Contact tracing apps: A new world for data privacy

The Australian Federal Government launched a contact tracing app (the COVIDSafe App) on April 26, 2020.

By the Australian Government

• Function creep – There was initially concern regarding “function creep”, with information being used for other law enforcement purposes but a Determination under the Biosecurity Act 2015 (cth) (Determination) prohibited this. The Determination was repealed on May 15, 2020 by the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (the Privacy Amendment Act). This amends the Australian Privacy Act 1988 (Cth) and creates offences for using data collected by the COVIDSafe App for purpose other than contact tracing.
• Tracking – There were also initial concerns around the Government tracking people, but such concerns have been allayed by the COVIDSafe App not using GPS.
• Privacy professionals – Privacy professionals are generally accepting that the COVIDSafe App does seek to protect Australians’ privacy. On May 8, 2020 the Australian Government released the COVIDSafe App source code for public inspection, hosted on a GitHub repository. The source code for the COVIDSafe App is complete. 
• Cybersecurity review – There has been a cybersecurity review by The Cyber Security Cooperative Research Centre, which has confirmed that the personal information collected is limited.
• Technical – There are some technical concerns that on iOS the COVIDSafe App will need to be kept running in the background.

By private sector organisations

• AWS – The data in the COVIDSafe App can not be used by private organisations. Amazon Web Services (AWS), will supply the infrastructure and associated support services for the National COVIDSafe Data Store. As such, the Privacy Impact Assessment made recommendations that the Government should confirm the arrangements with AWS and ensure the contract is sufficient. The Government has stated emphatically that it is not possible for the US Government to get access to the data via AWS.
• Centralised model – The Privacy Impact Assessment acknowledged the “increased intrusiveness” of a centralised model, but states that it is understood that this “…has been balanced from a policy perspective against the ability of government to most effectively track potentially infected persons and to reduce the spread of COVID-19 in a manner consistent with the objects of the Privacy Act”. No recommendations to use an alternative de-centralised
  approach have been made.

The Government of the Province of Alberta has introduced a mobile contact tracing app, “ABTraceTogether”, which utilizes Bluetooth with the aim of letting users know if they have been exposed to COVID-19 or exposed others. Alberta’s “ABTraceTogether” app was developed using the same code that formed basis of Singapore’s “TraceTogether” App.

Currently the government of the Province of Alberta is the only Canadian government to introduce a COVID-19 contact tracing app. The Canadian Federal Government and other Canadian Provinces and municipalities are set to similarly introduce contact tracing apps.

The App is viewed to be minimally intrusive from a privacy perspective (especially in light of Alberta Privacy Commissioner’s positive comments) as it is voluntary and collects very little information, which is only used for the limited purpose of contacting users in the event of a positive test. Major privacy concerns centre around employers potentially requiring employees to download the app as a condition of being permitted to return to the workplace.

Currently a major issue is that there is insufficient uptake within the population for the app to be effective and technological issues in that the app is always required to be open and on to work properly and transmission can be interrupted while other phone applications are being used (i.e. email).

China established a nationwide telecom data analysis platform under the leadership of the Ministry of Information Industry Technology after the COVID-19 crisis outbreak. Based on this platform, telecom carriers (China Mobile, China Unicom and China Telecom) may provide a tracking record of the cell phone users’ location in the past 15 days or up to 30 days.

In addition, various apps with similar functions were introduced in different regions of China to achieve a dynamic certification of health status of the local residents. Different status (red, yellow or green) will impose a different level of restrictions or regulations.

When the personal data is collected and used for public security purposes, no consent from individuals providing it is required. This is the principle established by the Personal Data Security Specifications. The notice issued by the Cybersecurity Administration of China supporting mechanisms to control COVID-19 (Notice) provides that entities authorized by National Health Committee are entitled to collect this data without consent.

In practice, both the Government or authorized private sector organizations may have access to personal data, but the mechanism for the processing, use and storage of the personal data lacks transparency, with the potential for abuse of personal data in the future.

