Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Data Privacy Issues in COVID-19 Contact Tracing Apps

In response to the coronavirus (COVID-19) pandemic, technology companies and public health authorities around the world have been developing contact tracing apps as a way to track and thus slow the spread of the virus. Implementation of those apps, however, can raise privacy and cybersecurity considerations.

Contact tracing apps essentially work by gathering information from individuals who have tested positive for the virus and then locating and notifying people with whom those individuals have been in close contact, frequently by use of GPS, Bluetooth, or wireless technology.

To better understand how contact tracing apps use and access personally identifiable information, Nature Medicine published a study of 50 COVID-19-related apps in May 2020. The study found that across the apps, the most common functionalities were "live maps and updates of confirmed cases; real-time location-based alerts; systems for monitoring and controlling home isolation and quarantine, direct reporting to government, and self-reporting of symptoms; and education about COVID-19. Some more-advanced services include self-assessment of daily physiological status; monitoring of vital parameters, such as temperature, heart rate, oxygen and blood pressure, through the use of Bluetooth-enabled medical devices; virtual medical consultations (ADiLife Covid-19 in Italy); social science–based interventions based on predictive analysis of diseases in specific locations (OpenWHO); and community-driven contact tracing (TraceTogether and mfineRadar)."

Of the 50 apps analyzed in the Nature Medicine study, 30 required permission for access to the user's mobile device. Some of the apps explicitly state that they will use "information about the person’s age, email address, phone number and postal code; the device’s location, unique device identifiers, mobile IP address and operating system; and the types of browsers used on the mobile device." Others "demand access to contacts, photos, media, files, location data, the camera, the device ID, call information, the WiFi connection, the microphone, full network access, the Google service configuration, and the ability to change network connectivity and audio settings."

Despite all of the data being used and collected, the study found that only 16 of the 50 apps analyzed stated that users’ data would be made "anonymous, encrypted and secured and will be transmitted online and reported only in an aggregated format."

The question on a lot of minds is, “Who will have access to the data and for how long will it be stored?”

Contact tracing apps use either a centralized or a decentralized approach to logging data. In a centralized approach (used by contact tracing apps in the United Kingdom, Singapore, and Australia), a user’s data is uploaded to a main server where public health authorities can review and analyze it. In a decentralized approach (used in Holland’s contact tracing app), data remains on the user’s mobile device with a "minimal amount of information uploaded to the server."

Apps that use a centralized approach have more privacy risks (as data could be stolen or used for other purposes), but supporters say it gives authorities better insight into the spread of the virus. Apps that use a decentralized approach are more privacy friendly, as the data stays on users' devices.
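The privacy difference between the two designs is easiest to see in what the server ends up holding. The following toy model is an added example written for this post; it is not code from any contact tracing app or framework mentioned here. The phone names, the three-phone scenario, and the 16-byte random identifiers are all constructed. In both designs the same two contacts get notified, but only the centralized server ends up with a named contact graph.

```python
"""Toy model of the centralized and decentralized contact tracing designs.

Constructed scenario: phones A, B and C. A meets B, then B meets C, and B
later tests positive. Both designs must notify A and C; compare what the
server retains afterwards.
"""
import os
from typing import Dict, List, Set, Tuple


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name                # account name; only the centralized server can use it
        self.sent: List[bytes] = []     # random identifiers this phone broadcast over Bluetooth
        self.heard: List[bytes] = []    # identifiers received from nearby phones


def encounter(a: Phone, b: Phone) -> None:
    """Simulate one close contact: each phone broadcasts a fresh random
    identifier and logs the identifier it hears from the other phone."""
    for sender, receiver in ((a, b), (b, a)):
        rid = os.urandom(16)
        sender.sent.append(rid)
        receiver.heard.append(rid)


def centralized(phones: List[Phone], diagnosed: Phone) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Centralized design: the server issued every identifier, so it keeps an
    identifier -> account registry. The diagnosed user uploads their encounter
    log, the server resolves it to accounts and sends the notifications.
    Returns (accounts notified, what the server now retains)."""
    registry = {rid: p.name for p in phones for rid in p.sent}
    contacts = [registry[rid] for rid in diagnosed.heard]
    server_record = {diagnosed.name: contacts}   # a named contact graph now lives server-side
    return set(contacts), server_record


def decentralized(phones: List[Phone], diagnosed: Phone) -> Tuple[Set[str], List[bytes]]:
    """Decentralized design: the diagnosed user uploads only the random
    identifiers their own phone broadcast. The server cannot map them to
    anyone; each phone downloads the list and matches it against its own
    encounter log locally. Returns (accounts notified, what the server retains)."""
    published = list(diagnosed.sent)             # the only data that ever reaches the server
    notified = {
        p.name for p in phones
        if p is not diagnosed and set(p.heard) & set(published)
    }
    return notified, published


def run_scenario() -> Tuple[Tuple[Set[str], Dict[str, List[str]]], Tuple[Set[str], List[bytes]]]:
    """Build the constructed A-B, B-C scenario and run both designs with B diagnosed."""
    a, b, c = Phone("A"), Phone("B"), Phone("C")
    encounter(a, b)
    encounter(b, c)
    phones = [a, b, c]
    return centralized(phones, b), decentralized(phones, b)


if __name__ == "__main__":
    (c_notified, c_server), (d_notified, d_server) = run_scenario()
    print("centralized notifies", sorted(c_notified), "; server holds", c_server)
    print("decentralized notifies", sorted(d_notified),
          "; server holds", [x.hex() for x in d_server])
```

Running it shows the centralized server holding `{'B': ['A', 'C']}`, i.e. who the diagnosed person met, while the decentralized server holds only two random values that it cannot tie to any account. That is the concrete form of the "data could be stolen or used for other purposes" concern above: a breach or repurposing of the centralized store exposes a social graph, whereas the decentralized store exposes nothing that identifies anyone.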

The United Kingdom, Singapore, and Australia have defended their choices to use a centralized approach, saying that healthcare needs at this time outweigh a lot of privacy concerns. Two large tech companies in the United States, however, announced a plan in April to create the technical framework for decentralized apps.

Like most mobile apps, contact tracing apps will likely be distributed by the large platforms maintained by the two tech companies. Both of the tech companies' platforms require all apps that access personal information to have a privacy policy that users can read before downloading and installing the app. Similarly, the operating systems that run both companies' devices display a popup requesting user consent when certain functions of the device are accessed. This includes location data, photos, push notifications, and other sensitive functionalities. These features of the platform and operating system help create privacy by design in all apps, including contact tracing apps.

Since the initial announcement of this plan, only six states in the United States have launched apps using the framework. In response, this week, the tech companies announced that they will also provide the technology for "sending and receiving alerts, no outside app required." The companies have said they remain committed to protecting users' privacy: They “won’t collect any identifying data, instead relying on anonymous identifiers to keep track of which phones are near each other. And although the feature is baked into the operating system, [certain device] users in states where it is made available will be required to opt in."