Contact tracing and immunity passports must respect privacy

The government’s plans for contact tracing and immunity passports should respect privacy, both at a technical level and backed by legal safeguards. This is essential for trust.

Contact tracing apps: the NHSX plans and Apple-Google changes

The government’s plans for contact tracing apps have become more confused as a result of Google and Apple announcing a Bluetooth contact tracing API of their own.

Contact tracing can be performed either centrally, or on the device. In the NHS model, each phone uploads the proximity contacts it has recorded to an NHS server, which works out who is at risk and notifies them. In the Google-Apple model, the server only publishes the identifiers broadcast by people who have tested positive; each phone downloads that list and checks locally whether it has heard any of those ‘risky contact IDs’. This means the central server never learns who has been in contact with whom, otherwise known as the ‘social graph’. The same approach has been proposed by the privacy researchers behind DP-3T.

The ‘decentralised’ model is not without problems. Both centralised and decentralised models, for instance, are open to attacks that could disclose the identity of people who are infected. The decentralised model also arguably deprives the project of some information that may be useful for understanding the spread of the disease.
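To make the difference between the two models concrete, here is an added example (not code from NHSX, Apple, Google or DP-3T) of a simplified decentralised scheme in the spirit of DP-3T: each phone derives short-lived identifiers from a secret daily key, records the identifiers it hears, and on a positive test releases only its own daily keys; every other phone recomputes the identifiers from those keys and does the matching itself. The key lengths, the epoch scheme, the HMAC derivation and the Alice/Bob/Carol scenario are assumptions constructed for illustration. The result also shows the caveat above: the matching phone learns the time of the risky contact, which is exactly what lets a user speculate about who it was.

```python
import hashlib
import hmac
import secrets

# Added illustration in the spirit of DP-3T / Exposure Notification. Structure,
# names and parameters are assumptions, not the NHSX or Apple-Google code.

ID_LEN = 16  # bytes per daily key and per broadcast identifier (assumed)


def rolling_id(day_key, epoch):
    """Identifier broadcast during one epoch of a day, derived from that day's key.

    Without the day key the identifiers are unlinkable; anyone who later obtains
    the key can recompute every identifier of that day and match it locally.
    """
    return hmac.new(day_key, b"rpi-%d" % epoch, hashlib.sha256).digest()[:ID_LEN]


class Phone:
    """A handset: keeps its own daily keys and the identifiers it has heard."""

    def __init__(self, name):
        self.name = name
        self.day_keys = {}   # day -> secret key; only released on a positive test
        self.observed = []   # (day, epoch, identifier heard from a nearby phone)

    def key_for(self, day):
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(ID_LEN)
        return self.day_keys[day]

    def broadcast(self, day, epoch):
        return rolling_id(self.key_for(day), epoch)

    def hear(self, day, epoch, identifier):
        self.observed.append((day, epoch, identifier))

    def report_positive(self, days):
        """Release only our own keys for the infectious days, never what we heard."""
        return [(d, self.day_keys[d]) for d in days if d in self.day_keys]

    def check_exposure(self, published):
        """Match published keys against what we heard, entirely on the device."""
        hits = []
        for day, key in published:
            for d, epoch, heard in self.observed:
                if d == day and hmac.compare_digest(heard, rolling_id(key, epoch)):
                    hits.append((d, epoch))
        return hits


class DecentralisedServer:
    """Holds only the keys of users who tested positive; never sees who met whom."""

    def __init__(self):
        self.published = []

    def upload(self, keys):
        self.published.extend(keys)

    def download(self):
        return list(self.published)


def encounter(a, b, day, epoch):
    """Two phones in range exchange their current identifiers (constructed event)."""
    a.hear(day, epoch, b.broadcast(day, epoch))
    b.hear(day, epoch, a.broadcast(day, epoch))


def simulate():
    """Constructed scenario: Alice meets Bob on day 3, Carol meets nobody, Alice tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = DecentralisedServer()

    encounter(alice, bob, day=3, epoch=5)
    carol.broadcast(day=3, epoch=5)  # Carol is out of range of both

    # Alice reports positive and releases keys for days 2-4; only day 3 exists.
    server.upload(alice.report_positive(days=[2, 3, 4]))
    published = server.download()

    return {
        "bob_hits": bob.check_exposure(published),      # Bob learns day 3, epoch 5
        "carol_hits": carol.check_exposure(published),  # nothing matches
        "server_published_days": [d for d, _ in server.published],
    }


if __name__ == "__main__":
    print(simulate())
```

Note what each party ends up holding: the server stores one daily key and no record of any encounter, so it cannot reconstruct the social graph; Bob, by contrast, learns the day and epoch of his risky contact, so if he met only one person in that window he can infer who was infected. In the centralised NHS model the same matching is done on the server from the uploaded contact list, which is what gives the server the social graph.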

The prime consideration with this tool is take-up. The government has estimated that it needs 50-60% of the population to use it, and that means a very large percentage of smartphone users. Many phones are slow to receive operating system updates; older models may never get them; many will not support Bluetooth LE. The government may therefore be aiming for near-universal adoption among those users whose phones can support the app at all.

Even assuming this is achievable, trust is a key factor: ensuring that privacy is protected as far as possible improves the prospects of widespread adoption. Risks around re-use of data, mission creep and the later repurposing of contact mapping data can be reduced or removed by design. For some marginalised groups, these issues may well be decisive for adoption.

No approach can remove all personal privacy risks, as people who are notified may speculate about whom they came into contact with.

Practicality of NHSX Bluetooth workarounds

A further question arises as to the practicality of the NHSX app’s Bluetooth LE workarounds. Mobile operating systems, iOS in particular, restrict Bluetooth LE advertising and scanning by apps that are not in the foreground, so an app left idle may stop detecting contacts. The government has not explained how it gets around this without causing battery or security problems from keeping the device’s screen on. The Apple-Google API will provide a way for apps to work in the background; this is a key reason for the two companies introducing their approach. But using the new API would require the NHSX app to be re-engineered and messily redeployed, which they now appear to be contemplating.

Whether any app-based approach will work is still very much open to debate, as Professor Ross Anderson points out. False positives could overwhelm such a tool: most people contacted will probably be at low risk. At the very least, it is likely to work best in a state of very low infections combined with a highly available testing regime, so that people who are alerted can swiftly determine whether the supposed risk resulted in an infection or not. And in any case, an app is unlikely to supplant the need for rigorous and time-consuming human contact tracing.

Centralised databases

We know even less about plans for immunity passports, but it is clear these could result in centralised registers, though they need not if the government chooses otherwise. There will again be questions of mission creep and potential for abuse, and alternatives exist which remove these risks.

Legal defences against abuse

Defences against abuse of data can of course be either technical or legal. In parallel to the discussion about contact tracing, a group of academics has proposed a Coronavirus (Safeguards) Bill 2020 to protect against abuse of contact tracing tools and also ‘Immunity Passports’. The proposal would mandate:

  • No sanctions for failing to carry a device, or to install or run an application
  • No mandatory requirement to install an application or display an immunity certificate credential without due safeguards
  • No reuse of evidence or data derived from symptom tracking, contact tracing or immunity certification without due safeguards

As the authors say, “Uptake of apps, crucial to their success, will be improved if people feel confident their data will not be misused, repurposed or shared to eg the private sector (think insurers, marketers or employers) without their knowledge or consent, and that data held will be accurate.”

The authors envisage that there may be times when the government wants to require immunity certificates, and that these must be constrained to specified circumstances where doing so is necessary and proportionate.

We urge the opposition parties to work with the government to introduce this or a similar Bill to ensure that public trust is maintained, especially if and when immunity certificates are proposed. Data privacy is a condition of success, not an aspect of policy to be treated as an afterthought.