The official COVID contact tracing apps which have since been developed around the world all have the same aim: to alert people if they have come into contact with the disease and need to isolate to stop its spread. They mostly function under the same principle too. They count on users to voluntarily download and install an app to their smartphone that utilizes Bluetooth Low Energy signals to log when and for how long two people are have been in close proximity to each other. How those logs and other data are handled is where the apps begin to differ. And these differences have ignited a debate about digital privacy.
Centralized vs decentralized?
Two approaches to contact tracing apps have emerged, a centralized model and a decentralized one. In the former, the app gathers anonymized user data and uploads it to a remote centralized server where contact matches are made if a user reports symptoms or a diagnosis. An example of this approach is France’s national app, StopCovid, where user data is uploaded to and stored on government-run centralized servers. In the more widely adopted decentralized model, users have more control over their information. All contact information is kept only on users’ phones and there is no central database accessible by the government or authorities.
The main difference between the two models is not only a question of privacy but one of trust. While proponents of the centralized approach argue that the data collected could provide authorities with helpful insights into the spread of the disease, critics are not convinced. Instead, they find several aspects of the centralized model rather problematic. First, a centralized system could potentially be more enticing to hackers, thus leaving more people vulnerable to having their data leaked. Second, users would have to trust that whoever is collecting and storing their information would not use any of it against them at a later date or for another purpose. Lastly, many who oppose the centralized approach feel it runs the danger of inviting governments to introduce increased surveillance measures in the future.
Americans trust Big Tech
Results from an online survey commissioned by Avira and conducted by research firm Opinion Matters, report findings in line with the critics of the centralized approach. One of the main take-aways was that 71% of the 2,005 participants would not willingly use a COVID contact tracing app due to digital privacy concerns. When questioned about which contact tracing app technology they would trust to keep their data private the top answer was none (40%) but following close was Big Tech, specifically Apple and Google (32%), followed by Microsoft (28%). Only 14% of respondents said they would trust the government with such data. Moreover, the survey revealed that roughly 75% of Americans believe their digital privacy is at risk if the government or similar authorities can access data collected and stored by a COVID contact tracing app.
When asked more specifically what data, health-related or general, they were worried about being collected or leaked, participants cited most concern about general information such as their name, address, gender, and age. Taking that research into account, it makes sense that most Americans would trust the technology put forth by Big Tech.
The Apple-Google Exposure Notification API (Application Programming Interface) is decentralized, with user privacy built into its design. In practice, this means the warnings it sends out are not processed through a central database but triggered automatically and locally on users’ phones. Furthermore, its Bluetooth-detection based system doesn’t collect or use any location data and it’s up to the user to report a COVID-19 diagnosis to the app.
However, questions understandably remain about the privacy of the decentralized Apple-Google technology and not everyone is prepared to just wait and see where the technology takes us. One endeavor to ensure and protect users’ control over their data is the recently introduced bipartisan bill, the Exposure Notification Privacy Act.
Despite efforts from those who fall on both sides of the debate – whether privacy advocates or those in public health – the only way to really evaluate the efficacy of a tracing app is if enough people are willing to put their trust into the technology and use them.