Contact tracing apps – Private and Private-er?
The Harvard Business Review (HBR) has an interesting article about how a combination of culture and technology is helping to slow the spread of the coronavirus.
It reports that East Asian countries like China, South Korea, Taiwan, and Singapore have managed to flatten the curve at some point, and this could be due to a “collectivist spirit” which “encourages civic-minded embrace of and a more willing compliance with governments’ infection control.”
This attitude and the active deployment of technology reinforce each other, and together they have been successful in staggering the number of new cases over a longer period of time, HBR observed.
What kind of technology are we talking about here?
Technology companies and governments have been announcing/releasing a range of technologies to facilitate contact tracing, an important step in a nation’s healthcare efforts to stem the virus tide.
And contact tracing technology is not a new idea.
The use of mobile technology to track infectious diseases is a concept that is at least a decade old, and the FluPhone app is one example from 2011. But its take-up was dismal compared to the adoption of similar apps in the East Asia region. Besides culture, though, the technologies that determine how infections are detected, how data is stored and who is notified can play a key role in the public’s acceptance of a contact tracing app.
Basically, these apps work by identifying the people an infected person comes into close contact with. With this information, individuals and health authorities can take the necessary steps to try to slow the rate of infection.
The Conversation reported that, according to Oxford University research, these types of apps can effectively stop the epidemic if 60 percent of the population use them.
By now, you may have noticed that the tracking nature of apps like these is of concern to privacy advocates. You wouldn’t be wrong. The HBR article I referenced earlier suggests that East Asian countries tend to be more accepting of these apps. But Western democracies, which tend to prize individual privacy over collective benefit, have been resistant.
And if we zoom in a little further on how these apps work, we discover that there are technologies that guide how data is handled. These technologies, the protocols and architectures for contact tracing apps, are currently at the centre of privacy debates, particularly in Europe.
Consider the usage of location data versus Bluetooth chatter.
One good example is Singapore’s TraceTogether app, which uses Bluetooth technology to detect the proximity of an infected person to other people. The Australian government has reported it is building its own app based on TraceTogether, and Government Services Minister Stuart Robert tried to allay concerns around privacy by explaining that people in close proximity would have their phone numbers automatically swapped via Bluetooth.
If one of those persons has tested positive, the phone number of the other person would be provided to health professionals, with the first person’s consent.
“Those numbers will be on your phone, nowhere else, encrypted. You can’t access them, no one else can,” he also said.
So, the use of Bluetooth technology to detect proximity is less invasive than, say, location tracking via cellular signals. The way that Google and Apple have architected their approach also sees data being encrypted and processed locally on mobile phones, instead of being sent to health authorities.
Other technologies being used for contact tracing applications include facial recognition, geo-fencing, and even LoRaWAN.
So, just as no two apps are created equal, the technologies each app is based on, and how each app chooses to leverage them, can determine how privacy-invasive it potentially becomes.
Private and Private-er
On April 10, Google and Apple announced a collaboration to build API technology that enables digital contact tracing apps to be built upon their respective operating systems, Android and iOS. But this collaboration sets strict limits on what data can be sent back to public health authorities.
Techcrunch also reports that Apple and Google’s API is designed to block contact matching on a central server. Instead, the onus to match contacts is on the people who have been in close proximity. If person A is diagnosed with the coronavirus, he updates his status in the app and gives consent to share his “anonymised key” or ID on a database. Person B, who regularly downloads the database, would be alerted that she has been near someone who is infected.
Ironically, France wants this decentralisation-based limit to be lifted so it can develop a sovereign European health solution that will be tied to its health system.
The use of proximity contact via Bluetooth technology is less intrusive than location-tracking tools. But while the flavour of the day seems to be Bluetooth technology over location tracking, there is no agreement yet about how collected data should be managed.
Indeed, there seem to be two privacy camps forming in Europe, one that is in favour of centralising the data, and another that backs Apple-Google’s decentralising method.
The former means IDs are uploaded to a trusted server, likely controlled by a health authority; while a decentralised method means IDs are held locally on devices, where the infection risk is also calculated.
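The difference between the two camps, and the person A / person B flow described earlier, can be sketched in a few lines. This is an added example, not code from Apple, Google, PEPP-PT or any app named here; the key derivation, the number of intervals per day and the server-side registry are simplifying assumptions rather than the real protocols.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumed: one rolling ID per 10 minutes


def rolling_ids(daily_key):
    """IDs broadcast over Bluetooth in one day (assumed: truncated HMAC-SHA256)."""
    return [hmac.new(daily_key, i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for i in range(INTERVALS_PER_DAY)]


class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.daily_key = os.urandom(16)  # stays on the phone unless the owner consents
        self.heard = set()               # IDs seen nearby, stored locally

    def meet(self, other, interval):
        """Both phones record the ID the other broadcasts in this interval."""
        self.heard.add(rolling_ids(other.daily_key)[interval])
        other.heard.add(rolling_ids(self.daily_key)[interval])

    def local_matches(self, published_keys):
        """Decentralised: re-derive IDs from the public database, compare on device."""
        return sum(len(self.heard & set(rolling_ids(k))) for k in published_keys)


def central_matches(registry, heard_upload):
    """Centralised: the server resolves uploaded IDs to registered owners."""
    id_to_owner = {rid: owner for owner, key in registry.items()
                   for rid in rolling_ids(key)}
    return sorted({id_to_owner[rid] for rid in heard_upload if rid in id_to_owner})


def simulate():
    a, b, c = Phone("A"), Phone("B"), Phone("C")
    for interval in (10, 11, 12):        # A and B are close for three intervals
        a.meet(b, interval)
    b.meet(c, 50)                        # C only ever meets B
    database = [a.daily_key]             # A tests positive and consents to share
    decentralised = (b.local_matches(database), c.local_matches(database))
    registry = {p.owner: p.daily_key for p in (a, b, c)}  # server knows every key
    centralised = central_matches(registry, a.heard)      # A uploads what it heard
    return decentralised, centralised


if __name__ == "__main__":
    print(simulate())
```

In the decentralised run the database holds only A's key and each phone works out its own exposure; in the centralised run the server itself learns that A was near B.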
Techcrunch reported, “The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), calling for developers of contact tracing apps to get behind a standardised approach to processing smartphone users’ data to coordinate digital interventions across borders.”