The European Commission, in coordination with its e-Health Network, has released guidance for the development and management of COVID-19 contact tracing applications. The guidance outlines standards for national applications that require they be voluntary, approved by the national health authority, easily dismantled when no longer needed, and privacy-preserving. That last bit is complicated and has already caused confusion.
As the coronavirus pandemic progresses and some countries seem to be seeing a decline in the frequency of confirmed COVID-19 cases, nations are eager to revitalize their economies and relieve citizens from the burden of stay-at-home orders. To achieve this, health experts across the globe have noted that along with the softening of social distancing standards comes the need for robust testing capacities and advanced contact tracing measures.
Contact tracing is nothing new, but the scale at which this coronavirus will require tracing measures is unlike anything the world has dealt with previously. Technology is seemingly ready to rise to the occasion with several countries and organizations currently working on mobile applications to tackle the challenge. ProgrammableWeb published a story last week discussing a joint effort by Apple and Google to develop an API and subsequent application for global contact tracing powered by Bluetooth.
Tech giants like Google and Apple, alongside global governing bodies, are the leaders in developing contact tracing applications (in terms of attention and eventual use), but that hasn’t stopped other organizations from developing competing applications. A quick search of Apple’s App Store turned up several applications claiming to help “protect yourself and others.”
The guidance published by the EU discusses this issue, noting that “In order to prevent the proliferation of unlawful or harmful apps, each Member State should consider setting up a national system of evaluation/accreditation endorsement of national apps...” The document continues by stating that “Close cooperation with app stores will be needed to promote national apps and promote uptake while delisting harmful apps.” This line, in particular, seems to have been exaggerated to create catchy headlines claiming that the EU is demanding Apple/Google remove offending apps. The document does not explicitly say that, but it does position government-run applications as good and leaves room for the interpretation that all other apps are bad.
This raises the very important question of which apps people should use for contact tracing, who decides, and how we know they can be trusted. After all, it wasn’t long ago that an API created by the US Centers for Medicare & Medicaid Services had to be shut down when it was discovered that a security vulnerability led to personal data being leaked. Similarly, Apple, a company well known for its security prowess, has been connected to security missteps.
So if governments and large corporations are capable of security failures that leave personal data vulnerable, then who should you trust with the creation of a COVID-19 contact tracing app? Probably no one. Contact tracing might need to be viewed as a personal sacrifice for the greater good, and that’s why transparency is paramount. In combating this pandemic we will all be required to think a little differently (unintentional nod to Apple). The corporations and governments creating these applications will need to be extremely clear about what data they are collecting and how it will be shared. After all, for contact tracing to work it requires a massive amount of participation, something that isn't likely if individuals feel that the data collected could somehow be used against them. Individuals will need to view the intrusion of this kind of Orwellian oversight as a temporary, yet arguably necessary, means by which we can all exist in these turbulent times as safely as possible. The decision of whether or not you should provide these applications with your personal information is one that can't be taken lightly, and it is incumbent on all parties involved to provide the information necessary to allow for individually calculated risk/reward ratios.
Until the details of these applications eventually come to light, I am encouraged by the direction outlined by the European Commission's e-Health Network:
"The cybersecurity requirements also address the need to enhance both national authorities’ but also citizens’ trust in the proper functioning of the applications and to provide transparency. Independent testing of the applications, access to Source Code and policy for vulnerability handling and disclosure are in this respect deemed necessary."