Turkish Law Blog

Contact Tracing Apps: Should We Have a Privacy Concern?

Melisa Gül Bolayır Melisa Gül Bolayır/ Bolayır & Erdoğan Attorneys at Law
22 December, 2020
172

What is Contact Tracing?

Contact tracing is a widespread tool that has been used over the history in order to slow down the spread of many diseases such as tuberculosis, measles, HIV and Ebola. It is the act of tracing the steps of a diagnosed patient to discover who they have been in contact with. To date, contact tracing included a great deal of footwork, visits and calls to the patients and everyone they have been in contact with. The goal is to trace everyone and create a network of individuals that may have been exposed to the disease so that such people can either self-quarantine or take precautions. This method has worked – with its flaws – through the years. For example, a person who has contracted the virus can be asked the names and addresses of the people she/he has been in contact with while contagious. [1]

The rise in technological developments in the last 10 years had a huge impact on the way contact tracing is being carried out as well. Instead of making visits to patients and calling to inform every individual, with the new contact tracing apps introduced by many governments and private sector entities, this can now be done by tracking their location and notifying the users whenever they are in close contact with a diagnosed patient for more than a certain amount of time.

COVID-19 is a disease so widespread and alarming that the world had shut down for a shockingly long time to slow the spread while self-quarantine became the new trend in 2020. In our day, contact tracing is being used to fight the COVID-19 pandemic since it is close to impossible to keep everything closed until the pandemic is over. As business returns to usual, businesses and governments are trying to balance between the old and the new normal. It is important to continue work; however, it is crucial to protect businesses, employees and customers properly. Currently many governments and private sector entities are taking standard measures that are known to be precautionary: social distancing, masks and temperature checks. [2]

There is one other mechanism that may prove to be more effective than any other: contact tracing. However, contact tracing does not come concern-free. Privacy is a dark shadow looming over contact tracing, and rightfully so. As these concerns continue, it is hard to achieve the maximum potential of such technology since widespread adoption of it is crucial for success. There are studies which suggest that unless 60% of a population install and use the app, the spread of the disease will not slow down effectively.[3]

Contact Tracing Apps

Since the beginning of 2020, governments have been bringing unprecedented restrictions on its citizens all around the world. By way of mankind’s strongest tool – technology, we are trying to find a way to lift all of these restrictions and move past the pandemic.

Contact tracing apps take the traditional approach to contact tracing to a whole new level. It takes the mentality of contact tracing and combines with technology. It basically creates a network of people who have been in close contact with a COVID-19 diagnosed patient for an amount of time that may expose them to the virus. This network is created by tracking the location of individuals that have downloaded the certain contact tracing app (“User”), using GPS or Bluetooth. The apps are created to notify User’s when they may have been exposed to the virus so that they can either get tested or take informed measures. [4]

It is clear that contact tracing aids in creating a new normal as businesses open and economies regain strength. Explained this way, the apps seem like a catch and it is hard to figure out why anyone would be hesitant to download and use the app, however it comes with a range of privacy issues depending on the way the app is created. In every country it is established with different features and some of them will be analyzed below. Once the privacy issues are resolved, contact tracing apps may be used by many more and prevent the spread in the most practical way.

Privacy Implications of Contact Tracing

The contact tracing app’s established by governments or private sector entities tend to have certain features in common – which are the main reasons for privacy concerns. The first feature concerns the storage and share of data, which may be a centralized or decentralized system. The second is the scope of data collected.

Centralized vs. Decentralized System

When data is stored and shared with a central authority, especially if this authority is a government, it causes concern. It makes the data more vulnerable to cyber-attacks since it may be easier to access through one point.[5] On the other hand, in a decentralized system, the “data is stored on the User’s device until and unless a user voluntarily elects to push information, i.e. to report a positive test result, out to a central authority.”[6]

Decentralized approach makes the app more user-friendly since it eliminates this concern or at least lowers the risk of data being compromised and allows users to have more control over their data.

