Coronavirus: Contact tracing app raises privacy concerns

Two types of very revealing data – location and health information – will be gathered

Government staff demonstrate Singapore’s contact-tracing smarthphone app. Photograph: Catherine Lai/AFP via Getty

Government staff demonstrate Singapore’s contact-tracing smarthphone app. Photograph: Catherine Lai/AFP via Getty

Your Web Browser may be out of date. If you are using Internet Explorer 9, 10 or 11 our Audio player will not work properly.
For a better experience use Google Chrome, Firefox or Microsoft Edge.

 

As the HSE prepares a coronavirus contact tracing app for voluntary download in the next 10 days, the Irish public should expect to have numerous questions clearly answered before placing it on their own phones.

Several countries, primarily in east Asia, are already using government-sanctioned tracking apps for a variety of purposes, including contact tracing, enforcing quarantine rules, controlling movement across public transport and neighbourhoods, and modelling the spread of the virus.

Some apps are mandatory, some are voluntary. All are issued on the basis of an emergency public health need. In some cases, it’s not entirely clear what data is being gathered or how it is being used, or could be used in future.

These are important questions.

Location data is so revealing that it effectively offers governments the ability to place citizens under intrusive but invisible surveillance

Such apps gather and utilise two types of very revealing data – location and personal health information. Health data is particularly sensitive and has special protections under the EU’s General Data Protection Regulation (GDPR).

Location data is so revealing that it effectively offers governments the ability to place citizens under intrusive but invisible surveillance, the European Court of Justice found half a decade ago in its Digital Rights Ireland case, when it invalidated the EU Data Retention Directive and mandated tighter protections.

However, GDPR allows some flexibility during a time of national and international crisis, as we face with a pandemic. Thus, the European Commission has allowed states to make use of properly safeguarded mobile communications data.

Efficacy unknown

So far, little hard evidence exists that such apps make any significant contribution to limiting the spread of the virus. It’s not that they do not, or will not in future; it’s more that we just do not know.

But there’s plenty of evidence that states often deploy large-scale technology projects in ways that are not properly secured, and that are eventually found to violate civic and human rights. States also have a bad habit of bringing in broader population surveillance and special powers during emergencies that are never reversed when the crisis ends.

“Can the app coherently or meaningfully contribute to containing Covid, such that its deployment is worthwhile?”

Irish privacy advocates have concerns.

“The HSE app might lead to two separate outcomes,” warns Elizabeth Farries, technology and human rights expert at the Irish Council for Civil Liberties. “The first is to trace contacts in order to fight Covid-19. The second is to further normalise surveillance.

“We are no longer in the initial stage of Covid spread, and Ireland is already under general restrictions. How will the app further contribute to efforts already in place? How will it result in different behaviours from people who have signed up? Can the app coherently or meaningfully contribute to containing Covid, such that its deployment is worthwhile?”

Antóin Ó Lachtnáin, director of Digital Rights Ireland, an organisation that seeks to defend people’s civil, human and legal rights on digital issues, notes that while an emergency may demand allowing data usage in ways that would not otherwise be acceptable, a clear process exists for validating that such an app complies with privacy requirements, including a legally required Data Protection Impact Assessment.

Long-term worries

Although the HSE has stated its app is being produced in consultation with the Data Protection Commission, at present there is little detail on who is coding it, how transparent the code is and whether it has been or will be properly assessed for compliance with GDPR protections.

Longer-term worries arise, too, Ó Lachtnáin says.

“We are concerned that a health-reporting app for epidemiological purposes, which is what HSE seem to be proposing, will somehow become a health status app and become a requirement for certain jobs or to go certain places. This is the ‘mandatory but not compulsory’ trap.”

“We must avoid magical thinking during times of crisis in order to realistically assess how and if tech can specifically help us”

The Irish app is apparently based on the one used in Singapore, widely seen as a good privacy and transparency model. But, as of yet, too little is known about what is being proposed.

Given the State’s poor record on data privacy, as demonstrated by the Digital Rights Ireland decision in the Court of Justice of the European Union, and the Data Protection Commission’s condemnation of the implementation of the public services card, the HSE needs to get this right.

“We must avoid magical thinking during times of crisis in order to realistically assess how and if tech can specifically help us – and how our rights will be protected at the same time,” says Farries.

News Digests

Stay on top of the latest newsSIGN UP HERE
The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.