[ Original @ Open Rights Group ]
Mobile data and contact tracing is a hot topic, as the UK and EU develop projects to provide privacy-protecting means of understanding who is at risk of infection.
The idea is for some 60% of the population to use an app which will look for people with the same app to record proximity. This data is then stored centrally. Health officials then add data of people who have been positively tested for COVID-19. Finally, persons who may be at risk because of their proximity to someone with the virus are alerted to this and asked to self-isolate.
This approach is likely to work best late on, when people are out of the full lock down and meeting people more than they were. It may be a key part of the strategy to move us out of lockdown and for dealing with the disease for some time afterwards. At the current time, during lockdown, it would not be so useful, as people are avoiding risk altogether.
Of course, it will be a huge challenge to persuade perhaps 75% or more of smartphone users (80% of adults have a smartphone) to install such an app, and keep it running for however long it is needed. And there are limitations: for instance a window or a wall may protect you while the app produces a false positive for risky contact. The clinical efficicacy of any approach needs to be throughly evaluated, or any app will risk making matters worse.
Getting users to install and use an application like this, and share location information, creates huge privacy and personal risks. It is an enormous ask for people to trust such an app – which explains why both the UK and EU are emphasising privacy in the communications we have heard, albeit the EU project is much more explicit. It has a website, which explains:
“PEPP-PR was explicitly created to adhere to strong European privacy and data protection laws and principles. The idea is to make the technology available to as many countries, managers of infectious disease responses, and developers as quickly and as easily as possible. The technical mechanisms and standards provided by PEPP-PT fully protect privacy and leverage the possibilities and features of digital technology to maximize speed and real-time capability of any national pandemic response.”
There are plenty of other questions that arise from this approach. The European project and the UK project share the same goals; the companies, institutions and governments involved must be talking with each other, but there is no sign of any UK involvement on the European project’s website.
The European project has committed to producing its technology in the open, for the world to share, under a Mozilla licence. This is the only sane approach in this crisis: other countries may need this tool. It also builds trust as people can evaluate how the technology works.
We don’t know if the UK will share technology with this project, or if it will develop its own. On the face of it, sharing technology and resources would appear to make sense. This needs clarifying. In any event, the UK should be working to produce open source, freely reusable technology.
We urgently need to know how the projects will work together. This is perhaps the most important question. People do, after all, move across borders; the European project places a strong emphasis on interoperability between national implementations. In the, UK at the Irish border, it would make no sense for systems lacking interoperability to exist in the North and Eire.
Thus the UK and Europe will need to work together. We need to know how they will do this.
We are in a crisis that demands we share resources and technology, but respect the privacy of millions of people as best as we can. These values could easily flip – allowing unrestricted sharing of personal data but failing to share techologies.
The government has already made a number of communications mis-steps relating to data, including statements that implied data protection laws do not apply in a health crisis; using aggregate mobile data without explaining why and how this is done; and employing the surveillance company Palantir without explaining or stating that it would be kept away from further tasks involving personal data.
These errors may be understandable, but to promote a mobile contact tool using massive amounts of personal location data, that also relies on voluntary participation, the UK government will have to do much better. PEPP-PT is showing how transparency can be done; while it too is not yet at a point where we understand their full approach, it is at least making a serious effort to establish trust.
We need the UK government to get ahead, as Europe is doing, and explain its approach to this massive, population-wide project, as soon as possible.