As countries begin to lift lockdowns from COVID-19, they are relying on contact tracing apps to identify and break the transmission chain of the disease. While some Asian countries have implemented their contact tracing apps with strict surveillance measures, Europe and the U.S. are scrambling to build apps with privacy in mind. Countries are working with app developers and technology companies to develop contact tracing in hopes they can contain the transmission of COVID-19.
While more privacy-conscious countries are implementing voluntary, Bluetooth-enabled contact tracing apps built on a decentralized model, countries with strict surveillance measures are seeking centralized models that collect more sensitive information and use GPS technology to give the government more control and access during this pandemic. Although contact tracing apps vary according to each country’s view on privacy, they are being widely adopted to break the chain of transmission of COVID-19 as lockdowns are lifted.
Below are contact tracing apps from around the world and some of the privacy concerns associated with them.
US
Apple and Google revealed plans to implement privacy-preserving Bluetooth technology to support contact tracing beginning mid-May. The process does not use location data or contain identifiable information. Bluetooth identifiers are built into the operating systems of Android devices and iPhones and change every 15 minutes so there is no extended tracing. If two phones are near each other for about 10 minutes, the phones exchange anonymous Bluetooth identifiers. Later, if one person is diagnosed with COVID-19, the Public Health Authority may, with the individual’s consent, broadcast an alert to phones that have come in contact with the individual.
While some are skeptical about the tech giants’ access to the data, Apple and Google say they will disable this technology when it’s no longer needed. The American Civil Liberties Union is cautiously optimistic, stating in its report, “there are risks to fundamental civil liberties posed by poorly designed systems in this space” and “location tracking and massive centralized surveillance should be off the table, but proximity tracking could be useful.” Although the U.S. has not implemented any contact tracing apps, a look into other countries’ contact tracing apps may give insight into what’s to come.
EU
On April 16, the European Commission released guidance for EU member states on privacy-compliant tracing apps. It stated, “Contact tracing apps, if fully compliant with EU rules and well coordinated, can play a key role in all phases of crisis management, especially when time will be ripe to gradually lift social distancing measures.” The guidance lays out eight essential requirements for these contact tracing apps. They must be:
- Fully compliant with EU data protection and privacy rules.
- Implemented with and approved by public health authorities.
- Voluntarily installed and dismantled as soon as no longer needed.
- Equipped with privacy-enhancing technology, like Bluetooth proximity.
- Based on anonymized data.
- Interoperable across borders.
- Based on epidemiological guidance and include cybersecurity and accessibility.
- Secure and effective.
South Korea
South Korea has two apps: Corona 100m and Corona Map. Corona 100m is an app created by private developers that alerts users if they come within a 100-meter radius of someone who has COVID-19. It has been downloaded more than 1 million times in a few weeks and collects data such as the “patient’s diagnosis date, nationality, age, gender and prior location.” The second most downloaded app, Corona Map, plots the location of diagnosed patients so others can avoid those locations.
Singapore
TraceTogether is a voluntarily downloaded contact tracing app used in Singapore. When a user signs up, TraceTogether collects the person’s mobile number and a random anonymized user ID, and no location data is collected. Phones that are within close proximity exchange a temporary, encrypted user ID over Bluetooth. If a person is diagnosed with COVID-19, the Ministry of Health is the only one with the private key to allow decryption and notify people who have been in close proximity to the COVID-19 patient. While the random, temporary encrypted key protects an individual’s identity, the government’s access to the key gives it power that may be misused or easily abused.
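The two designs described above, the decentralized rotating identifiers in the US section and the centrally decryptable temporary ID in TraceTogether, differ in who is able to link an identifier to a person. The sketch below is an added illustration, not code from either project: HMAC-SHA256 and a symmetric authority key are stand-ins assumed here for the real derivation and encryption, and every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

ROTATION = 15 * 60      # identifiers change every 15 minutes (from the article)
SLOTS_PER_DAY = 96      # 24 h / 15 min

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# --- Decentralized model: identifiers derived and matched on the phone ---
def rolling_id(daily_key: bytes, t: int) -> bytes:
    """Identifier broadcast at Unix time t; unlinkable without daily_key."""
    return _prf(daily_key, (t // ROTATION).to_bytes(8, "big"))[:16]

def exposed(heard: set, published_keys: list, day_start: int) -> bool:
    """Re-derive a day's identifiers from keys that diagnosed users consented
    to publish, and compare them with what this phone heard. Runs locally."""
    for key in published_keys:
        day_ids = {rolling_id(key, day_start + s * ROTATION)
                   for s in range(SLOTS_PER_DAY)}
        if heard & day_ids:
            return True
    return False

# --- Centralized model: temporary ID is the user ID encrypted for the authority ---
def temp_id(authority_key: bytes, user_id: bytes) -> bytes:
    """Fresh random nonce per ID, so two IDs of one user look unrelated."""
    if len(user_id) > 32:
        raise ValueError("user_id longer than one PRF block")
    nonce = secrets.token_bytes(16)
    pad = _prf(authority_key, nonce)
    return nonce + bytes(a ^ b for a, b in zip(user_id, pad))

def authority_decrypt(authority_key: bytes, token: bytes) -> bytes:
    """Only the key holder can map an observed temporary ID back to a user."""
    nonce, body = token[:16], token[16:]
    pad = _prf(authority_key, nonce)
    return bytes(a ^ b for a, b in zip(body, pad))

if __name__ == "__main__":
    day = 1_588_291_200                      # constructed: 2020-05-01 00:00 UTC
    alice = secrets.token_bytes(32)          # constructed daily key
    heard = {rolling_id(alice, day + 9 * 3600)}
    print("decentralized match:", exposed(heard, [alice], day))
    moh = secrets.token_bytes(32)            # constructed authority key
    print("authority recovers:", authority_decrypt(moh, temp_id(moh, b"user-0042")))
```

In the first model a phone learns only whether a match occurred; in the second, whoever holds the authority key can resolve every temporary ID it is shown to a registered user.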
India
Indian Prime Minister Narendra Modi recently launched Aarogya Setu, a contact tracing app that gained 50 million users in 13 days. It uses Bluetooth signals and GPS location data, and it collects sensitive information from users, including names, birthdates and biometric information. Given India’s lack of a data protection law and citizens' fears about government use of their data, Aarogya Setu updated its privacy policy to address these privacy concerns. It specified that the app will use unique IDs to keep information anonymized, that data will only be securely shared on the server when someone tests positive, and that data will not be used by third-party organizations. While Aarogya Setu has been widely downloaded, many people are concerned about the government’s potential misuse of the app and the sensitive information collected.
Israel
Israel’s health ministry unveiled HaMagen, which uses “location data from a person’s phone and compares it with the information in Health Ministry servers regarding the location histories of confirmed cases during the 14 days before their diagnosis.” The ministry’s website and Telegram channel publish the movements of COVID-19 patients. While the app is voluntary to use, there are privacy concerns since it grants the government access to location data that may easily be hacked, critics say.
Hong Kong
The Hong Kong government is requiring people arriving in the country to undergo a 14-day quarantine at home. Individuals are mandated to download the StayHomeSafe app, which is paired with a wristband to notify the government if they leave their dwelling. The app uses environmental communication signals, such as Bluetooth, Wi-Fi and geospatial signals, in the neighborhood to determine if a person has left quarantine. Further, it requires the individual to scan the QR code on the wristband to calibrate the app. While other contact tracing apps focus on the chain of transmission, Hong Kong’s app seeks to restrict the movement of citizens.
Italy
With the world’s second-highest death toll, Italy is planning to roll out a contact tracing app with a Milan-based startup called Bending Spoons. The company is part of the Pan-European Privacy Preserving Proximity Tracing initiative, promoting national tracing across borders. In line with the European Commission’s guidance, the app will be voluntary to download and uses Bluetooth technology.
The development of contact tracing applications poses a significant catch-22. On one hand, they help keep the public informed and attempt to stop the transmission of the virus, but at the same time they invade individuals' privacy rights. As governments around the world implement contact tracing apps, it looks like consumers will need to remain conscious of how a country's approach to privacy affects its implementation of these systems and, ultimately, the privacy of its constituents.