The authorities rolling out Ireland's Covid-19 smartphone tool have taken on board civil liberties concerns — but data protection experts say there is still no room for complacency, writes
The State’s plans to launch a voluntary Bluetooth-based Covid-19 contact-tracing app first came to light via media reports in March.
Shortly after, a group of data protection and legal experts, academics, computer scientists, and representatives from civil societies, such as the Irish Council for Civil Liberties, and Digital Rights Ireland, met to discuss what was known and what wasn’t known about the proposed app.
Approximately four months, and more than a milliondownloads, later, the same group knows a lot more about the app — but still has concerns around privacy, efficacy, necessity, and proportionality.
The group’s initial concerns about the technology and the implications for data protection and privacy were several-fold, not least because it was, as yet, unknown what the app would be specifically used for, how long it would be in existence, and, at the most basic level, what evidence existed to show such apps were fit for purpose. These concerns weren’t groundless.
Surveillance tools have been rapidly deployed across the world as a consequence of Covid-19 while, at the same time, people’s movements have been restricted and extraordinary powers have been bestowed on police to enforce these restrictions.
Some of these tools have put a host of people’s fundamental rights at serious risk.
- In India, a Covid-19 contact-tracing app, Aarogya Setu, which involves Bluetooth and location data, started off as a voluntary app. Within weeks, it became mandatory for all employees, public and private, with non-compliance resulting in a criminal penalty. People accused of crimes have been ordered to download it as part of their bail terms;
- Hungary launched a quarantine-monitoring app with facial recognition technology whereby a user checks in, with their identity and location data being automatically verified. At the same time, the prime minister, Viktor Orbán, suspended individuals’ data rights pursuant to articles 15 to 22 of the General Data Protection Regulation (GDPR) in relation to the processing of personal data for the purposes of recognising, preventing, and stopping the spread of Covid-19;
- In Kenya, electronic and mobile phone surveillance has been used to target people who have escaped from quarantine centres, or to enforce a mandatory 14-day quarantine rule;
- In Israel, there were attempts to enable the country’s internal security service, Shin Bet, to retrospectively track Covid-19 patients through their mobile phones in order to see whom they had interacted with prior to testing positive, and for those people to be told to go into quarantine. Anyone found to have breached quarantine orders could have faced a six-month jail term.
Thankfully, the HSE and the Department of Health’s Covid Tracker app does not resemble the tools above. However, the general global trend of normalising surveillance during Covid-19 requires that we treat any new surveillance tool with caution. This is crucial because emergency measures often outlast emergencies. What kind of new normal do we want post-pandemic?
e with the HSE and the department, our group published a set of nine principles which, we say, must be followed when the Government implements new technologies in order to ensure the technology aligns with legal and human rights requirements, and protects our privacy.
It’s not like data protection and privacy concerns are wholly alien to Ireland. One only has to consider how the Data Protection Commission (DPC) found that the processing of personal data by the Department of Employment Affairs and Social Protection for the Public Services Card (PSC) violated privacy laws in a number of ways, and ordered the destruction of data related to 3.2m cardholders. The Government has refused to comply, and the matter is now before the Circuit Court, while the DPC is currently carrying out a separate investigation into the biometric element of the PSC.
Some of our principles were adhered to and, on July 2, we applauded the HSE and the health department for uploading the Data Protection Impact Assessment (DPIA), source code, and other documentation, including the DPC’s review of the DPIA. It was one small click for the relevant authorities, but one giant leap for the State in terms of transparency. This was, as we previously said, unquestionably the model for all future DPIA processes by the State.
However, we still have concerns.
There is no evidence to support the theory that contact-tracing apps, in general, curb the transmission of Covid-19. Similarly, we have yet to see any evidence from the HSE or the department to support the theory that the HSE app will detect close contacts, despite the app having been trialled by the gardaí. We have been told the app can “accurately detect 72% of close contacts using the Google Apple API,” but we have seen no public data supporting this figure. The DPC has also said the claim by the HSE and the department that an app can improve the speed and accuracy of manual contact tracing is speculative and “unproven”.
Instead, we have evidence from Stephen Farrell and Professor Doug Leith, of Trinity College Dublin, that it would be challenging for Bluetooth apps to discern whether contacts are closer or further than 2m away; that app signals recorded between users can vary depending on whether people have their phones in their pocket or handbag, or whether they are on a bus or Luas, where metal reflects radio waves, or whether they are standing side-by-side or one behind the other.
They have also found that for Bluetooth apps using the Google/Apple API, false negatives — where people’s contacts are not detected — may be unavoidable.
False positives, where people have been falsely alerted as having been in contact with someone diagnosed with Covid-19, are another concern. This may have implications for people in terms of work or visiting family, and also affect the demand for Covid-19 testing. The HSE and the department themselves state that they will advise Luas drivers who download the app to turn off the contact-tracing element while working, in order to avoid getting false positive notifications.
We also do not believe the symptom-tracking element of the app, which has no proven efficacy, should be included in this app’s design. According to the European Data Protection Board, a Covid-19 app should have the single purpose of contact tracing.
We have concerns around the collection and transmission of metric data — for example, whether someone’s app has received a contact alert — which will be sent to the HSE and forwarded to the Central Statistics Office (CSO) daily. This will be retained by the HSE as anonymous data for research purposes for a minimum of seven years. We question whether it is necessary to retain the data for that length of time, and have not yet seen a DPIA regarding the CSO’s role.
The HSE and the Department of Health have stated time and again that location data is not used by the contact-tracing app. Yet, within minutes of downloading the app on an Android phone, a journalist from this newspaper was asked to turn on his location data.
We also have concerns that the Google/Apple API can affect the performance of the contact-tracing element of the app by silently updating the API, unbeknownst to users and, as a consequence, affect the app’s false positive and false negative rate. Our concerns around Google and Apple have been heightened somewhat in recent days, following the Minister for Health saying thatfor future health tech services.
There is a provision that the app will be ‘self-destructed’ within 90 days if found not to work. September will therefore be an opportunity to review, reflect, and consider whether the app is an effective part of Ireland’s response to Covid-19. Until then, ICCL welcomes ongoing engagement with the State about the app. We will be wearing masks and practicing social distancing, too.