To trace or not to trace: opportunities and risks of contact tracing apps

Would you give up your privacy for the greater good?

Mobile technology allows us to communicate instantaneously and, for most of us, it’s a great ally for acting more efficiently no matter the time or the place. It’s said to be one of the most promising tools (or sets of tools) for dealing with the existing and still unknown dangers of COVID-19. Only 35 years ago, when the world faced the beginning of the HIV pandemic (to some, only an epidemic), it wasn’t nearly as well equipped as it is now to fight a health emergency. If mobile technology teams up with geolocation technology, it can help mitigate the spread of a disease and help institutions make informed decisions and adapt strategies accordingly. People traceability and real-time tracking applications are two examples of how to make this happen.

However, this is a give-and-take situation. 

Governments (and, potentially, businesses) that bet on geolocation technology need access to personal data, including people’s location and individuals’ social interactions. The objective is to break the COVID-19 transmission chain more effectively, limiting the wild spread of the virus and avoiding another potential lockdown, especially in countries that have already lifted their lockdowns or are doing so progressively.

Managing a potential second “coronavirus” tide effectively via geolocation technology requires users to commit to the strategy, i.e. to download the apps and take the actions this approach needs in order to work. That’s why it’s crucial for citizens, first, to trust the institution that is to use their data and, second, to know how these app controllers will use the collected data, for what purposes, for how long, and how this data can truly make a difference in dealing with the pandemic.

The old traditional tracing techniques won’t go away any time soon because, despite limitations, they don’t share the same flaws that digital technologies bring with them.

Last week, our regular cybersecurity webcast series Cybersecurity Community Calls: Stay Connected! focused on contact tracing apps, their risks and opportunities. In this article, we summarise the main takeaways discussed by our very own experts, Damien Dietrich, MD, eHealth expert and Dmitrii Pogorelov from the Department of Infection and Immunity from the Luxembourg Institute of Health, and Philippe Valoggia, Senior Research & Technology Associate from the Luxembourg Institute of Science and Technology.

A new era for contact tracing 

The fight against the global pandemic will continue, likely until a soundly tested treatment accessible to all arrives or, ideally, until a viable vaccine is discovered and commercialised. Nevertheless, life cannot continue on stand-by. That’s not good for the economy, nor for our social system and our mental health.

The world continues to hope for a near future free of lockdowns (or, at least, with lockdowns as localised as possible). A way to avoid this dreaded scenario is to understand closely how the virus spreads and how virus carriers behave. This translates into identifying the people who might have been exposed to the virus and isolating those they’ve been in close contact with. However, the traditional analog contact tracing method used, for instance, in Luxembourg, is generally laborious and slow, since it relies on individual interviews. This is where smartphone technology comes in.

A contact tracing app can retrace people’s movements and, possibly, notify them in case of a health risk. This government-sponsored solution is already being used in countries like Italy, Germany and France. Anyone eager to find a way out of the pandemic could think “It sounds promising, doesn’t it?” But there are several catches.

Experts point out that mobile phones make for imperfect proxies for coronavirus exposure. This raises the issue of inaccurate exposure reports, also known as false positives. For example, the technology doesn’t understand social distancing rules. When interacting with others, individuals could be physically separated from each other, in different living or working spaces, or even using protective equipment, such as masks.

There’s also a (more than) slight issue with adoption. According to this article, contact tracing apps can only be efficient in slowing down the pandemic if at least 60% of the population uses them. At the same time, there are privacy and security concerns because tracing apps need user data to identify and track individuals on a permanent basis.

To make this happen, two types of technologies can be used: the Global Navigation Satellite System (GNSS), which includes GPS, and Bluetooth, the latter being the weapon of choice for Europe because it aligns better with GDPR requirements.

When it comes to security, we have to dive into the tech’s implementation types: centralised and decentralised. The infographic below explains them very well. 

