Loki Foundation

COVID-19 contact tracing privacy open letter from Simon Harman

COVID-19 contact tracing in Australia and abroad: An open letter from Simon Harman

On April 10th, Apple and Google announced their plans to jointly create software infrastructure in Android and iOS for use in contact tracing apps. Separately, the Singapore government’s efforts to develop a contact tracing app have resulted in TraceTogether, and a similar app now being actively developed for use in Australia. This app will have to utilise the APIs being provided by Google and Apple to increase its effectiveness when they become available.

Contact tracing identifies people who may have come into contact with someone with an active case of COVID-19. Due to the pandemic, many countries have launched technologies and apps that aim to perform contact tracing, which has understandably given rise to some privacy concerns

Digital rights advocates are naturally sceptical of any apps that track user behaviour through their own devices. This is a healthy attitude to have, but I think it’s more useful to have a nuanced conversation about specific proposals and ideas in the context of countering the spread of the coronavirus.

I am a strong advocate for privacy and a staunch supporter of user autonomy. However, I’m actually reasonably impressed by both the designs of the Android and iOS contact tracing APIs, and the Singaporean Government’s application, and I believe they are in fact good uses of mobile technology that adequately protect privacy. 

The thing is, the kind of tracking being proposed for COVID-19 contact tracing can barely be described as tracking. It’s encrypted, it’s anonymised, and it doesn’t share location data. This is far less invasive than the tracking big tech companies and governments are already doing. Every day, we interact and use technologies and apps that collect data about us, including our location details and contact history. Theoretically, government agencies could work with data analytics companies and tech companies such as Google, Apple, or Facebook to implement contact tracing without our permission. Thankfully, this would be completely unacceptable in our democracy, and our government is rightly offering us something better.

Should we decry the government’s efforts to give us an opt-in, open-source, encrypted, peer-to-peer, low risk, privacy-preserving method of automatically notifying us when we’ve been in close contact with a carrier of a potentially deadly virus? I think not.

I’ve always been sceptical about the reliability of Bluetooth in any sort of phone-to-phone communication, but in this time of crisis I definitely think contact tracing using Bluetooth is a worthwhile experiment. It may not be perfect, but in the battle to contain the pandemic and reduce restrictions, imperfect is better than nothing.

Current analysis of contact tracing systems has raised some concerns over the potential discovery of phone numbers or health information through leaks and hacks, but this isn’t actually creating a new privacy risk. Phone numbers are already exposed in dozens of government services, apps, websites, and stores. It’s unreasonable to think that your phone number isn’t already known by all your local government organisations and every major tech company. And guess what? Your public health records are also already vulnerable to hacks and leaks

Don’t get me wrong, we should be concerned about information harvesting, data leaks and centralised data storage, but that’s part of a larger problem than these contact tracing apps. In my opinion, a minor increase in exposure risk is absolutely worth the potential benefits of contact tracing. If you’re able to notify people you’ve come into close contact with that you’ve been infected, you could literally save someone’s life. 

With their willful consent, anyone in the community can and should use the contact tracing app proposed by our government. This might not suit everyone, and if you’re averse to exposing yourself to any kind of tracking, then the solution is simple — just don’t opt-in. You might want to ditch your iPhone or Google Play-powered Android phone while you’re at it though, as they already give up your location and phone number to big tech companies anyway.

My only problem with the contact tracing apps arriving in Australia and around the world is that some of them are black boxes — the code can’t be audited. Singapore’s TraceTogether has been made open source, and all contact tracing apps should follow suit. This way, we (the tech community) have the chance to verify its safety and legitimacy and help with any issues that slip through the cracks during a very accelerated development process. And, as a less obvious benefit — the stamp of approval from trusted members of the tech community can help alleviate the public’s concerns. This could mean more people feel comfortable downloading and using a contact tracing app — potentially improving health outcomes across the whole community. Everyone wins.  

Privacy and security are more important than ever. Even in times of crisis, we must ensure that whatever measures we take as a nation don’t undermine our fundamental values. I’ve reviewed the contact-tracing API designs from Apple and Google, and I think we should applaud them for enabling something that aims to provide a life saving service while trying to preserve our privacy. But, while I don’t think contact tracing is the world-ending privacy threat some people are forecasting, we’re still going to need some basic safeties. It must be opt-in only. It must be encrypted. It must be open source. 

Don’t get me wrong, we should be worried about apps and technologies that carry out surveillance and invade our privacy, and must remain vigilant that times of crisis are not used to erode our freedoms. But in my opinion, the potential benefits of the contact tracing app outweigh the slight privacy exposure risk its use may give us. By using the app, an infected person could literally save someone’s life. This technology is impressive, and I would expect nothing less of competent leaders in technology and public health. 

I’ll be opting in.

Simon Harman, Loki Foundation Chairperson

Published 16th of April, 2020

Addendum: Simon is available and happy to comment further as new information comes to light regarding the developing situation around contact tracing.