qstockmedia - Fotolia
Contact tracing apps seem effective, but have privacy concerns
Contact tracing mobile applications appear to offer an easier, safer way to track where an infected person has been, but technology could cross a data privacy boundary.
When the state of Rhode Island launched a contact tracing app for COVID-19 in May, public health officials said the program could help curtail the pandemic, but privacy advocates worry that the app, and ones like it, take too much data while potentially sharing it with too many people.
As stores, restaurants, parks and offices in the U.S. begin to open back up months after the first COVID-19 related stay-at-home orders, enterprises and governments face the difficult challenge of providing goods and services while keeping people safe.
To tackle that challenge, enterprises and governments are turning to technology to create contact tracing apps.
Balance of safety and privacy
A decades-old strategy to help slow the spread of contagious diseases, contact tracing is the process of identifying infected people and tracking down who they have been in contact with and notifying them of a potential infection.
While this was largely done manually in the past, enterprises, as well as local and state governments, are beginning to use apps to do it, including mobile applications that use location data to track a person's whereabouts, to more quickly and effectively track where COVID-19 may have spread. Using AI-powered big data analytics, governments and enterprises can then process the data more anonymously.
Contact tracing apps, however, have raised concerns from privacy advocates, who say that some platforms either take too much identifying information, such as GPS data, give too much data to government authorities, or both.
The Electronic Frontier Foundation (EFF), for one, explicitly opposes automated COVID-19 contact tracing apps that track location through GPS or cell phone location, as well as apps that send information about possibly infected people directly to the government.
"This data is highly intrusive of location privacy, yet not sufficiently granular to show whether two people were within transmittal distance (six feet)," said Adam Schwartz, senior staff attorney at the EFF.
Rhode Island, with its recently unveiled CRUSH COVID RI app, is an example.
Released May 19, the app uses GPS location data to track the people and places users visited for at least 10 minutes over the past 20 days. If a user tests positive for COVID-19, they can agree to share their location data with the state health department so it can identify people the user was in contact with and alert them.
Signing up for the app is voluntary, and location data, unless shared with the health department, is stored entirely on users' phones. It's deleted after 20 days.
Despite the fact that these apps are voluntary, privacy advocates worry that apps that use GPS data to track people, and that send data to the government, are invasive.
"We are disappointed that some nations and states are using location apps and hybrid location/proximity apps. The voluntariness of such apps does not cure the lack of data minimization," Schwartz said.
The American Civil Liberties Union was similarly critical of such contract tracing technologies, saying they carry some inherent risk of exposing an infected person's medical condition to people with whom they come in contact.
However, some contact tracing platforms aim to be privacy-friendly.
These include a Google-Apple initiative, which has drawn wide interest, as well as a tracing app from the Pan-European Privacy-Preserving Proximity Tracing consortium.
These mobile apps use a phone's Bluetooth Low Energy beacons to interact with other phones, enabling the phone of an enrolled user to announce itself with a different random large number to nearby phones every few minutes. Phones keep a log of the numbers they send out, as well as the numbers sent out by nearby phones.
If a user is diagnosed as infected with COVID-19, they can then voluntarily upload the that list of numbers to a central server. Those users who are not infected have their numbers automatically compared to the numbers on the server. If enough numbers match, then users are notified that they may have been in contact with someone who is infected.
That's different from Rhode Island's new app, which uses GPS data and which uploads information to government officials.
A Bluetooth system is more accurate and less revealing than an app that uses geolocation data, an ACLU white paper on tracing apps noted. While Bluetooth tracking could potentially reveal associations, it's less likely to do so.
The EFF, likewise, is wary about contact tracing apps that track proximity using Bluetooth, Schwartz said.
"This system might not help; if it does, it will be a small part of a larger public health response that must focus on manual interview-based contact tracing and widespread testing," he said.
"This system carries privacy risks that must be mitigated through voluntariness, data minimization and open source code. We oppose hybrid tracking apps that use both proximity and location," Schwartz continued.
Enterprise-level
Meanwhile, national governments around the world, including the governments of South Korea, Singapore, China and Australia, have developed and released contact tracing apps. Some enterprises are also beginning to consider the implications of having their employees use contact tracing apps.
