The ongoing coronavirus pandemic has led to us being urged to stay at home, for our own good. However, because the SARS-CoV-2 coronavirus can infect people without causing many symptoms, and can spread through simple contact with a patient who may have remained undetected, contact tracing through smartphone location services has surfaced as a key resource across the world, as governments try to contain community spread of the virus, thereby restricting the overall spread.
This, though, has given rise to a rather perplexing debate around location tracing and the aspect of online privacy. On the face of it, installing an app and giving it access to your device’s present and historic location data seems like a small price to pay in exchange for finding out if you may have unintentionally come in contact with now-detected Covid-19 patients. What, though, of user privacy? Are there any possible ways to safeguard the transmission and usage of this data, and can contact tracing really be differentiated from blanket surveillance?
Location tracking vs Privacy
The Indian government, through its Aarogya Setu app, has told citizens that while the app will be tracking location data on an individual level, information will only be shared with authorised government officials, who will only use it to identify potential patients of Covid-19 and enforce quarantine protocol to keep them and surrounding individuals safe. Furthermore, Prime Minister Narendra Modi has reportedly suggested during a video conference with state chief ministers that the app can be used as an ‘e-pass’ to facilitate future cross-state travel, in a bid to restrict the spread.
In many ways, this makes location services the devil that right now can be used to save lives. On April 8, the European Commission filed a recommendation talking about the usage of smartphone location data for contact tracing and combating Covid-19. In the recommendation, the European Commission talks about establishing the use of personal data to track down Covid-19 community spread, but also includes provisions for checks and balances to prevent the misuse of data.
Through the recommendation, the EC is particularly careful about the handling of personal data, and recommends the following three steps:
- Strictly limit the processing of personal data for the purposes of combating the COVID-19 crisis and ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes.
- Ensure regular review of the continued need for the processing of personal data for the purposes of combating the COVID-19 crisis and set appropriate sunset clauses, so as to ensure that the processing does not extend beyond what is strictly necessary for those purposes.
- Take measures to ensure that, once the processing is no longer strictly necessary, the processing is effectively terminated and the personal data concerned are irreversibly destroyed.
Over the weekend, Apple and Google announced a collaborative project that will help healthcare authorities track down potential Covid-19 cases without using the geolocation sensor. These APIs will use Bluetooth low energy (BLE) beacons to create a log of whom you meet. The companies have stated that, this way, there is no risk of personal contact details of users being uploaded to a cloud server, and only a part of the data will be shared with government authorities once a person tests positive for Covid-19. This will be an API-level change, and will ease the process for governments to build contact-tracing apps.
What’s important to know is that right now, having BLE always on through a smartphone is not possible, since both Apple’s iOS and Google’s Android do not allow developers to continue accessing user location while running a service in the background. This is a basic security check to protect users from unwarranted surveillance. However, with the rollout of this API, the makers of two of the world’s most used operating systems are setting a precedent of enabling native contact tracing. In many ways, this can work as a precedent to the ‘backdoor’ debate that technology enablers have been waging against governmental pressure for years. The question: what defines the parameters of national security? During these times, are we making the question of our privacy completely redundant?
Tracing without surveillance?
Researchers and privacy experts working on these projects state that contact tracing can be made possible, and should be promoted to governments as the way forward. A blog post by Kylie Foy of the Lincoln Laboratory at Massachusetts Institute of Technology (MIT) details a technique that uses BLE for contact tracing, but encrypts the device Bluetooth identifiers as anonymised ‘chirps’. Each person will have a unique anonymised ‘chirp’, which can then be tallied on a database to identify who met whom, and in turn, if a Covid-19 patient may have come in contact with other people.
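The chirp idea described above, sketched as an added example (not code from the MIT project or from this article). It assumes chirps are derived with HMAC from a secret that stays on the device, rotate every 15 minutes, and that a diagnosed person's chirps are published to a database that other phones match against locally; the names `Phone`, `chirp` and `simulate` are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

INTERVAL_SECONDS = 15 * 60  # assumed rotation period; the page does not give one

def interval_of(timestamp: int) -> int:
    return timestamp // INTERVAL_SECONDS

def chirp(seed: bytes, interval: int) -> bytes:
    """Anonymised identifier broadcast during one interval (assumed construction)."""
    mac = hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:16]

class Phone:
    def __init__(self) -> None:
        self.seed = secrets.token_bytes(32)  # stays on the device
        self.heard: dict[bytes, int] = {}    # chirp -> time it was first heard

    def broadcast(self, timestamp: int) -> bytes:
        return chirp(self.seed, interval_of(timestamp))

    def hear(self, received: bytes, timestamp: int) -> None:
        self.heard.setdefault(received, timestamp)

    def report_positive(self, start: int, end: int) -> set[bytes]:
        """Chirps this phone sent between start and end; only these are uploaded."""
        first, last = interval_of(start), interval_of(end)
        return {chirp(self.seed, i) for i in range(first, last + 1)}

    def exposures(self, published: set[bytes]) -> list[int]:
        """Times this phone heard a chirp that was later published as positive."""
        return sorted(t for c, t in self.heard.items() if c in published)

def simulate() -> dict[str, list[int]]:
    """Constructed scenario: Bob meets Alice, Carol only meets Bob."""
    alice, bob, carol = Phone(), Phone(), Phone()
    t0 = 1_586_700_000  # constructed timestamp
    bob.hear(alice.broadcast(t0), t0)
    carol.hear(bob.broadcast(t0 + 3600), t0 + 3600)
    # Alice tests positive and publishes one day of her chirps either side of t0.
    database = alice.report_positive(t0 - 86_400, t0 + 86_400)
    return {"bob": bob.exposures(database), "carol": carol.exposures(database)}

if __name__ == "__main__":
    print(simulate())
```

The database only ever holds the diagnosed person's chirps, and each phone checks its own log of heard chirps against them, so no list of who met whom is assembled centrally.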
There are more such instances. Another MIT project called ‘Private Kit: Safe Paths’ uses a smartphone’s geolocation data, but hashes the location information into synchronised, anonymous information squares, before pinging off the data to central healthcare servers. This can also help governments detect Covid-19 hotspots, without needing to narrow down the places by identifying personal details of individuals. Yet another project by a group of researchers talks about using an anonymised server network akin to Tor (The Onion Router) in order to disguise private user data. While these projects would still allow authorities to trace contact and community spread of the coronavirus, they also set a new precedent of catering to user privacy, which should ideally be the long-term goal.
So far, India is using a more direct approach, asking individuals to directly share their location and private data with the government to help track Covid-19 patients at large. With the likes of Apple and Google also enabling API-level access to location services for background tasks, the onus is on us to not forget the aspect of user privacy, in a bid to tackle the pandemic.