Digital contact-tracing: The Trojan horse in the battle over data

In mere months coronavirus has changed everything. Authorities across the world are grappling with its implications for public life, scientists are struggling to understand and counter it, and frontline workers are forced to risk their lives in the process; however, amid this exceptional pressure, another, more technical issue is focusing minds: the development and deployment of contract-tracing apps to monitor and contain the spread of the virus by registering public interactions.

As promising as these technological solutions may appear, researchers have pointed out they should only be seen as supplementary to manual contact tracing, with others flat out rejecting the idea they can actually bear results. Nevertheless, citizens across the world are being asked — or until recently in the case of India forced — to trust public authorities and their private partners with the stewardship of their personal data.

Countries vary in their approach to app development, reflecting their distinct social contracts. South Korea’s approach would appear invasive to privacy-aware Europeans for example, as it has been criticized by Human Rights Watch for disclosing personal information about individuals that have tested positive, even leading to discrimination against the LGTB community. Singapore’s TraceTogether has been characterized as having “a strong baseline of privacy” by researchers at the Alan Turing Institute in London, but the fact only one in five people has downloaded it speaks to the difficulty in getting enough people to use it to render the endeavor successful.

Public buy-in tends to rely heavily on trust. In that context, a series of controversies relating to the UK’s NHSX contact-tracing app can be instructive in terms of how this much-needed trust can be compromised. More specifically, comments by both digital rights expert Michael Veale and the technical director of the National Cyber Security Centre, Ian Levy, indicate that the use of the term “anonymous data” in public messaging might have been misleading.

Just last week, members of the NHSX app’s ethics advisory board tasked with oversight, expressed their frustration for the imposition of limits on their function, while confusion about the existence of a second app following a decentralized approach persists — the current direction NHSX is taking is a centralized system. Also, despite pledges of data protection, an investigation by Privacy International discovered data could be leaked to Microsoft and Google at a future date.

The UK, still a member of the EU, follows the regime of the General Data Protection Regulation (GDPR) through its Data Protection Act 2018, so it’s subjected to scrutiny that’s absent in other parts of the world. The European Data Protection Board also highlighted how fundamental trust is for the success of the app deployments: “Data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures.”

The debate in the EU is just heating up, revolving around the choice between a centralized or a decentralized approach to contact-tracing. These relate to two main protocols developed at European level, the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) and the academia-led Decentralized Privacy-Preserving Proximity Tracing (DP-3T). Countries such as Germany, Austria or Switzerland, that had initially opted for the former have been performing U-turns and turning to DP-3T, deemed more privacy-preserving as personal data are kept on individual phones, rather than a centralized server. The absence of a central processing center that collects social graphs also doesn’t leave much room for accidental mission creep, nor governments or malicious actors surreptitiously accessing and re-purposing data sets.

The public needs to be meaningfully informed about all the risks involved in being subjected to digital surveillance, such as the cybersecurity threats or the possibility of re-identification through data linkage — by merging different data sets — or by inferences.

The current framing of digital contact tracing development as a false dichotomy of privacy versus health security has proved unhelpful as it undermines a proper evaluation of the trade-offs involved. Instead of a trade-off between privacy and health for example, we may have to consider a trade-off between containing the virus while preserving privacy on one hand and understanding transmission rates using indiscriminate surveillance while impinging on fundamental rights.

Even though digital contact tracing holds promise, without the appropriate technological, legal, political and societal determinations, it can open the floodgates to relentless — and in a state of emergency, legitimized — data harvesting practices, persistent surveillance and a seismic shift in the balance of power between the individual, the state and private actors. According to Lawfare for example, PwC, Salesforce and NSO Group are already building apps that will enable employers to track their employees.

Regions with more permissive or non-existent data protection regimes should consider the implications of mission creep, as despite good intentions, surveillance infrastructures don’t tend to go to waste — and malicious actors tend to seek access.

The pandemic offers an opportunity for governments around the world to test how much surveillance the public is willing to accept in the name of public safety. Democracies with robust systems of checks and balances are likely to test those limits to a different degree than more autocratic ones, but in an era where data can garner economic and political power, just asking for more may seem like a no-brainer to both. Concerningly, analysis conducted by UK-based Tortoise on the privacy policies of 48 contact-tracing apps indicates privacy is often an afterthought.

In the U.S., various states including North and South Dakota and Utah have released their own apps with diverging requirements in terms of access to personal data. While Americans seem divided on whether tracking users’ movement to understand the pandemic is acceptable, the U.S. government has already started collecting location data from mobile ad companies to understand the spread of the disease.  The coronavirus economic relief bill also allocated $500 m to the Centers for Disease Control and Prevention (CDC) for the purposes of “data surveillance and analytics infrastructure modernization.”

Both in the U.S. and in the global context, the patchy data governance landscape — diverging political priorities and technical issues such interoperability to guarantee systems can work across borders — means inter-state and international cooperation is paramount to ensure efficiency and gain trust. Despite the understandable speed in which states feel compelled to act, they should bear in mind that following Silicon Valley’s old motto to “move fast” may actually “break things” — and public trust is extremely fragile at the moment.

Sophia Ignatidou is an Academy Associate at the International Security Programme of the Royal Institute of International Affairs (Chatham House), one of the world’s leading independent think tanks focused on major international issues and current affairs. Follow her on Twitter @SophiaIgnatidou