Contact tracing may be our best bet for breaking out of the lockdown that much of the world is facing in the midst of the Covid-19 pandemic. While traditional methods of contact tracing can be extremely effective in identifying and isolating people who may have been exposed to a virus, government health agencies and private application developers around the world are deploying contact tracing applications to digitize the process, in the hope of increasing its overall efficiency and effectiveness in dealing with the Covid-19 crisis.
Contact tracing applications work by using Bluetooth functionality or location services on a user's phone (or a combination of both) to determine the proximity of other mobile phones running the same application. Devices running the application that stay within a certain radius of each other for an extended period each record a proximity event. If a user ends up testing positive for Covid-19, they can indicate this in the application's user interface. Any user whose phone had recorded a proximity event with the infected user's phone in the previous days would then receive an alert informing them that they were close to a person infected with Covid-19 and advising them to self-isolate and/or take other precautionary measures to limit the spread of the virus.
These applications can be essential in controlling the spread of Covid-19 by encouraging those who may have been exposed to the virus to isolate themselves from others. This means that strict lockdown orders can begin to be relaxed and people can gradually resume their daily lives.
That said, contact tracing applications inherently pose significant privacy concerns. It is important for governments and application developers to keep the protection of user privacy in mind and not to extend their authority into what could constitute surveillance. There is reason to fear that contact tracing applications may set a precedent for widespread government surveillance practices that go far beyond the scope and duration of the current crisis. This is why these measures, as important as they currently are, should be temporary in nature and should limit data collection to what is necessary for the explicit purposes of the applications' functionality.
User privacy must always remain at the forefront when deploying technological solutions that involve the processing of sensitive personal data. We studied over forty different contact tracing apps to determine whether they go far enough in properly protecting user privacy, and we found that not all apps are created equal in this respect: some are great, others are downright terrible, but most are somewhere in between. To shed light on this point, we have created a table that breaks down each application's approach to user privacy, and we have assigned each a corresponding “Privacy Score” out of 10. Take a look at the table below to see how each Covid-19 contact tracing app stacks up.
Contact tracing applications worldwide
When assigning a privacy score to each application, we considered the five parameters that we deemed most important for the proper preservation of user privacy. We then assigned each contact tracing application a score of 0, 1 or 2 on each parameter, depending on its approach to user privacy, which gives a maximum possible score of 10. Below is a breakdown of our scoring criteria:
How does it work? (What specific technology is used to determine proximity between devices)
This is usually Bluetooth, GPS location data, or a combination of the two. In China, QR codes are scanned practically everywhere people can go and are used to track their movements. Some applications also rely on location data obtained directly from telecommunications providers. Of these four tracking methods, Bluetooth (although certainly not perfect) is by far the least invasive, since it can be performed using anonymous identifiers and is not tied to a specific location. We give a score of 2 to apps that strictly use Bluetooth to determine proximity between devices. For any application that relies on any form of location tracking (even in conjunction with Bluetooth), we assign a score of 0. Indeed, the use of specific location data is unnecessarily invasive for the useful functionality of a contact tracing application when Bluetooth is a viable alternative. A score of 1 does not apply to this particular parameter.
What personal data is collected?
There is no need to collect personal data for a contact tracing application to work properly. The most privacy-oriented contact tracing apps on our list do not collect any personal data and instead use anonymous, randomly generated, rotating identifiers to determine which devices have come into close contact with each other. Any data collection beyond this is not necessary to arrive at a viable digitized contact tracing solution. We assign a score of 2 to applications that do not collect personal user data and a score of 1 to any application that collects minimal data, such as only a phone number or UUID. For any application that collects location data or other sensitive data that the application does not need in order to be useful, such as name, e-mail address, physical address, gender, age or user health data, we assign a score of 0. If the information is not disclosed by the developer or the government agency that ordered the app, the score is again 0.
Who can access this data?
Usually, for contact tracing applications developed under contract with the government, any government agency can access the data collected. When the data is collected strictly by a health authority, with the express consent of the user, we assign a score of 1. If the data is shared with third parties, can be accessed by the government as a whole in any country, or the information is not clearly disclosed, we assign a score of 0. It is only when the user alone is able to access the data that we assign a score of 2 for this parameter.
Where is the data stored?
A decentralized system in which data is stored strictly on the user's device and nowhere else is the ideal solution in terms of privacy. For applications that store user data on the user's device and do not require the data to leave the device at any time, we assign a score of 2. Some applications send data to a centralized health authority server only if the user indicates a positive test for the virus, and then only with the express consent of the user. For these solutions, we assign a score of 1. We assign a score of 0 to any application that stores collected user data on centralized servers by default, or if the developer or the authorities do not disclose the information.
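To make the "rotating anonymous identifiers" and "data stays on the device" criteria concrete, here is an added Python example (not taken from any app in the study, and not the DP-3T specification). It is a simplified construction: the 15-minute rotation, the HMAC-SHA256 derivation and the `Phone` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

EPOCHS_PER_DAY = 96  # assumption: the broadcast identifier rotates every 15 minutes

def ephemeral_id(daily_key: bytes, epoch: int) -> bytes:
    """Identifier broadcast over Bluetooth during one epoch; unlinkable without the key."""
    msg = b"ephid" + epoch.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    """Hypothetical on-device state: no name, phone number or location is held."""

    def __init__(self):
        self.daily_keys = {}  # day -> random secret, kept on the device
        self.heard = set()    # (day, identifier) pairs seen nearby, kept on the device

    def broadcast(self, day: int, epoch: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(32))
        return ephemeral_id(key, epoch)

    def observe(self, day: int, eph_id: bytes) -> None:
        self.heard.add((day, eph_id))

    def report_positive(self, consent: bool) -> dict:
        """Daily keys leave the device only after a positive test and express consent."""
        return dict(self.daily_keys) if consent else {}

    def exposure_days(self, published: dict) -> list:
        """Re-derive identifiers from published keys and match them locally."""
        hits = set()
        for day, key in published.items():
            if any((day, ephemeral_id(key, e)) in self.heard
                   for e in range(EPOCHS_PER_DAY)):
                hits.add(day)
        return sorted(hits)

def demo():
    # Constructed scenario: Bob was near Alice on day 3; Carol was only near Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.observe(3, alice.broadcast(3, 40))
    carol.observe(3, bob.broadcast(3, 40))
    published = alice.report_positive(consent=True)
    return bob.exposure_days(published), carol.exposure_days(published)
```

The matching step runs on each phone, so the party publishing the keys never learns who was near whom.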
Does the app use a privacy framework?
A privacy protection framework that takes a decentralized approach to contact tracing and limits data collection to anonymous identifiers is essential to maintaining user privacy. We give a score of 2 to applications that apply a privacy framework in the development of the application. That said, with the controversy swirling around the PEPP-PT approach, and with agencies increasingly withdrawing from the project over its centralized approach and its general lack of transparency, we decided that a score of 1 would be appropriate for any application using PEPP-PT. We give a score of 0 to any application that does not use any privacy framework.
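The five criteria above can be written down as decision logic. The following is an added example, not the authors' own tooling; the field names and category labels are hypothetical, and every sample app except the NextStep profile (taken from this article's description of it) is constructed.

```python
LOCATION_TECH = {"gps", "qr", "telecom"}  # location-based methods named in the criteria
MINIMAL_DATA = {"phone_number", "uuid"}   # what the criteria call "minimal data"

def score_app(app: dict):
    """Return (per-parameter scores, total out of 10). None means 'not disclosed'."""
    s = {}
    # 1. Proximity technology: Bluetooth only scores 2; any location tracking,
    #    even combined with Bluetooth, scores 0. There is no score of 1.
    s["tech"] = 2 if app.get("tech") == {"bluetooth"} else 0
    # 2. Personal data: none -> 2, minimal only -> 1, anything else or undisclosed -> 0.
    data = app.get("data")
    if data is None:
        s["data"] = 0
    elif not data:
        s["data"] = 2
    else:
        s["data"] = 1 if data <= MINIMAL_DATA else 0
    # 3. Access: user only -> 2, health authority with consent -> 1, otherwise 0.
    s["access"] = {"user_only": 2, "health_authority_consent": 1}.get(app.get("access"), 0)
    # 4. Storage: device only -> 2, upload on positive test with consent -> 1, otherwise 0.
    s["storage"] = {"device_only": 2, "upload_on_positive_consent": 1}.get(app.get("storage"), 0)
    # 5. Framework: PEPP-PT is capped at 1, any other privacy framework -> 2, none -> 0.
    fw = app.get("framework")
    s["framework"] = 0 if not fw else (1 if fw == "PEPP-PT" else 2)
    return s, sum(s.values())

# NextStep as described in this article; the other two profiles are constructed.
NEXTSTEP = {"tech": {"bluetooth"}, "data": set(), "access": "user_only",
            "storage": "device_only", "framework": "DP-3T"}
CONSTRUCTED_MIXED = {"tech": {"bluetooth"}, "data": {"uuid"},
                     "access": "health_authority_consent",
                     "storage": "upload_on_positive_consent", "framework": "PEPP-PT"}
CONSTRUCTED_OPAQUE = {"tech": {"bluetooth", "gps"}, "data": {"phone_number"},
                      "access": None, "storage": "central_server", "framework": None}
```
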
Compare the best with the worst
After reviewing each Covid-19 contact tracing app on our list and assigning it an overall privacy score, we found a few that protect user privacy well enough to earn an 8 or a 9. However, only one stood above everything else and got a perfect score of 10. This would be the NextStep app from Switzerland, which works using Bluetooth, does not collect any personal data, restricts access to the data to the user only, never allows any data to leave the user's device at any time, and uses the DP-3T privacy framework. In other words, NextStep hits all the right notes when it comes to protecting user privacy, and users should feel secure in using the app knowing that their privacy will be respected.
Although the process of tracing contacts by its very nature can never be considered 100% anonymous or completely private, as we have seen, digital contact tracing methods can apply several principles that work to preserve user privacy as much as possible. The data we collected throughout our investigation of Covid-19 contact tracing applications shows that there are a few developers and governments making the effort to protect user privacy. Many others, unfortunately, do not. This could set a precedent for prolonged misuse of user data or government monitoring practices, even after the lockdown. Contact tracing applications represent an important opportunity for us to significantly curb the spread of the virus and shorten the time it takes to exit lockdown. Extraordinary times indeed call for extraordinary measures. However, we must ensure that these measures are temporary in nature, of limited scope, remain voluntary, and that governments do not use the crisis as an opportunity to monitor citizens beyond the duration of the crisis.