Nearly all public health experts say we will have to employ testing and tracing on a massive scale to combat the spread of COVID-19. This has led a number of countries and tech companies to develop coronavirus contact tracing apps for smartphones. The idea is that such an app would allow someone who tested positive to share a complete record of who they had been in contact with.
While some questions have been raised(new window) about whether this type of tracking is the solution, it could be an effective tool in any national test-and-trace program. However, if the idea of a government agency monitoring you makes you uneasy, you are not alone. Such apps represent a type of surveillance that many are uncomfortable with.
Some developers have taken this into consideration and are building systems that protect the privacy of their users. Other contact tracing apps have done little to keep user data secure and private, opening the door to the misuse of data and abuse of privacy.
Our core mission is to protect the rights to privacy and freedom, so our security team has examined the most popular contact tracing protocols to assess their potential for abuse. This article will give examples of good, flawed, and bad approaches to contact tracing from a privacy perspective. This is not meant to be an exhaustive list of all the contact tracing protocols. Rather, it should help you identify the key points that bolster or undermine a protocol’s privacy protections.
Why this is important
Given the enormity of the challenge COVID-19 poses, it is important we get this right. We must do what we can to control the spread of the virus while still protecting our fundamental human rights.
History has shown us that surveillance regimes are easier to build than they are to dismantle. The Snowden revelations taught us that we must always be vigilant when protecting our right to privacy. We must design any contact tracing system with care to ensure we do not create an invasive data collection system that could be used to monitor citizens after this crisis is over or for activities that have nothing to do with containing the virus.
Additionally, privacy protections are crucial to the efficacy of any contact tracing program that uses apps. To have a measurable impact, a contact tracing app will need to have near-universal uptake among smartphone users. If users refuse to download or use an app because of privacy concerns, it will be less useful in preventing the spread of the disease.
Approaches that are private by design
There is currently a race to develop an app that can quickly register if you spent enough time around someone in close enough proximity that disease transmission could have taken place. Governments, academics, and private businesses are all working on protocols, or the set of instructions that governs how electronic devices communicate, for these apps. The slight differences in how these protocols collect and report data can have profound impacts on their users’ privacy.
Two protocols that have done a good job avoiding some of the privacy pitfalls that are inherent in any contact tracing app are the Decentralized Privacy-Preserving Proximity Tracing(new window) (DP-3T) and Temporary Contact Numbers(new window) (TCN) protocols.
Although these protocols were developed by different teams, they take similar approaches to the problem and, therefore, have similar strengths. Both protocols are open source, minimize the amount of data that is collected, and do not collect geo-location information. They rely on temporary ID codes that the app shares via Bluetooth with other devices within a six-foot radius to log encounters between individuals. The primary difference between these two protocols is how they generate and log these temporary ID codes.
Both of these protocols store your contact log (the record of the people you encountered throughout the day) locally on your device. But the feature that sets DP-3T and TCN apart from other Bluetooth-based contact tracing apps is that they use a decentralized report processing protocol. If you test positive for COVID-19, these apps share their secret keys from the time period you were contagious with a central server. Using those keys, the server can derive all the temporary IDs your app encountered and create a report. The apps on all devices then check their local contact logs against that report. If the app detects a match, that user will know they should quarantine themselves. Because the reports are verified locally on users’ devices and not by the central server, the central server cannot identify any contact log or user.
If it is still unclear how this system works, this comic does a good job explaining it(new window).
This decentralized approach makes it very difficult for any one organization or actor to abuse the data. The data that is public is anonymous, and the sensitive data never leaves an individual’s device. Another critical aspect of both these protocols is that the app deletes data after 14 days (which is the amount of time someone can be asymptomatic while still being sick with COVID-19). This means that once the coronavirus outbreak has been dealt with, there will not be any database left behind for governments or corporations to use.
Countries that have adopted or support apps that use DP-3T or TCN (or a similar protocol that uses decentralized report processing) include:
- Switzerland
- Austria
- Estonia
- Finland
- Italy
The Google/Apple Exposure Notification system, which is an application programming interface designed to make it easier for contact tracing apps to work with the Android and iOS operating systems, requires decentralized storage of data and is inspired by DP-3T(new window).
Flawed approaches
Similar to DP-3T and TCN, the Pan-European Privacy-Preserving Proximity Tracing(new window) (PEPP-PT) and BlueTrace(new window) protocols rely on Bluetooth to send and receive temporary ID codes to log encounters between individuals. They also are open source, minimize the amount of data collected, and do not collect geo-location data. However, PEPP-PT and BlueTrace rely on a centralized server to generate the temporary ID codes, which an analysis from the DP-3T developers(new window) claims could let the server identify the individual behind any temporary code and trace their movements.
PEPP-PT and BlueTrace also rely on centralized report processing. If you test positive for COVID-19 and you are using one of these apps, you must upload your entire contact log to a central server. The central server then matches your log to the contact details of everyone you encountered and sends out a warning. While this does allow health professionals to verify encounters, which can reduce the number of false positives, this creates a massive database that can be exploited or abused. Moreover, whoever operates this database has access to far more data than is needed to prevent the spread of the virus.
Countries that have adopted or support apps that use PEPP-PT or BlueTrace (or a similar protocol that uses centralized report processing) include:
- UK
- France
- Australia
- New Zealand
- Singapore
While apps built on protocols that use centralized report processing are not ideal from a privacy standpoint, they could still prove useful in slowing the spread of the virus. It is possible, if there are strong data protection policies and good governance in place, for a contact tracing program to respect privacy and use these apps.
Approaches that undermine privacy
There have also been contact tracing apps that make no effort to protect privacy. South Korea(new window) used a combination of cell phone data, credit card purchase history, and surveillance cameras to track individuals. Using these methods, the government had access to troves of personal information, including people’s age, gender, nationality, and occupation. Authorities also made much of this information public in attempts to alert people that local citizens had COVID-19.
Israel’s approach was even more extreme(new window) — such that it has been put on hold(new window) because of legal challenges. In this case, the government would have received geo-location data from phone companies. The government would then use a new interface designed by the surveillance firm NSO to download contact information and call records from mobile phones, allowing authorities to track, identify, and contact anyone that may have come into contact with someone who was sick.
China has taken one of the most invasive approaches(new window). It introduced a nationwide effort to force citizens to download an app that determines whether they should be quarantined. This app can access personal data on an individual’s phone, including their geo-location, link it to an ID number, and report it back to a government server. There are also reports that this data has not just been used for public health administration but has also been shared with law enforcement.
Conclusion
COVID-19 is a global emergency, and lives are at risk. We need to take action. However, we must also try to reduce the negative side effects of any solutions we introduce. We wrote this article to raise awareness of the potential privacy risks posed by contact tracing apps so that citizens can pressure their government to make the correct choice.
It is also important to note that protecting our privacy will require more than just technical solutions. It will require good governance and data protection policy. Legislation, like the draft of Britain’s Coronavirus (Safeguards) Act(new window), will be required to ensure that all data is handled responsibly and that the benefits of contact tracing also reach those who do not have a smartphone.
Society is at a crossroads. We need to act to stem the spread of COVID-19; however, we must act responsibly. A contact tracing protocol that is private by design, coupled with mass testing and responsible data governance, could not only help us halt the spread of this virus, but ensure we come out of this crisis with even stronger privacy protections in place.
Updated May 28, 2020, to clarify how DP-3T and TCN share positive tests.
Updated June 30, 2020, to add details about the Google/Apple Exposure Notification system.
You can get a free secure email account from Proton Mail here(new window).
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN(new window) are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support.
Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).