An app to follow the whereabouts of citizens could greatly assist in slowing the spread of Covid-19, but would it “open the gates to privacy hell”, asks
In the times we live in, technology moves fast. In the era of a pandemic, it moves at a lightning pace.
Over the past four weeks the idea to use a smartphone Covid-19 tracing application has become a would-be silver bullet for the vast majority of developed nations seeking to contain the virus.
It’s been posited that a successful app could be the key to reopening the world’s economies in the absence of a working vaccine for the disease, or any other form of accepted effective treatment.
Ireland was quick to get in on the act, with the HSE announcing formally at the end of March that an Irish version of such an app was in the works, and would be launched within a matter of days.
Over a month later, the app has yet to see the light of day. The latest official word is that it will be available “next month”. Don’t hold your breath on seeing it soon however, at least not in the guise the HSE initially intended.
There are a myriad of problems that such an application needs to overcome, both technical and in terms of public trust, while the technology itself has evolved at an overwhelming rate, a fact that has left the Irish iteration hamstrung by the Government’s slightly plodding approach.
What was first announced by the HSE was an application known as CovidTracker Ireland. Based primarily on Bluetooth functionality (albeit with permissions for GPS location tracking also required due to issues with getting the Bluetooth aspect to function correctly across platforms), the application was touted as something of a ‘Swiss army knife’ approach to the coronavirus.
Not only would it aid in contact tracing by detailing the movements of those with the disease, it would further allow users to monitor their symptoms, while storing their phone number and personal details and sharing same with the HSE in a centralised database. This is in contrast to most other applications in use internationally, which tend to concentrate rather on a bare-bones contact tracing approach.
On April 12, the HSE said it was carrying out “final security and product testing” of the app, adding that its creation would “maximise privacy”. Despite this, the health authorities here have declined to either publish the application’s source code, so that the public can see what exactly is being done with its data, or its data protection impact assessment (DPIA) - a fundamental requirement for any privacy-involving project under the EU’s powerful General Data Protection Regulation (GDPR) and one which the HSE has decided to carry out itself, according to sources.
Since early April, the landscape has changed fundamentally. Little concrete is known about the form the Irish app has taken to date, but the HSE’s branding is to be found on the website of the consortium behind one of the two major technical standards used in such apps that have emerged over the past six weeks - the Pan-European Privacy-Preserving Proximity Tracing group (PEPP-PT), suggesting that its template may be the one the executive has been following.
More recently the PEPP-PT, the brainchild of German tech entrepreneur Hans Christian Boos, has been criticised for the lack of transparency of its centralised model - to such an extent that European powerhouse Germany has dramatically dropped its own adherence to that approach in its own app in recent days.
Centralisation in this context means basically that all data is stored in one central source (in this case, with the HSE) with no independent oversight, which translates into opening “the gates to privacy hell” according to Kenneth Patterson, a professor of computer science at German university ETH Zurich. Decentralised means that the phones running the application will handle the tracking and notifications involved in the viral-tracing process themselves, thus removing the Big Brother element of the project.
The main decentralised standard - Decentralised Privacy-Preserving Proximity Tracing (DP3T) - is now very much en vogue, not least because the two major tech giants with regard to smartphone technology, Apple and Google, have endorsed it themselves as part of their own recently-announced collaboration to develop a tracing standard that works on all devices. That leaves PEPP-PT apparently dead in the water, and the Irish authorities stuck in an awkward situation of having to pivot away from what they originally promised.
But pivot they must, and the reason for that is that public trust is absolutely crucial to the success of any app.
“This isn’t a technical matter, it’s a social engineering project. Public buy-in is essential or it simply won’t work,” Simon McGarr, data protection lawyer and privacy expert, says.
In order for an application to have any chance of succeeding, the accepted participation threshold across the population is in the region of 60% penetration. Bear in mind that only 80% or so of Irish people have a smartphone, let alone one which boasts Bluetooth optimisation (and the older generations, those most at risk from the virus, display far lower levels of smartphone penetration), and the problem begins to come into focus - straight off the bat at least three-quarters of people with such phones need to have the application installed and running for it to work - a mammoth ask and one entirely dependent on transparency and trust.
All of this runs contrary to the State’s “institutional impulse for secrecy”, as Mr McGarr describes it.
One of the major players behind the Irish app is the Office of the Government Chief Information Officer, a subsidiary of the Department of Public Expenditure and Reform which seasoned Public Services Card observers will recognise as having played a key role in that controversial project.
The decision not to release either the source code or the DPIA, despite doing so being seen as best practice internationally, while simultaneously claiming to have fully engaged with the Data Protection Commission “comes straight from the PSC playbook” according to one industry source. A willingness to budge from entrenched positions is not one of that body’s notable characteristics.
So where do things stand now? Different accounts have emerged in the media in recent days as to how the app will operate. Meanwhile, multiple industry sources have suggested that the State must eventually change tack to adopt a decentralised model - mainly because that is the route that Google and Apple - who between them produce 99% of the smartphones in existence - have chosen to travel.
Not all is lost. An app has yet to actually be published for starters, while the firm behind the project’s development, Waterford-based NearForm, boasts of its contributions to open-source (publicly accessible and free) technology and willingness to engage with that community. There is still time to publish the app’s source code and any DPIAs that have been carried out.
“This is a technology the world needs. I would happily endorse it if it were done properly,” says Mr McGarr.
What happens next is in the State’s hands. A request for comment as to where the tracer app project currently stands was not answered prior to publication. Read into that what you will.