Contact Tracing Apps - Protect Your Privacy or Let Reduced Privacy Protect You

Despite concerns revolving around privacy and state surveillance, many authorities have adopted contact tracing infrastructures to ensure public safety. Is it possible to have the best of both worlds?

As several countries begin to ease lockdown measures, many authorities are introducing contact tracing technologies to control the spread of the novel COVID-19 virus. TraceTogether is one of the notable contact tracing applications, developed by the Singaporean Government to allow digital tracing to take place seamlessly. Germany has also released the Corona-Warn-App. Many other countries are also working on building their own contact tracing mobile applications.

Contact tracing mobile applications and wearables are designed to automate the process of tracking individuals who have been in close proximity to those who have tested positive for COVID-19. Essentially, these technologies are the modern solution for the authorities to understand and disrupt the virus transmission path in order to limit its spread. The basic principle of these technologies is to protect public safety without further compromising daily lifestyles and activities.

However, the implementation of such technology has caused many to worry that the recovery from this pandemic might come at the hefty cost of their personal privacy. To address the concerns of citizens, the EDPB has released a statement to ensure that privacy regulations such as the European GDPR are still being enforced throughout the implementation of contact tracing measures.

Tug of war between information security and public safety



Source: National Cyber Security Centre.

 

To address the issue of data privacy, many organisations have shifted from a centralised to a decentralised approach. In fact, tech giants like Apple and Google have also adopted the decentralised approach by leveraging Bluetooth signals, as illustrated in their sample code published here.

The key differences in the applications have been outlined in the white paper by experts from universities such as University College London and University of Oxford.


In the centralised approach, a central server is used to estimate a user’s exposure to COVID-19. The central server holds a long-term pseudo-identifier for every user and uses it to derive ephemeral pseudo-identities (EphIDs) that are pushed to the smartphones.

In the decentralised approach, the proximity tracing process is supported by a backend server that distributes anonymous exposure information to the app running on each phone. The backend server serves solely as a communication platform and does not perform any processing.

How the decentralised system enforces privacy and security settings:

  1. Ensures data minimisation
    The central server only observes anonymous identifiers of COVID-19 positive users, without any proximity information, because the ephemeral identifiers broadcast via Bluetooth are generated on users’ smartphones.

  2. Prevents abuse of data
    The central server collects the minimum amount of information, which minimises the likelihood that the collected data are used for other purposes. In fact, the technology can only be used to trace citizens who have tested positive within a small geographical area.

  3. Data retention
    Data on the server and in the apps will be removed after 14 days. Estimation of exposure is computed locally on the mobile device.

With concerns revolving around privacy and state surveillance, most privacy experts recommend a decentralised contact tracing infrastructure in which ephemeral IDs are stored locally on the device and can only be uploaded with consent, after the user has tested positive for COVID-19.
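The decentralised flow described above, as an added Python example (not code from this article, from Apple and Google, or from the white paper): identifiers are generated on the phone, observations stay on the phone, a positive user uploads only their own keys, and matching runs locally. The HMAC-SHA256 derivation, the 15-minute epoch, and the names `Phone`, `Backend` and `derive_ephids` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

RETENTION_DAYS = 14   # retention period stated in the article
EPOCHS_PER_DAY = 96   # assumption: a new ephemeral ID every 15 minutes

def derive_ephids(day_key: bytes, day: int) -> list[bytes]:
    """Derive one day's ephemeral IDs from a key generated on the phone."""
    return [
        hmac.new(day_key, f"{day}:{epoch}".encode(), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]

class Phone:
    def __init__(self):
        self.day_keys = {}   # day -> secret key, created on the device
        self.observed = {}   # day -> set of EphIDs heard over Bluetooth

    def broadcast(self, day: int, epoch: int) -> bytes:
        key = self.day_keys.setdefault(day, secrets.token_bytes(32))
        return derive_ephids(key, day)[epoch]

    def hear(self, day: int, ephid: bytes) -> None:
        self.observed.setdefault(day, set()).add(ephid)

    def prune(self, today: int) -> None:
        cutoff = today - RETENTION_DAYS  # drop anything older than the window
        self.day_keys = {d: k for d, k in self.day_keys.items() if d > cutoff}
        self.observed = {d: s for d, s in self.observed.items() if d > cutoff}

    def consented_upload(self, today: int) -> list[tuple[int, bytes]]:
        """What a positive user agrees to send: own keys only, no contact log."""
        self.prune(today)
        return sorted(self.day_keys.items())

    def exposed_days(self, published: list[tuple[int, bytes]]) -> list[int]:
        """Matching runs on the device; the server never learns who met whom."""
        heard = self.observed
        return sorted(d for d, k in published
                      if heard.get(d, set()) & set(derive_ephids(k, d)))

class Backend:
    """Communication platform only: stores and redistributes uploaded keys."""
    def __init__(self):
        self.published = []

    def accept(self, keys: list[tuple[int, bytes]]) -> None:
        self.published.extend(keys)
```

The backend never receives the `observed` sets, so it holds no proximity information; it only relays keys that a positive user chose to upload.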

In the quest to return to normality, we agree that the situation calls for such measures in order to control the spread of the virus. However, everyone is strongly encouraged to understand the application and implications of these technologies before adopting them.

Eunice Cheah
