
Contact Tracing Apps: Balancing Data Privacy With a Public Health Emergency

Image Credit: Andrey Suslov/Bigstockphoto.com

As the first wave of COVID-19 infections now shows signs of stabilizing, many states and communities across the United States are loosening “shelter in place” policies and other restrictions to allow businesses to reopen and community members to resume many of their day-to-day activities. This does not mean the risk of illness has gone away. Without a vaccine for COVID-19 in the foreseeable future, the highly contagious virus will continue to infect populations across the globe.

The fight against COVID-19 is now moving into a new phase focused on containment. This will rely upon contact tracing apps to help identify individuals who might have come into contact with someone who’s contracted the virus.

The very nature of the apps, which trace an individual’s movements using either Bluetooth or GPS to collect data about the people they know and with whom they’ve met, has raised privacy concerns for many consumers as well as data privacy and security advocates. The worries aren’t unfounded because the potential for data misuse is high. Cybercriminals, for example, could sell stolen data on the dark web. Personally identifiable information (PII) also could be used by unscrupulous governments for purposes unrelated to public health. Even worse, privacy advocates warn that these apps could “creep” into a broader state surveillance system.

Contact tracing in analog form has been around for decades. It has been a successful strategy to stem the spread of tuberculosis, polio, measles, HIV/AIDS and other infectious diseases. But much has changed in the decades since the inception of contact tracing. Today in the age of COVID-19, technology is driving the process with smartphone apps. This approach makes sense. According to Pew Research, the majority (96 percent) of Americans have a cell phone, and 81 percent now own a smartphone.

Two approaches to contact tracing are taking shape

Two approaches for smartphone-based contact tracing have emerged: centralized and decentralized. Both use Bluetooth signals to track when smartphone owners are close to each other. If someone develops COVID-19 symptoms, a notification can be sent to other contacts to inform them that they may have been exposed to the virus.

The centralized model, which is most likely to be employed by the National Health Service in the U.K., uses anonymized data. The data is uploaded to a remote server where matches are made with other contacts in the system should one of the contacts develop COVID-19 symptoms. This model gives public health officials and other authorities insight into the spread of the virus and how well the app is performing.

The decentralized model, which is being promoted by Google, Apple and an international consortium and has already been embraced by Alabama, North Dakota and South Carolina, appears to give users more control over their personal information because data is stored only on an individual’s phone. Matches are made with people who may have contracted the virus, but the information is not saved centrally or monitored. The user has the responsibility to seek treatment once notified they’ve come in contact with someone who has tested positive for COVID-19.

The privacy fallacy

Although the decentralized model, which leverages either Google or Apple APIs, is generally seen as providing a higher degree of privacy and protection from hackers, personal data is still at risk even though it remains on the individual device. Users must be aware of this so they can verify the device undergoes a secure data sanitization process before it is sold on a third-party site or traded in for a new phone. If their smartphone data is not fully erased, they face a very real risk of data exposure.

Users also should be aware of the following facets of contact tracing apps as they become widely available:

  • The large amount of PII being processed by these apps and potentially transmitted through mobile devices includes not only the information of the user of a device but also the info of anyone who has been in close proximity of a user or device.

  • The lack of a unified approach broadens the attack surface as countries and regions use different contact tracing apps - bad actors can use the same techniques and apply them to multiple targets all over the world to gain access to more PII.

  • Privacy risks will be amplified as travel within the United States and abroad increases - PII has the potential to be pulled into and shown through different contact tracing apps, all of which could be targeted by hackers.

Even though contact tracing has the potential to serve a critical role in helping to stop the spread of this highly contagious virus, consumers have a responsibility to understand how these apps work and take precautions to protect their private information. Organizations and state and local governments also must carefully consider privacy concerns and comply with government-mandated regulations, such as the GDPR in Europe and the CCPA in California.

Concerns about data privacy and security, along with the fear that many people won’t participate at all, will impact the effectiveness of contact tracing. If these apps are to accomplish their mission, app developers and governments will have to work together to ensure that an individual’s privacy is protected both in the short term and the long term.

Author

As the Executive Vice President, Products and Technology at Blancco, Russ Ernst is responsible for defining, driving and executing the product strategy across both the data erasure and mobile diagnostics product suites. Critical parts of his role include developing a strong team of product owners and cultivating an organizational product culture based on continuous testing and learning.
