How Can COVID-19 Contact Tracing Techniques be Formulated Without Violating Privacy?

There are several tracing protocols currently being developed that do mitigate privacy risks.

With every passing week, the confirmed COVID-19 cases in India have been increasing, marking the beginning of an exponential curve that will likely play out over the next several months.

Governments and first-line responders alike have had to balance news of coronavirus infections, hospitalisations, and fatalities – in India and globally – with the catastrophic secondary consequences of the pandemic. These include large-scale lockdowns, overwhelmed medical facilities, millions of families left without food and water, and millions more left without livelihoods.

In tandem, there have also been concerning instances of Indian state and local governments publicising individually identifiable medical data and encouraging harmfully biased interpretations of virus spread, leading to ostracisation, harassment, and communal violence. We must ensure that all citizens are safeguarded and protected as we introduce larger policy changes, and particularly technical solutions, into the mix.

Combatting the pandemic will take two phases. Massively scaling up testing and available medical facilities is the first phase. The second is contact tracing – a method to identify those who should be tested and quarantined, by identifying infected individuals, tracking down those who have come into contact with them, testing and quarantining possible carriers, and so on.

Contact tracing is traditionally done manually. This process was fairly successful at the start of the outbreak, when the number of cases was low. However, manual tracing will become infeasible as COVID-19 cases continue to balloon in India, which means tracing will begin to require the use of technology.


If the idea of governments using tech to track citizens during a pandemic sounds unsettling, there is good reason for it. Slipping into mass surveillance is a major concern, especially in times of crisis, in which government bodies have traditionally eschewed privacy best practices in favour of quick and sweeping action.

For many citizens, the idea of governments having intimate knowledge of their personal movements can easily be seen as a sign of overreach, typically associated with totalitarian regimes. We have already seen this happening in China, and to a lesser extent in Israel and Singapore, as these countries deal with the pandemic. We also know that the current Indian government has already been accused of violating citizen privacy and exacerbating existing tensions in the recent past. Before excessive measures are adopted, the time to make wise choices in the development and deployment of new technology is now. 


There are several tracing protocols being developed that do mitigate privacy risks, as outlined in a white paper published last Friday by a group of researchers at Harvard. However, these protocols depend on network effects: the key to their success is a critical mass of users committing to using them.

These protocols can be slotted broadly into three complementary categories:

  1. Manual tracing, scaled through training very large numbers of new workers – possibly in the thousands. Particularly relevant in areas with little smartphone penetration or data coverage. 
  2. Peer-to-peer data protocol through Bluetooth, with all or most data residing only on the user’s device. De-identified data stored on a central server only with secure keys.
  3. GPS, location-based protocol, with all personal data on the consumer device. If necessary, only encrypted, aggregated data is stored centrally. 

Notably missing from this list is GPS-based, individual-level tracking. Such protocols have a significant security disadvantage in that location information is harder to anonymise, and a database of location history is far easier for authorities, and other actors, to abuse. While mobile location records are convenient – many phones are already recording this data through other applications – their functional advantages over Bluetooth are minimal, and the potential negative impact of GPS-based tracking is higher.

That being said, GPS data can be effectively used as a memory aid for manual contact tracing (that is, you check your own data to make sure that all possible points of exposure are covered), and limited, aggregate GPS data can be used to create heatmaps of possible COVID-19 hotspots. While it is theoretically possible to anonymise this data in such a way that it cannot be individually identifiable, anonymisation is fallible, and systems claiming to use anonymised GPS data should be scrutinised.

Thus, there is significant momentum around the peer-to-peer option, and several tracing applications have been built on these Bluetooth protocols. One example of this is Singapore’s TraceTogether application, where the Ministry of Health (a central authority) stores user IDs on an encrypted server. However, alternate versions of this protocol exist that more thoroughly mitigate privacy risks and ensure that users create their own, securely generated IDs, thereby lowering the possibility of data misuse, abuse, or hacking.
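To make the difference between the two Bluetooth designs concrete, the following is an added toy model of the decentralised variant described above (category 2 of the list, with IDs generated on the user's own device). It is illustration code written for this article, not the code of TraceTogether, Aarogya Setu or any published protocol; the 15-minute ID rotation, the seed size and the names Alice, Bob and Carol are constructed assumptions. Each phone keeps its daily secret seeds and the IDs it has heard locally; a diagnosed user uploads only their seeds, and every other phone checks for exposure on its own device, so the server never learns who met whom.

```python
"""Toy model of a decentralised, Bluetooth-style contact-tracing exchange.

Added illustration for this article; it is not TraceTogether, Aarogya Setu or
any named protocol. Rotation period, seed size and participants are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

SLOTS_PER_DAY = 96   # assumption: a fresh ephemeral ID every 15 minutes


def ephemeral_id(seed: bytes, day: int, slot: int) -> bytes:
    """Derive a 16-byte broadcast identifier from a per-day secret seed.

    A bystander who records the ID cannot link it to the phone's other IDs
    or recover the seed; only the seed holder can regenerate the day's IDs.
    """
    msg = f"{day}:{slot}".encode()
    return hmac.new(seed, msg, hashlib.sha256).digest()[:16]


class Device:
    """A phone in the model. Every field here stays on the device."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.seeds: Dict[int, bytes] = {}   # day -> seed generated on this phone
        self.heard: Set[bytes] = set()      # ephemeral IDs of nearby phones

    def seed_for(self, day: int) -> bytes:
        """The user's own device generates the secret; no authority assigns it."""
        if day not in self.seeds:
            self.seeds[day] = secrets.token_bytes(32)
        return self.seeds[day]

    def broadcast(self, day: int, slot: int) -> bytes:
        return ephemeral_id(self.seed_for(day), day, slot)

    def listen(self, eid: bytes) -> None:
        self.heard.add(eid)

    def positive_report(self, days: List[int]) -> List[Tuple[int, bytes]]:
        """What a diagnosed user uploads: only the seeds for the infectious days.

        No contact list, no location and no identity leave the phone.
        """
        return [(d, self.seed_for(d)) for d in days]

    def check_exposure(self, published: List[Tuple[int, bytes]]) -> bool:
        """Run locally: regenerate every published ID and compare with what we heard."""
        for day, seed in published:
            for slot in range(SLOTS_PER_DAY):
                if ephemeral_id(seed, day, slot) in self.heard:
                    return True
        return False


def encounter(a: Device, b: Device, day: int, slot: int) -> None:
    """Two phones within Bluetooth range exchange their current ephemeral IDs."""
    a.listen(b.broadcast(day, slot))
    b.listen(a.broadcast(day, slot))


def simulate() -> Dict[str, bool]:
    """Constructed scenario: Alice meets Bob on day 3, Carol meets nobody,
    and Alice later tests positive and uploads her seeds for days 2 and 3."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    encounter(alice, bob, day=3, slot=40)
    server_bulletin = alice.positive_report(days=[2, 3])   # all the server holds
    return {
        "bob_exposed": bob.check_exposure(server_bulletin),
        "carol_exposed": carol.check_exposure(server_bulletin),
    }


if __name__ == "__main__":
    print(simulate())   # Bob is flagged, Carol is not; the server never saw either
```

The matching step is deliberately done on each phone rather than on the server: the central bulletin is a list of seeds from diagnosed users, so it reveals nothing about who was near whom, which is the property that the TraceTogether-style design, where the central authority holds the user IDs, does not give by construction.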

In India, the Centre has just released Aarogya Setu, a Bluetooth-based tracing application that is based on the Singapore model and already has 3 million downloads. Currently, Aarogya Setu requests access to a device’s Bluetooth, as well as its location data, and continuously collects information from both sources. It is still unclear exactly what the data is being used for, as well as where and how it is stored, and how long it will be retained. The Terms of Use state that the data will be stored locally in the app, and will only be used by the government in anonymised, and aggregated datasets, or in the event that the user has tested positive for COVID-19. However, it then states that personal data may also be shared with ‘necessary and relevant persons as may be required’, and that data will be retained for as long as the user’s account remains in existence ‘and for such period thereafter as required for the purposes for which the information may lawfully be used.’


The Indian government has promised that personal data will be encrypted to preserve privacy, and that personal information will only be used to inform users of possible infection. However, the collection of location data and centralised storage of Bluetooth IDs, as well as the lack of information around specific anonymisation, data sharing, and data storage protocols, creates a strong cause for concern. Privacy advocates have called for tech responses to the pandemic to be foremost opt-in, necessary, and proportionate. Further communications and deployments from the government should be carefully evaluated to ensure these standards are met.  

In addition to concerns for citizen privacy, there are other dangers of tracing applications. These include social stigma and harassment of individuals and communities, particularly in the case of religious and communal targeting. This is especially relevant as the pandemic has highlighted existing communal tensions and material disparities, which must not be further exacerbated through technology. Prioritising and protecting already vulnerable groups should be the priority of any tracing protocol. 

Additionally, certain groups of citizens have more access than others to the hardware that tracing technology needs. While most smartphones will be able to run these applications, smartphone users make up less than a third of the country’s population. Digital contact tracing will still be extremely valuable, especially in metropolitan areas. However, too much stock should not be put in containing the virus through a means that is only available to a fraction of the country’s residents. It is essential that the government invests in hiring and training manual tracers.

There are strong arguments for using digital contact tracing to battle COVID-19, and reasons to believe that privacy and civil liberties can be preserved in building out these technologies. However, to ensure that privacy-preserving protocols are actually implemented, transparency, experimentation, and oversight will be critical in the days to come, particularly through the involvement of advocacy and civil society organisations. At the end of the day, no technical solution can guarantee privacy or safety to citizens. Contact tracing methods can only work alongside other efforts to expand testing and medical capacity, produce and allocate supplies, and provide care, sustenance, and resources to all struggling individuals and families. 

Divya Siddarth is a researcher focusing on building, testing and studying impactful technology in India. She has worked with organisations such as the Digital Civil Society Lab at Stanford.