Dec 01 2020

Contact Tracing and Privacy: Why Security Matters

Ensuring that participants understand the process — and protective measures — is critical to collecting complete, accurate data.

Contact-tracing applications are among the key technologies helping to fight the COVID-19 pandemic, but data security and privacy concerns remain hurdles that could complicate the process of identifying who has been exposed to the disease.

The public, after all, must be willing to participate in the confidential process.

A recent survey from the Pew Research Center underscores the divide. Half of U.S. adults said they wouldn’t be comfortable sharing location data from their cellphones, and 4 in 10 are not confident public health organizations will keep their personal records safe from hackers or unauthorized users.

Transparent development efforts can ease those concerns, says Colm Harte, technical director for NearForm, an Irish software developer that built the country’s COVID-19 contact-tracing app and recently worked with health officials in New York and New Jersey on their respective apps.

“We went through numerous steps to make sure the back-end data was protected, and all the source code is open source, so everybody is able to see it and review it,” Harte tells HealthTech. “Governments and third parties can validate that everything works the way we say it works, and it helps ensure privacy is handled the way it should be.”

Moreover, NearForm tracing tools use a decentralized approach, meaning that all the data is stored on the user’s phone. No personally identifiable information is uploaded to a centralized server, and all the data identifiers generated on the phone are anonymized.

Putting a dual emphasis on clarity and discretion helps promote the message that the apps are behaving the way they should be, which in turn could boost participation.

“These apps are targeted at the general population, so it’s important they protect people’s privacy, and it’s very important that everything you’re doing in the app leads to that,” Harte says.

Establish Trust to Support Contact-Tracing Efforts

Trust messaging around contact-tracing tools must be simple in order to gain enough buy-in for the process to be effective, says Bart Willemsen, a Gartner vice president and analyst who focuses on privacy and risk management.

“If an organization says, ‘We do not track you, we do not generate individual identifiable data,’ the public will believe that,” Willemsen says.


However, if the technology doesn’t live up to that promise, he notes, the public will feel misled and won’t feel compelled to participate or answer accurately. 

“Many people in the public feel contact tracing, to the level in which it can be done, is disproportionate to the risk, and therefore it doesn’t get adopted to the level where it can be effective,” Willemsen says, adding that distrust can run deeper. “There’s also the fear of being restricted in autonomy.” 

A subsequent public concern is the desire to know who’s in control of the data and how it can be used.

“Will our autonomy still be protected, or will we be disproportionally discriminated based on what an app says?” Willemsen says.

Data Protection for COVID-19 Contact-Tracing Efforts

Robust security measures such as end-to-end data encryption, randomization of identifiers and retention of data on the mobile device must remain top of mind for app developers involved in contact-tracing tools.

Those functions also are critical to combatting “fallacy of privacy” concerns that prevent people from providing detailed personal information that could have a profound impact on their social movements, says Dr. Saif Abed, a London-based cybersecurity expert.

No matter where the data is stored — be it in a centralized server or remaining with the user — the public has to trust and understand how the data will be used.

That support is even more important as states struggle to monitor rising COVID-19 cases and follow new contact-tracing guidelines from the Centers for Disease Control and Prevention.

“We shouldn’t look at these apps purely as apps, but as public health analytics platforms, because they are collecting and transmitting data to help conduct analytics to understand what resources need to be pointed where — information on restrictions, hotspots and so on,” Abed says. “It’s a much bigger ecosystem of data sharing.”
