the point, if as much as 40% of the population downloaded the app, for any given encounter there would be only a 16% chance that both people had the app and therefore benefited from digital contact tracing. It therefore remains to be seen how useful digital contact tracing will be compared to traditional contact tracing methods – simply asking people who they had been in contact with.
*“Privacy activists” has been updated to “academics working in information security and privacy”. Thank you to Professor Boiten for the correction.