The app, StopCovid, developed by INRIA (National Institute for Research in Digital Science and Technology). is publicly available since June 2, 2020.

A decree (Decree No. 2020-650 of May 29, 2020 relating to data processing known as “StopCovid”) was published on May 29, 2020, setting the definitive legal framework for the implementation of the app.

The French Data Protection Authority (the “CNIL”) has stated that the app is compliant with the EU and French legislative data protection requirements.

The main concern relates to the use of a centralized server, which increases the risk of possible cyber-attacks and the temptation to exploit this data for purposes other than those provided for by law.

• Discrimination – people who do not use the app might not be able to work or access certain public places freely, meaning their consent was not freely given and therefore is void.
• Surveillance – in the event that the app is adopted by part of the population, it is feared that the French Government may more easily impose it on the rest of the population against their will. Moreover, the app is not based on pure anonymization – it is at best pseudonymous, which does not protect against any kind of individual surveillance.
• Security acclimatization – once the app is deployed, it will be easier for the French Government to add coercive functions to it (individual control of lockdown). Moreover, the app provides an incentive to subject one’s body to constant surveillance, which will reinforce the social acceptability of other technologies, such as facial recognition or automated video surveillance, which are currently widely rejected.

The German Federal Government has launched an official App "Corona-Warn-App" on June 16, 2020 which was developed by SAP and Telekom on behalf of the German Federal Government. The "Corona-Warn-App" is based on the Privacy-Preserving Contact Tracing (“PEPP-IT”). The Corona-Warn-App and backend infrastructure will be entirely open source - licensed under the Apache 2.0 license. The Corona-Warn-App is being developed on basis of the Exposure Notification Framework (“ENF”) provided by Apple and Google, which will uses Bluetooth Low Energy technology (“BLE”). The Corona-Warn-App will collect pseudonymous data from nearby mobile phones using BLE. As soon as two users approach each other within a distance of about two meters and remain at this distance for fifteen minutes or longer, their apps will exchange data via BLE. If an user tests positive for COVID-19, the user can feed the test result into his/her Corona-Warn-App. The Corona-Warn-App will then anonymously inform all stored contacts. The data will be stored locally on each device preventing access and control over data by authorities or a third party.

 Currently there is one other app available in Germany launched by Robert Koch Institute (German federal government agency and research institute responsible for disease control and prevention, “RKI”) – “Datenspende-App”. This app does not yet trace contacts, but only general movement and fitness information. The app collects the user data using their fitness tracker and sends it to the RKI. The RKI analysis anomalies in the data, which is sorted by postcode: As pulse rate, sleep rhythm and activity level change due to an acute respiratory disease, the RKI claims that it can also indicate a Covid-19 disease having this data.

“Corona-Warn-App”: - There are no major privacy concerns as the Corona-Warn-App has been designed with a special focus on privacy from the beginning. The German Data Protection Authorities generally support the Corona-Warn-App and only expressed minor concerns, but less on the Corona-Warn-App itself but rather on the way it may be used: 

• As Apple and Google, as providers of the operating systems, have access to all data that runs over their interfaces, there are some concerns regarding the Intension of Apple and Google.
• The voluntary aspect of the Corona-Warn-App could be undermined through social or economic pressure which could be specifically enforced by employers. It is proposed that a special accompanying law (which has not been passed, drafts of opposition parties available) is required to address these issues. 

The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) announced that the use of the telephone-Tan-registration is not an optimal solution because the complete anonymity of the user will no longer be guaranteed.

“Datenspende-App”:  There are several concerns indicated by Chaos Computer Club, a cyber security NGO, in particular:

• RKI can directly retrieve the fitness data from the provider of the fitness tracker or Google Fit and only then the data will be pseudonymized (except Apple Health). As the RKI also stores access data to the fitness tracker, it can be used to access complete history and names of the users.
• Easy reversal of the pseudonymisation and the insecure handling of the confidential pseudonym as the app does not use a standard browser but an embedded web view which is insecure due to man-in-the-middle attacks.
• The RKI server exposes additional functionality such as a management and admin interface as well as a SOAP API via the Internet. This increases its vulnerability. 

