Contact tracing apps

There are two types of contact tracing apps: centralised and decentralised.

For a centralised contact tracing app, the data from a user’s cell phone is stored in an external database administered by the government and is to be used based on the discretion of public health authorities. The primary consideration for governments in this case is their ability to analyse data during and after the COVID-19 pandemic. The main concerns with centralised apps include the ability of governments to extend surveillance or to use the data collected for purposes other than the public health emergency at hand, risks associated with cybersecurity, and the privacy of users.

Many countries have therefore implemented decentralised contact tracing apps, or have switched from centralised to decentralised apps. In the case of decentralised contact tracing apps, the data is only stored on a user’s device. The app utilises Bluetooth to detect its proximity to other devices (i.e. ‘digital handshake’). The downsides of this model are the limitations of the Bluetooth technology itself, as the proximity of nearby devices can be measured inaccurately.

The debate on choosing between centralised or decentralised tracing apps has been most prominent in the EU. The Pan-European Privacy Preserving Proximity Tracing (‘PEPP-PT’) project was comprised of more than 130 members across eight European countries, including scientists, technologists, and other experts and was considered to be the leading European initiative for the development of a contact tracing app. However, it ran into a significant controversy around project transparency and centralised database storage, after which the participants abandoned it.

Apps based on the DP3T open protocol developed by École Polytechnique Fédérale de Lausanne and ETH Zurich, among others, store data in a decentralised fashion and are viewed as apps that can provide greater data security and are preferred by the European Parliament; such apps are already being used by countries like Austria and Ireland.

Apps developed based on Google and Apple Application Programming Interface (API) have privacy and security in mind. Inspired by DP3T, they are based on decentralised data storage and were adopted by countries such as Germany, Latvia, and Estonia.

​When the COVID-19 pandemic began, many countries resorted to implementing restrictions on the rights of their citizens in order to contain the spread of the virus and flatten the curve. Such restrictions included restrictions of free movement by imposing quarantine rules on large segments of population, closing borders and limiting travel, limiting the right of assembly by restricting large gatherings of people, and in some cases, infringing on the sanctity of one’s home by allowing for the entry of officials into homes for public health reasons. As countries return to normal and ease these restrictions, contact tracing apps come into play as a tool to help limit the spread of the virus in a potential second wave.

Any discussion involving contact tracing apps touches upon issues such as the protection of privacy, both in the cases of centralised and decentralised apps. The more types of data gathered, the longer it is gathered for, and the more parties have access to it, the greater is the intrusion into privacy. The type and amount of data collected from users varies heavily by country. The least amount of information is collected through anonymised location data via Bluetooth proximity tracing stored on users’ devices, therefore decentralised apps are considered the most privacy friendly. On the other hand, some countries, such as South Korea, Russia, or China, collect vast amounts of personalised information through centralised contact tracing apps: identifiable data about tax and personal identifications, credit card transactions, transportation and work, health conditions, facial recognition data, and GPS data, which are stored in a centralised database governed by state authority.

​

The data gathered by the contact tracing apps is subject to national laws and regulations, which varies widely. The implementation of contact tracing apps has highlighted the need to adopt or to amend data protection legislation.

The USA currently does not have federal legislation governing data protection, which would set standards for the whole country. The current crisis has accelerated discussion on the COVID-19 Data Protection Act, and the Exposure Notification Privacy Act in the US Senate. In the absence of federal laws, state data protection laws apply. Currently, only three US states are using contract tracing apps – all centralised – Utah, North Dakota and South Dakota. While these apps’ privacy policies regulate that they only release location data to public health officials when an individual is confirmed to be sick and that all of their data is deleted after 30 days, each of these states have breached their own privacy policies to some extent.

In South Korea the Personal Information Protection Act (PIPA) was enacted in 2011. The 2015 MERS outbreak, however, triggered amendments through the Contagious Disease Prevention and Control Act (CDPCA) that overrode certain provisions of PIPA and other privacy laws. In 2020, PIPA was amended to clarify the definition of data, its use and methods of its processing. As a result, South Korea, which has one of the most intrusive data collection practices through contact tracing app, allows for the automatic suspension of certain privacy and data protection regulations in the event of public health emergencies.

