April 16, 2020
The coronavirus contact tracing app won't log your location, but it will reveal who you hang out with
The federal government has announced plans to introduce a contact tracing mobile app to help curb COVID-19's spread in Australia.
However, rather than collecting location data directly from mobile operators, the proposed TraceTogether app will use Bluetooth technology to sense whether users who have voluntarily opted-in have come within nine meters of one another.
Contact tracing apps generally store 14-21 days of interaction data between participating devices to help monitor the spread of a disease. The tracking is usually done by government agencies. This form of health surveillance could help the Australian government respond to the coronavirus crisis by proactively placing confirmed and suspected cases in quarantine.
The TraceTogether app has been available in Singapore since March 20, and its reception there may help shed light on how the new tech will fare in Australia.
Your location is not being tracked
Internationally, contact tracing is being explored as a key means of containing the spread of COVID-19. The World Health Organization (WHO) identifies three basic steps to any form of contact tracing: contact identification, contact listing, and follow-up.
Contact identification records the mobile phone number and a random anonymised user ID. Contact listing includes a record of users who have come into close contact with a confirmed case, and notifies them of next steps such as self-isolation. Finally, follow-up entails frequent communication with contacts to monitor the emergence of any symptoms and test accordingly to confirm.
The TraceTogether app has been presented as a tool to protect individuals, families and society at large through a community data-driven approach. Details on proximity and contact duration are shared between devices that have the app installed. An estimated 17% of Singapore's population has done this.
In an effort to preserve privacy, the app's developers claim it retains proximity and duration details for 21 days, after which the oldest day's record is deleted and the latest day's data is added.
TraceTogether supposedly doesn't collect users' location data – thereby mitigating concerns about location privacy usually linked to such apps. But proximity and duration information can reveal a great deal about a user's relative distance, time and duration of contact. A bluetooth-based app may not know where you are on Earth's surface, but it can accurately infer your location when bringing a variety of data together.
No perfect solution exists
The introduction of a contact tracing app in Australia will allow health authorities to alert community members who have been in contact with a confirmed case of COVID-19.
However, as downloading the app is voluntary, its effectiveness relies on an uptake from a certain percentage of Australians—specifically 40%, according to an ABC report.
But this proposed model overlooks several factors. First, it doesn't account for accessibility by vulnerable individuals who may not own or be able to operate a smartphone, potentially including the elderly or those living with cognitive impairment. Also, it's presently unclear whether privacy and security issues have been or will be integrated into the functional design of the system when used in Australia.
This contact tracing model is also not open source software, and as such is not subject to audit or oversight. As it has currently been deployed in Singapore, it also places a government authority in control of the transfer of valuable contact and connection details. The question is now how these systems will stack up against corporate implementations like that being proposed by Google and Apple.
Also, those who criticise contact tracing point out that the technology is "after the fact" when it is too late, rather than preventive in nature, although it might act to lower transmission rates. Some research has proposed a more preemptive approach, location intelligence, implemented by responsible artificial intelligence, to predict (and respond to) how an outbreak might play out.
Others argue that if we're all self-isolating, there should be no need for unproven technology, and that attention may instead be focused on digital immunity certificates, allowing some people to roam while others do not.
And in the apps created to respond to particular situations, there's always the question of: "who owns the data?". A pandemic-tracing app would need to have a limited lifetime, even if the user forgets to uninstall the COVID-19 app after victory has been declared over the pandemic. It must not become the de facto operational scenario—this would have major societal ramifications.
It's all about trust
In the end, it may simply come down to trust. Do Australians trust their data in the hands of the government? The answer might well be "no," but do we have any other choice?
Or for that matter what about data in the hands of corporations? Time and time again, government and corporates have failed to conduct adequate impact assessments, have been in breach of their own laws, regulations, policies and principles, have systems at scale that have suffered from scope and function creep, and have used data retrospectively in ways that were never intended. But is this the time for technology in the public interest to proliferate through the adoption of emerging technologies?
No one fears "tech for good." But we must not relax fundamental requirements of privacy, strategies for maintaining anonymity, the encryption of data, and preventing our information from landing in the wrong hands. We need to ask ourselves, can we do better and what provisions are in place to maintain our civil liberties while at the same time remaining secure and safe?