Covid-19: the race to create privacy-focused contact tracing tools

As authorities seek technological solutions to the pandemic, experts fear the consequences for civil liberties

  • John Leonard
  • @_JohnLeonard
  • 07 April 2020

Crises can be great catalysts for change. Issues that had been forever relegated to the back burner suddenly find themselves addressed, while others that were thought to be impractical, unaffordable, or too disruptive are abruptly reframed as essential and unavoidable. The most often quoted example in the context of the coronavirus pandemic is the Black Death, which dealt a fatal blow to the feudal system in 14th-century Europe. As another example, the NHS was born in the aftermath of the Second World War.

The broad changes that may result from this crisis are hard to predict - who knows, they might include forgiveness of debt and a concerted effort to tackle climate change - but one obvious positive outcome would be to ensure we are better prepared for the next pandemic. International agencies like the World Health Organisation (WHO) and public health bodies need to be better resourced and evidence-based mitigation strategies followed.

When it comes to these mitigation strategies, data - including highly sensitive health, communication and location data - will inevitably play a pivotal role. Indeed, it is already taking centre stage as authorities ponder the best way to monitor the spread of infections. The question is, can this be done without major damage to civil liberties, and in a way that can be rolled back once the pandemic subsides?

There is an urgent need to address this situation as right now, around the world, governments are deciding what to do next, and may fix on a flawed solution that will have damaging long-term outcomes.

Scope creep

It's important that data co-opted in the fight against Covid-19 is used in ways that are transparent and restricted to the issue of disease control. If not, the public will lose the all-important trust in the process.

Currently, the default tendency with data initiatives is frequently 'give it to Google' or some other tech giant deemed capable of crunching through data for insights. Alternatively, authorities squirrel away the information in their own data stores to be mined in ways the public can only guess at.


The changes catalysed by crises are by no means always positive, and there's a risk that hard-won rights and protections could be jettisoned. Authoritarian governments are already using the emergency to consolidate their power - as of last week Hungary is effectively a dictatorship - and centralised data sources provide a powerful means of telling who's been associating with who, and where. "Our freedom is built on what others do not know of our existences," as Alexander Solzhenitsyn put it.

And of course, personal data is the fuel that powers Silicon Valley; many of the firms being called upon to assist in the crisis made their fortunes through its use. The health tech sector is predicted to be a huge revenue earner over the coming years, and there are fears that these companies will look to capitalise on a regulatory pullback by governments as they battle the virus.

There is a significant risk of scope-creep, where the data we hand over to battle the virus is cross-matched with other information in ways we don't understand.

Last week's release by Google of aggregated smartphone data charting public movement in locations such as parks and retail has been seen by many as a PR stunt. There was no demand for this from health professionals, pointed out Edin Omanovic, advocacy director at Privacy International, who described the move as "technological solutionism".

"People want to make sure that the health experts are actively driving this process," Omanovic said during a public webinar hosted by Open Rights Group on Friday. "And what is it they're asking for? They're asking for things like more testing and personal protective gear. They're not asking for these high-tech, super-duper contact tracing apps or for Google to send out anonymised data on everyone."

But privacy advocates are treading a fine line. With governments all over the world turning to phone data to trace contacts of infected people so they can be quarantined, there could be a significant backlash if privacy concerns blocked access and if that were to lead to worse outcomes.

Those concerned about the use of personal data cannot afford to be seen as blockers; they need to come up with better solutions.

Contact tracing

Contact tracing is a core strategy in coronavirus containment efforts. When a person becomes symptomatic, the people they had been near can be contacted and told to self-isolate.

Phone data and apps promise a quick and relatively easy way of locating those potentially infected, but they can be highly intrusive, particularly if they use geolocation data: where we go, when we go there and who is there at the same time provides a powerful indicator as to our lives and preferences.


A less invasive approach is to use Bluetooth, whereby users' phones detect and record other devices running the app in their close vicinity without needing to record location data. This approach is used by the Singaporean app TraceTogether and provides a degree of privacy in that data is stored encrypted on the device, deleted after 21 days, only uploaded (voluntarily) when the user becomes symptomatic, and with the user's identity and those of the contacts pseudonymised. However, it is still a centralised surveillance system and identities could be de-anonymised relatively easily.

App-based contact tracing is far from fool-proof. It skips over people infected from contaminated surfaces (albeit this is likely a small proportion of total infections). To be effective it is also thought to require the cooperation of about 60 per cent of the population, but the science on this is not solid: the demographics of app users may not be representative of the population, for example. And other measures - focusing on taxi drivers and others who come in contact with a lot of people - may be more effective.

Importantly, people need to trust the app vendors, the mobile OS providers, the data processors and the authorities not to abuse their powers. As an example of the latter, governments in Montenegro and Moldova published details of people infected with Covid-19, leading some to be abused. Such actions destroy trust and will lead to under-reporting.

Nevertheless, despite its drawbacks, at this stage in the pandemic's progress app-based contact tracing is a mechanism that many governments are looking at.

A question of consent

WHO guidelines from 2017 state that "Individuals have an obligation to contribute to surveillance when reliable, valid, complete data sets are required and relevant protection is in place. Under these circumstances, informed consent is not ethically required."

This chimes with the latest ICO advice which says: "Generalised location data trend analysis is helping to tackle the coronavirus crisis. Where this data is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified. In these circumstances, privacy laws are not breached as long as the appropriate safeguards are in place."

However, there are serious questions as to the possibility of truly anonymising location data. "It gives technical cover for governments to pretend that some data is anonymous data and therefore not subject to the same rules," said Paul-Olivier Dehaye, board member at MyData Global, a non-profit focused on personal data empowerment.

Not only that but there are numerous other challenges around consent in this context, he added: "We're not just talking about consent of the app user, but also pre-emptive consent of the contacts for their information to be passed on."

A more private tracing solution

Given the urgency of the situation, any privacy-focused protocol or app will need to meet a number of criteria. It must be science-based, interoperable, independent from interference and accepted by authorities and users - and it must work.

Dehaye mentions a few possible candidates, one being a decentralised Bluetooth protocol called Contact Event Numbers (CEN). A European consortium-led initiative called PEPP-PT is expected to release some code in the next few days, although privacy activists fear it may be too centralising; and there's a third candidate from members of the same consortium called DP-3T, which describes itself as a "secure and privacy-preserving decentralised privacy-preserving proximity tracing system".

What all these have in common (with the possible exception of PEPP) is that data is held encrypted on the smartphone rather than being uploaded to a centralised store. Authorities will be able to notify people who have been in close contact with a symptomatic sufferer while only having access to the requisite information - the principle of data minimisation, in other words.
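A simplified sketch of the decentralised model described above, added here as an illustration; it is not code from CEN, PEPP-PT or DP-3T, and the `Phone` class, the random 16-byte identifiers and the constructed scenario are assumptions. It reuses the 21-day retention figure the article quotes for TraceTogether, omits encryption at rest, and shows that when matching runs on the handset the server only ever holds the reporting user's own broadcast identifiers.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)  # retention window the article quotes for TraceTogether


class Phone:
    """One handset in a decentralised scheme (hypothetical model, not a real protocol)."""

    def __init__(self):
        self.sent = []   # (timestamp, ephemeral id) this phone broadcast
        self.heard = []  # (timestamp, ephemeral id) received from nearby phones

    def broadcast(self, now):
        # Fresh random identifier per broadcast: unlinkable to the owner or to earlier ids.
        eid = secrets.token_bytes(16)
        self.sent.append((now, eid))
        return eid

    def observe(self, eid, now):
        # Kept on the device only; no location is recorded.
        self.heard.append((now, eid))

    def prune(self, now):
        cutoff = now - RETENTION
        self.sent = [(t, e) for t, e in self.sent if t >= cutoff]
        self.heard = [(t, e) for t, e in self.heard if t >= cutoff]

    def report_symptomatic(self, now):
        # Voluntary upload of this phone's own ids; the ids it heard never leave it.
        self.prune(now)
        return {e for _, e in self.sent}

    def exposed(self, published, now):
        # Matching runs locally against the published set.
        self.prune(now)
        return any(e in published for _, e in self.heard)


def simulate():
    """Constructed scenario: Alice meets Bob on day 0 and Carol on day 30."""
    start = datetime(2020, 4, 1)
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    bob.observe(alice.broadcast(start), start)        # contact older than 21 days
    day30 = start + timedelta(days=30)
    carol.observe(alice.broadcast(day30), day30)      # recent contact
    report_day = start + timedelta(days=32)
    published = alice.report_symptomatic(report_day)  # everything the server holds
    result = {"server_holds": len(published)}
    for name, phone in (("bob", bob), ("carol", carol), ("dave", dave)):
        result[name] = phone.exposed(published, report_day)
    return result
```

In this sketch the server learns that someone reported and which random identifiers they broadcast, but not who they met; in a centralised design the uploaded contact log would sit in the central store instead.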

Dehaye pointed to a prototype called WeTrace, developed in the space of two weeks by engineers from Google and a Swiss bank, as an example of a protocol that could be merged and provide further improvement on the current models.

However, whether a privacy-preserving protocol or app will be ready before EU governments decide on an approach remains to be seen. Dehaye fears they may plump for the Singaporean approach, which would leave sensitive data in central stores. Another issue is the fact that any app will need to be acceptable to iOS and Android app stores.

"The app stores are already gatekeeping for some apps and not others based on the health credentials of developers (hospital or governments), [and] questions around background trackers are important," he said.

"It's one of those moments where Europe realises how much critical infrastructure it has let go."
