Can COVID-19 Protections be Designed for Privacy?
As our society moves forward in a time of novel coronavirus, we begin to improve the tools available to fight the virus. I wrote earlier about the many ways that tracking and fighting an epidemic conflict with attempts to protect personal privacy, but new attempts are being developed to keep personal data private while implementing more virus-fighting information tools.
Unsurprisingly, an early attempt at such a sophisticated tool has arisen in Europe. Der Spiegel reports that there “is a new European approach that is supposed to dispel fears of extensive monitoring by ‘tracking apps’.” This alternative to current disease and human tracking technologies will not be used against the will of identified individuals and will not allow others to identify infected people. Whether the privacy-reducing steps taken by existing systems are necessary for effective tracking has yet to be determined, but the creators of the new system want to find out.
According to TechCrunch, “The core idea is to leverage smartphone technology to help disrupt the next wave of infections by notifying individuals who have come into close contact with an infected person — via the proxy of their smartphones having been near enough to carry out a Bluetooth handshake.” A Bluetooth handshake by itself records only that two phones were near each other, not where they were; the privacy cost comes from what is collected around that record and who keeps it. As this kind of protection has been implemented so far, it has demanded that the government know where you are at all times and maintain location tracking data on nearly all individuals for a long time.
Singapore’s government is using its Trace Together program to track how the disease travels and who has been exposed, but the powers in Singapore tend toward more authoritarianism and less personal freedom/privacy than most Western societies would allow. The Trace Together app can find people who have been within two meters of a COVID-19 infected person for more than 30 minutes. This data could be used to warn the exposed person, but also to put his/her name into an infection database and to track that person going forward. Great for epidemiology, lousy for personal privacy.
A coalition of European technologists and policymakers led by the Fraunhofer Heinrich Hertz Institute for telecoms (HHI) has proposed plans for performing such protective tasks in a manner that also shields the privacy of EU residents. They call their system Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), which claims on its website to provide mechanisms that will include:
- Well-tested and established procedures for proximity measurement on popular mobile operating systems and devices.
- Enforcement of data protection, anonymization, GDPR compliance, and security.
- International interoperability to support tracing local infection chains even if a chain spans multiple PEPP-PT participating countries.
- Scalable backend architecture and technology that can be deployed with local IT infrastructure.
- Certification service to test and ensure local implementations use the PEPP-PT mechanisms in a secure and interoperable manner.
- Our reference implementation is available under the Mozilla License Agreement.
The group claims that “anything we provide is based on voluntary participation, provides anonymity, does not use personal data nor geolocation information, operates in full compliance with GDPR, and has been certified and tested by security professionals.”
The PEPP-PT system will be a voluntarily installed app on your smartphone which can trigger an alarm if the user has stayed near any person who later tests positive for the virus and who also uses the system. The user is simply told that he/she was close to an infected person; the app does not show who was infected, or when or where the contact occurred.
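The Bluetooth-handshake idea quoted from TechCrunch above and the alert behaviour described in the preceding paragraph can be made concrete in a few dozen lines. The following Python sketch is an added example, not code from PEPP-PT or its reference implementation (this page does not describe PEPP-PT's actual protocol, and the sketch does not claim to reproduce it). Everything in it is an assumption constructed for illustration: the 15-minute ID rotation interval, the `Phone` class and its methods, the three participants and their contact pattern. The "more than 30 minutes" exposure threshold is the one quoted for Singapore's app above.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

EPOCH_MINUTES = 15       # assumption: each phone rotates its broadcast ID every 15 minutes
EXPOSURE_MINUTES = 30    # "more than 30 minutes", the threshold quoted for Singapore above
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES


def ephemeral_id(daily_secret: bytes, epoch: int) -> bytes:
    """Derive the 16-byte ID a phone broadcasts during one epoch.

    IDs are an HMAC of the epoch index under a per-day secret, so without
    the secret no two broadcasts can be linked to each other or to a person.
    """
    return hmac.new(daily_secret, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    """One participant's handset (hypothetical). The label exists only for the reader."""

    def __init__(self, label: str, daily_secret: Optional[bytes] = None) -> None:
        self.label = label
        self.daily_secret = daily_secret if daily_secret is not None else os.urandom(32)
        # Contact log: opaque ID -> epoch heard. No name, no GPS fix, no address.
        self.observed: Dict[bytes, int] = {}

    def broadcast(self, epoch: int) -> bytes:
        return ephemeral_id(self.daily_secret, epoch)

    def hear(self, eph_id: bytes, epoch: int) -> None:
        self.observed[eph_id] = epoch

    def disclose_on_positive_test(self) -> bytes:
        # A diagnosed user publishes only the day's secret. Anyone can
        # regenerate that day's IDs from it; nobody can get a name from it.
        return self.daily_secret

    def exposure_minutes(self, published_secrets: List[bytes]) -> int:
        """Match the local contact log against published secrets.

        Matching happens on the phone; the result is a duration, not who
        was positive or when or where the contact happened.
        """
        positive_ids = {
            ephemeral_id(secret, epoch)
            for secret in published_secrets
            for epoch in range(EPOCHS_PER_DAY)
        }
        matched = sum(1 for eph_id in self.observed if eph_id in positive_ids)
        return matched * EPOCH_MINUTES

    def is_exposed(self, published_secrets: List[bytes]) -> bool:
        return self.exposure_minutes(published_secrets) > EXPOSURE_MINUTES


def simulate_day() -> Dict[str, int]:
    """Constructed scenario with fixed secrets so the result is reproducible."""
    alice = Phone("alice", b"a" * 32)
    bob = Phone("bob", b"b" * 32)
    carol = Phone("carol", b"c" * 32)

    # Alice sits near Bob for epochs 10, 11 and 12 (45 minutes) ...
    for epoch in (10, 11, 12):
        alice.hear(bob.broadcast(epoch), epoch)
        bob.hear(alice.broadcast(epoch), epoch)
    # ... and passes Carol once during epoch 20 (15 minutes).
    alice.hear(carol.broadcast(20), 20)
    carol.hear(alice.broadcast(20), 20)

    # Bob tests positive and uploads his daily secret, nothing else.
    published = [bob.disclose_on_positive_test()]
    return {p.label: p.exposure_minutes(published) for p in (alice, bob, carol)}


if __name__ == "__main__":
    print(simulate_day())   # {'alice': 45, 'bob': 0, 'carol': 0}
```

The privacy property comes from two design choices rather than from any cryptographic trick: the only thing uploaded after a positive test is an unlinkable secret, and the matching runs on each phone against its own contact log, so no server ever sees who met whom. What the exposed user gets back is a duration that either crosses the threshold or does not. A real deployment would also have to estimate distance from Bluetooth signal strength, keep the rotation schedule loosely synchronized across devices, and guard against replayed broadcasts; none of that is modelled here.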
Does a tracking system need to be government mandated to be effective? Do we need to know the names of infected people, or of those in contact with them, to build public health policy in a pandemic? Will it work when many of the most vulnerable, including the poor and the elderly, do not carry smartphones or may not be comfortable installing a new app?
We may soon find out. According to Der Spiegel, a first multi-million-dollar donation has just arrived from a donor outside the PEPP-PT group to fund work on this project, and the PEPP-PT team is now advertising for “colleagues, developers, new collaborations at home and abroad.” So this effort is well under way.
It will be interesting to see how well it succeeds in a seemingly impossible task, and even more interesting to see what other ideas follow to try and stitch together COVID-19 prevention and data privacy protection.