Quarantine monitoring – mandatory wristbands have been introduced for those arriving from overseas and are required to be worn for a 14 day home quarantine period. The wristband is linked to an app, StayHomeSafe. There is no contact tracing app under development for use in Hong Kong.

The key privacy concerns are excessive data collection and that data may be used for other purposes such as tracking. The Hong Kong Government addressed this concern by using geo-fencing technology rather than GPS location tracking. Other privacy concerns include storage and access to the data, as the privacy policy of the app does not contain clear information regarding retention of and access to such data.

The Government has selected a contact-tracing app developed by a well-known software house. On 29 April the Italian Government issued a law decree setting out inter alia the rules governing the adoption of such app (Law Decree no. 28 of 30 April 2020, the Decree). After a beta test in four regions, the app has been made available in the whole of Italy since June 15.

The Data Privacy Authority considers that the Decree on the app complies with its previous comments on this topic and with EDPB guidelines.

Main privacy concerns lie in data minimization, data security, re-identification risk and actual prevention of use of such data for other purposes. The Decree addresses a wide-spread concern about ownership and localization, providing that the data controller shall be the Ministry of Health, and that data shall be stored in servers on the Italian territory.

Private sector apps to be used in the workplace need to comply with strict Italian rules on remote monitoring of employees, as well.

The Ministry of Information and Communication (MOCI) launched a mobile application called PeduliLindungi. The app enables users to compile data related to the spread of COVID-19 in their communities to help bolster the Indonesian Government’s efforts to trace and track confirmed cases. Users are expected to register as participants and share their locations when travelling and also trace whether they have had contact with persons exposed to COVID-19. The app will also alert users entering crowds or COVID-19 red zones, namely locations where there are confirmed COVID-19 cases.

That said, the Government has not been very transparent on what measures or methods it is using to ensure protection of data privacy. For instance, the app mentions that it will have periodic updates to improve security and privacy. Whilst the private sector has conveyed privacy concerns, there has not been anything major as of yet.

The “Kwarantanna domowa” application is intended for people who are subject to 14-day mandatory house quarantine due to suspected COVID-19 exposure. The application uses geolocation and face recognition technology to ensure that relevant people are quarantined.

The “ProteGO Safe Safe” application is designed to allow users to monitor their level of risk of getting infected. The app facilitates self-assessment of the risk of COVID-19 infection and, if the user decides to do so, it allows the user to scan the environment for other smartphones on which the application is installed and saves the history of anonymous identifiers encountered.

“Kwarantana domowa” – It is unclear what methods have been used to protect personal data collected by the application and there may be a risk of data leakage. Due to concerns that the use of the “Kwarantanna domowa” application violates users' rights to personal data protection, the Polish Ombudsman has asked the President of the Office for Personal Data Protection for an opinion on this matter.

“ProteGO Safe” – There are three main concerns indicated by Panoptykon, a Polish NGO:

1. risk of deanonymisation and reconstruction of the map of social links;
2. threat to the safety of users (Bluetooth constantly on); and
3. the risks associated with automatic decision making, which can have significant consequences for people using the application.

There is no single technology that has been introduced consistently throughout Russia.

However, monitoring of the spread of COVID-19 is done at the local level and some technologies have been introduced in certain regions of Russia. Moscow, where the number of cases is highest (about 50% of the total cases), is the only region of Russia that has introduced a technology for monitoring the location of citizens (as well as their close contacts) with confirmed COVID-19 via an app called Social Monitoring.

The Social Monitoring App was developed by the Department of Information Technologies for the city of Moscow. The app is intended for monitoring violations of a self-isolation regime and quarantine established for those who are being treated at home and/or are limited in leaving their places of residence.

