The Chaos Computer Club, bless their anarchists’ hearts, published a list of minimal requirements that contact tracing apps should have. I am just going to leave it here. Among them:
The system must be designed in such a way that movement profiles (location tracking) or contact profiles (patterns of frequent contacts traceable to specific people) can’t be established intentionally or unintentionally. Methods such as central GPS/location logging or linking the data to telephone numbers, social media accounts and the like must therefore be rejected as a matter of principle.
IDs for “contact tracing” via wireless technology (e.g. Bluetooth or ultrasound) must not be traceable to persons and must change frequently. For this reason, it is also forbidden to connect or derive IDs with accompanying communication data such as push tokens, telephone numbers, IP addresses used, device IDs etc.
@RobvanKranenburg even if they looked at it, they are refusing to greenlight any tech solution. I think they are right in taking that stance. In infosec you can only prove that things are broken, you can never prove a negative result that things are not broken.
CCC will under no circumstances ever provide a concrete implementation with approval, recommendation, a certificate or test seal.
It is the responsibility of the developers of contact tracing systems to prove the fulfillment of these requirements or to have them proven by independent third parties.
Here’s a OPT-In prior work on an app to help with disease spread. Created by my former advisor, and one of my fave teachers nearly a decade ago. Computer Laboratory - Fluphone Project
While this project may not have been reviewed for privacy implications of the time, and certainly the technological tools we have for preserving privacy has moved on, I know they both are willing and able to examine their projects for privacy implications. I add it here to show how apps could be part of the solution, if they were designed to respect privacy from the start.
D. Fay, J. Kunegis, and E. Yoneki “Centrality and Mode Detection in Dynamic Contact Graphs; a Joint Diagonalisation Approach”. IEEE/ACM ASONAM, Niagara Falls, Canada, Canada, August, 2013 (PDF).
D. Fay, J. Kunegis, and E. Yoneki "On Joint Diagonalization for Dynamic Network Analysis ". Technical Report, University of Cambridge, 2011 (UCAM-CL-TR-806 ).
E. Yoneki "FluPhone Study: Virtual Disease Spread using Haggle ". ACM CHANTS, 2011 (PDF).
E. Yoneki, and J. Crowcroft "EpiMap: Towards Quantifying Contact Networks and Modelling the Spread of Infections in Developing Countries ". International Conference on Wireless Technologies for Humanitarian Relief (ACWR), December, 2011(PDF).
M. Freeman, N. Watkins, E. Yoneki, and J. Crowcroft " Rhythm and Randomness in Human Contact". International Conference on Advances in Social Networks Analysis and Mining (ASONAM), Odense, Denmark, August, 2010 (PDF).
E. Yoneki “Visualizing Communities and Centralities from Encounter Traces”. ACM MobiCom Workshop on Challenged Networks (CHANTS), San Francisco, USA, September, 2008 (PDF).
So while APPs could be helpful, and so could data, Edin of Privacy International covers a global trend of enforcing people to install apps and invade their privacy through a variety of surveillance mechanisms: https://www.youtube.com/watch?v=B-w51EfpY24
I think the RSA covers this tension well: Data could help, but it must be freely given, protected in a variety of ways, and transparency about it’s use must be maintained and sustained. Data is key to overcoming the coronavirus crisis - RSA
As we have seen from our data rights work, there already existed a desire among the public for greater say and control over their data rights. If the crisis is the catalyst, how do we deliver workable mechanisms that prompt positive change?
This is where deliberation – facilitated conversation by citizens – comes in. The RSA’s Tech and Society team has found deliberation of inestimable value, not only in building trust between citizens and radical technologies, but also in enabling citizens to co-design governance mechanisms. The RSA’s Forum for Ethical AI enabled just this sort of dialogue in the context of automated decision systems.
The Icelanding COVID-19 contact tracing app is not bad in this regard. From their README:
With the user’s consent the app keeps their location data. In case the contact tracing team of the Department of Civil Protection and Emergency Management needs to track someone’s movements, they will be asked to upload their location data.
This would allow for the tracing team to help retrace a user’s movements for the last two weeks and increase the likelihood of identifying individuals you might have been in contact with.
Completely automated, continuous sharing of data might not have higher privacy implications when employing data obfuscation and cloaking mechanisms. But users can’t understand these mechanisms properly, so they can’t “give freely”. Even I would prefer to give raw data on request than obfuscated data continuously.
It appears that the Icelanding system is about requesting the infected person for their location data of the last two weeks. That won’t help to find all the contacts, as not all the places know their guests (public transport won’t know, for example). What they could do is add a feature to this software that will broadcast a request like “anyone who has been at [location] at [time], please step forward”. The app on the user’s phone would do all the work of figuring out if the user has been there and then, and only if so, would notify the user, asking to confirm sharing this detail with the civil protection services. It’s a distributed, privacy enabled database system because every user has full control over the location database on their own phone.
I very much agree. It’s frustrating when there are so many great techniques for preserving privacy in location services that are cool pieces of cryptography…yet if we can’t explain zero knowledge proofs and homomorphic encryption methods, then we can’t expect the public to trust them. Sad, but true. So these opt in approaches are the best (and if we’re lucky, can spearhead more trust in those cryptographic methods).
Thanks for a positive example…and I like the open source approach to health data. Reminds me of @opencare discussions.