Scope of Collected Data

Among all of the data collected, the one that stands out the most is location tracking. By way of location tracking, it is possible to identify individuals even if names are kept anonymous. It is possible to effectively carry out the process of contact tracing without actually storing location data. This concern can be eliminated by identifying whether two users have been in close contact without tracking their location.[7]

Government Generated Apps vs. Local Privacy Laws

Contact tracing apps have mostly been generated through government collaborations and each government developed the app in different ways. Australia, China, France, Turkey and the United States are among the governments that have made an effort towards digitalizing contact tracing. These apps will be discussed in light of the local privacy laws.

Australia

The Australian Federal Government launched a voluntary contact tracing app (the “COVIDSafe” App) on April 2020. The app is designed to collect limited personal information; therefore, it conforms with the data minimization principle. The first issue here was about whether the information collected could be used by other government or private sector entities and if so, for what purposes. The government answered this concern by a Determination under the Biosecurity Act 2015 (cth) which prohibited such use and created offences for using the data for any purpose other than contact tracing. [8]

A second issue focused on tracking individuals. The public was not keen on the government tracking their location; however, the app eliminates such concern as it does not use GPS and only uses Bluetooth for location tracking. [9]

China

China launched a telecom data analysis platform nationwide after the COVID-19 outbreak. The platform is a collaboration of the Ministry of Information Industry Technology and the Chinese government. The platform is set up in such a way that allows telecom carriers to track and provide a location record of users from 15 to 30 days. Furthermore, new apps were launched to show the health status of residents. [10]

A major privacy concern in the way China uses contact tracing is that no consent is required from individuals to collect and use personal data for public security purposes. Both government and authorized private sector entities may have access to personal data and on top of that the process of using the data is not transparent – making it a weak system open to abuse.[11]

France

The app in France is named “StopCovid” and has been launched by the National Institute for Research in Digital Science and Technology. The app collects data of all cross-contacts and sends it to a central server. This shows that the app collects more information than necessary since initially the app was only supposed to store User data of contacts lasting more than 15 minutes and closer than 1 meter. The app does not comply with the data minimization principle which is the building block of data privacy. [12]

The fact that the app uses a centralized server is what makes it fragile to cyber-attacks and what makes it a tool to use the data for purposes other than contact tracing. Another downside is that the app is not technically voluntary - they might not be able to access certain public places unless they use the app. If more people start to use the app, it may basically create a surveillance system for the government and the rest of the population may be pushed to use the app as well. [13]

Despite of all this, the French Data Protection Authority expressed that the app complies with both EU and French data protection legislation.

Turkey

The Turkish Ministry of Health has launched a contact tracing app called “Hayat Eve Sığar” (Life Fits Into Home) in collaboration with the Information Technologies and Communication Authority and mobile phone operators. The app monitors the movement of diagnosed COVID-19 patients and warns users if they are in a high COVID-19 risk zone or if they have been in contact with a diagnosed patient. 

The use of the app is voluntary, however when travelling between cities or when visiting government buildings, a HES code is required – which can be provided through the app or via text message. Entities such as airlines check the code on a platform created by the Ministry of Health to see if the individual has any COVID-19 related barriers to travel. [14]

The collected data is received by the Ministry of Health and may be shared with the Ministry of Internal Affairs (for example when a diagnosed patient leaves their place of isolation).   The information collected from the app cannot be used by private sector entities, however there is no certain information on whether the required measures have been taken to prevent cyberattacks. This is important, given the fact that the app collects excessive information from

User’s and does not give a framework as to how the data will be used and stored. Note that users can track others’ location given they consent to such act. [15]

The privacy policy within the app states the purposes of processing data and refers to the Turkish legislation on data privacy. According to such legislation, health data can be processed by certain authorized institutions without consent.

To conclude, the app’s privacy notice conforms to the standards of the Personal Data Protection Act of Turkey, however it was expressed by public authorities that such regulation does not apply in cases where public health is concerned.

