It has become clear that technology will play a crucial part in the path out of lockdown for many countries, supposedly facilitating a return to some semblance of normality and the revival of slumping economies.  

Contact-tracing is the key technology, and its function is simple; bluetooth signals between smartphones are utilised to track people’s daily interactions. When a person is diagnosed with COVID-19 and inputs this to their app, other users they have come into contact with are notified, and prompted to get a test or to self-isolate according to their country’s guidance. The benefits of this tech over traditional methods of contact tracing is its ability to trace people the infected person does not know, such as people they’ve sat next to on public transport.

DECENTRALISED CONTACT-TRACING

Tech giants Apple Inc. and Google have teamed up to create a contact-tracing app compatible with both iPhone and Android.  This has been incorporated into the roadmaps out of lockdown by countries such as Germany, Ireland,  Switzerland and Canada. The Silicon Valley companies have built strong privacy protections into their contact-tracing tool, including randomising the system’s tracking keys and encrypting bluetooth data,  intended to defend against hackers. The system also does not reveal users’ identity or location to Apple Inc. or Google. Crucially, the majority of the data is stored on user’s phones, a decentralised method intended to minimise risk of “de-anonymisation” by hackers or governments.  This method of contact-tracing has been judged by a group of leading UK lawyers to be in accordance with the law, proportionate and necessary in response to the virus, and is unilaterally understood as the most privacy-conscious method of technological contact-tracing.  

CENTRALISED CONTACT-TRACING  

Many governments are opting out of the off-the-shelf tech; developing their own apps, and generally pursuing a centralised data storage approach. The need to generate more informative data for health services trying to map and contain the virus is cited as the leading justification for this method. The UK is currently piloting its own app, for official release in early June. Under its centralised system, when an infected person self-reports on the app, all their recorded interactions will be transferred to a central server for further analysis by the country’s National Health Service.  Whilst the UK’s government has argued that this method will make the technology more efficient in fighting COVID-19, it has been judged by the aforementioned group of lawyers as resulting in a “significantly greater interference with users’ privacy” than the de-centralised method. There are concerns that the data could be harnessed for purposes outside controlling the spread of the virus, including law-enforcement and immigration control. This is where the lines between the tech and totalitarianism begin to blur. 

The country at the forefront of this balancing act between tech and totalitarianism is India; its contact-tracing app, Aarogya Setu, was downloaded over 100 million times in six weeks.  The app collects extensive data, including age, address, travel history, GPS movements and contact-tracing through bluetooth, all of which is centrally stored by the federal government.  The government claims privacy is at the core of the app, with location data kept anonymous and all records to be deleted after 60 days. However, critics of the app, and of India’s right-wing Modi government, have voiced concerns that the technology has the potential to become a permanent surveillance tool. India has no laws or legislation around data collection and protection, leaving citizens with no method to hold the government accountable, or to protect their right to privacy. 

CONTACT-TRACING AND THE RIGHT TO PRIVACY 

International human rights groups have flagged that consent is vital to retain privacy whilst using the apps. The imposition of mandatory downloads would be considered in direct opposition to the right to privacy, and representative of a slide toward totalitarianism.  In India, all government and private sector workers are required to download the app, which both sets a dangerous precedent for the rest of the country, and heightens concerns about the creeping development of a Modi surveillance state. In the UK, downloading the app is not mandatory. However there have been suggestions that businesses may require their staff to use the app as a pseudo-immunity passport to be able to work. 

Pursing the centralised contact-tracing method without enforcing mandatory usage would, however, have a detrimental impact upon its uptake and utility. Norway’s app works in a similar way to India’s Aarogya Setu, and the resulting privacy concerns have resulted in a high drop-out rate. Around 1.5 million people downloaded the centralised Smittestopp app, however only 899,142 were actively using it.  In the UK, where trust in the government is at a relatively low level, there have been worries that there will be a similarly low uptake which will thus hamper the app’s efficacy. Key concerns for citizens hesitant to download the UK’s app include whether additional functionalities such as GPS tracking will be added without user knowledge, and questions around whether the data could be sold to third parties. In order to be effective in tackling the virus, it could be argued that app’s surveillance powers must be far reaching in order to be truly effective; China’s success with digital contact-tracing is facilitated through the existing surveillance state, which gives an indication of the scale of access governments may claim to require to conquer COVID-19. 

STRIKING THE BALANCE

It is understandable that a degree of surveillance will be utilised on the road out of the COVID-19 crisis. In countries pursuing the centralised data storage approach,  striking the right balance between public health and privacy protections is integral in the interests of citizen’s rights, and in the overall uptake and thus efficacy of the apps. Amnesty International UK has published a list of seven privacy-protecting principles for contact-tracing tech, designed to placate community concerns and defend against the misappropriation of the tech for greater surveillance purposes.  Whether these are met by governments pursuing a centralised contact-tracing approach remains to be seen.