Data Blast: Covid-19 contact tracing updates on the plans from the UK, Australia, and California’s tech giants

The Information Commissioner’s Office (ICO) issues a positive Opinion on Apple and Google’s contact tracing technology

As governments, healthcare providers and technology companies collaborate towards the widespread roll-out of contact-tracing apps, the Information Commissioner’s Office (ICO) concludes that the Contract Tracing Framework (CTF) being developed by Apple and Google is aligned with the principles of data protection by design and default, and that all apps using the CTF must also align to the principles.

Across the world, governments and health authorities are collaborating to find solutions to the Covid-19 pandemic. Smartphone tracing apps are gaining significant attention as countries look to ease lockdown measures, but they do raise significant privacy concerns.

We have previously reported in our earlier article on Apple and Google’s announcement that they are collaborating to develop technology that will enable governments and national healthcare providers to develop and introduce contact-tracing apps on either iPhones or Android smartphones. The CTF involves the development of application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing.

Contact tracing apps using the CTF will work by broadcasting unique digital tokens at regularly set intervals. The tokens of users diagnosed with Covid-19 are also uploaded to a central server, which then sends them to all app users. Each app checks downloaded tokens against a local database and any matches signify that the user has possibly come into contact with a person infected with the virus.  Although NHS Digital (NHSX) is developing its own technology and app (discussed further below), it is understood to be in consultation with both Apple and Google.

The ICO has stated that most of the proposals for contact tracing apps will rely on consent as the lawful basis for processing any personal data.

In summary, the ICO concludes that:

• The CTF is aligned with the principles of data protection by design and by default, including design principles around data minimisation and security;
• The information required for the core functionality of contact tracing apps built using the CTF does not use geographical location data;
• The generation of tokens takes place on the smartphone using cryptographic techniques to ensure that data transmitted to other devices is not directly related to an identifiable individual;
• Clarification will be required for app users concerning who is responsible for data processing. This is because the majority of app users will have neither the time nor the expertise to understand that whilst the CTF is facilitating the collection of data from the smartphone, the app itself was designed by another party;
• Each data controller designing an app is responsible for ensuring their app is compliant with data protection law; and
• If the app processes data outside the CTF’s intended scope, the controller responsible must ensure that it has assessed the data protection implications: Any contact tracing apps that use the CTF platform should themselves align with the principles of data protection by design and by default whenever personal data is processed.

Finally, the ICO acknowledges that as the pandemic continues, additional questions regarding the use of technology and the processing of personal data for contact tracing will arise. This accords with the acknowledgement by Apple and Google that the CTF is likely to evolve over time (covered in more detail below). Although the ICO considers that its existing guidance will suffice, it has stated that it will carefully consider developments in this area, and may choose to issue further Opinions or guidance to address aspects of personal data processing during the Covid-19 pandemic.

We will continue to report on any significant developments in this area. The ICO’s Opinion can be found here.

Apple and Google provide update on contact-tracing plans

On April 24th, Apple and Google released further information regarding their plans to support global contact-tracing to combat the spread of the coronavirus, modifying certain security provisions which underpin the plan (which we previously covered here).

In a joint FAQ document, the duo explains that, after consulting with government and health agencies, they plan to move away from associating individual devices with a specific key. Rather, for additional protection, they plan on using a ‘privacy-preserving’ identifier, a randomised string of numbers not tied to a user’s identity, which will change every 10-20 minutes. The changing identifier will make the tracing and pairing of Bluetooth signals in order to associate keys with specific users more difficult. The companies also confirmed that user data will not be dispatched to relevant public health authorities, or the companies themselves, until a user both tests positive for the virus and opts into the programme.

The clarification seems to put to bed concerns that the companies’ system will employ centralised contact-tracing, whereby an app would allow for governments to collect and store the location and health data of large parts of their country’s population. The update confirms that the system will be decentralised, an approach that has been supported by the German and Austrian governments.

In a statement in support of the Apple and Google proposal, the German Health Minister explained that ‘this app should be voluntary, meet data protection standards and guarantee a high level of security.’

The FAQ document also explains that the companies plan on deploying the system in two phases. First, the duo will release a list of approved apps to government authorities, noting that ‘apps will receive approval based on a specific set of criteria designed to ensure they are only administered in conjunction with public health authorities, meet our privacy requirements, and protect user data.’ Second, the program will be installed at the operating system level, which the companies hope will prompt the widespread adoption necessary for the tracing application to succeed in identifying and tracking the spread of the virus.

Australia releases coronavirus contact-tracing app

The Australian government has released its coronavirus contact-tracing app, called COVIDSafe, available on Apple and Google devices, and it appears at least 2 million people downloaded the app within hours of it being made available.

The app requires that users create a unique identifier, and register their names, age range, postcode and phone number. A user’s identifier is shared with other app users when they encounter one another. If a user subsequently tests positive for the coronavirus, they may elect to notify the health authorities, after which users with whom that individual has had close contact are then contacted. Data pertaining to the interaction is encrypted and stored on a user’s device for three weeks, while some data is stored off-device for use by health authorities. Off-device data may only be accessed by Health Authorities after a user opts in, and after a second permission request is approved upon confirmation of a positive test. However, the app’s source code has not been released by the Australian Department of Health, despite recommendations that it do so.

The government’s legal justification for the app relies upon a ministerial determination under section 477(1) of Australia’s Biosecurity Act and has been met with approval from the Australian data protection community. Specifically, the government’s determination avoids the use of broad discretions, and a refusal to download the app cannot provide grounds for the refusal to provide an individual goods and services or to enter premises. Therefore, an employer could not require employees to download the app as a condition of physically returning to work, nor could a cinema limit ticket sales to only those who have downloaded the app.

However, the app’s use of Amazon Web Services has raised concerns, as the company is subject to the US Patriot Act and could be compelled to surrender the app’s data to US authorities, despite it being stored in Australia. A further criticism of the app is that, in order for it to perform on Apple devices, it must be in active use, as Apple’s iOS typically prevent third-party apps from running in the background. Therefore, if Australian iPhone users do not avoid low power mode, or close other Bluetooth apps while in public, there is a risk that the app may not collect useful data from such devices. This is important, as iPhones account for roughly one half of smartphones in use in Australia.

NHS contact-tracing app proposals revealed

The NHS contact-tracing app, currently under development and expected in the coming weeks, is believed to go further than basic contact-tracing, by warning people if they have failed to properly practice social distancing.

The app, like others proposed and deployed globally, would document a user’s encounters with one another using Bluetooth, automatically notifying those who have encountered someone infected by the coronavirus. However, internal documents from the app’s producer, NHSX, suggests that it could be repurposed, allowing it to boost, and potentially enforce, social distancing measures. The app could notify users when they have spent more than 1 hour outside their home, prompting them to return home, or warn them if they are too close to other users of the app. However, it should be noted that, at present, such features are only hypothetical, and a spokesperson for NHSX has stated that ‘NHSX is not developing any product to be used for enforcement purposes.’

The documents also suggest that the app could function within a larger ‘immunity passport’ system, when lockdown measures are relaxed in the future. However, in addition to concerns over the privacy impact of such a passport system, there is currently widespread debate among medical professionals as to whether immunity passports are an effective and safe means of containing the spread of the virus.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.