Contact tracing – breach of data protection?
15 May 2020
In the rush to lift the lockdown with safeguards, the government has given a green light to “contact tracing” via Bluetooth apps on our smartphones (provided we own them and are willing to take up the app). See Rafe Jenning’s post on the technology behind this project.
Just to remind us what contact tracing via bluetooth apps means, I will recapitulate what Lord Sandhurst says in his introduction.
The government propose a centralised model, under which, I download the centralised app on to my phone. I will keep the phone, and the app, switched on at all times. It will record the identity of the phone of any person to whom I pass close and save that information. If I learn that I am infected I get that phone to pass that information to the central server of NHSX. The server then sends a message to all people with whom I’ve been in contact within a relevant time period, that tells them that they are at risk of infection but not directly, and from whom
This is a fast-moving development and indeed this post may be rendered otiose in a week’s time, particularly as the UK does not, as yet, have entirely reliable antibody tests (news just in is that this may change). But on 13 May we had the benefit of a virtual gathering of legal experts in data protection, human rights and constitutional law facilitated by, amongst others, Lord Sandhurst (formerly Guy Mansfield QC of 1 Crown Office Row), on the results of the first test run of the tracing app in the Isle of Wight, courtesy of the Society of Conservative Lawyers.
I give the YouTube link to the webinar at the end of this post, but as developments in this area change so fast I would urge you to read in full the papers written by the panellists. Lord Sandhurst QC’s paper can be found here.
Dr Michael Veale at the Faculty of Laws, University College London, has published a paper analysing the data protection impact assessment (DPIA) released by NHSX in relation to their contact tracing/proximity tracing app. The essence of Dr Veale’s argument is that a decentralised system would be the only proportionate response to the need to trace the spread of COVID-19, rather than the centralised system proposed. He has grave doubts about the assurances given by the impact document. “The DPIA claims that you do not give data to the central server without your permission”, he says; “it’s only when you diagnose as positive that the data goes from your phone to the central server.” The impact assessment document maintains that this serves as a barrier against having your privacy invaded. Unfortunately, says Dr Michael Veale, the NHSX system, like all centralised systems, is designed so that other people provide data about you. He posits this scenario as an example:
[say] you were in a cafe, sitting at a table, and there are two people at a table next to you, your phone saw that these people were next to each other at a certain period of time. Say you later get a test, you would be sending that data up to the cloud, and that data would say “person A and person B were colocated at once.” and that’s how the social graph is built up in the cloud.
So, says Dr Veale, there are questions about anonymity; and reading the DPIA there seems to be a war between people who, for PR reasons, want to say this data is anonymous and the data protection and governance people who say that legally this data is not anonymous and really far from it.
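The cafe scenario above, worked through as an added example (this is not code from the NHSX app or from Dr Veale's paper). It assumes plain phone labels in place of Bluetooth identifiers and constructed time slots, and its decentralised functions assume the general design of decentralised proposals, in which a reporting user publishes only their own identifiers; the post itself does not describe that design.

```python
from collections import defaultdict
from itertools import combinations

# Constructed contact logs: phone -> list of (identifier seen, time slot).
# "you" sat next to A and B in the cafe (slot 1) and passed C later (slot 5).
LOGS = {
    "you": [("A", 1), ("B", 1), ("C", 5)],
    "A":   [("you", 1), ("B", 1)],
    "B":   [("you", 1), ("A", 1)],
    "C":   [("you", 5)],
}

def centralised_server_view(reporters):
    """Pairings the server can derive when reporters upload their whole contact log."""
    edges = set()
    for reporter in reporters:
        by_slot = defaultdict(set)
        for seen, slot in LOGS[reporter]:
            edges.add(frozenset((reporter, seen)))   # reporter was near `seen`
            by_slot[slot].add(seen)
        # Two identifiers seen by the reporter in the same slot were near each
        # other too, even though neither of them uploaded anything.
        for group in by_slot.values():
            edges.update(frozenset(p) for p in combinations(sorted(group), 2))
    return edges

def decentralised_server_view(reporters):
    """Pairings the server can derive when reporters publish only their own identifiers."""
    # Assumption: contact logs never leave the phone, so no pairings are uploaded.
    return set()

def decentralised_notified(reporters):
    """Phones that find a published identifier in their own local log."""
    published = set(reporters)
    return {phone for phone, log in LOGS.items()
            if phone not in published and published & {seen for seen, _ in log}}

if __name__ == "__main__":
    for edge in sorted(sorted(e) for e in centralised_server_view(["you"])):
        print("centralised server learns:", edge)
    print("decentralised server learns:", decentralised_server_view(["you"]))
    print("decentralised phones notified:", sorted(decentralised_notified(["you"])))
```

With only "you" reporting, the centralised server holds an A–B pairing that neither A nor B supplied, while in the decentralised run the same three phones are alerted without any pairing reaching the server.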
Erasure and access issues
The government has claimed that there would be no way to re-identify the data in the server because it was technically impossible; but that’s only because they’ve designed it out of the system. It would be a simple step to design it back in.
The need for legislation
Where automated decision making has an effect on an individual, it needs a legal basis. In Dr Veale’s view, this legal basis is lacking in this particular situation.
Risks to fundamental rights and freedoms
Data protection law is meant to deal with power imbalances in the information world. The government released a register of “low” risks to data protection, including the possibility that every single Bluetooth tracing app you could design allows any “tech savvy user” to identify whether the person next door tested positive for coronavirus. This is not “low risk”. This is confidential patient information. A statute should be passed to lend legal basis to this system.
Professor Lilian Edwards, specialist in technology law at the University of Newcastle, has serious concerns about the assumption that “code replaces law”. As author of the Bill to protect the data privacy of citizens should contact tracing become a thing, she points out that
Data protection was once a very technical and nerdy matter; now it’s become a highly political matter and the Information Commissioner, though reasonably resourced within Europe, is fighting a “David and Goliath battle” with companies like Google and Facebook. To put this entire enforcement burden on the Information Commissioner seems unhelpful in this strange emergency situation where human rights are under threat.
The Coronavirus (Safeguards) Bill came out on 13 April. Professor Edwards was warned that there was “no way” this would ever be passed. To her surprise, Australia passed a very similar privacy law vis-à-vis their own centralised tracing app on the same day. It has legal safeguards which are now effectively being trialled.
You shouldn’t have to have a smartphone (20% in UK society do not own smartphones, and therefore should not be further excluded and disempowered)
…For this incursion into privacy to be justified, there has to be very high takeup
But for example a private sector employer is free to refuse to employ someone unless they have a smartphone with the app.
Is this a “responsible thing for a society to allow?” That kind of compulsion is not “ruled out by current data protection law”.
So what do we do? Take a GP’s waiting room – it may be justified to stipulate that people have this app on their phones. This is proportionate. But the Australian bill says that there should be no coercion at all.
There are other choices. How do we legislate for “immunity passports”? Given that we are not even sure that antibodies confer immunity, the contact tracing app and immunity passport may become an instrument for discrimination. What kind of discrimination or exclusion are proportionate to the benefits they confer on society as a whole?
Dr Michael Veale responded to Professor Edwards’ points by alerting us to the fact that we focus on privacy perhaps to the detriment of other issues. This app, Dr Veale stresses, is tending towards a platform for a coercive programme for individuals, neighbourhoods, communities, civil societies, leading to “programmable populations” –
You render the world legible and then try to manipulate it. This is an unprecedented change. This is trying to get at some of the power that Google and Facebook have had online, but trying to give it to the state in this situation.
Dr Veale expressed great concern about this “mission creep”.
Anyone watching the YouTube recording of this webinar may be interested by the questions put to the panel:
This app is for self-asserted symptoms, not certified test results. Is this a justification for going down the centralised route? In other words, is it that the tests are not proving reliable enough, quickly enough in the UK? Therefore should we be willing to take on the risk of false reporting?
But as Dr Veale points out, this enables people to target particular individuals, such as children pointing at their parents, employees their employers, identifying celebrities on the Dark Web and downloading and sharing identifiers online in order to place them into quarantine. Dr Veale’s team does not accept that it is not possible to detect abuse, small or medium scale fraudulence in this context.
So where does this take us? The NHSX app at the moment is, in Dr Veale’s words,
one step away from permanent identifiers that connects your name or your real identity explicitly rather than implicitly as they do right now.
So this has implications for quarantine control. It’s very easy for the government to introduce Bluetooth sensors in supermarkets and railway stations to assess how often we go out, and this is a reason for concern.
Another question put to the panel was whether there are any existing laws that can prevent discrimination against individuals that choose not to download the contact tracing app. Barrister Simon Murray did not think that there is any legislative protection, even under the Equality Act, that would provide a ground for a legal challenge. Infection with Coronavirus is not a protected ground under the Equality Act.
What about the consequences of this app’s action? What happens to those who’ve been alerted as to proximity, will they be penalised if they leave their home? In Taiwan, quarantine is enforced by an app on your own phone – so if you leave your home, the app reports your actions to authorities.
Professor Edwards did not think the route taken by China and Taiwan would be acceptable in this country. It will “always be disproportionate to impose sanctions on somebody for failing to self isolate, or breaking self isolation, on the basis of not even your own self reported symptoms but the self reported symptoms of somebody else” –
In the Coronavirus Regulations and in the primary emergency legislation (CA2020) there is a loophole: if a direction is given to a potentially infected person then they can be fined or sanctioned for breaking that direction. So the question is what becomes of the direction at that point.
Enforcing quarantine on a particular individual under a direction made under the Regulations which in turn were made under the 2020 Act gives no right to appeal. A police officer can direct you back to your residence but he can’t keep you there; can he direct you to be quarantined? This is not clear.
In conclusion, the panellists noted that Germany, the Republic of Ireland and other countries are pursuing a decentralised system of information via smartphones. Only France and Norway are pursuing a centralised system like we are proposing to do.
You can replay the webinar “The Covid-19 App – does it threaten privacy rights” via YouTube.