Coronavirus: Contact tracing app raises privacy concerns

Two types of very revealing data – location and health information – will be gathered

As the HSE prepares a coronavirus contact tracing app for voluntary download in the next 10 days, the Irish public should expect to have numerous questions clearly answered before placing it on their own phones.

Several countries, primarily in east Asia, are already using government-sanctioned tracking apps for a variety of purposes, including contact tracing, enforcing quarantine rules, controlling movement across public transport and neighbourhoods, and modelling the spread of the virus.

Some apps are mandatory, some are voluntary. All are issued on the basis of an emergency public health need. In some cases, it’s not entirely clear what data is being gathered or how it is being used, or could be used in future.

These are important questions.

Location data is so revealing that it effectively offers governments the ability to place citizens under intrusive but invisible surveillance

Such apps gather and utilise two types of very revealing data – location and personal health information. Health data is particularly sensitive and has special protections under the EU’s General Data Protection Regulation (GDPR).

Location data is so revealing that it effectively offers governments the ability to place citizens under intrusive but invisible surveillance, the European Court of Justice found half a decade ago in its Digital Rights Ireland case, when it invalidated the EU Data Retention Directive and mandated tighter protections.

However, GDPR allows some flexibility during a time of national and international crisis, as we face with a pandemic. Thus, the European Commission has allowed states to make use of properly safeguarded mobile communications data.

Efficacy unknown

So far, little hard evidence exists that such apps make any significant contribution to limiting the spread of the virus. It’s not that they do not, or will not in future; it’s more that we just do not know.

But there’s plenty of evidence that states often deploy large-scale technology projects in ways that are not properly secured, and that are eventually found to violate civic and human rights. States also have a bad habit of bringing in broader population surveillance and special powers during emergencies that are never reversed when the crisis ends.

"Can the app coherently or meaningfully contribute to containing Covid, such that its deployment is worthwhile?"

Irish privacy advocates have concerns.

“The HSE app might lead to two separate outcomes,” warns Elizabeth Farries, technology and human rights expert at the Irish Council for Civil Liberties. “The first is to trace contacts in order to fight Covid-19. The second is to further normalise surveillance.

“We are no longer in the initial stage of Covid spread, and Ireland is already under general restrictions. How will the app further contribute to efforts already in place? How will it result in different behaviours from people who have signed up? Can the app coherently or meaningfully contribute to containing Covid, such that its deployment is worthwhile?”

Antóin Ó Lachtnáin, director of Digital Rights Ireland, an organisation that seeks to defend people’s civil, human and legal rights on digital issues, notes that while an emergency may demand allowing data usage in ways that would not otherwise be acceptable, a clear process exists for validating that such an app complies with privacy requirements, including a legally required Data Protection Impact Assessment.

Long-term worries

Although the HSE has stated its app is being produced in consultation with the Data Protection Commission, at present there is little detail on who is coding it, how transparent the code is and whether it has been or will be properly assessed for compliance with GDPR protections.

Longer-term worries arise, too, Ó Lachtnáin says.

“We are concerned that a health-reporting app for epidemiological purposes, which is what HSE seem to be proposing, will somehow become a health status app and become a requirement for certain jobs or to go certain places. This is the ‘mandatory but not compulsory’ trap.”

"We must avoid magical thinking during times of crisis in order to realistically assess how and if tech can specifically help us"

The Irish app is apparently based on the one used in Singapore, widely seen as a good privacy and transparency model. But, as of yet, too little is known about what is being proposed.

Given the State’s poor record on data privacy, as demonstrated by the Digital Rights Ireland decision in the Court of Justice of the European Union, and the Data Protection Commission’s condemnation of the implementation of the public services card, the HSE needs to get this right.

“We must avoid magical thinking during times of crisis in order to realistically assess how and if tech can specifically help us – and how our rights will be protected at the same time,” says Farries.