UPDATED: 2020 Oct 29
In the fight to combat the spread of COVID-19, governments throughout the world have been considering the use of digital contact-tracing apps. Contact-tracing apps seek to interrupt the onward transmission of the coronavirus by identifying and notifying recent contacts of an infected person in an anonymous fashion. Privacy issues have been central to the considerations of how such technology should be implemented to achieve this important public health objective with the least impact on the privacy of individuals.
tl;dr the latest COVID Contact Tracing app is a solid effort that legitimately takes privacy seriously enough to earn people's trust and become truly useful at scale.
By definition, digital contact-tracing models include location and identifying information, often sent to a central server for storage, processing, and further analysis. Sometimes these may be operated by government health agencies or NGOs. Additionally and alternatively, platforms could be decentralized, where individuals retain some level of control over sensitive information such as their COVID-19 health status (positive test results, for example).
Question, what do you do if you want to ensure the maximum reach to achieve your goals?
Answer, get your contact-tracing app in as many devices as possible.
Bigger, more complicated question, how do you give yourself the best chance of achieving that?
Answer, put serious effort into your credibility, and devotion to a structurally-sound privacy model; ensure there is no possibility for a privacy or security breach. This is what the Government of Canada is hoping to succeed at in the COVID Response Team project it recently released: contact-tracing Android and iOS apps built by Shopify volunteers and BlackBerry, the now always-about-privacy company.
So how do you do this?
Sticking with only the most basic, simplest elements of data gives you a few final critical pieces: total anonymity and, ideally as a result, total public confidence.
- the user downloads the app and enables bluetooth on their phone
- the app sends out a unique, anonymous beacon via bluetooth to any nearby listening devices with the app. When two devices are in proximity for a specified period of time, each "sees" the token of the other device and records that anonymous token as a 'contact' identifier for the other device's app
- if any app holder is confirmed to be COVID infected, they can record their positive infection status in the app (their manual action is required; this is not automatic)
- the user's phone uploads the last 14 days of proximity-tokens - essentially the last 14 days of "contacts"
- each of the 14 days of contacts of the infected person is matched to uploaded contacts of registered users, and these contacts are sent a notification of their risk exposure
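To make the five steps above concrete, here is an added simulation that is not code from the app or from the COVID Response Team project. It models each phone as a device that broadcasts a fresh random token per day, logs tokens heard from nearby devices, promotes a token to a 'contact' only after sustained proximity, uploads only its own last 14 days of tokens after a positive result, and matches published tokens against its local contact log. The 15-minute proximity threshold, the 128-bit token size, on-device matching and the 21-day local retention window (the retention period the post mentions later) are assumptions for the simulation; the device labels exist only so the scenario reads clearly and are never transmitted.

```python
import secrets
from datetime import date, timedelta

TOKEN_BYTES = 16           # assumption: 128-bit random token, one per device per day
UPLOAD_WINDOW_DAYS = 14    # from the post: the last 14 days of tokens are uploaded
RETENTION_DAYS = 21        # from the post: contact data is kept for 21 days, then dropped
MIN_CONTACT_MINUTES = 15   # assumption: the "specified period of time" that makes a contact


class Device:
    """One phone running the app. 'label' is for the simulation only and
    never appears in a beacon, a contact log or an upload."""

    def __init__(self, label):
        self.label = label
        self.own_tokens = {}   # date -> random token this device broadcast that day
        self.seen = {}         # (token, date) -> minutes of proximity accumulated so far
        self.contacts = set()  # (token, date) pairs that crossed the threshold

    def beacon(self, day):
        """The anonymous token broadcast on 'day', generated on first use."""
        if day not in self.own_tokens:
            self.own_tokens[day] = secrets.token_bytes(TOKEN_BYTES)
        return self.own_tokens[day]

    def hear(self, token, day, minutes):
        """Log a nearby token; only sustained proximity becomes a 'contact'."""
        key = (token, day)
        self.seen[key] = self.seen.get(key, 0) + minutes
        if self.seen[key] >= MIN_CONTACT_MINUTES:
            self.contacts.add(key)

    def diagnosis_upload(self, today):
        """What the user releases after a confirmed positive result: only this
        device's own beacons from the last UPLOAD_WINDOW_DAYS days, nothing else."""
        oldest = today - timedelta(days=UPLOAD_WINDOW_DAYS - 1)
        return [tok for d, tok in self.own_tokens.items() if oldest <= d <= today]

    def exposure_days(self, published_tokens):
        """Match published tokens against the local contact log. Matching runs on
        the device (assumption), so the exposed user uploads nothing to be notified."""
        published = set(published_tokens)
        return sorted(d.isoformat() for tok, d in self.contacts if tok in published)

    def purge(self, today):
        """Time-limit the local data: forget anything older than RETENTION_DAYS."""
        oldest = today - timedelta(days=RETENTION_DAYS - 1)
        self.own_tokens = {d: t for d, t in self.own_tokens.items() if d >= oldest}
        self.seen = {k: m for k, m in self.seen.items() if k[1] >= oldest}
        self.contacts = {k for k in self.contacts if k[1] >= oldest}


def encounter(a, b, day, minutes):
    """Two devices in range exchange beacons; each logs the other's token."""
    a.hear(b.beacon(day), day, minutes)
    b.hear(a.beacon(day), day, minutes)


def simulate():
    """Constructed scenario: alice later tests positive and chooses to upload."""
    today = date(2020, 10, 29)
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    encounter(alice, bob, today - timedelta(days=3), 20)     # long enough: a contact
    encounter(alice, bob, today - timedelta(days=1), 5)      # too brief
    encounter(alice, carol, today - timedelta(days=2), 5)    # too brief
    encounter(alice, carol, today - timedelta(days=20), 60)  # contact, but outside 14-day upload
    encounter(alice, carol, today - timedelta(days=25), 30)  # contact, beyond 21-day retention
    published = alice.diagnosis_upload(today)                # manual step by the infected user
    before = len(carol.contacts)
    carol.purge(today)
    return {
        "uploaded": len(published),                          # 3 tokens: days -3, -2, -1
        "bob_days": bob.exposure_days(published),            # ["2020-10-26"]
        "carol_days": carol.exposure_days(published),        # [] : nothing within the window
        "carol_contacts_before_purge": before,               # 2
        "carol_contacts_after_purge": len(carol.contacts),   # 1 : the 25-day-old entry is gone
    }


if __name__ == "__main__":
    print(simulate())
```

Two things worth noticing in the output: the upload carries only random bytes, so a server that stores them learns nothing about who alice is or whom she met; and carol's 60-minute contact produces no notification simply because alice's token for that day falls outside the 14-day upload window, which is the retention boundary doing its job rather than a bug.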
Why should people feel comfortable with this model?
That expression we sometimes use in frustration when we feel like we're not being treated well, like real people? "I'm just a number to ... [that person or company]". Well, this is where you will be happy to be treated like a number; a big, long, complicated number.
Data is stored as a token only — anonymous — your "existence" is literally just a number. Other users' devices, the government, your carrier: no one knows who the owner of that token is, except the owner of the device itself. A positive contact event doesn't change that.
UPDATE 2020 Oct 29: With 3 million users and additional provinces on board nationally, adoption numbers show a solid but small core group of confidence and awareness. But at best this represents a de facto early-adopter subset and not nearly enough for critical mass. Not surprisingly, as we wrote in this piece originally, provinces are coming back with additional feature requests that strike at the heart of the core principle of this app effort: privacy must be absolute; without it, confidence will erode and the entire effort will crumble, including the original early adopters.
Other models that purport to achieve similar results have proposed using GPS data with heavy encryption for anonymity, but they remain fallible: the personal data still exists. In the model described here, it simply doesn't exist in any form. Very clever.
Apple and Google jointly proposed a model built on a protected-identity, anonymized, consent-dependent basis. In contrast to the decentralized model of the contact-tracing app, they did confirm that they would ban the use of location tracking in apps that use the new contact-tracing system.
Being "just a number" in this case is a very good thing
Privacy is a Legitimate Concern
To be fair, contact-tracing apps globally have not taken this absolute position on privacy. Areas flagged by security audits included exactly what you'd expect: location monitoring and centralized storage of user-identifiable data. In some cases, traced data was so easily linked with its user that a simple game show could access it legally. Norway, specifically, found themselves going back to the drawing board almost immediately after releasing their version 1 for these exact reasons.
Taking the it's-good-to-be-second-to-market approach to software development, the Canadian COVID app has checked all these boxes, so much so that Michael Geist has given it his blessing already. Staying true to key provisions of the privacy safeguards has proven most important: only random anonymized user-device tokens and other de-identified data will be used; users can decline consent; and, this is a good touch, data used for contact tracing is only stored for 21 days – adequately fitting the currently accepted COVID incubation period.
One side-benefit of this approach is very much about what this app is not. The position taken was that acceptance required the app to do only the bare necessity: monitor anonymously that a relationship exists, and trigger an event based on 21 days of stored anonymous relationships with other anonymous devices. Nothing more.
The social positioning success goal cannot be overstated. If the powers that be legitimately demonstrate they can pull off this balance – first time, no less – they'll have the opportunity to get widespread contact tracing in place in a very short amount of time.
The flip side: Never Forget The People
Failure to demonstrate any of the above is not an option: government Privacy Commissioners issued a Joint Statement last week regarding the use and implementation of contact-tracing apps, given the "important privacy risks" raised by such technology. Officials were understandably steadfast in asserting that the technology must provide an effective level of protection, particularly for location data. Some curated points:
- Apps must be voluntary to install and use
- Core functionality must be science-based specific to that purpose
- Focus of reach must be used for this public health purpose only
- Anonymity, or "De-identified or aggregate data" should be used whenever possible
- Data should be time-limited. Information collected during this period should be destroyed when the crisis ends, and the application decommissioned. NOTE: this app exceeds this requirement
- Governments should be clear about how data will be stored securely and when it will be destroyed
- Ensure ongoing monitoring and evaluation plans are publicly available concerning the effectiveness of the measures
- Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that non-authorized parties do not access data, and that the data is not used for any purpose other than its intended health purpose.
It's Contact Notification not Contact Tracing
Advisors and officials behind the initiative push the position that this model of app is not about tracing. Tracing implies a mechanism watching its user with some form of personally-identifiable logging. This isn't the case with this app so "Contact Notification" is the more accurate name to convey the nature of users' ownership of their data and participation.
Some fundamental technology differences give this app its credibility. Primarily, and probably most telling, is the use of Bluetooth instead of GPS. GPS, by its very nature, is about location; Bluetooth is not (though it can be made so). Bluetooth is about communication first. Great, that's an important first hurdle cleared.
Second to Market
Contact-tracing (or notification) apps have already been developed in various jurisdictions. Privacy advocates, regulators and governments watching efforts in some parts of the world (such as Indonesia, China, South Korea, Taiwan, India and Norway) have already voiced concern about privacy violations with these app models.
That's not lost on the developers of this app, nor the policy-makers.
The COVID-19 pandemic has challenged our sense of social interaction and cohesion in unimaginable ways. Healthcare and privacy considerations have always been a primary concern, probably even more than financial ones; these circumstances have forced innovation and data protection to be constant bedfellows. The success of initiatives like this is going to speak volumes about how we can rethink our comfort in balancing innovation, policy and privacy in the way that best helps society look out for one another - respectfully.