
Contact tracing apps: Are they worth the privacy risk?

As the COVID-19 pandemic spread around the world, many countries developed contact-tracing apps to track and mitigate community transmission of the virus.

While these apps have become essential tools in slowing the spread of the virus, they have also ignited privacy concerns around the mass surveillance of citizens, and what could happen if contact tracing data fell into the wrong hands.

In this article, we’ll explore the top privacy issues with coronavirus tracking apps that cybersecurity experts are talking about.

1. Location tracking

Most mobile users are wary of GPS location-tracking technology, given that this data can be used to pinpoint one’s physical location. Throughout the pandemic, there have been multiple cases where people’s location data was collected and shared without their consent.

In May 2020, it was revealed that the developers of the Care19 contact tracing app used in North and South Dakota had shared user location data with the third-party app Foursquare, a direct violation of their own privacy policy.

Other contact tracing apps have attempted to use less invasive methods to keep records of people’s whereabouts, but it’s quickly become apparent how difficult this is in practice. For example, Google and Apple partnered to create a contact tracing system that relies on Bluetooth signals to alert users when they are in close proximity to others who may have been exposed to COVID-19.

While the companies claimed their new technology would not track users’ location, it was later reported that the implementation in Android operating systems would require it to continue collecting GPS data.

2. The amount of data collected by contact tracing apps

The types and amounts of personal data collected by different contact tracing apps are inconsistent, which has led many users and privacy advocates to scrutinise whether governments and big businesses are collecting data for other, more insidious purposes.

Consider that one of Vietnam’s top information security engineers found that the country’s main contact tracing app, Bluezone, was “fully capable of silently harvesting information on who users have been meeting with”.

From Southeast Asia Globe:

The implications of a government having access to such information on millions of citizens through Bluezone are particularly worrisome in a state which has become increasingly hostile to rights campaigners and journalists in recent years.

State surveillance in Vietnam has traditionally been run with a ‘boots on the ground’ approach, combining police with Communist Party cadres and neighbourhood wardens to keep an eye on their areas. But according to Vietnam-focused human rights organisation the 88 Project, authorities are increasingly making use of “surveillance monitoring and special relationships with technology companies” to quash dissent.

Meanwhile in Norway, health authorities were forced to delete all user data collected through Smittestopp, their contact tracing app, after failing to demonstrate why it was necessary for them to collect people’s location data.

Despite claims from app developers around what a given contact tracing app can and can’t do, many independent investigations revealed how much more information these apps are actually collecting in the background without a real legal basis — a clear GDPR violation.

3. Data centralisation vs decentralisation

A major threat posed by contact tracing apps is where and how millions of people’s sensitive personal data gets stored. When a user downloads a contact tracing app, the user’s device is assigned a randomised numerical identifier. As they go about their day and come into contact with other app users, their phone picks up and records those users’ unique device IDs too.

If it turns out that a user was infected with COVID-19, they can then report their status on the app. The app will then search through their data records to notify everyone who was in close proximity with the infected user.

Under a centralised model of data collection, these records are generated, stored, and processed on a central remote server managed by public health authorities. Under a decentralised model, these records are generated and stored on the user’s own device, where they are matched against other people’s IDs, giving users more control over their own information.

So far, the consensus amongst privacy experts is that a decentralised model of data collection is more secure and aligns with most data protection regulations.
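The following simulation is an added illustration of the two models described above, not code from any real contact tracing app. The class names, the 64-bit ID size and the four sample users are assumptions; it compares what each kind of server ends up holding after one user reports an infection.

```python
import secrets

class Phone:
    """Hypothetical app install: one random device ID plus a local contact log."""
    def __init__(self, owner):
        self.owner = owner
        self.device_id = secrets.randbelow(2**64)  # randomised numerical identifier
        self.seen = set()                          # IDs of phones met during the day

    def meet(self, other):
        self.seen.add(other.device_id)
        other.seen.add(self.device_id)

class CentralServer:
    """Centralised model: every contact log is stored and matched on the server."""
    def __init__(self):
        self.contact_graph = {}
    def upload(self, phone):
        self.contact_graph[phone.device_id] = set(phone.seen)
    def contacts_of(self, infected_id):
        return {d for d, seen in self.contact_graph.items() if infected_id in seen}

class InfectedList:
    """Decentralised model: the server only publishes IDs of self-reported cases."""
    def __init__(self):
        self.infected_ids = set()
    def report(self, phone):
        self.infected_ids.add(phone.device_id)

def local_match(phone, published):
    """Runs on the phone: compare the private log with the published list."""
    return bool(phone.seen & published.infected_ids)

def simulate():
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    alice.meet(bob)
    bob.meet(carol)            # contact between two people who never report
    central, published = CentralServer(), InfectedList()
    for p in (alice, bob, carol, dave):
        central.upload(p)      # centralised: everyone's log leaves the device
    published.report(alice)    # decentralised: only Alice's own ID leaves her device
    return {
        "central_notifies_only_bob": central.contacts_of(alice.device_id) == {bob.device_id},
        "central_stored_contacts": sum(len(s) for s in central.contact_graph.values()),
        "central_knows_bob_met_carol": carol.device_id in central.contact_graph[bob.device_id],
        "decentral_alerts": [p.owner for p in (bob, carol, dave) if local_match(p, published)],
        "decentral_server_ids": len(published.infected_ids),
    }

if __name__ == "__main__":
    print(simulate())
```

Both models alert the same person, but the central server also holds the Bob and Carol contact even though neither of them reported anything, which is the data a breach or repurposing would expose.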

In Qatar, for example, Amnesty International uncovered how the nation’s compulsory contact tracing app had numerous security vulnerabilities that exposed the personal data of millions of citizens. This data had been stored in a central database, making it much more susceptible to being unlawfully accessed or hacked. Beyond this, it’s reported that the government is also able to turn on real-time location tracking of users via the app.

From unethical data sharing to increased government surveillance, there is a clear need to better balance people’s right to privacy with public health objectives.

But is it still worth the risk?

Short answer: it’s hard to say.

To date, the effectiveness of contact tracing apps has been hard to measure. Because human rights law and major data protection regulations state that citizens can only download these apps and self-report diagnoses of COVID-19 voluntarily, it is difficult to drive widespread adoption and get an accurate picture of community infection.

As each country has had to adapt to overcome COVID-19, so too must the technology they use to trace new cases.
