The Federal Government has announced that it will introduce an Australian version of the Singapore Government’s COVID tracking app, TraceTogether. PM Scott Morrison and the Health Minister say the app will be voluntary and will not be used as a surveillance tool.
To be effective, contact tracing apps need to be used at scale within the population. If their use is voluntary, the public will need a high level of trust in the privacy protections.
The US NGO Future of Privacy Forum has prepared a handy comparative table of the different COVID tracing apps around the world, including TraceTogether.
TraceTogether applies the following 'privacy by design' approaches:
- Who participates? The app is ‘opt in’ between the person whose contacts are being traced and the people with whom they have come in contact, because both ‘sides’ of the contact have to be subscribers to the app. Consent may be revoked at any time via email with the mobile number used to register in the app.
- What data is collected? TraceTogether collects and stores only users’ phone numbers and a random anonymised User ID generated when a user signs up. User location data is not collected. By contrast, the UK app collects health data, IP address, location and contact information.
- How does it work? TraceTogether uses a mobile phone’s Bluetooth to ‘ping’ nearby mobile phones also loaded with TraceTogether. If the phones stay within 6.5 feet of one another for 30 minutes, they exchange messages with a timestamp, Bluetooth signal strength, the phone’s model, and a temporary identifier. The data exchanged between the phones is stored only on each phone and not transmitted back to a central database.
- How is the tracing done? If a TraceTogether subscriber tests positive for COVID, he or she can opt to provide public health officials with the data exchanged with other phones and stored on his or her phone. Each Temp ID exchanged between the phones is the other user’s ID encrypted with a private key held by the Ministry of Health, which allows the Ministry to decrypt it and match it against the centrally stored subscriber data to identify the people who came in contact with the infected person.
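To make the two points above concrete, here is an added illustration in standard-library Python; it is not TraceTogether’s own code. The authority issues Temp IDs by encrypting the anonymised user ID (plus a validity window) under a key only it holds, the phone keeps its encounter log locally and filters it to the 30-minute, 6.5-foot close contacts, and the authority decrypts only what an infected user chooses to upload. The RSSI threshold, the toy HMAC-based cipher, the validity-window check and all sample values are assumptions for the example.

```python
import hmac, hashlib, json, os
from collections import defaultdict

# Constructed demo key; in the real system only the health authority holds it.
AUTHORITY_KEY = b"constructed-demo-key"
CLOSE_RSSI_DBM = -70       # assumption: a signal at or above this ~ within 6.5 ft
MIN_CONTACT_SEC = 30 * 60  # the 30-minute threshold described in the article

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a toy stand-in for a real AEAD cipher
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def make_temp_id(key, user_id, valid_from, valid_to):
    """Authority side: encrypt the anonymised user ID plus a validity window."""
    pt = json.dumps([user_id, valid_from, valid_to]).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def open_temp_id(key, blob):
    """Only the key holder can recover the user ID; a tampered blob is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("Temp ID failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def close_contacts(log):
    """On-phone filter: per Temp ID, keep only contacts whose strong-signal pings
    span at least 30 minutes. Entries are (unix_time, rssi_dbm, model, temp_id)."""
    seen = defaultdict(list)
    for ts, rssi, _model, tid in log:
        if rssi >= CLOSE_RSSI_DBM:          # weak pings (other room, far away) are ignored
            seen[tid].append(ts)
    return {tid: ts for tid, ts in seen.items() if max(ts) - min(ts) >= MIN_CONTACT_SEC}

def trace(key, registry, contacts):
    """Authority side: decrypt the uploaded Temp IDs and look up phone numbers.
    A Temp ID seen outside its validity window is treated as stale and dropped."""
    found = {}
    for tid, times in contacts.items():
        user_id, vfrom, vto = open_temp_id(key, tid)
        if all(vfrom <= t <= vto for t in times):
            found[user_id] = registry[user_id]
    return found
```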
So, TraceTogether does not trace where infected users have been but instead identifies who they came into contact with. By not using geolocation, TraceTogether avoids some of the problems encountered in South Korea where infected and exposed people have been traced at locations which were invasive of their private lives (e.g. stays at ‘love hotels’).
The head of the TraceTogether development team warns against apps sending automated notification of probable close contacts with persons who have been diagnosed with COVID-19 (read here). Apps should be a tool enhancing human-led contact tracing: proximity-based phone data is too crude because it fails to take account of the surrounding environmental factors (was the contact in open space or in a closed room?); it generates too many false positives/false negatives; it fails to throw the net wide enough to capture asymptomatic transmission (contacts of the contact); and it loses the humanity needed when breaking news of potential infection to someone.
Last Thursday, the EU released a Common EU Toolbox for Member States setting out the requirements for mobile contact tracing applications, including:
- Apps should be temporary and voluntary, with the ability to be self-dismantled and data deleted at the end of the crisis, and installation should be consent-based, with clear information provided to users on intended use.
- The principle of data minimisation should be upheld – location data is not necessary for the purpose of contact tracing (as demonstrated by TraceTogether) and would be the source of major security and privacy issues.
- Careful consideration needs to be given to the privacy implications of where the collected data is stored. Decentralised apps store any proximity data on the individual device until it is needed for tracing and in this way reduce risks to privacy (as with TraceTogether). On the other hand, backend server solutions give public health authorities the ability to use anonymised/aggregated data in monitoring population-wide social distancing, but also carry privacy risks of surveillance of individuals.
- The apps should be designed to reduce the risks of inaccurate tracing: i.e. false positives. For example, the accuracy of contact detection should be up to one metre. But as the information needs to be that granular, there should be strong technology solutions to enhance protections against eavesdropping, hacking and tracking (e.g. pseudonymised IDs from other mobiles).