[Infographic: The difference between centralised and decentralised. Source: BBC.com]

Contact-tracing apps: three things to take into consideration

1. Trust is key for public acceptance

Trust is a business imperative and a social pillar, and that includes governmental institutions. No one, not even the most prestigious institution, can hold people’s trust over time if present attitudes and behaviours, or what our memory recalls, don’t support it. Reputation is a picky and fragile companion, and COVID-19 a persistent enemy.

“Sow today, harvest tomorrow”, the popular old saying goes. 

If users don’t trust the institution behind the tracing app, they will probably not download it or, if they do, they will barely use it. In Europe, knowing how personal data is used increasingly matters to citizens.

Could data controllers (in this case, the governments or institutions behind the tracing initiative) find a way to fix the trust equation? During the webcast, the communication factor was mentioned consistently: a “solid and transparent communication” as a driver of any tracing initiative.

It is crucial that the provider explains the purpose of the tracing app, how the data is collected and analysed, where this happens, how it contributes to a greater cause, the time frame for using it, who is responsible for any improper use of personal data and which actions citizens can take to exercise their privacy rights.

In this case, by using contact tracing, one can break the transmission chain of COVID-19 more efficiently, avoiding massive outbreaks. Users might be more inclined to give up their privacy if they know how important and decisive the action is.

An important foundation stone when building trust is cybersecurity. The protection of the user’s privacy and personal data must be considered in the equation. The app controller must be able to protect the collected data and be prepared to mitigate cyberattacks. 

2. The level of contact-tracing apps adoption is low, but it shouldn’t be

We humans are a mystery. When it comes down to it, we react differently under stress, especially when our lives are under threat. 

Contact tracing apps reached their usage peak during lockdown in certain countries, while in others, like India, Norway and Singapore, their adoption has been a challenge.

As the world braces itself for the possibility of a second wave, we soon realise the hard truth we still face: the threat is far from over. The chain of transmission of COVID-19 spreads just as quickly as in the beginning. Using the power of communication can turn the tide on the apps’ usage and, consequently, make the difference in a year dominated by this pandemic.

It’s important that people are informed of the existence of these apps and how they can benefit from them, mainly to remain safe and healthy.

3. There’s always room for improvement

Technology has been growing more complex and interdependent over the years. As a result, when organisations implement a new one, processes are meant to reinvent and transform themselves. And, when individuals embrace a new one consistently, certain social behaviours could be greatly influenced too.  

For example, a few years ago, a single authentication factor on social media (i.e. the use of one static password) was enough to protect the personal data of millions of users. But, as technology evolves, so do the tools to crack it and misuse the data stored.

Over time, the single line of defence became insufficient to protect users against phishing and cyberattacks. As a result, major social media companies introduced an extra layer of protection, a second authentication requirement, such as sending a phone message or an email with a specific code to the user’s phone.

The use of contact-tracing apps has, naturally, downsides. Centralised systems are appetising to cyber attackers, and the risk of attempts to steal data is higher. The Bluetooth-based technology used in contact-tracing apps can lead to the misinterpretation of users’ movements, as it is not able to make the distinction between daytime and night-time. These are only a few of the current challenges that the organisation controlling these data must face. The margin of error is enough to influence the numbers significantly, making the data recovered untrustworthy.

The most viable solution is a mix between traditional tracing and digital tracing. While the traditional contact-tracing is both time and resource consuming, digital tracing still hasn’t fully proven its efficiency and effectiveness. However, if the data collected by the digital app could be filtered, treated and interpreted manually, the results would perhaps reveal numbers closer to reality and a better understanding of behavioural patterns.

What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg

Using a tracking app at the current time, for the noble cause of breaking a pandemic, makes obvious sense. Yet, it creates a precedent, where we give away some of our privacy and rights for the good of all. We might get used to this. We should watch out not to erode the attention we bring to such questions, if we want to continue living in a society where privacy matters.

 

Koen Maris, Cybersecurity Director at PwC Luxembourg

The current approach is to attack the symptoms that endanger humanity, with technology. This will lead to eroding privacy and convert our private lives to a dataset accessible by commercial and/or government bodies in order to make money or gain control.

 

 
