Data Privacy Concerns in COVID-19 Contact Tracing Apps
Technology - May 04, 2020
One of the smartest weapons in our fight against the pandemic has been the contact tracing app. The app uses Bluetooth to determine whether we are in the vicinity of a COVID-19 infected person, and it helps authorities identify and isolate possible cases.
In spite of their efficiency and usability, the concept behind contact tracing apps has attracted privacy and security concerns. The concerns stem from the notion that the apps encourage and help governments to perform mass surveillance on their own people. In addition, our data is exposed and is therefore vulnerable to attacks from hackers and trolls.
In order to understand the vulnerabilities, let us first understand how contact tracing apps work. Using Bluetooth technology, the apps identify COVID-19 affected individuals and hotspots, and they alert you if they find that you have been in that vicinity. They do that by matching your Bluetooth signals with those of a person who is already known to be infected. The alerts enable you to take appropriate steps like isolation and testing so that you don't end up infecting other people.
The data privacy camp is worried that, in the absence of any specific guideline, the data released from our Bluetooth devices can be exposed to systems which might not have adequate security. For example, the United Kingdom's health service, the NHS, which is developing its own COVID tracing app, has been the victim of frequent attacks by trolls and hackers in the past.
Another major worry is active surveillance, where the government, which now holds your data, can actively monitor your whereabouts even after the pandemic is over. Your every activity, offline or online, can be watched, and authorities can use that information unlawfully. Critics are worried that if the pandemic lasts for long, this intrusion will become the new normal, as governments would likely not give up on these applications. This is especially true for authoritarian governments where human rights abuses are common.
Protocols for Contact Tracing apps
In Europe, where data privacy is of paramount importance, the subject of information security and contact tracing apps has prompted many debates. In 2018, the European Union implemented the General Data Protection Regulation (GDPR), which regulates how personal data is handled, including its collection, alteration, storage and sharing. On many counts, the concept of contact tracing apps doesn't accord with the regulations laid down as part of GDPR. Concerns were raised, and the Pan-European Privacy-Preserving Proximity Tracing initiative, also known as PEPP-PT, was established. PEPP-PT consists of scientists and engineers who are formulating a standard protocol by which standard mobile data will be processed to trace COVID-19 cases.
The objective is to mitigate the privacy risks associated with unauthorized and intrusive navigation apps. Apple and Google, who are collaborating to develop a COVID-19 contact tracing app, have been advised by PEPP-PT to include the standard protocol in the app algorithm.
Cryptography might be the answer to Privacy concerns
Since the outbreak, the Massachusetts Institute of Technology (MIT) and the World Health Organization (WHO) have been working on the Private Kit: Safe Paths project. The objective of the project is to minimize surveillance while extracting maximum benefit from GPS technology. It works by sorting the COVID-19 positive cases into specific block areas. The app then cryptographically hashes the data related to each sub-area within that block. The data includes location and time. The hashing transforms each location and timestamp of a user into a unique number. The original data cannot be regenerated from this number, as the hashing is irreversible. This way no one can use the hash to extract user information.
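The hash-and-match idea described above, sketched as an added example that is not code from the Safe Paths project or from this article. The grid size, the time window, the use of SHA-256 and all function names and sample coordinates are assumptions made for illustration.

```python
import hashlib

# Assumed parameters; the article gives no grid size or time window.
CELL_MICRODEG = 1000   # 0.001 degree grid cell
WINDOW_SEC = 300       # 5-minute time bucket

def cell_of(lat, lon, ts):
    """Quantise a GPS fix to (lat cell, lon cell, time bucket) integers."""
    # Integer microdegrees keep float rounding from shifting a fix across a cell edge.
    lat_u, lon_u = round(lat * 1_000_000), round(lon * 1_000_000)
    return (lat_u // CELL_MICRODEG, lon_u // CELL_MICRODEG, int(ts) // WINDOW_SEC)

def hash_point(lat, lon, ts):
    """SHA-256 digest of the quantised cell; the raw fix is never hashed or stored."""
    return hashlib.sha256(("%d:%d:%d" % cell_of(lat, lon, ts)).encode()).hexdigest()

def hash_trail(trail):
    """What would be published for a confirmed case: a set of digests only."""
    return {hash_point(*fix) for fix in trail}

def exposures(own_trail, published_hashes):
    """Run on the user's own device: which of my fixes match a published digest?"""
    return [fix for fix in own_trail if hash_point(*fix) in published_hashes]

# Constructed sample data (latitude, longitude, epoch seconds); not real trails.
T0 = 1588550400
PATIENT_TRAIL = [(51.50071, -0.12462, T0 + 60), (51.50330, -0.11950, T0 + 1900)]
USER_TRAIL = [
    (51.50079, -0.12418, T0 + 200),   # same cell and time bucket as the patient
    (51.50071, -0.12462, T0 + 4000),  # same place, but a later time bucket
    (51.51000, -0.10000, T0 + 60),    # same time, different cell
]

if __name__ == "__main__":
    published = hash_trail(PATIENT_TRAIL)
    for fix in exposures(USER_TRAIL, published):
        print("possible exposure at", fix)
```

Only the digests leave the patient's device, and the comparison happens locally on the user's phone. Because the set of cells and time buckets is small, a plain hash of them can be recomputed for every possible cell, so hashing alone should not be treated as anonymisation.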
We are in the middle of a pandemic, and every day this disease is taking countless lives. Technology has been at the forefront of our battle against the virus, and the COVID-19 apps are assisting the authorities every day to identify and isolate cases. The data collected as a result of the process is enormous, and data privacy isn't a burning concern at this moment. The pandemic is sweeping the globe, and countries are jumping on every possible means to curb the virus.
Nevertheless, the privacy of the data collected in order to fight the pandemic can become a pain if we don't deal with it now. Authorities have the keys to contact tracing applications, and they can extract your entire personal information and whereabouts. Activists fear that authorities are not going to give up this power after the pandemic ends. This can create mass surveillance and would lead to countless cases of data and privacy breaches. In order to prevent this from happening, it is imperative that we set up a thorough privacy protocol and include it in the algorithms of the contact tracing apps.