[LINK] Absence of evidence to support contact-tracing apps
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Apr 25 16:22:39 AEST 2020
[ Ada Lovelace (these days an Australian) strikes again ]
‘Absence of evidence’ for Covid-19 contact-tracing apps, review finds
https://www.digitalhealth.net/2020/04/absence-of-evidence-for-covid-19-contact-tracing-apps-review-finds/
*An “absence of evidence” to support the immediate deployment of a
Covid-19 contact-tracing app risks “undermining public trust”, a
research institute has warned.*
Andrea Downey 22 April, 2020
The independent Ada Lovelace Institute has published a rapid review of
the technical, social and public health evidence for contact-tracing
apps, finding the current “technical limitations” and “social impacts”
outweigh the potential benefits of an app.
To avoid the loss of public trust, the institute called for the
introduction of legislation to regulate the development of apps and data
processing, including strict purpose access to data and time limitations
on its use.
Deployment of technologies should be subject to sign-off from a new
Group of Advisors on Technology in Emergencies (GATE), established to
oversee the development and testing of any digital tracing application,
the review said.
The review found: “The rapid review finds that NHS plans to use
technology to help reduce the spread of Covid-19 will not be effective
unless the Government takes action to address the technical limitations,
barriers to effective deployment and social impacts of the technology.
“Premature deployment of ineffective apps could undermine public trust
and confidence in the long-term, hampering the widespread uptake of
tracking technologies which may be critical to their eventual success.”
Given the lack of evidence, the review warned making use of the
technology mandatory would “likely fall foul of the human rights standards”.
NHSX is set to trial a Covid-19 contact-tracing app
<https://www.digitalhealth.net/2020/03/nhsx-coronavirus-contact-tracking-app/>
in the North of England, but has remained tight-lipped about how the app
will work and when they expect the pilot to be rolled-out across the
country.
Privacy group medConfidential has called on the organisation to be
“upfront” about their plans for the app
<https://www.digitalhealth.net/2020/04/nhsx-must-be-upfront-about-contact-tracing-app-privacy-group-says/>
and how it will be used. A call that was echoed in the independent review.
“Government must be transparent about the technical solutions under
development. Technological solutions must complement, rather than
replace, ongoing public health surveillance and pandemic response
initiatives,” it found.
“They must be grounded in a comprehensive strategy for the UK’s
transition out of the crisis, for which Government should develop,
publish and invite public scrutiny.”
Carly Kind, director of the Ada Lovelace Institute, said: “Bad uses of
data and technology can do more harm than good. They can obscure
accurate analyses, hide abuses of power and exacerbate the position of
people already suffering from digital exclusion, who – evidence is
beginning to show – are the same people who are most vulnerable to Covid-19.
“Premature deployment of a digital contact tracing app, which will
ultimately rely on widespread public uptake to be effective, risks
tarnishing public trust and confidence in technologies that could assist
a transition out of the crisis.
“While we have seen that the public will support emergency or extreme
measures that require curtailment of liberty or agency, or the increase
of surveillance, if they appeal to a common sense of solidarity and are
clearly justified for public good, there needs to be cast-iron ‘sunset’
clauses to dismantle any data tracking and surveillance architecture, as
definitively and transparently as lifting restrictions on physical
movement.”
Digital immunity certificates
The review also examined the evidence for digital immunity certificates,
again finding a lack of evidence to support their introduction.
It found while there is “broad agreement” that widespread testing is the
only route through which the UK can exit the crisis, “there is currently
insufficient understanding of immunity, no robust scientific means of
testing for immunity and therefore no credible basis for establishing a
comprehensive regime of immunity certification at this time”.
The institute called for a comprehensive government strategy around
immunity that takes into account the social implications of any
certification, including when, why and under what conditions individuals
are required to be tested for and disclose their immunity status.
“It may lead to arbitrary and unfair restrictions on individuals’ access
to transport, services, employment, movement and other rights and
freedoms on the basis of their immunity status,” the report found.
“Discrimination and stigmatisation may become commonplace if immunity
becomes an element of identity as we transition from the crisis. The
public will need to trust and support any government strategy that
centres on immunity certification.”
Public authorities and private companies should be prevented from
requesting or requiring disclosure of immunity status outside of defined
circumstances, it added.
