Clickability tracking pixel

Digital Contact Tracing Efforts Hampered by Privacy Concerns

Experts say smartphone contact tracing apps should at least include encryption, anonymity, and secure storage of any data collected. A recent study found that most apps lack privacy protection measures.

by Kasra Zarei, The Philadelphia Inquirer / July 8, 2020
Shutterstock

(TNS) — Drexel University has rolled out a coronavirus contact tracing app that lets smartphone users indicate every day whether they have symptoms that might indicate a COVID-19 infection.

Physicians will review the responses, and users can be surveyed to find out whether they’ve been tested, and whether they live in a dorm or play sports. The goal: Help medical professionals track and prevent the spread of COVID-19 on campus, according to Charles Cairns, dean and senior vice president of medical affairs at Drexel University College of Medicine.

Technology has been rapidly developed to respond to the pandemic, especially as efforts ramp up to increase contact tracing — usually a labor-intensive process involving phone calls to anyone with an infection and all of the people they’ve had contact with.

“The work of contact tracing and collecting data — and making it transparent — is incredibly difficult when done manually and using traditional methods,” said Austin Kilaru, emergency physician and a fellow in the National Clinician Scholars Program at Penn’s Perelman School of Medicine. “Technology offers a great deal of promise not just making the work easier, but also making it more effective.”

Singapore, China, and Taiwan are using tech-based efforts to contact trace, with varying degrees of success. These technologies hold promise to address growing challenges in health care. But they also raise concern and debate about such civil liberties as digital privacy, highlighted by recent scandals such as the Facebook-Cambridge Analytica data misuse and the use of facial recognition technology.

Smartphone applications often require access to users’ personal data, and measures to protect user privacy should at least include encryption, anonymity, and secure storage of any data collected. The Drexel effort, for instance, asks users whether they are willing to share personal data with the university. However, a study recently published in Nature Medicine found that most apps related to COVID-19 lack privacy protection measures.

“The pandemic led to a surge of app development around the world in an effort to contain the spread of the virus and minimize the number of people getting infected,” said Masooda Bashir, associate professor at the School of Information Sciences at the University of Illinois at Urbana-Champaign and senior author of the study.

Among the apps’ functions are live maps and updates of confirmed cases, direct reporting systems to governments and health ministries, community-driven contact tracing, educational material, and real-time location-based alerts. Some apps monitor vital signs and offer virtual medical consultations.

“We found that the majority of apps did not include privacy preserving mechanisms,” Bashir said. “For instance, very few were anonymizing data or reporting the data in an aggregated format. We also found that a lot of the apps were requesting or accessing very personal information on the mobile device that did not seem to be needed for the app to function.”

Personal information collected by some of the apps studied include the users’ names, email addresses and voter/nationality information. Some apps required permission to access the contacts, photos, camera, location, microphone, and network access of users, and a lot didn’t limit how long the data could be used.

Drexel’s application has emphasized privacy protection, through using an established platform to design the app and not tracking geographic locations as apps such as Google and Apple do.

“The organization only uses deidentified data. The only access to individual data is for occupational safety and health workers,” Cairns said. “The app won’t be used for any other purposes other than COVID-19 or health, and COVID-19 innovation.”

While automated e-mails will be sent out to people who haven’t used the app, Cairns says the design is intended to engage people rather than be punitive.

“Checking symptoms on a voluntary basis is better than blindly tracking people with technology. The privacy concerns people bring up are very real. But on the other hand, we all benefit from a healthy campus and a safe environment,” Cairns said.

COVID-19 is the first pandemic in the digital era and so there’s tension between privacy and protecting public health. Countries have responded differently. Hong Kong has used mandatory electronic wristbands. China created a large-scale digital surveillance network, and South Korea has broadcast detailed information on where people with coronavirus live. Singapore has enhanced its tech-based approach with privacy safeguards — removing GPS functionality and Internet and cellular connectivity from devices used for contact tracing.

In the United States, there hasn’t been a unified initiative, but Apple and Google have now adopted a privacy-first approach. Experts believe transparency about how long the data will be collected, who has access to it, and how is it reported is essential.

“To help both the public and our public health authorities, we need to make sure applications meet a certain standard informed by patient and public input,” Kilaru said. “Rules need to govern public information during non-pandemic times, and realize the urgency of situations like the pandemic.”

For all its challenges, the COVID-19 pandemic also has created opportunities to better consider how to protect privacy by design during both pandemic and non-pandemic times.

“We tend to think when we have a digital innovation, we have to give up privacy,” Bashir said. “But we can both provide the functionality as well as protect individual privacy — it doesn’t have to be one or another. We just have to think harder and be more creative in our approach.”

©2020 The Philadelphia Inquirer, Distributed by Tribune Content Agency, LLC.

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.

E.REPUBLIC Platforms & Programs