In Australia, the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) was enacted on May 15, 2020. The Act provides an addition to the Privacy Act 1988 (Cth) that specifically regulates the use and disclosure of data collected when people download and use the Australian government’s COVID-19 contact tracing app, COVIDSafe. It contains additional protections that provide the national privacy regulator — the Office of the Australian Information Commissioner (OAIC) — with oversight of the data collected by the app, thus addressing the privacy concerns.

Belgium is currently considering a draft law for the creation of a database for COVID-19 tracking. According to the draft law, Sciensano (the Belgian research institute and public health institute) would be responsible for collecting and saving the health and medical data of patients from various sources (e.g. doctors or medical/healthcare organisations) in a database along with the personal data of individuals. The Belgian Data Protection Authority voiced many concerns and criticisms regarding the draft law and has asked for its amendment.

Oversight by data protection authorities and national agencies over data collection through contact tracing apps is essential for privacy protection. More than 60 global data protection authorities and governmental agencies have issued specific guidance on health data collection, COVID-19 diagnosis disclosure, work-at-home practices, and return-to-work approaches.

Countries that have launched contact tracing apps without impact evaluations are being called out by privacy groups. This is the case in the UK, which launched a centralised contact tracing app developed by the National Health Service envisioning the retention of collected data for 20 years. Now privacy groups are preparing a legal challenge against the UK government stating that it failed to provide a legally required impact evaluation and that the proposed data processing and storage breaches users' privacy.

The impacts of contact tracing apps go beyond privacy considerations and potentially infringe on other rights. There has been backlash against certain groups who are accused of spreading the virus based on the information from contact tracing apps. For instance, an LGBTQ club in South Korea, through the use of contact tracing, has been suspected to have created a hotspot for the spread of COVID-19, which resulted in social backlash against the LGBTQ community in an already conservative and traditional society. In the USA, statistics show that COVID-19 has been hitting poorer communities harder; particularly the African-American and Hispanic communities, resulting in these groups being socially stigmatised. In the state of Michigan, 40% of COVID-19 related deaths were African-American, who only make up 14% of the state’s population.

Also, over the course of the social unrest in the USA and beyond, several human rights organisations have expressed concerns about the misuse of contact tracing apps for the surveillance of protestors, activists, and demonstrations resulting in the infringement of rights such as the right of association, right to unionise, and the freedom of speech and expression.

Additional global concerns are related to the segments of population that do not have access to Internet and/or are not digitally literate, women, as well as vulnerable groups such as disabled persons, older persons, refugees, and displaced persons. These segments of the population are disproportionately affected by the lack of access and are also in a higher risk category for the COVID-19.

The question of how the data is used and how long it should be stored is on national regulatory agendas as well. The concern here is the possibility of surveillance by the state, particularly should data use and storage not be limited. While most countries have mandated that data be deleted after a certain amount of time (i.e. a number of weeks or after the pandemic is over), some countries do not have such regulations. As previously noted, the UK intends to keep collected data for 20 years and use it for analysis that could contribute to the prevention of other health crises. China, where the contact tracing app collects a wide variety of personal information and is required to access buildings and public transportation, has also implied that it does not intend to stop collecting data when the COVID-19 pandemic is over.

Contact tracing apps, like any technology, are subject to cybersecurity concerns.

On the state level, the large amounts of data collected through centralised apps on a server are likely to attract cyber-attacks. Looking at contact tracing apps from the point of view of the users’ cybersecurity, there are several concerns that have been voiced by the privacy groups.

India’s Health Bridge app (Aarogya Setu), for example, is designed to let users check if there are infected people nearby. However, the app allows users to deceive the app by faking their GPS location in order to learn how many people reported themselves as infected within any 500-meter radius. ‘The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area’, said a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. ‘With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app’.

In relation to the Google and Apple API app, the American Civil Liberties Union and about 200 scientists, among others, warned of the potential to overreach, and called for developers to ensure proper technical measures are taken to ensure the app is secure.

Electronic Frontier Foundation (EFF) has now raised similar concerns, focusing on cybersecurity risks. Specifically, the nonprofit advocacy group is worried that hackers can target the data sent from the app and undermine the system. ‘Any proximity tracking system that checks a public database of diagnosis keys against rolling proximity identifiers (RPIDs) on a user’s device — as the API app does — leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected’, EFF wrote.

The risk could be lowered by shortening the time that the diagnosis key is used to generate RPIDs. EFF also warned that API app raises the risk of cyber-attack because there is currently no way to verify the device sending an RPID. As a result, bad actors could collect RPIDs from other devices and re-broadcast them from their own device.