Contact tracing apps – saving society or surveillance society?

Posted: 07/05/2020

Covid-19 or 1984 re-imagined?

On 17 April  2020, the Information Commissioner’s Office (ICO), the UK's independent body set up to uphold information rights, issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based contact tracing framework (CTF) to help governments and public health authorities reduce the spread of Covid-19, see here.

The ICO opinion states that the proposals of the CTF appear to be aligned with principles of data protection by design and by default. The ICO warns that apps developed under the CTF could also be used to collect other data using other techniques beyond those immediately envisaged. Developers of the apps must ensure compliance with data protection laws for any additional processing of data.

The ICO opinion comes with certain caveats such that it:

• represents the views of the Commissioner at the time of publication
• is based on publicly available information on 10 April 2020 from the Apple-Google initiative
• only relates to Phase 1 of the CTF project. Phase 1 is contact tracing and Phase 2 introduces additional functionality such as compliance with isolation.

What is contact tracing under the CTF?

Contact tracing is a technique used to warn individuals who have been in contact with an infectious person so they can take appropriate steps to protect themselves and others. The proposal is that individuals would download an app that exchanges anonymous identifier beacons (such as  anonymous keys or tokens) via Bluetooth Low Energy, although it is possible under the scheme to use location data.

When an individual tests positive for Covid-19, the individual can then give consent for the app to upload the last 14 days (being the longest known current incubation time of Covid-19) of tokens to the Cloud. This sends out a broadcast beacon to all other devices which were in proximity to the infected user in that time period. Exposed individuals would then receive a notification informing them they were recently in contact with an infected person and guidance on what to do next.

Assessment of the CTF in the ICO opinion

The ICO says the CTF appears to comply with the data minimisation principle:

• The data exchanged between devices does not include personal data such as account information or usernames.
• The matching of anonymous keys takes place only on the devices themselves and not by the app host or third parties.
• Location data is not used at any stage as it is Bluetooth-based (although this may change).

The ICO notes that installation of the apps is currently voluntary and that the upload of tokens will require a separate consent process, although we believe that this opens the question as to the effectiveness of the app.

The ICO points out that the plan in Phase 2 is for the CTF application programming interfaces (API) to be pre-installed on any mobile device’s operating system. If this were the case, the ICO is of the view that users should not have to take action to prevent tracking. The ICO notes that further review will be required about the potential implications for individuals’ rights and freedoms but did not expand on this point.

The ICO believes that the CTF documentation indicates the use of appropriate cryptographic functions with additional safeguards around data security. It notes that the risk of the personal identification of an individual with Covid-19 through the app is low.

The apps to unlock lockdown

Apple and Google are not yet proposing to develop their own app under the CTF. Both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities or other third parties who will develop these apps.

The ICO acknowledges that processing of data beyond the basic CTF may be legitimate and permissible, for example, to ensure that the system is not overwhelmed with false positives. The ICO notes data protection obligations rest upon multiple parties but the primary responsibility is with the app developers. This is no different to normal apps.

The ICO sets out the following three points of concern:

• How the apps will obtain consent for the upload of tokens.
• How the consent signal will be managed and how the app will provide users with control.
• What impact the withdrawal of consent would have on the effectiveness of contact tracing.

The ICO notes that there is a risk that users will believe the CTF extends to all aspects of the contact tracing apps. If data is processed outside this scope, then the controller processing the personal data must comply with the relevant data protection law.

Centralised or decentralised? That is the question

On 4 May 2020, the National Cyber Security Centre (NCSC), the defensive operational division of GCHQ, published a blog explaining that the NHS app will be a centralised model, see here.

A decentralised model is a model as described above: if a user is ill, they inform the app but provide no further information. In a centralised model (akin to Phase 2 as described above): if a user is ill, they not only  report their symptoms but also all their anonymous contacts or keys to the public health authority; details about any contact such as duration and proximity; and broad location data such as the first half of the user’s postcode.

The centralised model does have the benefit of allowing the public health authority to do more analysis. The NHS could model how the disease is spreading, create anonymous contact graphs for areas and provide risk scores on encounters with anonymous individuals who have statistically been more infectious. Although the centralised model presents more security risks, Ian Levy of the NCSC assured in the blog post that the app has been designed to protect privacy, security and anonymity.

The NCSC blog notes that the legal descriptions of the data used will be published at a later date in the Data Protection Impact Assessments.

Summary

• The Contact Tracing Framework (CTF) proposed by the Apple-Google initiative appears to be aligned with the principles of data protection by design and by default.
• The CTF appears to meet data minimisation principles in the contact tracing Phase 1 of the plan.
• If the NHS chooses to use a centralised app, then additional privacy, data security and practical concerns will have to be considered.
• App users will need clarification about who is responsible for data processing.
• App developers or data controllers must ensure they have assessed the data protection implications of any additional data processing.

This article was co-authored by James Mitchell, a trainee in our commercial dispute resolution team.

Return to news headlines