Are contact tracing apps just surveillance tools that invade privacy and disclose sensitive information?
When an individual is found to be infected with the coronavirus, the race is on to find those who have come into contact with them, as these people could be carriers or even be infected.
This has led to hundreds of coronavirus contact tracing mobile applications being developed worldwide and backed by various governments and national health authorities, as well as guidelines by the EU and special protocols developed by the two major smartphone OS vendors Apple & Google.
In some places, the use of such applications has been made mandatory for people who want to gain access to public spaces.
What do contact tracing apps do?
While the technology and algorithms differ between applications, the promise of most coronavirus contact tracing apps is the same:
First, the ability to detect close contact between individuals (i.e. within several meters) over a period of time. The parameters differ from one application to another, but as a guideline, the time interval is about 15 minutes.
Proximity, in the majority of applications, is measured using either Bluetooth or GPS technology. In the case of Bluetooth, each device periodically broadcasts packets carrying a unique ID, allowing other devices to monitor them. In the case of GPS, the exact location of the user is logged at all times.
Second, when a person tests positive for coronavirus, they can use the application to advertise either their locations or the Bluetooth identifiers from registered contacts.
Applications notify users who appear to have been in close proximity to an infected person. The information about contacts made by the users of the applications is eventually shared with the local health authority, and/or with other users.
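The Bluetooth variant described above, sketched as an added example (not code from any of the apps or frameworks named in this article): it goes one step beyond the text by rotating the broadcast ID, derived from a secret daily key, so a phone cannot be followed by one fixed ID, and by doing the matching on the device. The rotation interval, gap limit, key derivation, synchronised clocks and all names are assumptions; the sample log is constructed.

```python
import hashlib
import hmac

INTERVAL = 600        # assumption: the broadcast ID changes every 10 minutes
THRESHOLD = 15 * 60   # the "about 15 minutes" guideline from the text
MAX_GAP = 300         # assumption: sightings >5 min apart are separate contacts

def ephemeral_id(daily_key: bytes, ts: int) -> bytes:
    """Broadcast ID for the interval containing ts (seconds since day start)."""
    msg = b"EPHID" + (ts // INTERVAL).to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def exposure_seconds(sightings, published_key: bytes) -> int:
    """Match the local log against one published key; return contact seconds.

    sightings: list of (ts, ephid) heard over Bluetooth, stored on-device only.
    Assumes both phones' clocks agree on the interval number.
    """
    hits = sorted(ts for ts, eid in sightings
                  if hmac.compare_digest(eid, ephemeral_id(published_key, ts)))
    # Sum only the gaps short enough to count as one continuous contact.
    return sum(b - a for a, b in zip(hits, hits[1:]) if b - a <= MAX_GAP)

def should_notify(sightings, published_keys) -> bool:
    """True if any published key accumulates at least THRESHOLD of contact."""
    return any(exposure_seconds(sightings, k) >= THRESHOLD
               for k in published_keys)

# Constructed sample: one phone's log of what it heard during a day.
ALICE_KEY = hashlib.sha256(b"constructed-alice").digest()
BOB_KEY = hashlib.sha256(b"constructed-bob").digest()
LOG = ([(t, ephemeral_id(ALICE_KEY, t)) for t in range(500, 1701, 60)] +   # 20 min
       [(t, ephemeral_id(BOB_KEY, t)) for t in range(3000, 3301, 60)])     # 5 min

if __name__ == "__main__":
    print(len({eid for _, eid in LOG[:21]}), "distinct IDs seen from one phone")
    print("Alice tests positive ->", should_notify(LOG, [ALICE_KEY]))
    print("Bob tests positive   ->", should_notify(LOG, [BOB_KEY]))
```

Until a key is published, the identifiers in the log cannot be linked to each other or to a person; only the 20-minute contact crosses the threshold.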
Of course, if such a system is to be effective in breaking infection chains, the application must have high adoption rates.
These observations, naturally, raise many questions around the privacy of individuals’ data that the app may access and the potential abuse of such systems.
Privacy and security concerns
Some are concerned that contact tracing apps are surveillance tools that invade individual privacy and disclose sensitive information. Therefore, any such app and tracing system must maintain a delicate balance between privacy and security, since poor implementation of security standards may put users’ data at risk.
This comes down to questions on what data is collected, how it is stored and how it is distributed. For example, is the data encrypted? Is there a proper authorisation or verification process to protect against abuse? Is user anonymity preserved given that personal identifiers such as phone number, name and IDs are being collected?
Another aspect is user consent – does the user submit their data voluntarily, or is the data being collected and uploaded without the user’s knowledge?
Is the use of contact tracing apps inevitable?
When we look at the adoption rates of coronavirus contact tracing applications in different countries, India’s Aarogya Setu leads the way with more than 100 million downloads from Google Play Store. This is largely because public and private workers in India are required to use it.
Gerak Malaysia has more than a million downloads from Google Play Store, while Singapore’s TraceTogether and Australia’s COVIDSafe have over 500,000 downloads each.
In Europe, the UK’s NHS COVID-19 has yet to be deployed across the country, but is currently being piloted on the Isle of Wight. It currently has more than 50,000 downloads. Austria’s Stopp Corona has been downloaded more than 100,000 times, as has Norway’s Smittestopp.
Germany and France have yet to release an application, but there are plans to do so soon.
It looks like coronavirus contact tracing applications are here to stay. But in order for them to be successful, it is essential that people have full trust that their privacy is being preserved and their data is protected from misuse.
Given the abundance of frameworks and protocols that have prioritised privacy and security, and the fact that many official applications have their sources published, it looks like things are going in the right direction.
With the recent release of the Google/Apple “Notification Framework”, we expect more applications based on this framework to be released, as well as existing applications shifting to this approach.
We strongly recommend that government agencies rely on sound protocols and publish their apps as open source in order to increase user confidence and acceptance.
As multiple fake apps have already been detected during the pandemic, our recommendation for end users is to install coronavirus contact tracing applications only from official app stores, since they only allow authorised government agencies to publish such apps.
We also recommend that users download and install a mobile security solution to scan applications and protect the device against malware, as well as verify that the device has not been compromised.