Yesterday evening, the Dutch government announced they are looking into using an app to fight the Corona disease. Such an app would track all your movements, in order to notify you when you have been in contact with someone who is positively tested for COVID-19. Great intentions, but potentially a big risk for your privacy. Tracking everyones movements constantly is not something we should want. Even if it’s only temporary. As Yuval Harari put it in the Financial Times
recently: temporary measures have a nasty habit of outlasting emergencies.
When developing this app, privacy should be considered very seriously from the beginning. Privacy by design. And yes, it’s possible to make a privacy-friendly tracking app. Here is how.
1 - Track visits, don’t track locations
We should look closely to what we want to know: when someone gets positively tested, we want to know which people this person was close to in the past two weeks. It’s not necessarily to know where exactly it happened. Only tracking if a visit happens instead of where it happened would make the data less unnecessarily specific.
With modern bluetooth technology, it’s possible for phones to make a note every time the app is close to another app. This way, the user can use this app to track to which other users he or she was close to. When an infection happens, these users should be notified. No need to track where it happened.
2 - Keep data locally, check voluntarily in a secure database
Regular cloud data storing options involve sending your location constantly to a central database (a cloud), from which governments can determine who went where. Even when you would only send the location, and not the name of the smartphone user, it would be easy to determine who is behind the phone with this data. In this way, governments could literally track everyone. Luckily, there are good alternatives.
A great alternative is to only centrally store the data of people who have been positively tested. Other users can use that database to check if they have been close to a person in that database. People could agree to let their app check the central database automatically every now and then, in order to receive a notification in case they should take matters. But that should be a voluntary option.
3 - Only track and keep the data that’s really needed
The app should only track and keep data that’s needed, and delete everything else automatically. Next to that, it should only store data that's needed to obtain the goal. Sounds obvious maybe, but it should be designed. In consultation with experts it should be determined how long it’s necessary to keep the information. Recently, the WHO stated that two weeks would be enough.
As we pointed out in the first point, it might not be necessary to store the location. To further increase the privacy, it could be considered to only store the duration of the visit instead of the exact date and time. However, this might make the app slightly less effective, since it is not possible to tell the user anymore when he or she was close to a diseased person. Informing the user about when it happened, might allow him/her to tell others who where there as well but who where not using the app.
4 - Make the software fully opensource
How do we make sure the promises about privacy are being kept and that there are no (unintended) security issues or “backdoors”? Make the source code available for everyone to study it, that's opensource. With opensource, the "recipe" of the software is publicly available. This way everyone could check if the app is not secretly sending data and could double check on security. Specialists from all over the world could even do suggestions on how to improve the app, resulting in a better app for everyone (knowing the opensource community, they probably will).
Another benefit is that this would make the app available for other countries, who have less budgets for such smart lockdown apps, as well.