There are significant privacy concerns regarding the implementation of a Social Monitoring App. In addition to those mentioned above they include the following:

• The use of unprotected sources of transmission of personal data which may increase possible exposures, cyber- attacks, leakage of information and its further disclosure to unintended users in the market;
• Launching the process of personal registration and institution of online surveillance over the population for some state aims which cannot be clearly identified at this time (e.g., taxation or other).
• Since the app allows easy monitoring of a change of geolocation and any movements from the place of personal residence, it allows identification of violators of the regime and for significant penalties to be imposed.
• The scope of information collected and transmitted with the use of the app raises issues. In particular, this concerns photos/selfies transmitted with the use of the app. Given that only limited information regarding how the app works is available, there are questions as to whether information transmitted with the use of the app is properly protected.

The Singapore Government launched a contact tracing app (TraceTogether) on March 20, 2020. SafeEntry has also been rolled out by the Singapore Government. Safe Entry is a national digital check-in system that logs the NRIC/ FINs and mobile numbers of individuals visiting hotspots, workplaces of permitted services, as well as selected public venues to prevent and control the transmission of COVID-19 through activities such as contact tracing and identification of COVID-19 clusters. Individuals check in/out from SafeEntry at entry/exit points through (1) using the SingPass Mobile app to scan a QR code or choose from a list of nearby locations using the ‘SafeEntry Check-in’ function, (2) having an identification card with a barcode (e.g. NRIC, Passion card, student pass and work permit) scanned by staff, or (3) scanning of a QR code displayed at the venue and submitting one’s personal particulars.

To address contact tracing issues for those persons who may not have a smart phone, the Singapore Government also announced in early June that it would be making available a TraceTogether Token. This token is not an e-tag and has no internet connection or geo-location tracking functionalities but will record Bluetooth proximity data to the token for 

Concerns have focused on data security issues associated with the collection and storage of the data. The existence of data privacy issues associated with the TraceTogether app has been acknowledged by the Singaporean Prime Minister who commented at a national address on 21 April 2020 (which encouraged the use of the TraceTogether app) that “there will be some privacy concerns, but we will have to weigh these against the benefits of being able to exit from the circuit breaker [Singapore’s lockdown measures] and stay open safely”.

The South African government has partnered with the University of Cape Town to develop a smartphone app to assist government with tracking people who may be unaware that they have COVID-19 and to track people who have come into contact with others who are COVID-19 positive. The App is called Covi-ID.

The South African Government acknowledged that it is critical that the Government works collaboratively with South African technology companies and individuals to leverage technology capabilities in the fight against COVID-19 and its effects.

We are aware that the Government has approached technology companies to identify suitable projects that may assist the Government with its response to the crisis, in particular, its plan to develop a national COVID-19 Tracing Database. The database seeks to track people who are known or suspected to have come into contact with persons known or suspected to have COVID-19.

On 2 May 2020, the Department of Health also launched a Whatsapp based symptom reporting process. The details of the back end and privacy controls are unknown at this stage.

Given that South African privacy laws are not yet in force, there is a concern that personal information may not be properly protected during the pandemic and may be used for further processing not anticipated on collection of the data. On the WhatsApp symptom tracker it is unclear who is processing the information submitted and where else it may be disclosed. There are no terms and conditions available regarding the use of this functionality.

Even though South African privacy laws are not in place, there is a constitutional right of privacy; however this may be infringed where there are larger public interest considerations that outweigh the impact on privacy.

The Covi-ID App has a GDPR-based privacy policy and also voluntarily submits to the South African data privacy laws not yet in place.

The technologies being used in Thailand for tracking COVID-19 are mostly contact tracing applications used together with the cell phone location data of the user. The Thai Government authorities (e.g. Department of Disease Control (DDC), Office of The National Broadcasting and Telecommunications Commission (NBTC) etc.) are currently using these applications to monitor and track individuals who have been infected or classified as being in a “high risk cluster” (including the individuals who may have been infected) with support from the private entities and state enterprise (e.g. Airport of Thailand (AOT), mobile service providers and digital start-ups). The apps in use are:

