Update with Covid-19 Tracing App index of 40 apps; will these apps result in permanent loss of privacy?

Feature by Tony Morbin

Unless we believe that the coronavirus threat is permanent then the public interest test to allow Covid-19 tracking apps surveillance capabilities is only passed for so long as the threat remains.

When security becomes paramount we willingly give up some of our freedoms to overcome the immediate danger, but when the crisis has passed we expect to regain our earlier liberty and have emergency security measures removed.  However, governments, particularly those of an authoritarian stamp, but democracies too, are often loath to relinquish powers once obtained, and with the introduction of technology into the equation, there are many who doubt if privacy rights, once given up, can ever be taken back.

That’s the situation we are in right now as we - largely willingly - accept restrictions on movement and relinquish personal privacy to enable development and operation of Covid-19 tracing apps for the greater good of overcoming the current crisis.  

But, as a recent report in Foreign Policy notes: “ Few citizens of democracies fear that the freedoms of movement or assembly will remain permanently restricted once the coronavirus pandemic subsides. There is no such level of certainty when it comes to digital rights (many of which) are implied and assumed, but have not yet been enshrined in an enforceable capacity.”

Hence there are calls by some, such as the Ada Lovelace Institute for any such apps and surveillance entailed to be of limited use for the current emergency period and, “to balance the immediate public interest against citizen’s longer-term interest in privacy and to ensure that such surveillance is not extended beyond the coronavirus emergency or into other areas of public life without further consideration by Parliament and further legislation.”

Alastair R MacGregor QC, the UK Biometrics Commissioner issued a statement supporting this opinion, saying that although the general and public threat from coronavirus makes such surveillance in the public interest, “.. unless we believe that the coronavirus threat is permanent (and at present we do not know) then it may be that the public interest test is only passed for so long as the threat remains. 

“That means that public surveillance to try and control coronavirus probably should be regarded as time limited and should be included in emergency legislation. Parliament certainly acted in this manner when it passed the Coronavirus Act 2020 which, in part, suspended some aspects of PoFA in response to the health emergency. It did so by insisting that the emergency provision had to be limited initially to 6 months and the relevant regulations made in consultation with the Biometrics Commissioner.”

He goes on to add: “If surveillance of coronavirus is regarded as valid only during the pandemic then it is important that public trust in such a process is encouraged by regulation approved by Parliament as to the limitations of that surveillance. A group of university lawyers have produced a suggested Coronavirus (Safeguards) Bill that they believe would be necessary in order to protect an individual’s right not to participate, their anonymity, to limit the period for which it could be done and to regulate what use could be made of any data which was collected and who it could be shared with.”

Finally, MacGregor notes that: “The coronavirus emergency has highlighted the very rapid development of new biometric technology in general and its possible use by the State but also by private interests and why that is something that needs a new framework of governance backed by legislation.”

In the US too, as the Foreign Policy report demonstrates, there is body of opinion supporting the contention that: “Citizens, corporations, and leaders must start working to create a bill of digital rights—now, before things get any worse and individuals permanently lose control of their online data.”

In particular, the same Foreign Policy report raises concerns that any surveillance measures taken must be reversible, strictly proportionate, and fully transparent. “To ensure that they don’t outlive the emergency, the process for their removal must be defined at the moment they are implemented. The recent past has shown that such arrangements may be difficult to undo. For instance, many of the sweeping surveillance provisions of the temporary Patriot Act have been routinely reauthorized by Congress since 2005 and were most recently extended just last month.”

It notes how in South Korea a system to track potentially infected individuals collects localisation data from mobiles and GPS, public transport data, credit card data, immigration records, and others. Hence the recommendation that app developers demonstrate how each piece of information collected can help counter the spread of the coronavirus, saying, that there is:”...no legitimate reason to collect or process localisation or proximity contact data for months to fight a virus with a two-week incubation period.” Instead the report says government must restrict repurposing of this data for unrelated ends, whether they be profit seeking or aiding the greater good.

So what Apps are we talking about and how secure is thier privacy?  MIT has built a tracing App, and Google, Apple and the TCN Coalition (including Covid Watch, Co-Epi, and Novid) currently aim to build a framework for smartphone apps that would enable people and health authorities to track the virus using Bluetooth proximity data from their smartphones.

It is intended that next month application programming interfaces (APIs) will be available for development of  apps that work on both iPhones and Google’s Android operating system.

Few would object to the aims and sentiments expressed in the joint statement saying: “Google and Apple are announcing a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.”  However, although the joint statement also says: “Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” privacy advocates still have concerns.  

The companies have indeed sought to prioritise privacy.  Users who are diagnosed  positive for Covid-19 report it anonymously through the app, and any users who’ve recently contacted them will get a notification. The system is described as Bluetooth-only, fully opt-in, collects no location data from users, and no data at all from anyone without a positive Covid-19 diagnosis. 

However, although Bluetooth is less invasive than GPS, it is thought likely that tracing apps will ask for location.  While these will need to first ask permission from the user to use GPS, it does circumvent the Apple/Google approach of not initially using GPS.  You also rely on the app server itself not collecting and storing identifying data - such as the IP associated with the phone - from those uploads.

Separately, Bluetooth does require the phones to be constantly broadcasting their contact tracing bluetooth signal (albeit with number changing), with the phones being constantly monitored, which a Wired report suggests could allow a "correlation attack" which would enable some forms of tracking - though these would not be on a large scale.

However, for tracing purposes, the data can show exactly when and where paths crossed with others, hence reporting an infection potentially draws in friends and contacts to the report data.  Tracking of infected persons by advertisers is potentially possible but unlikely, though there may also be concerns that Google and Apple continue to deny advertisers access to the API after the crisis.

So the issue is, are these apps only allowable during the crisis?

Postscript:

On completion of this article, Samuel_Woodhams, digital rights lead at Top10VPN contacted SC Media UK to share the company’s Live Index which he explained, “documents new initiatives implemented in response to COVID-19 that may threaten digital privacy and human rights. I've also just updated it with details of the 40+ contact tracing apps available around the world.”  

Key findings in the index (which SC has had no part creating and accepts in good faith, all copyright belonging to Top10VPN) substantiate the privacy concerns raised above and include:

  • Contact Tracing Apps are being used in 23 countries

  • Alternative digital tracking measures are active in 22 countries

  • Physical surveillance technologies are in use in 10 countries

  • COVID-19-related censorship has been imposed by 12 governments

  • Internet shutdowns continue in four countries despite the outbreak

  •  There are currently 43 contact tracing apps available globally

  •  India’s Aarogya Setu is the most popular, with 50 million downloads

  •  28 percent of apps have no privacy policy

  •  64 percent of apps use GPS rather than Bluetooth

Readers will need to go to Top10VPN’s live index for updates, and readers are invited to submit information regarding developments occurring around the world to this public Google Sheet, but details as of today 22/4/20 are listed below.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews