Covid-19: digital contact tracing raises both hopes and concerns

Yola Verbruggen
Friday 12 June 2020

In late March, the Guatemalan government introduced a Covid-19 alert app, called Alerta Guate. Privacy concerns mounted quickly. For example, the app’s privacy policy allows for user data to be held for up to ten years, far beyond the likely duration of the Covid-19 pandemic.

Global Witness, a non-governmental organisation, published a report on the Alerta Guate app in mid-May. It found that the app collects users’ exact location data when sending their information about the pandemic. In-telligent Properties, the app’s developer, highlighted to media that the app does not share data with either the Guatemalan government or Tenlot – the company that donated the app – and that the information it collects is kept strictly confidential. Tenlot’s Chief Executive Officer, meanwhile, has stated that neither Tenlot nor the Guatemalan government can access the app’s data.

By mid-April the app could no longer be downloaded from the Android and iOS app stores, but the app reportedly still functions for the 100,000-plus users who had downloaded it by that point.

According to Global Witness, ‘given the potential for governments to misuse technical infrastructure rolled out for fighting pandemics, a much higher level of scrutiny should be applied to the [companies] developing these applications.’

A report from Reuters found a pattern of cyber intelligence companies using the pandemic to try to sell spy and law enforcement tools to track the virus and enforce quarantines. In the hands of oppressive governments, such technology could increase the risk of privacy violations that overstep the boundaries of proportionality and necessity laid out in human rights law.

The IBA Legal Policy & Research Unit (LPRU) and the IBA Business Human Rights Committee outline in a new paper – entitled Digital contact tracing for the Covid-19 epidemic: a business and human rights perspective – the responsibilities of those businesses working on tracing apps alongside governments in ensuring human rights are protected. The paper is part of a wider IBA project on human rights due diligence for artificial intelligence.

‘Tracking apps are often developed through public-private partnerships, in which businesses share an equal responsibility with governments to ensure they are built around legality, proportionality and necessity,’ says Maria Pia Sacco, Senior Legal Advisor with the LPRU, who co-authored the paper. ‘But responsible business conduct would see businesses go beyond what is required of them by law. They should act as gatekeepers and implement technical features and procedures to identify, mitigate and address the risks of adverse human rights impacts associated with this technology.’

Sacco adds that these risks should be assessed on a continuous basis during the pandemic. Potential safeguards, she says, include internal processes that allow the detection of misuse, as well as adaptations of the app to terminate its deployment once the public health crisis is over.

Apps that trace a person’s interactions, rather than their location, through Bluetooth connections and then store this data in a decentralised fashion on the user’s phone are generally considered safest from outsider attacks and misuse of the data. These systems automatically inform users if they have been near someone who has tested positive for the virus.

Google and Apple have both updated their interfaces to support the efficient running of such decentralised tracing apps. They have also built in an extra security measure that changes the way your phone is identified or ‘named’ every fifteen minutes in order to protect against the misuse of data.

However, some tracing apps used by governments do not do this. India’s Aarogya Setu app, for example, does not change this identifier.

The UK government, meanwhile, is testing a Bluetooth contact tracing app that uses a centralised data collection system. Because this design is not supported by Google and Apple, the app will likely not run as efficiently on phones with Android or iOS. It also raises questions about the app’s interoperability with those used in other countries, including Northern Ireland, which has said it will use a different, decentralised system.

The UK Parliament’s Joint Committee on Human Rights raised concerns about the government’s contact tracing app in a report, published in early May. The report concludes that the app has the potential to fight the pandemic but ‘significant’ human rights concerns must be addressed first. It highlighted the need for parliamentary scrutiny of the contact tracing app, as has been carried out for previous extensions of state surveillance.

The Joint Committee has drafted a bill that would require the government to provide legal assurance on data collected by the app. The bill was sent to the UK Secretary of State for Health and Social Care, Matt Hancock, in early May.

Another concern involves location tracking. From mid-March to late May, Israel’s parliament allowed the country’s Shin Bet security service to track mobile phone data to monitor the spread of Covid-19. By early June, this surveillance had been paused to allow the parliament to regulate the practice via the drafting of a new bill.

Rights groups, including Human Rights Watch and Privacy International, have raised questions about the proportionality and necessity of the data collected for tracing, especially with regard to location tracking.

To safeguard human rights, including the right to privacy, any data collected needs to be limited in scope and time-bound, says Anne O’Donoghue, Co-Chair of the IBA Immigration and Nationality Law Committee. ‘Safeguards are important, because governments change and politics changes.’

Yet, setting a timeline on the use of an app is difficult. ‘In many cases, there is no timeline. While this would help to build trust in order for people to download tracing apps, this might be impossible’, highlights O’Donoghue, pointing to the possibility of countries experiencing a second wave of Covid-19.

‘We don’t know yet whether tracing apps are really an effective tool to fight the pandemic,’ says Daisuke Takahashi, Membership Officer of the IBA Business Human Rights Committee. ‘In order to mitigate these concerns, we need transparency about development of the apps and to clarify their scope, timeline and data processing methods.’