With a third of the planet’s population still under COVID-19-related restrictions, the wider social and economic impact of “lockdown” is becoming apparent. However, with a vaccine still 12 to18 months off, governments around the world are weighing the apparent trade-off between easing restrictions and maintaining public health.
To prevent a second infection wave, countries have been exploring how to harness technology to automate contact tracing, releasing the remainder of the population to go about daily life. Though sounding simple, such technology is far from straightforward. It also brings serious practical and ethical concerns already playing out in some countries, and risks pitting health care against data protection.
What is contact tracing?
Contact tracing is a key tool in preventing the spread of communicable diseases. It involves tracking down and alerting those who have been in contact with a confirmed sufferer. However, it has limitations: with airborne diseases such as COVID-19 where symptoms are delayed, it is difficult to identify everyone who may have been exposed. It is also time-consuming and works best with low infection levels. In March, the UK government stood down Public Health England’s 290 contact tracers, believing them already overwhelmed by the coronavirus spread.
In April, however, the government reversed its decision, announcing plans to train 18,000 contact tracers and to support their efforts through automation using a contact tracing app developed by NHSX (the digital arm of the National Health Service, or NHS) downloaded to smartphones to “track-and-trace” those exposed to the virus.
How would automated contact tracing work?
Individual nations are developing their own contact tracing apps but, broadly, two methodologies exist: one employing the user’s geo-location, often in conjunction with credit card data and surveillance camera records, and the other a more privacy-friendly version based on Bluetooth.
In the Bluetooth version, as the user moves about, their phone connects with others within a certain range. A “Bluetooth handshake” would take place in which connected phones exchange and each store a unique “key” signifying physical proximity. In the UK, when users subsequently display symptoms, they may choose to allow the app to inform the NHS, which would then alert other app users whose smartphones hold the infected person’s key, indicating that those other users should self-isolate. The key would be anonymous and would not reveal the personal identity or location data of the infected individual to those receiving alerts.
To facilitate automated contact tracing, Apple and Google are collaborating to release interfaces enabling Android and iOS devices to work together using apps from public health authorities.
How effective is it?
Although elementary, automated contact tracing has significant practical limitations. Bluetooth is an imprecise tool and risks false positives, such as proximity through a wall. Inevitably, it is “blind” to disease transmission in spaces vacated by infected individuals moments before where no Bluetooth handshake between handsets would take place. Crucially, automated contact tracing relies on uptake. In the UK, 60% of the population would need to download the app for it to make a positive difference and with 20% of Britain’s population estimated not to own a smartphone and many older devices with limited app capability, many people would be excluded.
A further difficulty arises from the multiplicity of contact tracing apps currently under development. How will they work together? Moreover, once international travel resumes, will national contact tracing apps be interoperable? Finally, there is a risk that automated contact tracing will be seen as a panacea by “fanboys” of utopian technological solutions. In reality, it can only be part of the answer, along with adequate infection testing and traditional confirmatory contact tracing which are essential components of any useful roll-out.
Authoritarian regimes around the world have been quick to use the pandemic to restrict their citizens’ freedoms, with China introducing a “traffic light” system to control citizens’ movements and Russia deploying aggressive surveillance methods to enforce lockdown. Even in more libertarian states, contact tracing apps risk morphing into “immunity passports” as a means of easing lockdown, determining access to amenities based on apparent health status and further widening the “digital divide.”
Against this background, automated contact tracing has raised acute privacy concerns. Whereas many prefer a decentralised model where the Bluetooth handshake keys are stored only on a user’s handset, many health authorities around the world, including the NHS, wanted centralised records of anonymised data. However, centralised systems permit re-identification by governments or even hackers. In the UK, such concerns were highlighted when a draft government memo was leaked in March suggesting ministers may be empowered to order the re-identification of individuals from their smartphone data where they viewed it as proportionate, fuelling pre-existing worries over excessive state surveillance, in particular from the Investigatory Powers Act (the so-called “Snooper’s Charter”).
To alleviate such risks, Apple and Google limited the operability of their proposed interface for centralised systems. The UK, however, pressed on with a centralised system, bypassing the deliberate limitations imposed by Apple and Google - albeit at a cost to phone battery life and necessitating that phone screens remain unlocked - risking data security.
Beyond practical concerns, an automated contact tracing app raises wider issues. Could those downloading it, for example, become liable for failing to self-isolate if the app notifies them of potential infection? While such notions sound far-fetched, South Korean authorities have launched a murder investigation into ‘Patient 31,’ a woman who refused to test and allegedly infected thousands with COVID-19. In this time of heightened anxiety, might we see existing UK criminal legislation deployed to “police” the app’s use?
Data protection laws – a help or a hindrance?
In a straight contest between health and data privacy, polls show the public in favour of allowing the government to use mobile phones to track coronavirus carriers and inform others of potential infection. Regulators have been at pains to say that data protection laws are not incompatible with public health safety. Both the UK’s Information Commissioner and the European Data Protection Board (EDPB) have expressed their support - in principle - for a data-driven solution as part of the response to this health emergency.
On 4 May, the Information Commissioner submitted evidence to the UK parliament’s Human Rights Committee about the NHSX app and, while sitting on the fence about whether or not the database should be centralised, emphasised the need to observe essential principles of transparency, data minimisation and purpose limitation. The EDPB has stated that, such is the privacy intrusion of monitoring location and contacts, only voluntary adoption could legitimise it; those who cannot or decide not to use contact tracing apps should suffer no disadvantage. With concerns already emerging about the app’s “function creep” and who may be given access to its database, a group of leading human rights lawyers highlighted the significant interference with human rights inherent in the UK government’s proposals, warning of potential litigation to come. Facing such legal headwinds, the government has found itself out of step with much of the rest of the world and is reportedly exploring a switch to a decentralised model after all.
Despite the controversy surrounding it, data protection law is remarkably malleable. Although the legislative framework is complicated there is a path through which, if navigated carefully, permits the potentially life-saving benefits of automated contact tracing whilst simultaneously guarding against governmental overreach and maintaining trust. With the NHSX app now being trialled on the Isle of Wight before national roll-out in weeks, it remains to be seen whether the practical problems and legal hurdles can be overcome to help restore a semblance of normality to our lives, and allow the UK and the rest of the world to begin the path to recovery after this extraordinary period.
Julian Hayes is a partner at BCL Solicitors LLP in London, specialising in computer misuse offences, surveillance and data protection law. Andrew Watson is a legal assistant in BCL Sollictors LLP’s corporate and financial crime team.
Are you a recognised expert in your field? At Euronews, we believe all views matter. Contact us at firstname.lastname@example.org to send pitches or submissions and be part of the conversation.