NHSX has been contacted for comment.
https://www.digitalhealth.net/2020/04/imperial-white-paper-outlines-key-data-questions-for-contact-tracing-tech/
Imperial white paper outlines key data questions for contact-tracing
tech
*The NHS “cannot afford” to not use a contact-tracing app but special
measures need to be taken to limit the risk a user could be identified,
according to a new paper.*
Andrea Downey 23 April, 2020
Imperial College London has published a white paper outlining the eight
questions governments, public health authorities and developers should
consider when developing contact-tracing apps.
Such apps could prove useful in avoiding long-term confinement measures,
the college said, but as they collect sensitive information like
location data, Bluetooth-enabled proximity information, and whether
individuals are infected, caution needs to be exercised to protect privacy.
Dr Yves-Alexandre de Montjoye, of Imperial’s department of computing and
author of the paper, said: “We need to do everything we can to help slow
the outbreak. Contact tracing requires handling very sensitive data at
scale, and solid and proven techniques exist to help us do it while
protecting our fundamental right to privacy. We cannot afford to not use
them.
“Our questions are intended for governments and citizens to help
evaluate the privacy of apps. They could also for app developers when
planning and evaluating their work.”
Dr de Montjoye answered the questions below:
1. How do you limit personal data gathered by the app
developers?
“Large-scale collection of personal data can quickly lead to mass
surveillance. We should ask how much data the app gathers – like the
whole disease trajectory and real-life social network of infected users.”
2. How do you protect the anonymity of every user?
“Special measures should be put in place to limit the risk that users
can be re-identified by app developers, other users, or external
parties. Because location traces are unique, they might easily be linked
back to a person.”
3. Does the app reveal to its developers the identity of
users who are at risk?
“The goal of contact tracing is to warn people who are at risk, so
there’s no need for app developers to know who these people are.”
4. Could the app be used by users to learn who is infected
or at risk, even in their social circle?
“Personal health data is very sensitive. Digital contact tracing should
warn those who are at risk without revealing who might have infected them.”
5. Does the app allow users to learn any personal
information about other users?
“Having access to small amounts of information could help users identify
who is infected, so apps shouldn’t disclose information on a user’s
location or social networks to other users.”
6. Could external parties exploit the app to track users or
find out who’s infected?
“Apps should consider the risk of external adversaries, including
well-resourced ones. External entities could install Bluetooth trackers
to cover a city, or install malicious code on phones, and record the
identifiers that they observe in specific locations. This can be avoided
by regularly changing and re-anonymising identifiers like location data.”
7. Do you put in place additional measures to protect the
personal data of infected and at-risk users?
“The app design may require revealing more personal information about
users who are infected or exposed, but these are often the people who
are more vulnerable and at risk. It’s important to consider what
additional measures can be taken to protect their information.”
8. How can users verify that the system does what it says?
“Large-scale contact tracing is too sensitive an issue to rely on blind
trust. Technical measures should be used to guarantee public scrutiny on
the functioning of the app. Transparency of the system (app code,
protocol, what is being broadcast, etc) is fundamental to guarantee privacy.
“This requires that the app be open source and app versions distributed
on mobile app stores be verifiable, enabling developers to confirm that
they’re running the public, auditable code.”
Privacy and effectiveness
It comes at a time when the technology is attracting questions over
privacy and effectiveness.
An open letter from hundreds of academics from 26 countries urged
governments and public health authorities to evaluate the potential
dangers of developing contact-tracing apps, which could
“catastrophically hamper trust”
<https://www.digitalhealth.net/2020/04/contact-tracing-apps-could-catastrophically-hamper-trust-academics-warn/>
if they become a tool for “large scale data collection on the population”.
A similar tone was struck in an Ada Lovelace Institute rapid review of
the technical, social and public health evidence for contact-tracing
apps, which found “absence of evidence” for their deployment.
<https://www.digitalhealth.net/2020/04/absence-of-evidence-for-covid-19-contact-tracing-apps-review-finds/>
Privacy group medConfidential has also called on NHSX to be “upfront”
<https://www.digitalhealth.net/2020/04/nhsx-must-be-upfront-about-contact-tracing-app-privacy-group-says/>
about their plans for a contact-tracing app.
<https://www.digitalhealth.net/2020/03/nhsx-coronavirus-contact-tracking-app/>
The app, understood to be using Bluetooth to trace users, allowing
people to input their own symptoms, alerting anyone they have come into
contact with that they may have been exposed to the virus. NHSX has not
provided further information.
