Contact Tracing Apps: Privacy Implications and Trade-offs

This article was published on June 7, 2020 in the Economic Times ET Health:

In the absence of a veritable vaccine for coronavirus, countries around the globe have turned to contact tracing technology to limit the spread of the contagion, to help health bodies track individual and subsequent community exposure, and to relax lockdown restrictions. There is a deluge of contact tracing mobile apps: in the last two months, around 45 such apps have been launched worldwide in over 25 countries, emphasizing the critical significance of digital contact tracing. Although proven to be an effective tool, these apps are mired in disputes and controversies over violations of privacy guidelines and data protection laws, inviting severe rebuke from activists, privacy advocates and cybersecurity experts.

Mechanism of action

The contact tracing apps require constant access to location history through GPS. The user has to input information such as name, mobile number, age, gender, profession and travel history. Bluetooth range is used as a proximity sensor and helps to alert a user to possible contact with another user who is infected. Around 70% of these apps globally work on the centralized model, which means that the location details and the anonymized data collected by the app are channeled into a centrally run database rather than being stored locally on the user's phone (known as the decentralized model). This database is most likely controlled by the country's government or the local health regulatory body, raising serious questions about transparency and about the cybersecurity hygiene principles adopted to stop misuse of this data for any unintended purpose.

Aarogya Setu: Benefits and the Controversy

On April 2nd, India's official tracing app, Aarogya Setu, was launched with aplomb. By May 29th it had recorded 120 million downloads, making it the most downloaded contact tracing app in the world (and the seventh most downloaded app worldwide in April, overtaking Netflix). Available in 12 languages, the app has helped to predict 3000 virus hotspots at a sub-post office level, traced over 500,000 people and alerted over 140,000 Indians of possible infections.

The data that the Aarogya Setu app collects is divided into four categories (demographic, self-assessment, contact and location) and is stored and managed on the government servers. Data is deleted from the government server after a maximum of 60 days, and the information stored on the phone in 30 days. Recently, MIT downgraded the rating of the app (1 star out of 5), citing as the reason that the app does not follow the principle of 'data minimization', implying that it collects far more data points from the user than actually required for contact tracing.

Privacy advocates and cybersecurity experts have raised serious questions on...