Public must have confidence in Covid-19 contact-tracing app

Design decisions can make apps either respectful of user privacy or invasive

In a state of public-health emergency such as the current pandemic, most would agree that measures taken by European governments to curtail freedom of movement are both justified and proportionate. However, as the Covid-19 global pandemic enters its second month, and governments across the world are anxiously drawing plans for exiting confinement, talk of mass testing and effective contact tracing has quickly led to concerned debate on the balance between public-health interests and an individual’s right to privacy.

Several Asian nations have shown that a response built on technology-assisted testing and contact tracing can translate into low death rates: Taiwan recorded six deaths (for a population half the size of Spain), Singapore only nine (a population comparable to Switzerland, which has more than 1,100 deaths and rising) and South Korea managed to stop the virus in its tracks despite a sharp initial rise.

Whether the same can be achieved in Europe will depend on the extent to which we accept technology-assisted contact tracing for its potential to save lives. To date, such technology has drawn heated debate from those concerned about personal privacy. However, the successful strategies elsewhere have all included mass testing and efficient contact tracing as core elements, and these seem to offer the best available means of restricting further spread of the disease.

Key decisions

Ensuring public confidence in any app, whether the South Korean model or the most recent Italian model, depends on the technology chosen, how the information is handled, what key decisions are made about the software architecture, who controls and manages the data, the options chosen for encryption and anonymisation, and guarantees that the data will be deleted and the app retired once this crisis has passed.

Most contact-tracing methodologies share one factor in common: they are all based on smartphone technology, using either location services or (more typically) peer-to-peer proximity detection. Beyond these similarities though, key design decisions can make these types of apps either very respectful of their users’ privacy, or very invasive.

The Italian government recently announced the launch of its own app, with the key design feature that user data is kept on the handset itself to maximise privacy. The Italian app looks promising from a data-protection perspective. Much of the decision-making rests with the user of the handset, and the design, as it has been described, preserves the anonymity of all involved. Public concerns are further alleviated by the app’s source code being open for review by the government, a measure which will become truly effective only if comprehensive security and compliance audits follow.

The Italian government indicated that a minimum uptake of 60 per cent of the population would be necessary to deliver the required level of effectiveness. Furthermore, the Italian software architects recognised the importance of continuity of service across national borders by following the interoperability guidelines set out by the European Commission for apps across European Union member states.

In assessing the suitability of any app there are a number of tests to consider in relation to the security of data. Bluetooth technology provides a convenient tool for proximity detection that can also preserve privacy. It is the same low-energy advertising mechanism a smartphone uses to discover nearby devices to pair with. A contact-tracing app uses it to notice when other phones are nearby and to exchange an identifier with them. Which identifier matters a great deal: a fixed, unique identifier (such as the hardware address every Bluetooth device carries) would allow anyone listening to follow a handset around, so privacy-preserving designs broadcast a random identifier that changes frequently and means nothing without a key held on the originating phone. The management of the data once it is collected is where legitimate concerns about privacy arise. It can remain pseudonymised, or it can lead to full exposure of your personal details (as well as other data on the smartphone).

A Bluetooth-based app is most likely to be the option considered for use in Ireland. Recent research by a team of computer scientists based in Stanford University outlines how a Bluetooth model can operate as a means of contact tracing “using randomly generated numbers to allow the system to function without any private data being stored or transmitted”.

Software architecture

Decisions on the software architecture will also have a significant impact on privacy. For example, will the app simply push your personal data to a centralised service on a periodic basis? Or will the data be kept on the device, and released to the centralised service only once a risk of contagion has been detected, and then only with the user’s consent? Will the processing be fully centralised, or partially distributed across the handsets in a peer-to-peer model?

There are also varying options in terms of encryption and anonymisation. Each decision point will affect privacy and sometimes (but not always) the effectiveness of the app. The assumption that lowering privacy thresholds further necessarily results in improved effectiveness is not correct.
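To make the decentralised option concrete, here is an added example (not code from the article, the Italian app or the Stanford research) that simulates the Bluetooth exchange of randomly generated identifiers described above and the on-device matching it allows. The protocol details are illustrative assumptions: each phone draws a fresh random seed per day, derives a new 16-byte identifier from it every 15 minutes with HMAC-SHA256, remembers the identifiers it hears nearby, and on a positive diagnosis uploads only its seeds; every other phone downloads the published seeds, re-derives the identifiers locally and checks for a match. The names and the encounter scenario are constructed for the example.

```python
"""Added example: a decentralised contact-tracing exchange built on rotating
random identifiers. All protocol parameters below are assumptions for the
illustration, not the design of any deployed app."""
import hashlib
import hmac
import os
from collections import defaultdict

EPOCH_MINUTES = 15                       # assumption: a new identifier every 15 minutes
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES
ID_LEN = 16                              # bytes broadcast over Bluetooth


def ephemeral_id(day_seed: bytes, epoch: int) -> bytes:
    """Derive the identifier broadcast during one epoch from that day's seed.
    Without the seed, two identifiers cannot be linked to the same phone."""
    msg = b"ephid" + epoch.to_bytes(4, "big")
    return hmac.new(day_seed, msg, hashlib.sha256).digest()[:ID_LEN]


class Phone:
    """State that never leaves the handset unless the owner chooses to share it."""

    def __init__(self, name: str):
        self.name = name
        self.day_seeds = {}                # day -> 32 random bytes
        self.observed = defaultdict(set)   # day -> identifiers heard nearby

    def seed_for(self, day: int) -> bytes:
        if day not in self.day_seeds:
            self.day_seeds[day] = os.urandom(32)
        return self.day_seeds[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_id(self.seed_for(day), epoch)

    def observe(self, day: int, eph: bytes) -> None:
        self.observed[day].add(eph)

    def on_positive_diagnosis(self, days):
        """Only the seeds for the infectious window are released; no contact list,
        no location, no identity."""
        return [(d, self.seed_for(d)) for d in days]

    def exposure_days(self, published_seeds):
        """Matching runs on the handset: re-derive every identifier each published
        seed would have produced that day and intersect with what was heard."""
        hits = set()
        for day, seed in published_seeds:
            derived = {ephemeral_id(seed, e) for e in range(EPOCHS_PER_DAY)}
            if derived & self.observed[day]:
                hits.add(day)
        return hits


class Server:
    """Holds nothing but seeds volunteered by diagnosed users; it never learns
    who met whom."""

    def __init__(self):
        self.published = []

    def publish(self, seeds) -> None:
        self.published.extend(seeds)


def bluetooth_contact(a: Phone, b: Phone, day: int, epoch: int) -> None:
    """Two phones in range each record the other's current identifier."""
    a.observe(day, b.broadcast(day, epoch))
    b.observe(day, a.broadcast(day, epoch))


def run_scenario():
    """Constructed scenario: Alice meets Bob on day 3, Bob meets Carol on day 5,
    then Alice tests positive and publishes seeds for days 2 to 4."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = Server()
    bluetooth_contact(alice, bob, day=3, epoch=40)
    bluetooth_contact(bob, carol, day=5, epoch=12)
    server.publish(alice.on_positive_diagnosis(days=[2, 3, 4]))
    return {
        "bob": bob.exposure_days(server.published),        # {3}: exposed on day 3
        "carol": carol.exposure_days(server.published),    # set(): no direct contact
        "server_items": len(server.published),             # 3 seeds, nothing else
    }


if __name__ == "__main__":
    print(run_scenario())
```

The privacy property rests on two facts visible in the code: identifiers broadcast in different epochs are unrelated to an observer without the seed, and the server stores only the seeds of people who chose to report a diagnosis. A centralised "push" design would instead have each phone upload its `observed` table, giving the operator a contact graph of the whole population regardless of infection status, which is the trade-off the article warns against.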

One of the key decision points is data control. Should the data be controlled by public authorities, by one of their agents, or by smartphone owners? If it is the former, who is providing the service on behalf of the public authorities? This is a key area of concern: if part of the service is subcontracted to private companies, what enforcement measures would be put in place to guarantee full compliance with data governance? The majority would have far greater confidence in an app developed and operated by government bodies such as the Health Service Executive, on the condition that subcontracting is kept to an absolute minimum, ideally none.

Finally, it is crucial that any contact-tracing app rolled out during this pandemic is both time-limited and fully reversible: not merely placed in standby for future use, but with the collected data deleted and the handsets restored to their original state.

Convincing individuals to install a contact-tracing app will be easier if the tests above can be met. Security of personal data is achievable with encryption, and the Government can give reassurances about the specific arrangements for data governance and impose punitive measures for non-compliance (beyond those already provided by GDPR). A centralised, government-managed service is achievable. Outsourcing any aspect of personal data capture, use or storage to third parties would undermine the Government’s efforts, with obvious consequences for post-containment public-health measures.

Jean-Christophe Desplat is director of the Irish Centre for High-End Computing