Contact Tracing Apps - Protect Your Privacy or Let Reduced Privacy Protect You

Despite concerns revolving around privacy and state surveillance, many authorities have adopted contact tracing infrastructures to ensure public safety. Is it possible to have the best of both worlds?

As several countries begin to ease lockdown measures, many authorities are introducing contact traceable technologies to control the spread of the novel COVID-19 virus. TraceTogether is one of the notable contact tracing applications which has been developed by the Singaporean Government to allow digital tracing to take place seamlessly. Germany has also released the Corona Warn-App. In many other countries, they are also working on building their own contact tracing mobile application.

Contact tracing mobile applications and wearables are designed to automate the tracking process of individuals who have been in close proximity with those who were tested positive for COVID-19. Essentially, these technologies are the modern solution for the authorities to understand and disrupt the virus transmission path in order to limit its spread. The basic principle of these technologies is to protect public safety without further compromising daily lifestyles and activities.

However, the implementation of such technology has caused many to worry that the recovery of this pandemic might come at the hefty cost of their personal privacy. To address the concerns of the citizens, EDPB has released a statement to ensure that privacy regulations such as European GDPR are still being enforced throughout the implementation of contact tracing measures. 

Tug of war between information security and public safety



Source: National Cyber Security Centre.

 

To address the issue of data privacy, many organisations have shifted from centralised to decentralised approach. In fact, tech giants like Apple and Google have also adopted the decentralised approach by leveraging on bluetooth signals, which can be illustrated in their sample code published here.

The key differences in the applications have been outlined in the white paper by experts from universities such as University College London and University of Oxford.


In the centralised approach, a central server is used to estimate a user’s exposure to COVID-19. The central server holds a long-term pseudo-identifier for every user and uses it to derive ephemeral pseudo-identities (EpHIDs) that are pushed to the smartphones.

In the decentralised approach, proximity tracing process is supported by a backend server that distributes anonymous exposure information to the app running on each phone. The backend server serves solely as a communication platform and does not perform any processing.

How the decentralised system enforces privacy and security settings:

  1. Ensures data minimisation
    Central server only observes anonymous identifiers of COVID-19 positive users without any proximity information as ephemeral identifiers broadcast via Bluetooth are generated on users’ smartphones.

  2. Prevents abuse of data
    Central server collects the minimum amount of information so that it minimises the likelihood that the data collected are used for other purposes. In fact, the technology can only be used to trace citizens who have been tested positive within a small geographical area.

  3. Data retention
    Data on the server and in the apps will be removed after 14 days. Estimation of exposure is computed locally on the mobile device.

With concerns revolving around privacy and state surveillance, most privacy experts recommend decentralised contact tracing infrastructure such that ephemeral IDs are stored locally on device and can only be uploaded with consent, after the user is tested COVID-19 positive.

In a quest to resume back to normality, we agree that the situation calls for the need for such measures to take place in order to control the spread of the virus. However, it is strongly encouraged for all to understand the application and implication of the technologies before they adopt it.

ZurückWeiter
Eunice Cheah

Related Posts

Blog thumbnail

Budgetabstimmungen für 2021 - Unser Business Case Builder unterstützt Sie.

Im letzten Quartal des Jahres starten die Budgetabstimmungen und mit ihnen kommen Fragen rund um Toolauswahl, Prioritäten und Umsetzungszeiträume auf. Wir möchten Ihnen die Vorbereitung auf diese Diskussionen erleichtern, Argumente an die Hand geben um Sätzen wie “nächstes Jahr gibts kein Budget für Tooling” zu begegnen und Ihnen einen gründlichen Überblick über Ihren Business Case verschaffen. Aus diesem Grund haben wir den Alyne Business Case Builder entwickelt, ein Tool das auf Basis unterschiedlicher, voneinander abhängiger Faktoren Argumente liefert.
Blog thumbnail

RiskNET Summit 2020: Gelebtes Steuern in Unsicherheit

Wir als Alyne haben uns sehr über die Gelegenheit gefreut uns auf dem diesjährigen RiskNET Summit zu präsentieren und fanden es als sehr bereichernd uns mit Teilnehmern aus unterschiedlichen Bereichen auszutauschen. Lesen Sie den vollständigen Artikel und erfahren Sie mehr über die dort besprochenen Topthemen sowie unseren daraus resultierenden Schlussfolgerungen.