Stop Pitting Privacy Against Public Health, And Start Innovating To Address Both

As nations around the world begin to relax shelter-in-place restrictions, many countries are rolling out contact tracing applications to help contain the spread of the virus and allow people to resume normal activities. The apps are designed to quickly identify infected individuals and notify anyone who might have come into contact with them using location-based tools, like GPS or Wi-Fi. 

But there’s much debate about how these apps should operate — specifically, what data is collected (is it just location, or also name, email, etc.?) and where it is stored (locally versus in a centralized repository). Privacy advocates warn contact tracing apps could be abused and lay the foundation for mass digital surveillance and, as a result, should collect minimal data. Meanwhile, public health experts argue robust data is a vital tool in the fight against the virus as the world awaits a vaccine.

But the reality is that privacy does not always have to be sacrificed in the service of public health. Now more than ever, the onus is on businesses, research institutions, healthcare providers and governments to engage in more meaningful ways to explore the technology that exists to preserve both. Swinging between the extremes of complete compliance at the expense of no tracking and zero compliance coupled with unreasonable levels of tracking is unproductive.

Times Of Crisis Result In Innovation — And We’ve Only Just Begun

In the U.S., Apple and Google are at the forefront of innovation in contact tracing. Both companies are releasing APIs that will be the foundation for many contact tracing apps, allowing continuous tracking of individuals’ proximity to one another using Bluetooth signals from smartphones.

When two phones come into contact for more than five minutes, the API will facilitate the exchange of anonymous tokens. If one of the two individuals later reports being infected, the system will automatically send a notification to the other, with no human involvement and no external reporting of any kind. The token data is stored locally on users’ phones for maximum privacy.

However, the forthcoming API’s approach to data collection is minimalist. No specific location or other identifying information is collected. For governments and public health officials, this is a problem.

“Partial data sharing and gaps make it impossible to provide the insights and tools California needs to safely reopen,” said Claudia Williams, CEO of nonprofit health network Manifest MedEx, in a recent interview.

And that’s true for not just California, but governments everywhere. Aggregate data stored in a central repository is critical to doing everything from tracking transmission zones to gaining a better understanding of how the virus is spreading. In turn, these insights inform policy decisions, including whether and when to relax shelter-in-place ordinances. 

Let’s compare Apple’s and Google’s APIs with the Aarogya Setu app that was launched by the government of India in April. India has become the only democracy on the planet mandating that all citizens download a contact tracing application. Like other approaches, this application stores tracking data locally on users’ phones, but with two critical differences. 

First, when a user downloads and proceeds through the registration process, their name, age, location and travel history are collected and stored centrally on government servers. Secondly. if a user tests positive for COVID-19 or declares symptoms in a self-assessment survey within the app, those records are uploaded to centralized servers.

While this level of centralized tracking may be perceived as necessary to contain the virus within the second most densely populated nation on earth, the application is also considered somewhat of a black hole when it comes to privacy. Given the loose data privacy laws in India, citizens have to accept the terms offered by the government within the application. 

In a recent development, the Indian government has decided to shift to an open-source approach with the Aarogya Setu app and release the source code of this application for developers to examine and contribute to. It is also offering cash prizes for anyone who finds security flaws and bugs.

While businesses and governments take major steps forward in the effectiveness of contact tracing efforts, further innovation is necessary to both protect public health and respect the privacy interests of individuals. And in many cases, those interests are the same. Market research firm Euromonitor International released an updated forecast at the end of April suggesting that fear of COVID-19 will outweigh privacy concerns and consumers will feel compelled to share their data for the sake of public health.

Leading With Responsible Innovation 

What has become painstakingly clear from the last three months is we were ill-prepared for an epidemic like this. Contact tracing is a crucial step to post-pandemic normalcy in allowing public health officials to focus efforts on hot spots and protect communities. 

If government agencies and health providers wish to pursue a more centralized tracing and containment strategy, there are two main challenges they will need to address: 

• Investing in technology that enables secure collaboration between teams and organizations, leveraging a centralized repository of de-identified data to ensure that data cannot be traced back to individual users. When done correctly, this process can maintain the integrity of the data for development, testing and real-world simulations.

• Using de-identified data to quickly and confidently build new applications and services in the fight to contain and eliminate the virus. 

Experts predict the current coronavirus is just the first of many global pandemics we’ll experience in the years to come. So, innovation in these areas will not only help us better manage the current pandemic, but also prove to be incredibly valuable in the future. 

With that in mind, we can’t afford to settle for solutions that are “good enough” but limit our ability to make public health decisions, or those that enable public health decision-making at scale but play fast and loose with our data privacy. Businesses and governments need to take the initiative to innovate and work toward a solution that allows us to leverage data responsibly and effectively.

*** This is a Security Bloggers Network syndicated blog from Resources - Blog authored by Delphix. Read the original post at: