Covid-19 contact tracing apps: the privacy questions governments should ask
Computing experts at Imperial College London have posed eight privacy questions governments around the world should consider when developing coronavirus contact tracing apps.
As part of a widespread effort to slow the outbreak of the coronavirus and 'flatten the curve', governments, research institutions and industry are coming together to develop contact tracing apps to record encounters between people.
The apps in question warn users if someone they have been recorded as being in contact with is later diagnosed with Covid-19. The alert allows people to take appropriate measures, such as self-isolation, to help reduce the potential spread of the virus.
According to experts, such apps could prove useful in avoiding long-term confinement measures. However, these programs collect sensitive information such as location data, Bluetooth-enabled proximity information, and whether individuals are infected.
To address these privacy concerns, a new white paper by Imperial College London’s Dr Yves-Alexandre de Montjoye outlines eight questions that should be asked to understand how well an app protects privacy.
“We need to do everything we can to help slow the outbreak,” said Dr de Montjoye, of Imperial’s Department of Computing. “Contact tracing requires handling very sensitive data at scale, and solid and proven techniques exist to help us do it while protecting our fundamental right to privacy. We cannot afford to not use them.
“Our questions are intended for governments and citizens to help evaluate the privacy of apps,” he explained. “They could also help app developers when planning and evaluating their work.”
The questions disclosed by the team at Imperial are as follows:
1) How do you limit personal data gathered by the app developers?
Dr de Montjoye (YDM): “Large-scale collection of personal data can quickly lead to mass surveillance. We should ask how much data the app gathers – like the whole disease trajectory and real-life social network of infected users.”
2) How do you protect the anonymity of every user?
YDM: “Special measures should be put in place to limit the risk that users can be re-identified by app developers, other users, or external parties. Because location traces are unique, they might easily be linked back to a person.”
3) Does the app reveal to its developers the identity of users who are at risk?
YDM: “The goal of contact tracing is to warn people who are at risk, so there’s no need for app developers to know who these people are.”
4) Could the app be used by users to learn who is infected or at risk, even in their social circle?
YDM: “Personal health data is very sensitive. Digital contact tracing should warn those who are at risk without revealing who might have infected them.”
5) Does the app allow users to learn any personal information about other users?
YDM: “Having access to small amounts of information could help users identify who is infected, so apps shouldn’t disclose information on a user’s location or social networks to other users.”
6) Could external parties exploit the app to track users or find out who’s infected?
YDM: “Apps should consider the risk of external adversaries, including well-resourced ones. External entities could install Bluetooth trackers to cover a city, or install malicious code on phones, and record the identifiers that they observe in specific locations. This can be avoided by regularly changing and re-anonymising identifiers like location data.”
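To make the mitigation in question 6 concrete, here is an added example (not code from the Imperial white paper or from any deployed app) that models rotating Bluetooth identifiers. It assumes a decentralised layout in which each phone derives a fresh identifier every 15 minutes from a per-day secret key using a keyed hash, and in which infected users publish only their daily keys; the slot length, key sizes and the sample sightings and encounters are all constructed for the demo. It goes slightly beyond the quote by also showing why the at-risk phone can still match an encounter once the key is published.

```python
"""Added example: rotating identifiers versus a city-wide Bluetooth tracker.

A passive observer that records identifiers at several locations can follow a
device that broadcasts one static value, but gets only unlinkable values from
a device whose identifier is re-derived from a secret key every time slot.
A phone that later receives the published daily key of an infected user can
re-derive those identifiers and check its own encounter log locally.
Slot length, key sizes and the sample data below are assumptions for the demo.
"""
import hashlib
import hmac
import secrets

SLOT_SECONDS = 15 * 60                    # assumed rotation interval
SLOTS_PER_DAY = 86_400 // SLOT_SECONDS     # 96 identifiers per day
EPH_ID_LEN = 16                           # bytes; fits a BLE advertisement


def ephemeral_id(daily_key: bytes, slot: int) -> bytes:
    """Identifier broadcast during `slot` (0 .. SLOTS_PER_DAY-1) of the day.

    HMAC-SHA256 keyed by the daily secret, so without the key the outputs for
    different slots are computationally unlinkable.
    """
    msg = b"EPHID" + slot.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:EPH_ID_LEN]


def static_id_timeline(device_id: bytes, slots: int) -> list:
    """Weak design: the same identifier is broadcast all day."""
    return [device_id] * slots


def rotating_id_timeline(daily_key: bytes, slots: int) -> list:
    """Mitigated design: one fresh identifier per slot."""
    return [ephemeral_id(daily_key, s) for s in range(slots)]


def observer_links(sightings: dict) -> set:
    """sightings: location -> set of identifiers recorded there.

    Returns identifiers seen at more than one location, i.e. the values a
    tracker could use to follow one device across the city.
    """
    seen_at = {}
    for loc, ids in sightings.items():
        for i in ids:
            seen_at.setdefault(i, set()).add(loc)
    return {i for i, locs in seen_at.items() if len(locs) > 1}


def exposure_check(encounter_log: set, published_keys: list) -> bool:
    """Run on the at-risk user's phone: re-derive every identifier the
    published (infected) daily keys could have produced and intersect with
    what this phone recorded. The match never leaves the device."""
    candidates = set()
    for key in published_keys:
        candidates.update(rotating_id_timeline(key, SLOTS_PER_DAY))
    return not encounter_log.isdisjoint(candidates)


def demo() -> dict:
    """Constructed scenario: Alice passes a station (slot 10) and a cafe
    (slot 50) that both host a tracker; Bob's phone sits near her at slot 50."""
    alice_key = secrets.token_bytes(32)
    alice_ids = rotating_id_timeline(alice_key, SLOTS_PER_DAY)
    alice_static = static_id_timeline(b"\x01" * EPH_ID_LEN, SLOTS_PER_DAY)

    sightings_static = {"station": {alice_static[10]}, "cafe": {alice_static[50]}}
    sightings_rotating = {"station": {alice_ids[10]}, "cafe": {alice_ids[50]}}
    bob_log = {alice_ids[50]}

    return {
        "static_linkable": bool(observer_links(sightings_static)),
        "rotating_linkable": bool(observer_links(sightings_rotating)),
        "bob_warned_if_alice_publishes": exposure_check(bob_log, [alice_key]),
        "bob_warned_otherwise": exposure_check(bob_log, [secrets.token_bytes(32)]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats worth keeping in mind when reading the output: rotation only bounds linkability to one slot, so a well-resourced observer can still correlate sightings inside a 15-minute window, and the at-risk phone necessarily learns which published key matched, which is why question 4 (not revealing who might have infected a user) needs its own measures on top of this one.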
7) Do you put in place additional measures to protect the personal data of infected and at-risk users?
YDM: “The app design may require revealing more personal information about users who are infected or exposed, but these are often the people who are more vulnerable and at risk. It’s important to consider what additional measures can be taken to protect their information.”
8) How can users verify that the system does what it says?
YDM: “Large-scale contact tracing is too sensitive an issue to rely on blind trust. Technical measures should be used to guarantee public scrutiny on the functioning of the app. Transparency of the system (app code, protocol, what is being broadcast, etc) is fundamental to guarantee privacy. This requires that the app be open source and app versions distributed on mobile app stores be verifiable, enabling developers to confirm that they’re running the public, auditable code.”
Contact tracing apps are currently being developed around the world and some are already available. If they are proven useful, governments, health authorities and users will have to evaluate the different approaches and decide whether to widely adopt them. According to the researchers, privacy is a crucial component in this decision.
“These questions are meant to be a starting point for an informed conversation on privacy in contact tracing apps,” said Florimond Houssiau, also from Imperial’s Department of Computing.
The questions, however, do not cover every potential vulnerability of contact tracing protocols, such as security issues. “Our questions focus on privacy, but the security side is equally important,” said PhD student Andrea Gadotti. “This means, for example, encrypting the apps, evaluating how mobile malware could affect the app’s behaviour, and assessing the resilience of the app developer servers against intrusion.”
The questions outlined above were developed by a team that includes Imperial PhD students Florimond Houssiau and Andrea Gadotti, and Florent Guepin of the École normale supérieure de Lyon, a higher education institution in France.