Why Contact Tracing Apps Will Be The Biggest Test Yet Of Data Privacy Versus Public Safety
2 July 2021
As countries prepare to wind down social distancing efforts to prevent the spread of Covid-19, there are hopes that technology will come to our aid, where a medical solution has so far eluded us.
Contact tracing apps are designed to automate the process of tracking those who are likely to have been in contact with the virus. The basic principle is that they allow us to be tagged (or to tag ourselves) if we develop Covid-19 symptoms and test positive. The app then uses some form of positioning data (not necessarily location data), along with what it knows about who we have been in close proximity with, to warn those at risk of being infected that they should self-isolate and test.
Sounds fantastic, right? Well – maybe. The fact is though, that most of us don’t really understand the exact details of what data will be collected, what it will be used for, and who will have access to it.
This means that there is a danger that people may distrust these apps and refuse to use them. If an insufficient number of people decide to take part, the overall effectiveness of the app becomes greatly diminished.
A number of different contact tracing systems are either in deployment or are being trialled around the world. In the UK, the organisation responsible for the app – the NHS – has defended its decision to use a centralised model of data collection and analysis, rather than a decentralised model as favoured in other territories. Centralised models are fundamentally less private – as someone has ultimate control over all of everyone’s data. Their logic is that healthcare needs, in these circumstances, trump the need to maintain privacy. As Dr. Ian Levy, technical director of the UK National Cyber Security Centre says in this very informative blog post, “an app that provides fantastic provable privacy but doesn’t stop the disease isn’t a useful tool.”
This is certainly true – the problem is, it’s equally true that if the app isn’t sufficiently trusted and adopted, it won’t be a useful tool. There’s no getting away from the need to balance the two primary requirements of public safety and information security.
This is the same argument, of course, that’s raged on for decades now. Is it right or necessary for us to give up expectations of privacy in return for data security? The difference today, however, is that as participation in contact tracing apps is entirely voluntary, this is now a decision we all need to take for ourselves – and our own decisions could easily affect the lives of others.
Centralised versus decentralised?
Centralised data aggregation and analytics, as used in the NHS app, gives healthcare services the advantage of better oversight of the data, meaning that connections and insights are made that may not be apparent from a decentralised system. At the same time, there’s a risk, however small, that data could leak or be stolen and end up being used for reasons we didn’t intend, when we agreed to share it.
In the case of the NHS app – where there is a functional necessity that data is shared with healthcare providers as well as other users of the app – its possible, though very unlikely, that someone with access to all of the systems (including NHS patient records) could “join the dots” and use encrypted data to identify individuals. The system is set up so no one person would have access to all of those points of contact. However, as Dr Levy implies in his blog, its not possible to say with 100% certainty that a malicious actor could never take control of them at some point. Additionally, users’ IP addresses are logged by “commercial front end” components of the software stack. Though access to those logs is strictly controlled, again it isn’t possible to say this security will never be breached.
One aspect of this app that does give me cause to feel optimistic is that it is entirely open-source. The code is available in its entirety to be dissected and analysed, so people with more programming knowledge than myself will at least be able to verify that it is doing what it says it does, nothing more and nothing less.
For example, this means that we’ll know for sure that the app does not, as was originally widely assumed, use locational data to track where we go and who we see. Instead, it uses Bluetooth signals to detect your proximity to other people. In other words, all of the positional data collected and transmitted is relational to other app users around you, rather than to your geographic location, which seems like a pretty clever solution.
There’s some other very clever stuff going on. The models that determine risk – whether or not an interaction between two people should warn of a likelihood of infection – are algorithmic and use machine learning. By monitoring the types of interaction experienced by people who later report a positive diagnosis, it learns what interactions are most likely to be dangerous. It is then more likely to alert other people that they should self-isolate or get tested if they display similar patterns of “risky” interaction.
Safeguards
Another feature works as a safeguard against people who might ignore warnings to get tested. If it advises someone to get tested, and they do not record a result (indicating the person did not get tested, or perhaps has stopped using the app), it analyses that person’s recent contacts to see if there is a cluster of symptom reports. If it finds that there is, it notifies all of the non-reporting user’s “risky” contacts as if they had reported a positive result.
The UK is far from the first country to introduce an app to automate the process of contact tracing – Singapore had one deployed by March 20, and Australia, India, China, Colombia, The Czech Republic, Hungary, Iceland, Israel, New Zealand, Norway, and Switzerland are among the list of countries where they are now active.
Many of these countries have opted for a decentralised system. This leaves fewer holes through which privacy could be compromised. However, from a healthcare perspective, the pros and cons of centralised versus decentralised are far from certain. There simply isn’t enough data yet for us to know for sure.
An important choice
If we live in those countries where automated contact tracing is available, we now all have an important decision to make. Do we trust the government with the data they are asking us to hand over? Or – trust or not – is the situation simply so critical that our concerns over data sharing and privacy have to be put aside?
Related Articles
4 Smartphones Leading The AI Revolution
As enterprises increasingly rely on company-issued smartphones as primary computing devices, these mobile devices are becoming the frontline of workplace AI integration.[...]
The Rise Of AI-Enabled Virtual Pets: Why Millions Are Raising Digital Companions
Remember Tamagotchis? Those tiny digital pets that had millions of kids frantically pressing buttons to keep their virtual companions alive in the 1990s?[...]
The Dark Side Of AI: How Deepfakes And Disinformation Are Becoming A Billion-Dollar Business Risk
Every week, I talk to business leaders who believe they're prepared for AI disruption. But when I ask them about their defense strategy against AI-generated deepfakes and disinformation, I'm usually met with blank stares.[...]
Why You Should Be Polite To ChatGPT And Other AIs
In my latest conversation with ChatGPT, I caught myself saying "please" and "thank you." My wife, overhearing this, couldn't help but laugh at my politeness toward a machine.[...]
The 7 Revolutionary Cloud Computing Trends That Will Define Business Success In 2025
Picture this: A world where quantum computing is as accessible as checking your email, where AI automatically optimizes your entire cloud infrastructure, and where edge computing seamlessly melds with cloud services to deliver lightning-fast responses.[...]
AI And The Global Economy: A Double-Edged Sword That Could Trigger Market Meltdowns
The stock market's current AI euphoria, driven by companies like NVIDIA developing powerful processors for machine learning, might mask a more troubling reality.[...]
Sign up to Stay in Touch!
Bernard Marr is a world-renowned futurist, influencer and thought leader in the fields of business and technology, with a passion for using technology for the good of humanity.
He is a best-selling author of over 20 books, writes a regular column for Forbes and advises and coaches many of the world’s best-known organisations.
He has a combined following of 4 million people across his social media channels and newsletters and was ranked by LinkedIn as one of the top 5 business influencers in the world.
Bernard’s latest book is ‘Generative AI in Practice’.
Social Media