Privacy Concerns with App-Based Contact Tracing
The pace of the COVID-19 outbreak in the United States has quickly outpaced pre-existing public health efforts and has highlighted the need for a more efficient system to increase contact tracing measures. Several countries have focused efforts toward developing different application platforms for disease tracking and detection to better monitor and control the spread of COVID-19. While contact tracing has been identified as a necessary tool to reduce the spread of infectious diseases, there are significant privacy concerns regarding the use of personal information from mobile applications. Maintaining privacy and confidentiality is considered both an ethical and legal interest and is necessary for proper implementation of proximity tracking tools.
To preserve the privacy of users, developers have turned toward the use of Bluetooth-based contract tracing systems. The first national deployment of a Bluetooth-based system, TraceTogether, is an application released by the Singapore government which uses BlueTrace protocol to protect the personal data and privacy of users. The application outlines its privacy safeguards using BlueTrace protocol as such: 1) Limited collection of personally-identifiable information, 2) Local storage of encounter history; each user’s encounter history is stored exclusively on their device, 3) Third-parties cannot use BlueTrace communications to track users over time, and 4) Revocable consent; users have control of their data.
Another application developed for the use of contract-tracing is The NHS COVID-App. Its design also relies on Bluetooth rather than geolocations to measure the proximity of app users. User enrollment does not require any personal or phone information, and the use of routing IDs and Bluetooth network protocol prevents bad actors from tracing a user by the ID broadcasted. If the individual user self-diagnoses as a carrier, they can choose to upload personal records or proximity events. The NHS will then analyze the uploaded records but personal information is kept to a minimum unless entered by the user.
Privacy or security implications of these technologies are being carefully analyzed and are held to the same confidentiality and consent standards for all aspects of case investigation and contact tracing outlined by the CDC. Ensuring confidentiality and data security should also be included in the training of staff and application implementation. With minimal data on the performance of such applications in US communities, many gaps could pose challenges toward the use of contact tracing. Regardless, the conservation of privacy for individuals is a priority and crucial for the widespread adoption of proximity-tracking tools through mobile devices.