Contact tracing apps have a crucial role to play in combating COVID-19, but are we sacrificing our privacy in the process?
Public interest vs. civil liberties: The great contact tracing debate
Contact tracing may be our best bet in containing the Covid-19 pandemic and getting back to some form of normal. Contact tracing can be extremely effective in identifying and isolating individuals who may have been exposed to the virus. Government health agencies and private app developers across the globe have rolled out contact tracing apps to digitize the process in hopes of increasing its efficiency in response to the Covid-19 crisis.
How do they work?
Contact tracing apps work by leveraging the Bluetooth functionality or location services (such as GPS), sometimes both, on a user's device to determine proximity to other mobile phones running the same app. In China, for example, QR codes are scanned basically anywhere individuals may go, and are used to track their movements. Some apps also rely on location data directly from telecom providers, but Bluetooth is the least invasive.
This proximity data is then recorded by each of the devices running the app that come within a certain radius of one another for a sustained period. If a user ends up testing positive for Covid-19, they can let their app know. Any user whose phone had recorded contact with the infected user's phone in the preceding days would then get an alert notifying them that they had been in close proximity to someone infected with Covid-19, and would advise the user to self-isolate to limit the further spread of the virus.
These apps can be crucial in combating the spread of Covid-19 by urging those who may have been exposed to the virus to isolate themselves from others.
The downside is, contact tracing apps potentially pose considerable privacy concerns. This means it is important for governments and app developers to not lose sight of protecting user privacy and not to verge into what could amount to surveillance.
There is concern that contact tracing apps can set a precedent for extended government monitoring practices that go well beyond the scope and timeline of the current crisis. This is why these measures, as important as they are right now, should be temporary in nature and limit data collection to only what is necessary for the explicit purpose of the applications' functionality.
Privacy is crucial when deploying technological solutions that involve the processing of sensitive personal data. We investigated over sixty different contact tracing apps to determine whether they appropriately protect the privacy of users. Some had strong privacy protections, others had weak privacy protections, but most were somewhere in the middle.
Contact tracing apps around the world
We've created a table and assigned each a "Privacy Score" out of a possible 10. Please scroll across for more information.
All data above has been ethically researched and fully cited. If you would like to explore the data, get a better idea of exactly how each country's app works, or explore the citations. Then you can download the full contact tracing app dataset below.
How we score contact tracing apps
In order to assign each app a privacy score, we asked five different questions, scoring each question out of 2 based on how they protected user privacy. We then added up the totals, giving the contact tracing apps a score based on their approach to user privacy. A maximum possible score of 10 means the app's privacy protection is impeccable, whereas a score of 0 means that users of the app are afforded no privacy whatsoever.
How is this scored?
2 – Applications that use strictly Bluetooth to determine proximity between devices.
0 – Applications that rely on any form of location tracking. This is because using specific location data is unnecessarily invasive for the functionality of a contact tracing app when Bluetooth is a viable alternative.
What personal data is collected?
The most privacy-focused contact tracing apps in our list do not collect any personal data at all and instead use anonymized, randomly generated, rotating identifiers to determine which devices came within close contact with one another. Any data collection beyond that is not necessary for achieving a workable digitized contact tracing solution.
How is this scored?
2 – apps that do not collect any personal user data.
1 – for any app that collects a minimal amount of data such as a UUID.
0 – For any app that collects location data or other sensitive data such as name, email address, physical address, gender, age, or health data. If the data collection information is not disclosed the app gets a 0 by default.
Who can access that data?
It is critical that people who can access the data are relevant to it, after all, location and medical data are highly sensitive pieces of information.
Usually, for the government-contracted contact tracing apps, a government agency of some sort is able to access the collected data. Other apps are shown to be sharing data with third-parties, including marketers, for no good reason at all.
How is this scored?
2 – Only when the user is able to access the data we assigned a score of 2.
1 – When the data is collected strictly by a health authority, with express user consent.
0 – If the data is shared with third parties, can be accessed by the government at large in any country, or the information is not clearly disclosed.
Where is the data stored?
There are two ways data these apps collect can be stored, either in a centralized or decentralized way. A centralized data model means data collected from the app is stored on a centralized server, whereas decentralized means all data collected is stored on the user's device.
A decentralized approach therefore makes your data both more secure and more private.
How is this scored?
2 – Uses a decentralized system, where data is stored on a user's device.
1 – Sends data to a centralized health authority server only if the user tests positive for the virus, with the express consent of the user.
0 – Any app that stores collected user data on centralized servers by default, or if the developer or authorities do not disclose the information.
A privacy-preserving framework works to protect user privacy with a decentralized approach to contact tracing and limits the collection of data to anonymous identifiers is essential for maintaining proper user privacy. Many do not employ this framework, but those who do are clearly head and shoulders above the rest when considering user privacy.
How is this scored?
2 – Applications that apply a privacy-preserving framework into the development of the app.
1 – Any app that employs PEPP-PT. This is due to the controversy swirling around the PEPP-PT approach and agencies increasingly pulling out of the project for its centralized approach and general lack of transparency.
0 – Any app that doesn't employ any privacy-preserving framework.
Comparing the best with the worst
We found a few apps that are excellent at protecting user privacy and scored an 8, and one scored a 9. Only one scored 10 (Switzerland's SwissCovid-App). The Swiss app works using Bluetooth, collects zero personal data, restricts access to the data to only the user, never allows any data to leave the user's device at any time, and employs the privacy-preserving contact tracing framework developed by Apple and Google. In other words, users should feel safe using the app knowing that their privacy will be respected.
Unsurprisingly, we found quite a few Covid-19 contact tracing apps that did little to protect user privacy and scored 0 overall, fourteen in total. These were the apps being used in Bahrain, Bangladesh, China, Cyprus, Ghana, India, Kuwait, Peru, Qatar, Russia, Slovakia, South Africa, South Korea, and Turkey.
All of the 0-rated apps use GPS location services, collect wide-ranging and unnecessary amounts of sensitive personally identifiable data, allow third-party or otherwise questionable access to that data, store the data on centralized servers, and do not employ any privacy-preserving framework for contact tracing.
These apps do pretty much everything wrong when it comes to protecting user privacy and have a real potential for misuse beyond the scope of the current crisis. Users should be extremely wary of using any of these apps.
Contact tracing by its nature can never be considered 100% anonymous or completely private, as we have seen, but digital contact tracing methods can work to preserve user privacy as much as possible.
The data we have collected throughout our investigation into Covid-19 contact tracing apps shows that there are a few developers and governments making the effort to protect user privacy. Many, though, do not. This could set a precedent for extended misuse of user data or continued government surveillance practices, even well after the pandemic is over.
Extraordinary times call for extraordinary measures. However, we must ensure that these measures are temporary in nature, limited in scope, remain voluntary and that governments do not use the crisis as an opportunity to conduct surveillance on their citizens or otherwise exploit or invade their privacy.