Data Protection – Another COVID-19 Casualty?

With a third of the planet’s population still under COVID-19 related restrictions, the wider social and economic impact of ‘lockdown’ is becoming apparent. However, with a vaccine still 12-18 months off according to the Wellcome Foundation, governments around the world are weighing the apparent trade-off between easing restrictions and maintaining public health.

To prevent a second infection wave, countries have been exploring how to harness technology to automate contact tracing, releasing the remainder of the population to go about daily life.

Though simple-sounding, such technology is far from straightforward. It also brings serious practical and ethical concerns already playing out in some countries, and risks pitting health care against data protection.

What is contact tracing?

Contact tracing is a key tool in preventing the spread of communicable diseases. It involves tracking down and alerting those who have been in contact with a confirmed sufferer. However, it has limitations: with airborne diseases such as COVID-19 where symptoms are delayed, it is difficult to identify everyone who may have been exposed.

It is also time-consuming and works best with low infection levels. In March, the UK Government stood down Public Health England’s 290 contact tracers, believing them already overwhelmed by the coronavirus spread.

In April, however, the Government reversed its decision, announcing plans to train 18,000 contact tracers and to support their efforts through automation using a contact tracing app developed by NHSX (the NHS’ digital arm) downloaded to smartphones to ‘track-and-trace’ those exposed to the virus.

How would automated contact tracing work?

Individual nations are developing their own contact tracing apps but, broadly, two methodologies exist: one employing the user’s geo-location, often in conjunction with credit card data and surveillance camera records, and a more privacy-friendly version based on Bluetooth.

In the Bluetooth version, as the user moves about, their phone connects with others within a certain range. A ‘Bluetooth handshake’ would take place in which connected phones exchange and each store a unique ‘key’ signifying physical proximity.

In the UK, when users subsequently display symptoms, they may choose to allow the app to inform the NHS, which would then alert other app users whose smartphones hold the infected person’s key, indicating that those other users should self-isolate. The key would be anonymous and would not reveal the personal identity or location data of the infected individual to those receiving alerts.

To facilitate automated contact tracing, Apple and Google are collaborating to release interfaces enabling Android and iOS devices to work together using apps from public health authorities.

How effective is it?

Although simple in concept, automated contact tracing has significant practical limitations. Bluetooth is an imprecise tool and risks false positives such as proximity through a wall. It is also necessarily ‘blind’ to disease transmission in spaces vacated by infected individuals moments before, where no Bluetooth handshake between handsets would take place.

Crucially, automated contact tracing relies on uptake. In the UK, 60% of the population would need to download the app for it to make a positive difference, and with 20% of Britain’s population estimated not to own a smartphone and many older devices with limited app capability, many people would be excluded.

A further difficulty arises from the multiplicity of contact tracing apps currently under development – how will they work together? Moreover, once international travel resumes, will national contact tracing apps be interoperable? Finally, there is a risk that automated contact tracing will be seen as a panacea by ‘fanboys’ for utopian technological solutions, whereas in reality, it can only be part of the answer, along with adequate infection testing and traditional confirmatory contact tracing which are essential components of any useful roll-out.

Authoritarian regimes around the world have been quick to use the pandemic to restrict their citizens’ freedoms, with China introducing a “traffic light” system to control citizens’ movements, and Russia deploying aggressive surveillance methods to enforce lockdown.

Even in more libertarian states, contact tracing apps risk morphing into ‘immunity passports’ as a means of easing ‘lockdown’, determining access to amenities based on apparent health status and further widening the ‘digital divide’.

Against this background, automated contact tracing has raised acute privacy concerns. Whereas many prefer a decentralized model where the Bluetooth handshake keys are stored only on a user’s handset, many health authorities around the world, including the NHS, wanted centralized records of anonymized data. However, centralized systems permit re-identification by governments or even hackers.
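The Bluetooth handshake described earlier and the decentralized versus centralized storage choice can be compared in a small simulation. This is an added example, not code from NHSX, Apple or Google; the class names, the single fixed key per phone, the install labels and the centralized registration step are assumptions made for illustration.

```python
import secrets

class Phone:
    def __init__(self, install_id):
        self.install_id = install_id      # constructed label, stands in for a push address
        self.key = secrets.token_hex(16)  # random key: carries no identity or location
        self.seen = set()                 # keys stored after handshakes

def handshake(a, b):
    """Both phones store the other's key, signifying physical proximity."""
    a.seen.add(b.key)
    b.seen.add(a.key)

class DecentralizedServer:
    """Holds only the keys of users who chose to report symptoms."""
    def __init__(self):
        self.reported = set()
    def report(self, phone):
        self.reported.add(phone.key)
    def linked_pairs(self):
        return set()                      # no contact data ever reaches this server

def matches_locally(phone, server):
    """Matching runs on the handset against the published key list."""
    return bool(phone.seen & server.reported)

class CentralizedServer:
    """Assumed design: installs register a key; a report uploads the contact list."""
    def __init__(self):
        self.registry = {}                # key -> install_id, needed to send alerts
        self.contacts = {}                # reporter key -> keys that reporter met
    def register(self, phone):
        self.registry[phone.key] = phone.install_id
    def report(self, phone):
        self.contacts[phone.key] = set(phone.seen)
        return {self.registry[k] for k in phone.seen if k in self.registry}
    def linked_pairs(self):
        """What the operator, or anyone who breaches it, can reconstruct."""
        return {(self.registry[r], self.registry[c])
                for r, seen in self.contacts.items() for c in seen if c in self.registry}

def run_scenario():
    phones = {n: Phone(n) for n in ("A", "B", "C", "D")}  # constructed sample users
    handshake(phones["A"], phones["B"])
    handshake(phones["A"], phones["C"])
    dec, cen = DecentralizedServer(), CentralizedServer()
    for p in phones.values():
        cen.register(p)
    dec.report(phones["A"])
    alerted_dec = {n for n, p in phones.items() if matches_locally(p, dec)}
    return alerted_dec, cen.report(phones["A"]), dec.linked_pairs(), cen.linked_pairs()
```

Both models alert the same two contacts, but only the centralized server ends up holding who-met-whom pairs tied to install records, which is the data that makes re-identification possible.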

In the UK, such concerns were highlighted when a draft Government memo was leaked in March suggesting Ministers may be empowered to order the re-identification of individuals from their smartphone data where they viewed it as proportionate, fueling pre-existing worries over excessive state surveillance, in particular from the Investigatory Powers Act – the so-called ‘Snooper’s Charter’.

To alleviate such risks, Apple and Google limited the operability of their proposed interface for centralized systems. The UK, however, pressed on with a centralized system, bypassing the deliberate limitations imposed by Apple and Google, albeit at a cost to phone battery life and necessitating that phone screens remain unlocked, risking data security.

Beyond practical concerns, an automated contact tracing app raises wider issues. Could those downloading it, for example, become liable for failing to self-isolate if the app notifies them of potential infection? While such notions sound far-fetched, South Korean authorities have launched a murder investigation into ‘Patient 31’, a woman who refused to test and allegedly infected thousands with COVID-19. In this time of heightened anxiety, might we see existing UK criminal legislation deployed to ‘police’ the app’s use?

Data protection laws – help or hindrance?

In a straight contest between health and data privacy, polls show the public in favor of allowing the Government to use mobile phones to track coronavirus carriers and inform others of potential infection.

Regulators have been at pains to say that data protection laws are not incompatible with public health safety: both the UK’s Information Commissioner and the European Data Protection Board (EDPB) have expressed their support in principle for a data-driven solution as part of the response to the health emergency.

On 4th May, the Information Commissioner submitted evidence to Parliament’s Human Rights Committee about the NHSX app and, while fence-sitting about whether or not the database should be centralized, emphasized the need to observe essential principles of transparency, data minimization and purpose limitation. The EDPB has stated that, such is the privacy intrusion of monitoring location and contacts, only voluntary adoption could legitimize it - those who cannot or decide not to use contact tracing apps should suffer no disadvantage.

With concerns already emerging about the app’s ‘function creep’ and who may be given access to its database, a group of leading human rights lawyers highlighted the significant interference with human rights inherent in the Government’s proposals, warning of potential litigation to come.

Facing such legal headwinds, the Government has found itself out of step with much of the rest of the world and is reportedly exploring a switch to a decentralized model after all, with Communities Secretary Robert Jenrick all but confirming the move if necessary.

Conclusion

Despite the controversy surrounding it, data protection law is remarkably malleable. Although the legislative framework is complicated, there is a path through it which, if navigated carefully, permits the potentially life-saving benefits of automated contact tracing whilst simultaneously guarding against governmental overreach and maintaining trust.

With the NHSX app now being trialed on the Isle of Wight before national roll-out in weeks, it remains to be seen whether the practical problems and legal hurdles can be overcome to help restore a semblance of normality to our lives and allow the UK and the rest of the world to begin the path to recovery after this extraordinary period.
