TraceTogether in Singapore, Aarogya Setu in India, StopCovid in France, Covidsafe in Australia… Contact tracing applications are flourishing around the world and becoming the new trendy governmental tool to track the spread of COVID-19. This fashionable tool's main purpose is to establish that a citizen has been in proximity to someone who tested positive for coronavirus. Privacy International and other organizations have raised concerns about the rush to deploy these technologies and about the dangerous false debate between health and privacy. So the contact tracing app is the new trendy and polemical thing, but how does it work? Is it the seed of a dystopian surveillance state? Above all, how does the birthplace of the General Data Protection Regulation (GDPR) respond?
- Using anonymized telco metadata is highly sensitive.
- What does the Queen of privacy have to say?
- The Queen’s disillusion: a Common EU approach.
First, unlike approaches that collect telco metadata, contact tracing apps generally rely on Bluetooth. Among the available tracking technologies (the others being GPS and Wi-Fi location data), Bluetooth is the least invasive. Bluetooth Low Energy, the Bluetooth protocol used by Apple, Google, and BlackBerry, is ideal for transferring small amounts of data and is suited to short-distance transfers. Basically, the stronger the Received Signal Strength Indicator (RSSI) of a Bluetooth connection, the closer the devices are. An app can therefore be designed to alert people who have been in close proximity to infected individuals.
Nevertheless, to be effective, this tracking technology has to be downloaded by at least 60% of a country's population, according to Oxford University's Big Data Institute. In addition, it should be accompanied by a methodical national testing strategy.
By contrast, telecommunication metadata doesn't meet privacy and security standards. It respects privacy principles on one condition: data anonymization. Today, however, complete anonymization isn't achievable. The only option left is to de-identify the data by aggregating it with a large amount of other data. But even at this point, it is feasible to re-identify an individual. In brief, location data collected by electronic telecommunication service providers requires robust anonymization, so governments should choose contact tracing applications built on proximity technology.
Considering the inherent limits of using aggregated telco metadata, the European Data Protection Board (EDPB), which ensures consistent application of the GDPR, published Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. Unsurprisingly, the Queen emphasized her superiority by exhibiting her favorite child, the GDPR, with its seven data protection principles and eight customer rights, and the less cherished Directive 2002/58/EC, or "ePrivacy Directive". Regarding contact tracing apps, the EDPB made it crystal clear that “It can only be legitimised by relying on a voluntary adoption by the users for each of the respective purposes.” Furthermore, it defines a controller, who controls the procedure and the purpose of the data processing: the national health authorities. The controller has the ultimate responsibility and should be audited regularly, and the algorithms used in contact tracing apps should be transparent. Consequently, national health authorities should publish a data protection impact assessment (DPIA) before releasing such a tool.
Still, those guidelines don't really threaten the Queen's legitimacy. Indeed, the core issue of a contact tracing app is the storage of people's data. Is the data going to be stored on a central government server, or on individuals' phones? In other words, does the Queen recommend a centralized or a decentralized approach? To that question, the EDPB's answer is: “Implementations for contact tracing can follow a centralized or a decentralized approach.” However, as the virus knows no borders, the European Commission urges member states to take a common approach.
Even though a clear European protocol would be ideal, governments are divided between two systems: the European PEPP-PT COVID-19 contact tracing standard, short for Pan-European Privacy-Preserving Proximity Tracing, and the decentralized protocol DP-3T. In the first, pseudonymized IDs would be stored and processed on a server controlled by national health authorities. This design, backed by France, Italy and the UK, could be used to create a social graph. On the other hand, Germany, Spain, Switzerland and Estonia adopted a decentralized protocol out of concern over social graph abuses.
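The difference between the two storage models can be made concrete with a simplified model of what the server learns in each. This is an added example, not part of the original article and not the PEPP-PT or DP-3T specification; the ID derivation, the `Phone` class and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

SLOTS = 4  # constructed value: ID rotations per day in this toy model

def ephemeral_ids(day_key):
    """Rotating broadcast IDs derived from a device's secret daily key."""
    return [hmac.new(day_key, b"slot-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(SLOTS)]

class Phone:
    def __init__(self, name):
        self.name = name
        self.day_key = os.urandom(32)
        self.heard = set()  # IDs received over Bluetooth, kept on the device

    def meet(self, other, slot):
        self.heard.add(ephemeral_ids(other.day_key)[slot])
        other.heard.add(ephemeral_ids(self.day_key)[slot])

def centralized_server_view(phones, infected):
    """Central model: the server knows which user each pseudonymous ID belongs
    to, and infected users upload the IDs they heard."""
    registry = {eid: p.name for p in phones for eid in ephemeral_ids(p.day_key)}
    graph = defaultdict(set)
    for p in infected:
        for eid in p.heard:
            graph[p.name].add(registry[eid])  # contact resolved server-side
    return dict(graph)

def decentralized_server_view(infected):
    """Decentralized model: the server only relays infected users' daily keys."""
    return [p.day_key for p in infected]

def local_match(phone, published_keys):
    """Runs on the phone: re-derive IDs from published keys, compare locally."""
    return any(eid in phone.heard
               for key in published_keys for eid in ephemeral_ids(key))

def demo():
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    alice.meet(bob, 0)
    alice.meet(carol, 2)
    graph = centralized_server_view([alice, bob, carol, dave], [alice])
    keys = decentralized_server_view([alice])
    return graph, [local_match(p, keys) for p in (bob, carol, dave)]

if __name__ == "__main__":
    print(demo())
```

In the centralized run the server ends up holding the edge list around the infected user, which is the raw material of a social graph; in the decentralized run it holds only opaque keys, and each phone learns of its own exposure without the server learning who met whom.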
Her kingdom is torn apart, and the icing on the cake: Google and Apple are working on a decentralized tracing tool. This collaboration will allow an iPhone to communicate with an Android device and vice versa. The two tech giants are imposing their own vocabulary by talking about "exposure notification" technology and not "contact tracing". Their goal is to modify the API framework in order to enable the building of apps. Moreover, they hold the key to the golden gate of Bluetooth technology. A centralized protocol would need permanent access to Bluetooth, which iOS doesn't allow. This is a crucial time in history: governments like France are therefore pressuring Apple to remove those restrictions, and for now Apple is saying no.
If the Queen of privacy is nearly dead and her allies are facing difficulties, are Apple and Google the new Kings?
About the Author
Margaux Vitre is a final year Bachelor student at SciencesPo Paris and La Sorbonne, interested in data privacy and GDPR influence around the world. Introduced to data privacy from a competition law perspective, at the Cyber Peace Foundation I’m focused on two main areas: Policy Review and Technology Governance.