Enterprises with global operations have particularly shown a greater willingness to use technology-based contact tracing within countries with less legal or cultural opposition to contact tracing, said Deborah Golden, U.S. cyber risk services leader at Deloitte Risk and Financial Advisory.
"In the U.S., we expect that organizations will likely lean on a variety of approaches to reach the next normal. Some organizations may even bypass this challenge altogether and realize they are able to maintain fully remote operations in perpetuity," Golden said. "Others that are more dependent on physical presence may consider a combination of physical protocols."
Before using or developing contact tracing apps, however, governments and enterprises need to deeply consider the privacy implications the platform may have, as well as methods to help ensure users' personal data stays safe and anonymous, she noted.
The creators
Regardless of the method used for contact tracing, or who is deploying the apps, companies that create such apps need to ensure they are anonymizing data and keeping people's information private, according to some vendors.
Maven Wave, an Atos-owned technology consulting firm that specializes in digital delivery skills and cloud-powered applications, is working with vendors to develop technology-assisted contact tracing (TACT) apps.
"There's a whole bunch of things that need to happen" to keep information private, said Brian Ray, managing director of AI and machine learning at Maven Wave.
"Redaction, making data points anonymous, having a control system in place, having a way to audit that process" are just some of the things tech companies need to do, he said.
Meanwhile, enterprises considering using TACT apps should take into account many privacy and data protection concerns, regardless of whether contact tracing apps require users to opt in, said Golden.
Deborah GoldenU.S. cyber risk services leader, Deloitte Risk and Financial Advisory
"In adopting these technologies, organizations are creating large datasets of sensitive personal health information and personally identifiable information," she said. "Organizations should carefully consider how this data will be protected, accessed, stored, transmitted and reported."
"Leaders need to think through where organizational lines of responsibility exist for communication with regulatory officials, employees, customers and other stakeholder groups, as well as how communication should occur to foster trust and transparency -- particularly when disparate regulatory guidance may exist across geographies or industries," Golden continued.
Yet, governments and the public may have different, even opposing, views about what data should be shared, added Asif Dhar, chief health informatics officer and a principal in Deloitte Consulting's Monitor Deloitte practice, which is working with states and companies to build and deploy contact tracing apps.
"Active engagement with consumers and employees is critical to gain an appreciation of their preferences to establish clear expectations," he said. "For example, organizations should establish clear consenting platforms so that stakeholders understand when and under what circumstances data is used."
Without a focus on trust and transparency, organizations may risk low acceptance of apps, Dhar continued. Organization should also consider ways to adequately protect data, including where data is stored, who can access it, and how and when it can be accessed.
Still, even if enterprises or governments set up fairly secure, anonymized contact tracing apps, it's no guarantee they will provide the information needed to keep people safe.
Effectiveness of apps
How many people use available contact tracing apps can play a part in their effectiveness.
If only a few people download and use an app, the app may convey inaccurate results, such as indicating to officials that fewer people are getting infected. That may create a false sense of security. People simply not getting tested, or not changing their infection status in the app, would also skew the results.
But according to Prince Kohli, CTO at RPA vendor Automation Anywhere, people are generally willing to download the apps and provide data.
Automation Anywhere helped develop contact tracing apps in conjunction with other companies in several countries, including Australia and China. Some apps ask users to answer surveys about where they have been and their medical status. Most people have been willing to answer questions like these, said Kohli.
"This is not data that people are trying to hide," he said.
A usage rate as low as a 10% to 20% in a group could provide relevant results, Kohli said, as long as the percentage indicates a truly random sampling of people.
Even so, app usage and COVID-19 testing rates aren't the only determining factors of an app's effectiveness.
While use thresholds are an important factor, other considerations, such as whether a person has their phone on them when going out or not, or if a person travels across disparate geographical areas, can help determine efficacy, according to Golden.
The Rhode Island app, for example, can't be downloaded by users outside of Rhode Island, making it useless for tracking visitors to the state.
"Although contact tracing applications may be an important tool in a country's ability to return to work, there is no silver bullet in getting back to normal," Golden said. "Organizations cannot negate the opportunity that human contact tracers and other physical and digital health safety tools and protocols offer."