Opinion: technology can make contact tracing more effective, but there are privacy concerns around such massive surveillance and monitoring

An important tool in containing a disease such as Covid-19 during an epidemic is contact tracing. This means finding out who an infected person has met while infectious, so that these people can be warned, tested and asked to self-isolate if necessary. So far, contact tracing has mostly been done manually through paper-based questionnaires, but technology can help speed up this process and make it more effective. Several countries are currently developing and introducing contact tracing smartphone apps, and technology giants Apple and Google have joined forces to help in this effort.

These apps usually rely on either Bluetooth or localisation technology (such as GPS), or both. Bluetooth wireless communication works on short distances (normally a few metres), which makes it ideal for sending messages from a smartphone to other devices nearby. By exchanging such messages, contact tracing apps can record when two people are close enough for long enough that there is a risk of contagion, if one of them is later found to be ill. GPS can be used in a similar manner by comparing the location of people. Apps based on these technologies can trace how the virus spreads in the community and help limit contagion.

From RTÉ News, a report on the plan to introduce a contact tracing app in Ireland 

However, privacy concerns are being raised by experts and civil rights groups about the amount of data they collect. The European Data Protection Board has recently stated that "systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy".

While it is true that the HSE and health services around the world are well used to dealing with patient information in a confidential manner, the amount of data collected by a contact tracing app is well beyond anything a GP or hospital admission form has ever asked for before. In fact, tracing people's social interactions and location at this level of detail is unprecedented. Even if some of us happily share a lot of our life on social media, we can select what we want to share and what we prefer to remain private. In contrast, a contact tracing app is on all the time.

In normal times, few people would be comfortable with an app keeping track of every person they meet and every place they visit. Even if in the current crisis we trust doctors to handle this information, there is a risk data could be stolen, hacked or leaked. Whether we like it or not, private information tends to stick around when it is made public. As celebrities whose private photos have been leaked online know all too well, it is practically impossible to remove information from the internet. Once the data genie is out of the bottle, it is impossible to put it back in.

From RTÉ Radio 1's Drivetime, how does the proposed contact tracing app work - and what are the concerns around privacy?

A simple solution would be to anonymise the information collected by the app, so that even if leaked it cannot be traced back to a specific person. Names and phone numbers could be replaced by anonymous identifiers, and only a trusted party such as the HSE would be able to de-anonymise the information in the case of a positive Covid-19 test result.

Unfortunately, things are not so simple. Research has proven that anonymity is almost impossible when large amounts of information about a person are collected. The reason is that the information collected is so personal and unique that it is very easy to guess the person to whom it belongs. For example, anyone able to track our location over time will learn where we live and where we work or study, and these places will easily reveal who we are.

A recent research article shows that only four spatio-temporal points (that is, information on the location of an anonymous person at a certain time) are enough to identify 95% of people. Similar research shows that social interactions and information about the people we meet (called the social graph) are also highly unique and identifying. Therefore, anonymisation alone is not enough to guarantee privacy.
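
As an added illustration (not part of the original article or of any contact tracing app), the Python sketch below measures how often a handful of known location points single out one record in a dataset where names have already been replaced by anonymous identifiers. The identifiers, place names and the four traces are constructed sample data.

```python
from itertools import combinations

# Constructed sample: pseudonymised location records as (cell, hour) points.
# Names and phone numbers are already replaced by opaque identifiers.
TRACES = {
    "id-7f3a": {("home-1", 8), ("office", 12), ("gym", 19)},
    "id-c21e": {("home-1", 8), ("office", 12), ("cafe", 19)},
    "id-09bd": {("home-2", 8), ("office", 12), ("gym", 19)},
    "id-e5d0": {("home-2", 8), ("school", 12), ("cafe", 19)},
}


def candidates(traces, known_points):
    """Identifiers whose trace contains every (cell, hour) point in known_points."""
    known = set(known_points)
    return {pid for pid, trace in traces.items() if known <= trace}


def unicity(traces, k):
    """Fraction of k-point subsets of a trace that match exactly one identifier."""
    unique = total = 0
    for trace in traces.values():
        for subset in combinations(sorted(trace), k):
            total += 1
            if len(candidates(traces, subset)) == 1:
                unique += 1
    return unique / total if total else 0.0


if __name__ == "__main__":
    # Use this as a release check: a high value means the data is not anonymous.
    for k in (1, 2, 3):
        print(f"{k} known point(s): {unicity(TRACES, k):.0%} single out one record")
```

On this sample, one known point singles out a record in 8% of cases, two points in 67%, and three points in every case, even though no name appears anywhere in the data.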


Concerns about contact tracing apps are not limited to the possibility of data being stolen. Once data is collected, there is also a possibility it may be used for purposes other than the current Covid-19 emergency. For instance, if a suspect is arrested for drug-dealing, would gardaí be given access to the list of contacts recorded in their app? If so, could a person get a knock on their door simply because they unknowingly sat close to the suspect in a cafe a week earlier? Would divorce solicitors be able to request contact tracing information to expose a cheating spouse? Would employers use it to track their employees’ attendance?

Extensive monitoring of people’s daily lives will only be accepted by the public if the information is exclusively used to fight Covid-19, and is deleted as soon as it is not needed anymore. The Irish people have already overwhelmingly shown they can step up to the challenge and play their part in beating Covid-19. They will do the same with contact tracing apps, but only if they are confident that their privacy and rights will be respected. Otherwise, few will install it, making it useless.

Studies reveal at least 60% of the population needs to participate in contact tracing for it to be effective. Singapore's TraceTogether app, which implements invasive monitoring of its users, currently has just 17% uptake. Making the app mandatory, or a precondition to return to work, would also be met with strong resistance, and would be in breach of human rights and most likely unconstitutional.

From RTÉ Radio 1's Drivetime, Barry Lenihan reports on concerns around contact tracing

Experts are increasingly concerned that current plans for contact tracing apps by national governments lack sufficient privacy safeguards. This has prompted the privacy research community to voice their concerns publicly. A large number of prominent academics from 26 countries, including winners of prestigious awards and fellowships, recently published an open letter listing four important principles that governments should follow in developing such apps.

First, the app must only be used to help contain Covid-19, and should only collect data that is necessary for this purpose. Second, it must be clear what information will be collected, where it will be stored and for how long. The technology must be transparent, and the source code should be published to allow independent analysis. Third, the design must put privacy first, and use the best encryption and security technologies available. Fourth, use of the app must be voluntary and the system must be switched off, and all data deleted, when the crisis is over.

The academics also recommend storing most sensitive data in a decentralized way on users’ phones, rather than collecting it into a central database. This solution is also preferred by Apple and Google, and is championed by the European Parliament. As a result, the German government is modifying their app design in this direction.
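
The decentralised approach can be sketched as follows. This is an added, simplified illustration, not the Apple and Google design or any government's app: the HMAC-based derivation of rotating identifiers, the 15-minute interval and the Phone class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumption: a new broadcast identifier every 15 minutes


def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval; unlinkable without daily_key."""
    msg = b"ephemeral-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        # The key stays on the phone unless its owner tests positive and uploads it.
        self.daily_key = secrets.token_bytes(32)
        self.heard = {}  # ephemeral id -> interval, stored only on this phone

    def broadcast(self, interval):
        return ephemeral_id(self.daily_key, interval)

    def listen(self, eph_id, interval):
        self.heard[eph_id] = interval

    def exposures(self, published_keys):
        """Re-derive identifiers from published keys and match them on the device."""
        hits = []
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if ephemeral_id(key, interval) in self.heard:
                    hits.append(interval)
        return sorted(hits)


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (40, 41):            # constructed encounter: Alice near Bob
        bob.listen(alice.broadcast(interval), interval)
    carol.listen(bob.broadcast(50), 50)  # Carol met Bob, never Alice
    published = [alice.daily_key]        # Alice tests positive and uploads her key
    rotates = alice.broadcast(40) != alice.broadcast(41)
    return bob.exposures(published), carol.exposures(published), rotates


if __name__ == "__main__":
    print(simulate())
```

The server in this sketch only ever receives the keys of people who test positive; the list of who was near whom exists only on each phone, so there is no central contact database to leak or repurpose.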

The coronavirus epidemic revealed how dependent we are on science and research to find a cure and save lives. At a time when we increasingly rely on medical experts to steer us through this crisis, it only makes sense to also heed the advice of privacy experts when it comes to protecting personal data.

The views expressed here are those of the author and do not represent or reflect the views of RTÉ