• DDC-Care – this contact tracing application will require the user (those who have been diagnosed by the hospital or the disease screening point in Thailand, including the airport, that they are at risk of being infected) to submit a self-assessment report directly to DDC during the 14-day detention period. Also the user will be required to report all of their travel history, including the people who have been in contact with them. The general public is allowed to install and register this application;
• AOT Airport Application – the application is required to be installed before passing through immigration points for those who have travelled to, or returned from, contagious areas outside Thailand. This application will track tourists and returnees by using the mobile phone location data and will notify the NBTC, and the mobile phone service provider, if the user is infected after entry into Thailand. If the tourists, returnees or any person is diagnosed as infected, such persons will then be required to install the application in item (1);
• MorChana application – the application offers a contact tracing solution that enables smartphone device users to perform self-assessment and determine the risk level of infection based on exposure and travel history. It is designed to track the spread of the novel coronavirus, prompt quick and accurate public health responses, and ensure effective and measurable social distancing measures; and
• Sydekick for THAIFIGHT COVID-19 – the application, developed by a Thai start-up, was previously developed for the purpose of emergency care. People who have been discharged from detention at a quarantine centre and who have returned home to self-quarantine will be required to install and register the application before leaving the quarantine centre. As a result of the registration, such persons will be monitored by the DDC officer and required to submit the self-assessment reports on a daily basis.

Excessive data collection which may be used for other purposes such as tracking individual after the spreading of COVID-19 has ended.

The Dutch Government is currently investigating whether a contact tracing app should be launched. In this context, the Dutch Government asked the public to submit proposals. Approximately 700 proposals were submitted. Subsequently, the Government selected seven apps that were further presented during an “appathon” held on 18 and 19 April. Following this “appathon”, the Government decided that none of the apps met the requirements, inter alia under privacy legislation.

Therefore, the Government will, working with various experts, be working on the development of an app during the next few weeks. Currently, there are a lot of uncertainties surrounding the contact tracing app and it is even unclear whether such an app will be launched at all. Nevertheless, some aspects of the framework have already been confirmed, which are indicted below.

Furthermore, the Government had published a draft bill which amends the Dutch Telecommunication Act (Telecommunicatiewet) and allows the National Institute for Health and Environment (Rijksinstituut voor Volksgezondheid en Milieu) (RIVM) to access telecommunication data (including the aggregated location and traffic data of citizens) through the dutch Central Bureau of Statistics (Centraal Bureau voor de Statistiek) for the purpose of contact tracing and controlling the spead of COVID-19. The Dutch Data Protection Authority (the Authority) had reviewed the previous version of the draft bill and identified a number of areas that require improvement: (i) given that the bill was drafted with great urgency, its scope should be limited the COVID-19 crisis alone (it allowed RIVM to access data for future epidemics as well); (ii) the purpose and necessity of the extended powers of the RIVM needed to be stated clearly; and (iii) no maximum retention period for the telecommunication data was included. The Government had considered the comments from the Authority and published a revised draft bill on May 29, 2020 which is currently reviewed by the Authority.

There are significant privacy concerns regarding the implementation of a contact tracing app. According to the
Dutch Data Protection Authority, it is unclear whether the apps are necessary and effective in combatting COVID-19. This clarity is required in order to justify the extensive intrusiveness that the contact tracing app will have on the fundamental right of privacy.

Furthermore, the purpose(s) of the app is/are unclear, as well as the legal grounds to justify processing the data, including special categories of personal data (i.e. health data) regarding which more stringent requirements apply under the General Data Protection Regulation (GDPR). It is unclear which (governmental) organisations will use the app and who the data controller is in respect of the personal data.

This is important as the data controller will be responsible for complying with the GDPR and will be the point of contact for data subjects in order to receive information on the data processing and to enforce their data subject rights under the GDPR. Given that no app has been developed yet, it is unclear whether appropriate technical and organisational measures (e.g. pseudonymisation) will be implemented to ensure that the personal data is sufficiently protected. It should also be noted that there is a risk that the app will be used on an ongoing basis (i.e. after the crisis has ended). Pursuant to the GDPR, the app should in any case be a temporary measure..