United States – New York State

In New York state, a program for contact tracing has been put in place. Contact tracers would help identify and get in touch with individuals that have been in contact and isolate the ones that may have been infected. The state program, however, does not seem very practical as it involves in-person visits and follow-ups. [16]

The state create a more effective alternative, the “COVID Alert NY,” which is a contact tracing app. The app is described on its webpage as “voluntary, anonymous, exposure-notification smartphone app.” The app is free and anyone who is 18 years of age or older and lives, works or attends college in New York can use the app. App works by collecting User info, should you choose to provide, such as the county that you live in, gender, age, race, ethnicity and symptoms as well as information generated by using the app itself. User’s receive an “Exposure Notification” if they are within 6 feet of a diagnosed patient for more than 10 minutes. The app collects information using the IP address of User’s, however, does not store a User’s IP address. [17]

The Data and Privacy Policy states that any information provided by the user “is completely private and confidential. The app does not collect name or personal information.” In addition, exposure notifications are also anonymous, therefore User’s will not be able to identify each other.

The questions revolving around this app is same as in any other country: will this data be used for any other purpose than contact tracing? For example, will immigration authorities be able to track User’s contacts, location or etc.

New York state is handling these privacy matters delicately as it is preparing to pass a new legislation to answer these concerns. The bill is designed to limit the purpose of location contact tracing to “facilitating a legally-authorized public health-related action, in relation to a specified principal individual or contact individual, where and only to the extent necessary to protect the public health.” The new bill also brings technical safeguard to store the data properly. [18]

Conclusion

After the COVID-19 outbreak, many states were forced to lockdown both economically and physically – however this was not a long-term solution to fight the pandemic as countries could not shoulder such halt indefinitely. Technology stepped in to help track the spread of the pandemic and inform individuals about their exposed contact through contact tracing apps.

The apps seem like the most practical and efficient way to handle the pandemic and slow down the spread without closing down every business. Unfortunately, it does not come carefree; the app’s raise many issues on privacy throughout the globe. In every new version of the app citizens and privacy watchdogs worry that it will turn into a government surveillance system, the data would be used for purposes other than contact tracing and that the app would be vulnerable against cyber-attacks. It is important to eliminate these risks by collecting limited personal data, storing data in a decentralized system and being transparent to the public about the features of the app.

At our current standpoint, it is possible to say that individuals are correct to have concerns over this new technology. In many countries, the apps do not follow globally accepted data protection principles and do not disclose the specifics of how the app is developed. These major issues are trying to be solved by app developers since it is in everyone’s best interest that more individuals download and follow the instructions of these apps.


[1] Lewis, Shari Claire: “Contact Tracing Raises Privacy Issues for Businesses to Consider”, New York Law Journal, (2020).  https://www.law.com/newyorklawjournal/2020/10/19/contact-tracing-raises-privacy-issues-for-businesses-to-consider/

[2] Id.

[3] Howell, Chanley T., Talbert, Chloe B: “Privacy Risks and Implications of Contact Tracing Apps and Related Technologies.” The National Law Review (2020). Volume X, Number 311. https://www.natlawreview.com/article/privacy-risks-and-implications-contact-tracing-apps-and-related-technologies

[4] Id.

[5] Howell, Chanley T., Talbert, Chloe B: “Privacy Risks and Implications of Contact Tracing Apps and Related Technologies.” The National Law Review (2020). Volume X, Number 311. https://www.natlawreview.com/article/privacy-risks-and-implications-contact-tracing-apps-and-related-technologies

[6] Id.

[7] Id.

[8]Contact Tracing Apps: A New World for Data Privacy,” Norton Rose Fulbright, (2020). https://www.nortonrosefulbright.com/en/knowledge/publications/d7a9a296/contact-tracing-apps-a-new-world-for-data-privacy#China

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Lewis, Shari Claire: “Contact Tracing Raises Privacy Issues for Businesses to Consider”, New York Law Journal, (2020).  https://www.law.com/newyorklawjournal/2020/10/19/contact-tracing-raises-privacy-issues-for-businesses-to-consider/

[17] Id.

[18] Id.

Leave a comment

Please login or register to comment

Comments