Contact tracing apps: how do they concern me?


Joseph Evans

A discussion of the issues and limitations of contact tracing apps and why they are so controversial.

A contact tracing app to help limit the spread of coronavirus has been discussed for months. The original proposal was that it would help to limit the initial spread of the virus back in the “herd immunity” days of March — hopefully helping to avoid the need for a lockdown. Now, following a number of changed requirements and controversial ideas, the app is set to be launched over summer to assist in the government’s lockdown exit strategy, following a trial period on the Isle of Wight.

Two major concerns are raised by the development of this app: firstly, is it too late for it to be useful; secondly, what are the security and privacy implications of an app having access to (and making others aware of) the medical data and location of members of the public?

To address the concern over usefulness, the supporting evidence for the efficacy of contact tracing technology comes from its use in China, Singapore, Taiwan and South Korea to identify and isolate those infected with the virus before they could spread it to others. These countries have had extensive surveillance systems in place from long before coronavirus was a concern. Contact tracing via an app will necessarily operate very differently to contact tracing performed by the full apparatus of a surveillance state. Wired reported that when an app was introduced in Singapore to supplement the manual process of contact tracing via interviewing patients and reviewing CCTV, it had little to no effect, and could not replace the human-led operations of volunteers and the police. In the west, the kind of national surveillance infrastructure that is available to the government of Singapore does not exist. Extensive CCTV networks are used by the police to monitor the population, which would be politically impossible here due to the emphasis on freedom and civil liberties that lies at the heart of western government institutions. The very existence of government institutions such as the NSA or GCHQ is already controversial, to give them the powers of eastern security services would cause uproar. The closest we have is data harvesting performed by private companies such as Google or Amazon, which, judging by the lack of relevant protective legislation highlighted in Mark Zuckerberg’s hearing with the US Senate, is almost certainly not going to be made available to the various governments seeking to introduce effective contact tracing.

Further doubt as to the utility of contact tracing apps comes from the variety of proposed requirements across the world for the numerous apps in development. Apple and Google have created a system upon which apps can be built which seeks to limit privacy concerns by storing the relevant contact tracing information on the user’s phone, keeping it decentralised. The UK and France, in contrast, are building apps that use Bluetooth to collect information about which users have been in proximity to each other, and then store this information in a central database, leading to fears over freedom of information and excessive surveillance. Indeed, the French government has asked companies to relax their privacy protections, which has been greeted with concern that these reduced protections will remain after the crisis is over.

This brings us to the security and privacy issues. The prospect of the UK government holding a central database containing information listing everyone a person has been in contact with is quite terrifying, given their history of lack of understanding or concern when it comes to data protection. Theresa May’s government had to scrap the proposed age restriction for access to pornography after it was revealed that verification would require the user’s credit card details to be submitted to a third party – that third party being a subsidiary of Pornhub – on which the only restriction was a flimsy request that they not use the data for nefarious purposes. Controversy was already sparked in April when the government announced that they reserved the right to de-anonymise people who tested positive to the virus. To make matters worse, as reported on 13 May in the Guardian, there is already evidence that people are abusing the trial of the app on the Isle of Wight to send false alerts as part of a phishing scam — fake alerts inform users that they may have been exposed to the virus and direct them towards a link that asks for personal details.

It is no surprise, then, to see that the majority of published discussion on this topic focuses on the risks of such an app, and the dangerous precedent of allowing a government to bypass privacy restrictions and gather more and more data about its citizens. This does constitute a breach of the fundamental right to privacy. It cannot be denied, though, that the extensive surveillance state in South Korea has contributed significantly to their success in battling the virus, and it is only natural that other governments would seek to learn lessons from this.

Should contact tracing be shunned or feared? I don’t think so. The idea of using contact tracing to identify possible sources of transmission has been shown to be effective. Is an app the right way to go about instituting contact tracing? No. As was found in Singapore, the most effective way to carry out contact tracing is through interviews and human investigative work. An app taking note of which other phones its user is in close proximity to is a half-measure, with the same invasion of privacy and far less of the effectiveness of the physical surveillance methods used in eastern countries. Lockdown has shown that the public is prepared to accept restrictions to their freedom providing that it helps combat the virus and save lives. Thus far the evidence points to the app failing to meet this requirement.