Europe faces privacy concerns with contact-tracing apps

27 May 2020

As the Covid-19 virus ebbs in Europe and people start to return to normal activities, countries are turning to contact-tracing apps in an attempt to reduce disease transmission and lower the odds of a second outbreak.

But some apps have raised the hackles of privacy advocates, and with many unknowns about the virus, scientists can’t gauge how effective they will be. In the meantime, governments are moving ahead with the technology, sometimes changing their minds as they struggle to achieve a balance between public safety and citizen privacy.

Centralized versus decentralized

The apps have two basic formats: a centralized model, in which user data is shared with government health authorities; and a decentralized model, in which data is stored only on the individuals’ smartphones.

Germany, Italy, Switzerland and the Netherlands have opted for the decentralized system devised by Apple and Google. France, Norway and the UK are creating centralized models. The UK is currently testing its app on the Isle of Wight.

Both models use Bluetooth wireless radio signals to log instances when phone owners who have downloaded the app are too close to each other. People who are diagnosed with Covid can note their status on the app, which sends an alert to others they may have infected. By using Bluetooth rather than GPS technology, the apps are in theory able to collect data without revealing user location.

In both systems, personal data such as names and phone numbers is anonymized. With a centralized system, government health authorities obtain the data and store it on their servers, where matches with other contacts are made. Some epidemiologists have argued they need this framework to see how the disease is spreading, and say the data can help them make informed public policy suggestions.

Privacy concerns

Privacy advocates argue that centralized data could be de-anonymized and information about who associates with whom used improperly by other government departments.

In addition, data that moves from one location to another gives attackers a new avenue of attack. Government databases are especially valuable targets for foreign intelligence operatives, who could potentially damage systems or flood them with false alerts, leading to a panic. Political agents or pranksters might also wreak havoc. Furthermore, governments themselves might someday use contact information to spy on citizens.

In April, more than 300 European scientists published an open letter warning governments about privacy concerns with centralized apps, saying they could, “via mission creep, result in systems which would allow unprecedented surveillance of society at large.”

Amnesty International has asked the UK to delay rolling out its app until it can prove that the data can’t be de-anonymized and ensure that it will not be used for other purposes or accessed by third parties. The group also recommends independent oversight of the apps and automatic data deletion after set time periods.

It is not yet clear whether centralized apps meet European privacy standards. In both the EU and the UK, countries are required to do a Data Protection Impact Assessment (DPIA) in cases where information processing entails high risks to privacy. The European Data Protection Board has strongly recommended that governments submit DPIAs for contact-tracing apps. It has not yet received one from the UK.

Will the apps work?

Apart from privacy considerations, there are questions about the effectiveness of the apps, which estimate the distance between people based on the strength of Bluetooth signals between one phone and another.

Computer scientists in Dublin found that for people sitting at a table, signal strength was lower for those who kept phones in their pockets rather than laying them on the tabletop. Another problem: The presence of metal — such as that found on supermarket shelves — sometimes increased signal strength even as people moved farther apart.

The apps also don’t address the question of how close is too close. Though most health authorities are using six feet as a guideline, that number is based on diseases of the past, and some scientists say a buffer of 10 feet may be needed.

Scientists also say the apps would need to achieve widespread adoption to be useful. Researchers at the University of Oxford said 56 percent of the UK population — or 80 percent of smartphone users — would need to download an app for it to be effective in suppressing an epidemic.

Even mass adoption among smartphone users could leave the most vulnerable elderly populations out in the cold.

Another flaw is that the apps rely on users to voluntarily report a Covid diagnosis. People who are ill may not enter their information in a timely manner, if they do so at all, and in some areas, a shortage of test kits may preclude diagnosis. Many who contract the virus experience no symptoms and are not likely to seek testing, which could give their contacts a false sense of security.

Looking ahead

At the moment, most experts are considering contact-tracing apps in light of public health and data privacy. That said, the technology could ultimately affect regulations governing cross-border business, and how those regulations are enforced. It is easy to imagine, for example, immigration and tax authorities of multiple jurisdictions sharing individuals’ location information from the apps. This data sharing could in turn be used to enforce permanent establishment laws, elevating a company’s risk of triggering a taxable presence when sending an employee on short- and long-term expatriate assignments.

As government leaders turn to contact tracing in an attempt to contain the disease, and as their strategies evolve, they would do well to remember that decisions they make now will follow them into a post-Covid future. Voter insistence on privacy — which not long ago led to the GDPR — is sure to remain strong long after the virus has passed.

Vistra's Paul Sutton contributed to this article.