The coronavirus pandemic is shining a bright light on the rapid development and adoption of contact-tracing apps aimed at slowing the spread of the virus. But whether these apps are able to provide strong data privacy and protection remains in question.
Contact-tracing apps are designed to alert people to whether they are at high risk of having the virus, based on whether someone else they were recently near to or in contact with has been diagnosed with it. The app utilises Bluetooth technology to record each time two people are within a certain distance of each other for longer than a specified amount of time.
When one user registers themselves as being infected, a series of alerts are sent anonymously to other people they could have passed it on to — alongside a message advising them to go into quarantine and get tested themselves. This helps to monitor the spread of the virus, which empowers governments around the world to contain the outbreak.
However, concerns have been raised about the privacy implications of contact-tracing apps that gather data on large numbers of people.
Centralised or decentralised contact-matching?
In an effort to address data privacy concerns, Apple and Google recently introduced a “decentralised” approach to tracking each qualifying meeting between people. The system utilises Bluetooth Low Energy (LE) so that the two handsets can wirelessly “shake hands” and in the process exchange a string of randomly-generated numbers, similar to how hashing happens on a distributed ledger.
These random numbers (or hash) are then used to record matches without revealing the user’s names, location, or sensitive information.
The tech giants believe that this approach will provide more privacy since it limits the ability of either authorities or a hacker to use the computer server logs to track specific individuals and identify their social interactions.
By contrast, other countries are pursuing “centralised’ designs. This would give them more insight into the number of alerts being sent out and potentially the ability to re-identify users, meaning they would not be truly anonymous.
Contact-tracing apps in Africa
Across Africa, a growing number of contact-tracing apps are cropping up promising to help ease the lockdown restrictions in several countries. In Nigeria, a mobile app called Safety Visa is currently under user testing to ramp up efficient contact tracing for Nigeria’s frontline workers. Unlike other apps that use Bluetooth, Safety Visa is a location-tracking mobile app that alerts essential services workers if a case is confirmed within a 100m radius of the locations they visit.
“The application tracks your whereabouts and alerts you if you have been exposed,” said Abel Ekele, Founder of Trivoda Digital, the company behind the mobile-tracking app.
Safety Visa is particularly suited for use in Nigeria where reliance on smartphone surveillance tech is practically impossible given that only 10-20% of the population own handsets that could install apps. Nonetheless, data privacy is a primary concern for many startups developing tracking apps in Africa.
In Europe, the General Data Protection Regulation (GDPR) is the main privacy law that allows the processing of sensitive private information when it is in the interest of public health. Sadly, laws like these that also provide strict provisions regarding access and use of personal data are lacking across Africa—the exception being Kenya, Ghana, Rwanda, and Nigeria.
Kenya’s privacy guidelines—considered to be on par with GDPR—require organisations to have clear consent measures when it comes to sharing and handling of user data. Failure to comply can result in hefty fines. Nigeria has a similar provision available under the country’s Nigeria Data Protection Regulation (NDPR).
Rwanda has clamped down on its personal data protection with regulations around consent from individuals. South Africa is still toying with its Protection of Personal Information Act, but this is very likely to be signed into law fairly soon. These regulations are all essential in a time when data privacy and security are under scrutiny and governments are being urged to do more to bring the crisis under control.
For contact-tracing apps, safeguarding user privacy is not an option. Efforts must be made to ensure the models being used to interpret people’s data are transparently communicated to the public and that privacy rights are upheld.
One app that has been lauded for following this practice is Singapore’s TraceTogether App. It uses Bluetooth to identify when users are within 2m of another for more than 30 minutes.
The information is stored in an encrypted form on each person’s phone and Singapore’s Ministry of Health must get their consent to upload it for contact tracing. Moreover, third-parties cannot use the data to identify individuals.
A similar approach could help African governments to provide strong data protection for location-tracing apps. In addition, it would ensure that measures that infringe upon privacy are temporary and limited in purpose.
“When this is over, that is assuming that this is not our new normal, users can request for their entire data to be deleted from the platform,” Ekele said.
Technologies such as Bluetooth, GPS and Artificial Intelligence have enhanced the efficiency of tracing. But contact-tracing tools should take privacy issues into consideration and be used solely to help suppress the spread of the disease.