The UK Information Commissioner’s Office (ICO) has published an opinion on the recently announced joint initiative by Apple and Google to help health authorities with contact tracing (the Contact Tracing Framework, known as CTF) in the fight against Covid-19, saying that, despite certain risks, it is satisfied the framework would meet data protection standards.
Law firm Faegre Drinker Biddle & Reath sums up the ICO’s opinion in a note on the subject. “The commissioner concludes that the proposed CTF incorporates sufficient safeguards by design to ensure that it meets data protection standards, on the basis of the information publicly available at this stage. However, the opinion also emphasises that any apps designed to make use of the CTF will have to be assessed on a case-by-case basis, and it will be the responsibility of app developers and app stores in their capacity as data controllers to ensure that their respective apps comply with data protection law,” it states.
“The commissioner also identifies risks from further developments that might be necessary to enable the effective use of tracing technology, such as the need for monitoring compliance with isolation requests and preventing uploads of false positives to the apps, which could limit their efficacy,” adds the law firm.
Faegre Drinker notes that contact tracing is likely to play a significant part in any plans for easing out of lockdown as a tool to facilitate social distancing and social or professional gatekeeping. The tool has already been used with success in Singapore and Taiwan.
It explains that the CTF is not itself a contact tracing app, but includes new application programming interfaces (APIs) that will enable interoperability between Android and iOS devices. This would enable third parties to create contact tracing apps that, in theory, exchange information via Bluetooth between any and all devices.
“The idea, as envisioned by Apple and Google, is that each mobile device would emit an anonymous identifier Bluetooth signal that is then picked up by any devices nearby and locally stored as an anonymised log of contacts. If a user were to test positive for Covid-19, they could update this in the app and consent to have this log uploaded to the cloud. Anonymised data about anyone testing positive would regularly download to all devices with the app installed, and any devices matching that identifier data would then receive notification that the user had been in contact with someone who has tested positive,” explains the law firm.
The ICO pointed to several key ways in which the CTF design looks to be effective from a data privacy perspective, from the information currently publicly available:
- The CTF seems to comply with the data minimisation principle, because information exchanged between devices does not include personal data, any matching processes take place on-device, and the system does not use location data.
- The CTF gives power to consumers, because app installation is voluntary and any diagnosis uploads are voluntary.
- The CTF complies with the security principle because it uses cryptographic techniques and no persistent user ID is broadcast (rather, a series of pseudo-random tokens), meaning there is a limited risk of identifying a user from the interaction between two devices.
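A simplified model of the exchange the law firm describes above and of the rotating-token point in the last bullet, added here as an illustration and not Apple's or Google's code: each device broadcasts a fresh token per interval derived from a secret that never leaves the phone, keeps a local log of tokens it hears, uploads only its own emitted tokens with consent, and performs the match on-device. The HMAC-based token derivation and the three-device scenario are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class Device:
    """Simplified model of one phone; constructed for illustration, not the CTF code."""

    def __init__(self, name):
        self.name = name
        self.day_key = secrets.token_bytes(16)  # secret; stays on the device
        self.emitted = []      # tokens this device has broadcast today
        self.observed = set()  # tokens heard from nearby devices: the local contact log

    def token(self, interval):
        # One fresh pseudo-random token per time interval (HMAC is an assumed
        # construction); no persistent identifier is ever put on the air.
        msg = interval.to_bytes(4, "big")
        return hmac.new(self.day_key, msg, hashlib.sha256).digest()[:16]

    def broadcast_to(self, interval, nearby):
        t = self.token(interval)
        self.emitted.append(t)
        for other in nearby:
            other.observed.add(t)

    def upload_if_positive(self, published, consent):
        # Only the tokens already broadcast are uploaded, and only with consent;
        # the day key itself never leaves the device.
        if consent:
            published.update(self.emitted)

    def exposed(self, published):
        # Matching runs on-device: the downloaded positive list vs. the local log.
        return bool(self.observed & published)


def run_scenario():
    published = set()  # the cloud list every app downloads (constructed scenario)
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    for interval in range(3):
        alice.broadcast_to(interval, nearby=[bob])  # carol is out of range
    alice.upload_if_positive(published, consent=True)
    return {
        "bob_exposed": bob.exposed(published),
        "carol_exposed": carol.exposed(published),
        "tokens_rotate": len(set(alice.emitted)) == 3,
        "key_uploaded": alice.day_key in published,
    }
```

Running `run_scenario()` shows Bob, who heard Alice's tokens, is flagged while Carol is not, and that the published set holds only rotating tokens, never the device secret.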
The ICO said that it will continue to monitor progress, including all apps that are developed, to ensure continued compliance – particularly given suggestions that the ‘phase two’ version of the CTF API may form part of each device’s operating system, therefore greatly limiting the ability of users to give genuine consent. “The risk of scope creep from app developers seeking to use CTF-enabled apps to collect additional data (such as location data) will also need to be monitored,” notes Faegre Drinker.
“Wider issues around obtaining consent from the user also need to be ironed out, in particular the question of how allowing users to withdraw their consent can be reconciled with ensuring the effectiveness of contact tracing, for example what notifications to other users at risk after contact with a positively diagnosed individual who has withdrawn consent might still be possible. As far as compliance goes, the commissioner confirms that the ICO will continue to take into account the overriding public interest during this health crisis, which is impacting the approach to enforcement that is being taken,” states the law firm.
“Data protection issues aside, it has been widely reported this week that there are estimates that as many as two billion phones worldwide will not be able to use the CTF because it relies on wireless chips and software not available in many models, particularly those released more than five years ago. How national and regional governments across Europe and the US choose to harness this technology will become clearer during the coming weeks and months,” concludes Faegre Drinker.