Recent research from Oxford University, which is advising NHSX on its
development of an app, found an app could help stop the pandemic but
only if 60% of the population used it.
The team simulated coronavirus in a model city of one million people and
found a “digital contact tracing app, if carefully implemented alongside
other measures, has the potential to substantially reduce the number of
new coronavirus cases, hospitalisations and ICU admissions”.
The same team has previously suggested current contact-tracing methods
are too slow to keep up with Covid-19.
But Ross Anderson, a professor at Cambridge University, has suggested
the use of such apps could be unreliable as they require large numbers
of the population to use them and to input their symptoms correctly.
“Anyone who’s worked on abuse will instantly realise that a voluntary
app operated by anonymous actors is wide open to trolling,” he wrote.
https://www.digitalhealth.net/2020/04/contact-tracing-apps-could-catastrophically-hamper-trust-academics-warn/
Contact-tracing apps could ‘catastrophically’ hamper trust,
academics warn
*Contact-tracing apps could “catastrophically hamper trust” if they
become a tool for “large scale data collection on the population”,
hundreds of academics have warned.*
Andrea Downey – 23 April, 2020
An open letter, published on 19 April and signed by professors from 26
countries, urges governments and public health authorities to evaluate
the potential dangers of developing contact-tracing technology before
releasing an app to market.
They warned of risks to accuracy and privacy in using GPS-based apps,
instead recommending the use of Bluetooth to trace users. But, they
added, that could also come with risks.
“Some of the Bluetooth-based proposals respect the individual’s right to
privacy, whilst others would enable (via mission creep) a form of
government or private sector surveillance that would catastrophically
hamper trust in and acceptance of such an application by society at
large,” they wrote.
“It is crucial that citizens trust the applications in order to produce
sufficient uptake to make a difference in tackling the crisis. It is
vital that, in coming out of the current crisis, we do not create a tool
that enables large scale data collection on the population, either now
or at a later time.”
Several contact-tracing apps are under development, including from NHSX,
which would be designed to help trace the virus by collecting data on
those who report symptoms.
The NHSX app
<https://www.digitalhealth.net/2020/03/nhsx-coronavirus-contact-tracking-app/>
is set to be trialled in the North of England. It would allow people to
input their own symptoms, alerting anyone they have come into contact
with that they may have been exposed to the virus. NHSX has not provided
further detail on the pilot.
Digital Health News understands the app is based on Bluetooth
technology, but NHSX has not officially confirmed.
The letter points to Apple and Google’s newly announced partnership
<https://www.digitalhealth.net/2020/04/apple-and-google-join-forces-in-fight-against-covid-19/>
to develop Bluetooth-based contact tracing technology, saying the
academics “fully support” the initiative as it “simplifies – and thus
speeds up – the ability to develop such apps”.
But warns solutions that involve “reconstructing invasive information”
should be “rejected without further discussion” to prevent the risk of
data being exploited.
It comes the Ada Lovelace Institute published a rapid review of the
technical, social and public health evidence for contact-tracing apps,
finding an “absence of evidence” for their deployment.
<https://www.digitalhealth.net/2020/04/absence-of-evidence-for-covid-19-contact-tracing-apps-review-finds/>
The review found current “technical limitations” and “social impacts” of
an app outweigh the potential benefits and called on the government to
be transparent about the solutions under development.
Privacy group medConfidential has also called on NHSX to be “upfront”
about their plans for the app
<https://www.digitalhealth.net/2020/04/nhsx-must-be-upfront-about-contact-tracing-app-privacy-group-says/>
and how it will be used.
An NHSX spokesperson said: “Users’ privacy is crucial, which is why we
are working with other countries, a range of experts, stakeholders and
industry to ensure the app under development is led by the best
scientific and clinical advice to reduce transmission of the virus
whilst protecting user privacy.”
*Key recommendations outlined in the letter:*
* Contact tracing apps must only be used to support public health
measures for the containment of Covid-19
* Any considered solution must be fully transparent. The protocols and
their implementations, including any sub-components provided by
companies, must be available for public analysis
* When multiple possible options to implement a certain component or
functionality of the app exist, then the most privacy-preserving
option must be chosen
* The use of contact tracing apps and the systems that support them
must be voluntary, used with the explicit consent of the user and
the systems must be designed to be able to be switched off, and all
data deleted, when the current crisis is over
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University
More information about the Link
mailing list