In collaboration with the Information Technologies and Communication Authority and all mobile phone operators, the Turkish Ministry of Health has launched a mobile contact tracing app called “Hayat Eve Sığar” (Life Fits into the  House) to monitor the movement of diagnosed COVID-19 patients and to warn users if they enter a high COVID-19 risk zone or if they had crossed paths with a diagnosed patient. Diagnosed COVID-19 patients are warned via text messages and automated calls in the event that they leave their place of isolation.

The app is not being used by private sector organisations and to the best of our knowledge, there have been no surveys or polls to test public opinion on the app or any privacy concerns around it. However the major privacy concerns in relation to an app of this type would be the risk of a cyber attack and exfiltration of personal data (including sensitive health data) and whether established data processing principles would be duly complied with, including purpose limitation and time limitation.

So far the UAE has developed three COVID-19 tracing apps. The Abu Dhabi Department of Health first launched StayHome, which was then followed by TraceCovid. The UAE has now recently launched a new tracing app, ALHOSN. All three apps are designed to identify people who have been in close contact with infected individuals, allowing authorities to immediately reach out to possibly infected individuals and provide them with the necessary healthcare treatments.

From the information publicly available, ALHOSN was jointly launched by the Ministry of Health and Prevention, Abu Dhabi Health Authority and Dubai Health Authority to serve as the official digital tracing app for COVID 19. The new app combines the features of the two previous apps, StayHome and TraceCovid. The new app also provides additional features such as access to user test results, and a health colour coding system that identifies the status of the users’ health.

The National Health Service (NHS) reports that it will be launching a contact-tracing app which is currently under development. This is being developed by the technology arm of the NHS (NHSX). A trial was commenced on the Isle of Wight on 5 May.

Concerns centre on privacy principles of security, data minimisation, transparency and accountability and these apply both to private and Government use of tracing apps. 

In particular in relation to Government use:

• Government surveillance – government harvesting superfluous data and being able to centralise the data and use it for unrelated purposes. 
• Lack of trust in government to store and handle data appropriately if the data is centralised. 
• Centralised data being held indefinitely given the ongoing nature of the pandemic. 
• A lack of Government accountability. 
• Privacy being trumped by community health concerns.

In particular in relation to private sector use:

• Employee surveillance beyond what is necessary for the purposes of maintaining a safe work environment – e.g. using data for keeping tighter controls on employee movements/engagements. 
• Unnecessary dissemination of data within a business beyond strict confines of relevant HR manager. 

In the U.S., there has been some minimal, state-level efforts in this area, and two federal bills introduced in Congress. There also continues to be a major collaboration between Apple and Google.

The two federal bills focus on COVID-19 data privacy and create new rights for individuals related to COVID-19 health information. Some key similarities include requiring covered entities to: (1) obtain “affirmative express consent” before collecting and using COVID-19 related health information (subject to a few expectations); (2) disclose their data practices related to COVID-19 health information; and (3) create and implement reasonable data security and privacy safeguards. Some key differences include: (1) the definition of covered information, with one bill going beyond COVID-19 health information and including any physical or mental health status; and (2) the coverage of employee-related data, with one bill essentially exempting COVID-19 related health information used to determine eligibility for entering the workplace facility (e.g., temperature checks).

Apple and Google released an API in mid-May that can be used in official publich health apps in the iOS and Google Play stores. The API uses detection of Bluetooth signals in order to track location of users over time. For example, if User A has been in close contact with User B, who later self-identifies as having COVID-19 within a pre-identifined time window, then User A will be alerted if the potential exposure.

The major privacy concerns that would normally be associated with this type of data collection appears, on paper, to have been mitigated through: (1) affirmative express consent (in the case of the federal bills) and (2) the use of a complex public key cryptography infrastructure develop by Apple and Google for the API. The devil of course, is always in the details, and so we will be able to better judge when apps using this API go live. At this point, notwithstanding a fair amount of noise in the media about privacy concerns, this approach could work well, if affirmative express consent is obtained (and the bills ultimately become law) and the crypto implementation by Apple and Google is sound.