Why we should be slow to use tracking apps in coronavirus response

Net Results: Far greater transparency and evidence required for public to hand over data

Could the use of tracking, health or distancing apps solve – or even just improve – the coronavirus situation in Ireland? Globally?

Such apps, in varying forms, have been in use in China, South Korea and Singapore for weeks now. The HSE has promised its own tracing or tracking app, though has not been very clear on what it will actually purport to do. More are popping up, often with no formal connection to any official project.

Many feel these will be a significant part of the toolbox as nations seek a slow return to, if not normality, then at least some freedom of movement, better containment of inevitable further Covid-19 outbreaks, and a reboot of economic activity.

And yet, little evidence exists that such apps help (in any other conformation than the prospective dystopian state setting). They may seem as if they should help – alerting us to areas of greater infection concentration, or sending off all our personal health readings, or determining “contacts” with extremely vague mobile location data.


But “seems” is not actual evidence, and there’s often a chasm between what people think apps can do, and what they actually can do with any meaningful accuracy, even setting aside data protection and privacy rights. As technologists should remember, mountains of data, while very interesting to sift through, don’t necessarily translate into useful (or even, ahem, money-making) insights.

However, as a piece in the Economist on creating such a surveillance "coronopticon" recently noted, efforts in Asia, "like others elsewhere, are experimental. They risk failure; they also risk adverse side-effects, most obviously on civil liberties".

Recently, two countries with widely-touted apps, Singapore and South Korea, have seen further coronavirus outbreaks, suggesting apps are no silver bullet.

More worrying is the growing array of apps from individuals, companies and researchers that are asking for people to enable location tracking, or input their own health data (data given special protections under the General Data Protection Regulation), with no proper indication of how the data will be used or protected.

The HSE has not been transparent about its own pending app

In Ireland, it isn't clear which existing projects and apps are officially connected to the HSE, for example, raising a larger question: how is anyone to tell who is actually gathering data, for what purpose? Many apps do not seem to have been put through the GDPR's mandatory data protection impact assessment (DPIA) process.

In addition, the HSE has not been transparent about its own pending app. Yes, the national health service has many serious things to worry about right now, but it is proposing apps that would potentially surveil the entire Irish population. If they want our voluntary buy-in, we require far more detail.

The name of the company apparently producing it, Waterford-based NearForm, was only revealed on Tuesday, when Enterprise Ireland put out its own PR story on the issue. The story also mentioned another company, Taoglas, which has a "platform" that can "measure, monitor, predict, alert and notify public gathering and social distancing breaches". It's already in one Irish hospital and will "in time" be offered to local and national governments.

It would be helpful to know if DPIAs have been done for these surveillance and tracking applications.

While some complain that European GDPR and e-privacy rights are preventing the use of data, this is simply not true

Concern is valid, and part of driving good governance. Organisations often fail to implement needed protections. Just this week, the Data Protection Commissioner released a damning report noting that many Irish websites, including those specifically gathering health data, may be sharing details of users’ illnesses and other health data with third parties and advertisers without any lawful basis. Health-related websites were a “particular cause for concern” in the report.

"Good decisions and good outcomes require good quality information. Both data protection law and data quality principles require us to do the proper groundwork in designing apps and processes so that we can maximise benefit and minimise harm, identifying how to collect quality data that is fit for purpose to support our goals we want while identifying and prevent undesirable outcomes," says Katherine O'Keeffe, director of training and research at data consultancy Castlebridge.

“Rushing out an app that collected data unfit for purpose without transparency . . . would also reduce the public’s trust and willingness to share data for a good purpose.”

A leaked document from the European Commission this week expresses concern about the existing grab-bag approach to producing national apps. Thankfully, it also indicates the intention to co-ordinate a pan-European approach on apps precisely because "a fragmented and unco-ordinated approach risks hampering the effectiveness of measures aimed at combating the Covid-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms".

While some complain that European GDPR and e-privacy rights are preventing the use of data, this is simply not true. Some restrictions can be, and already have been eased in this time of crisis, to enable the use of data for potential tech solutions. But all solutions need to be balanced and proportionate – and provide some indication of successfully satisfying a societal need.