COVID exposure tracking apps and the data privacy implications for governments around the world
A few months ago, it would have been hard to imagine governments around the world launching public apps that have proximity tracking capabilities. But when COVID-19 changed the rules, government-backed COVID exposure tracking apps quickly became a viable way to control the pandemic. As a case in point, Israel’s government considered using cellular data to retrace the movements of people infected by the virus, but in the face of citizen pushback and privacy concerns, is rethinking their approach to COVID exposure tracking.
Location data is a double-edged sword
In theory, a COVID tracking app sounds like a well-intentioned and practical idea to thwart the spread of the virus. Almost every smartphone logs location data and movement history by default through GPS and Bluetooth, which provides a ready-made platform for COVID exposure tracking apps to tap into. Algorithms can sift through the aggregated data and instantly identify if a user has been in close contact with someone who has been infected, enabling proactive testing and precautionary measures.
However, with governments around the world rolling out their own versions of these apps, including Australia’s COVIDSafe app, it raises some uncomfortable questions about data privacy policies and security. In our previous podcast, we talked a bit more about Australia’s COVIDSafe app and the general lack of understanding around how it actually works. The common misconception is that COVIDSafe tracks a user’s location through their smartphone, but in reality, it doesn’t actually tap into phone data at all. The app creates a separate encrypted store of a subset of limited data specifically around proximity to other app users. Even then, the app only stores data for 21 days and doesn’t share location data. This is very different from logging the movements of each user, and that’s why education and awareness around how these apps actually work are so important.
Data privacy, security and jurisdiction are major policy considerations
This level of data collection poses a whole new set of risks. If the policies around the use of such data sets are not framed properly, there is a real danger of that data being used well beyond its intended purpose. What other parties will have access to the data? What other purposes can the data be used for? How will the government prevent its misuse? For example, while the data from Australia’s COVIDSafe app will remain in Australia, it will be held by US-based company Amazon, where the Cloud ACT could potentially allow US law enforcement to access it. Even though the government is taking steps to address this, there are still big questions with no clear-cut answers. Many people find this degree of surveillance too invasive, and question the will and ability of their governments to restrict the use of the data to just COVID exposure tracking.
Securing such a large data set is another challenge. A massive collection of data, like COVID exposure tracking apps would create, would be a tempting target for cybercriminals. Many governments are actively developing appropriate safeguards, but there will always be some degree of risk of breaches, leaks and attacks.
Privacy-by-design can help address some of the risks. For instance, the COVID-19 app developed by the Norwegian Institute of Public Health is designed to store location data only for 30 days. But the onus falls on governments to be transparent about how their apps handle user data and enforce clear policies on data privacy and protection.
How governments can win the trust of the people
Digital technologies are powerful tools for governments in their fight to control the pandemic, but their privacy and data protection implications must be recognised and addressed if governments want to see widespread adoption.
First, they need to clarify the legal basis of the use of these technologies, which can vary according to the type of data collected (e.g. personal, sensitive, anonymised, aggregated, etc). Beyond that, they need to provide full transparency on how the technology functions, what data is collected, and how it’s used. Independent third-party verification and testing are essential if they want to establish the safety and credibility of the app.
Governments must also have clear policies in place that define how the data can be used, stored, processed, shared, and with whom. The policies must also specify the time period in which the data will be collected and retained. Data should be retained only for so long as is necessary to serve the specific purpose for which it was collected.
Transparency and accountability will be the biggest factor in encouraging widespread adoption of the apps. Since these apps need the bulk of the population to opt in to be effective, governments need to offer the public every reason to do so, with full assurances that their data is in safe hands. The success of our war against this pandemic depends on it.