COVID contact-tracing apps and privacy — Robert Hannigan

Governments rarely make their best decisions in a crisis. Crises do not lend themselves to perfect policy making. There is no time for the careful analysis and discussion of unintended consequences that would normally be seen as essential. A pandemic requires us to settle for ‘good enough’, to avoid making perfection the enemy of what works, and to get on with whatever saves lives. That is true of vaccine development, drug therapies and testing products, and it is also true of contact tracing technology solutions. But just as we are clear about the safety and efficacy redlines for a vaccine, however willing we may be to fast-track trials and cut through regulatory red tape, we should also be clear about our core principles and redlines for privacy. We should then make sure that we revisit these decisions in quieter times, after the crisis, and adjust accordingly.

Under pressure to find ways of reviving economic activity in advance of a vaccine or treatment for Covid, many governments and public health authorities are looking to smartphones to solve the problem of tracing and alerting. They know, as we all do, that a traditional human-staffed contact-tracing bureaucracy simply cannot be scaled up to deal with a very large population at the necessary speed in the middle of a pandemic. Investigation of each case takes too long and uses too much resource.

The evidence from countries where a technology fix has already been tried, notably South Korea and Singapore, suggests that contact tracing apps can be a useful supplement to public health initiatives but are not a magic solution. They rely on extensive testing, which many countries are still struggling with, require widespread adoption to be useful, and will always return a significant number of false positives and false negatives. Nonetheless, they offer citizens a rough-and-ready guide to any likely exposure to someone with Coronavirus and should therefore help populations to isolate based on risk, rather than as a blanket precaution for the whole country.

But the practical caveats about how effective they will be have been outweighed by legitimate concerns about intrusion on privacy. At the extremes, a contact tracing app could become a remarkably comprehensive surveillance device and could be misused to discriminate against groups or individuals on a huge scale. We can avoid this if we ensure tracing apps meet certain criteria.

First, the scope of what information is being ‘collected’ should be strictly limited. There is a huge variety of useful information that could be gathered about an individual’s health, but that is for debate in the future: this should not become a health ‘fishing trip’, however well intentioned. For now, the only data that should be recorded is an individual’s Covid history and their likely contact with others. The precise geographical location of the person and their actual identity are also irrelevant, although wider patterns of Covid exposure in particular regions will be helpful to health authorities.

Second, who stores and holds this data and who has access to it is critical. As far as possible data should remain with the individual and only be aggregated to public health authorities where necessary. There should be complete transparency about who can access this data and why. It should be deleted as quickly as possible.

Finally, the purposes for which this data can be used should be limited strictly to the pandemic. The temptation to allow public authorities or private companies, including advertisers, to do all sorts of other things with this information, however useful, should be resisted. The debate about the use of personal data in healthcare is already lively and needs to be taken much further in the future, but now is not the time to rush to a conclusion.

As far as possible these principles should be built into the technology so that the app itself protects privacy by design and as a key priority. I have avoided being prescriptive about which technical solution meets these tests, though it will be obvious that the Apple/Google proposal to enable localised contact tracing by Bluetooth comes close. But given that any solution which is useful in public health terms will have some flaws, rigorous oversight by an independent body should go alongside this. Most democracies already have such regulators and will not need to invent them. Public trust is key to data handling: both big tech companies and governments have learnt this the hard way in recent years. An app which citizens believe may be abused by the private sector or government will not be widely used and will defeat the whole purpose.

Perhaps most importantly, these contact tracing apps should be limited in time to the pandemic and not allowed to roll on seamlessly into the future. As well as helping in the crisis, they could then become a genuinely useful experiment in mass technology solutions for public health. If we can study and learn the lessons, both on effectiveness and privacy, we could then have developed a key tool in the management of future pandemics.

Cyber Security Specialist. Chairman of BlueVoyant International. Former GCHQ Director & Founder of UK National Cyber Security Centre. Views are his own.