Are Contact-Tracing Apps the Answer? Lessons the US Can Learn From Other CountriesUnited States Policy Manager at Access Now Legislative Manager at Access Now
Tracking people and information about them, like health or geolocation data, is quickly becoming the primary tactic in fighting COVID-19. It’s been implemented in at least 30 countries, including Singapore, Australia, Israel, Ecuador and South Africa, and is currently under consideration in the United States. In the rush to contain the pandemic, few countries are, however, considering the dangerous ramifications of their actions.
Public officials in India, for instance, have publicly shamed people by releasing PDFs with the names, addresses and travel history of COVID-positive patients and by placing notices outside the homes of quarantined people. South Korea sends phone alerts to people who are believed to have crossed paths with an infected person, which has led to re-identification of those people and discrimination and death threats. These actions stigmatize individuals with the virus, potentially leading to underreporting, and entail the unnecessary collection of vast amounts of information about people, like location or health symptoms.
Governments are also using technology to enforce quarantine orders. Polish authorities employ an app requiring those in quarantine to respond to text messages and take daily selfies to prove they are complying with stay-at-home orders. Failure to respond to the messages within 20 minutes leads to a police visit. Authorities in Russia use facial recognition in public to identify people who disobey quarantine orders, and authorities in Mexico, France and the U.K. have deployed drones to monitor quarantine. These technologies are incredibly privacy-invasive, handing over to governments a treasure-trove of data that could be repurposed for any future use (such as building a facial recognition database). Governments should consider implementing less privacy-invasive ways to reach the same goals.
The most promising and talked-about “solution” to the spread of COVID-19 is digital contact tracing, either through geolocation or through proximity, leading governments around the world to amass this data. At least eight EU telecoms (including Vodafone, Deutsche Telekom, and Orange) are sharing anonymized geolocation data with the European Commission. South Korea uses GPS to supplement contact-tracing interviews with COVID-19-positive patients. Yet, there are several issues with this type of contact tracing.
Contact-Tracing Apps Are Likely to Be Ineffective
Contact tracing through technology such as Bluetooth or geolocation has several flaws, and plans to implement it should be carefully considered, not rushed. Thus far, there is only “anecdotal evidence” that contact-tracing apps are effective, according to experts from the World Health Organization. The proof is in the pudding.
For one, geolocation is insufficiently granular to serve the contact-tracing purpose. It’s generally understood that people need to come within six feet of each other to become infected, yet telecom location data, GPS data and Bluetooth proximity data are unreliable in making those determinations. Both telecom and GPS data are not accurate enough to determine when two people actually come within six feet of each other. And Bluetooth data goes through walls and glass, potentially leading to false positives when two people, for instance, drive by each other in cars or are sitting on opposite sides of a wall separating two apartments. Bluetooth-based apps are also susceptible to data breaches and even hacking. (A team at MIT is attempting to address these concerns with its own app called Safe Paths.)
Second, such a contact-tracing app will only be effective if it is used by enough people — some experts say 60% of a country’s population. There are many reasons why this may never come to pass, particularly given that a recent Washington Post-University of Maryland survey showed that 50% of smartphone owners in the U.S. would not use such apps. This result is likely caused by a lack of trust in the companies who build them and a lack of understanding in what happens with the data. Even in Singapore, only one in five have downloaded the TraceTogether app since its launch on March 20. And it didn’t stop a huge surge in COVID-19 cases in Singapore a month later.
Finally, using Bluetooth or cell phone location to trace contacts means that only those who have smartphones with Bluetooth capability will benefit. While 81% of U.S. adults own a smartphone, that number drops among more marginalized demographics — only 53% of those above age 65 and 71% of people earning less than $30,000 per year own a smartphone.
While these apps can provide some benefit, they should not be viewed as a panacea to the pandemic.
While we must address the pandemic, we should also consider the long-term consequences of building entrenched systems of surveillance that will be difficult to roll back after the crisis.
The U.S. Should Learn Lessons From Other Countries
As authorities search for solutions in technology, there are lessons to be learned from how other countries have leveraged technology to respond to the crisis.
Apply strong data protection requirements to health and location data. Governments should impose strict data protection requirements like purpose and use limitations (including no public shaming), access limitations and retention policies. Such protections will help ensure people’s data are not misused or repurposed after the pandemic is over. It will also improve trust in use of technology for public health, as people will not have to worry about their data being harnessed to drive advertising, housing, employment or other decisions. Information that is collected in response to a pandemic should not be used for commercial purposes nor should it be mined for AI or machine learning systems.
For instance, Australia proposed legislation that punishes misuse of app data, such as collection, use or disclosure of COVID-19 data (except by public health authorities), and criminalizes the forced download or use of the app. Narrowing who can access and use the data will help ensure people trust their data won’t be used for nefarious purposes.
Recently, U.S. Senate Republicans proposed a COVID-19 data protection law. That the Senate has identified the need for legislation to protect against abuses of COVID-related data is a positive development, but the bill could go further. It should include anti-discrimination protections for people who choose not to use contact-tracing apps, strengthen data minimization requirements and prohibit secondary uses of data, particularly for data retained after the emergency is over.
Identify the information needed to help combat the pandemic. Tracking people’s symptoms or tracking their movements through geolocation may not yield useful information, and it may even make matters worse by collecting unreliable data. Governments and companies should identify the necessary information to help combat COVID-19’s spread and determine how best to gather that information. If a government needs to know whether people have come within six feet of each other, it’s a poor choice to rely on GPS data that is accurate to about 16 feet (and gets worse when near buildings, bridges and trees). Further, using facial recognition data to identify who is on the streets is not likely to help with monitoring quarantine compliance given that it often misidentifies people.
Contact-tracing apps like TraceTogether can be beneficial, but only as a supplement to larger efforts. People may not remember every place they’ve been in the prior two week period, or might not know the identities of those with whom they came into contact. Accordingly, contact-tracing apps should, at most, support the overall effort to fight the spread of COVID-19.
Consider long-term consequences for privacy. While we must address the pandemic, we should also consider the long-term consequences of building entrenched systems of surveillance that will be difficult to roll back after the crisis. In the immediate aftermath of the 9/11 attacks, we had a state of emergency, and in the completely legitimate pursuit of the attackers and the prevention of future attacks, Americans lost some rights that we’ve been trying to claw back ever since. History doesn’t always repeat itself, but it does rhyme. We have been here before.
Google and Apple are working on contact-tracing software with government and public health authorities in mind. While they have put a lot of thought into the privacy protections of the app, including that location tracking in the tool will be banned, there is still reason for concern. Despite public commitments from both companies to protect our rights, there are no stringent requirements in place that would ensure that the software provided by Google and Apple cannot be repurposed for more tracking once the COVID-19 crisis is over. Moreover, their solutions are not based on open-source code, which prevents independent security and privacy experts from auditing how data may be used by these companies during and beyond the crisis.
Governments should avoid a knee-jerk reaction to the public health emergency with blind over-reliance on technology. People will experience real harm if governments don’t analyze the downsides to these new technologies. We must fight COVID-19, but we shouldn’t give up our rights in the process.