Data privacy vs public safety: contact tracing apps face hurdles

Schools, offices and restaurants have begun to reopen as countries around the world start easing COVID-19 lockdown measures. This has led public health officials to seek ways to minimize the risk of a resurgence of the virus.

One of the ways governments and other entities have been attempting to mitigate this risk is by developing contact tracing apps. These apps are designed to track users’ locations and their potential exposure to those who are infected with the virus, notifying them if they’ve come into contact with anyone who has tested positive for COVID-19.

Experts believe that contact tracing could help more effectively determine who needs to be tested, rather than simply relying on a patient’s memory of where they were and who they might have come into contact with over a given time.

In the past few months, the United Kingdom, Singapore, China, Australia, Iceland, Switzerland, France, Israel, Norway and New Zealand, among others, have rolled out contact tracing apps.

Thus far, the United States has opted for individual state operated apps, instead of one nationwide tracing app. Alabama, Utah, South Carolina, South Dakota and North Dakota have all developed apps.

Privacy issues

The release of these apps has coincided with a variety of concerns, the biggest being the attempt to balance public safety and data privacy.

While the developers of some tracing apps have attempted to put a high priority on privacy and user information, some apps have been more invasive.

China’s system collects a wide array of citizens’ personal data, including lifting their identities and locations from apps like WeChat and Alipay, an online payment platform, in order to ensure that citizens have abided by the rules of their quarantines.

North Dakota’s contact tracing app, called “Care-19,” launched in early April but was only recently revealed to have been sharing users’ location and advertising data with third parties, including Google and data intelligence company Foursquare, despite stating in its privacy policy that users’ data will be kept private.

India’s contact GPS-based tracing app, known as “Health Bridge” or “Aarogya Setu,” allows users to spoof their location and request the locations of those infected with COVID-19 within any 500 meter radius.

India’s government has made it mandatory for citizens to download Aarogya Setu or risk losing their jobs, being fined or going to jail. Within two weeks of its launch, Aarogya Setu became the fastest app ever to reach 50 million downloads and now has over 100 million users.

Mandating use of a contact tracing app, as India does, highlights the voluntary nature of other countries’ apps and the possibility that people will opt out of using them, decreasing the app’s effectiveness.

An Oxford University study estimates that the number of COVID-19 cases and deaths can be significantly reduced if approximately 60% of the UK population uses a contact tracing app and adheres to its recommendations.

A few weeks after its first case, Iceland developed a contact tracing app that was downloaded by nearly 40% of the country’s 364,000 population. It was later shown that Iceland’s tracing app largely failed to have an impact on the number of cases in the country.

Potential problems with using different tracing apps

In April, Apple and Google partnered to develop a decentralized application programming interface (API) to be used in contact tracing apps.

According to the two tech giants, several US states and 22 countries requested access to the technology. But with the responsibility of developing contact tracing apps left up to US states and governments, implementation issues appear likely.

For users within the US, moving between states could be a particular issue if each state uses different apps that themselves operate using different systems. This could result in important notifications regarding a user’s contact with a potentially infected individual being missed.

Issues are also likely to result when international travel resumes.

In places where people regularly cross borders for work or vacation, like Europe, users would have to download the apps for their destinations. Neighboring states and countries would then have to coordinate with one another to develop a standard or build interoperability between their apps, ensuring that users are able to move across borders without encountering issues.

Both the UK and France have stated that they will not be using Apple and Google’s API, which could further complicate matters for travelers to those countries.

Other cases could arise out of places that don’t use a Bluetooth-based system, as that is how many contact tracing apps operate. Utah, for example, has opted for a location-based system, while Australia uses a centralized one.

When privacy concerns conflict with public safety

Apple and Google’s software offers a privacy-preserving option that uses Bluetooth signals to detect users’ proximity to other people who have opted into the API.

This software doesn’t collect personal information, such as a user’s identity, nor does it collect a user’s phone location data, which could help public health officials determine who else might have been exposed to the virus if the user tests positive. All positional data collected is not geographic, but relative to other app users near you.

The standards set for the system have led to calls from public health officials and governments for the two companies to relax their rules and allow access to the API for the purposes of contact tracing. Officials believe the restrictions put into place by Apple and Google will limit the technology’s effectiveness and that technology used to fight the coronavirus should be designed and evaluated by democratically elected governments.

Jeffrey Kahn, director of the Johns Hopkins Berman Institute of Bioethics, recently published a book along with a group of colleagues on the ethics of digital contact tracing services. In it they highlight Apple and Google’s role in effectively setting national policy and claim that the companies are essentially saying that users’ privacy is more important than vital public health concerns.

“The public has values, too, which includes privacy, but not only privacy,” Kahn says. “This needs to be driven by public health, which may or may not be the same as what Apple and Google have decided are the terms of contact.”

Have a tip or story? Get in touch with our reporters at tips@themilsource.com

Sign up for daily news briefs from The Millennial Source here!