The use of modern information technology, in particular mobile data, is seen as a central measure in containing the current pandemic. However, the Corona App, which is used in South Korea to track the chains of infection, uses a variety of data (GPS, surveillance cameras, credit card data) to track the movements of potentially infected people, and does so in complete disregard of the privacy of those affected.
Access to personal mobility data, combined with information on actual infections and diseases, holds the promise of providing better insight into the pathways of infection and the spread of diseases, especially during the currently expanding COVID-19 pandemic. However, access to such data is rightly not or at least not easily possible. In societies based on the rule of law and conscious of data protection, it is essential to consistently weigh the added value of such use against the rights of those affected. The proximity tracing framework PEPP-PT aims at providing a more responsible foundation for data-saving anti-corona apps.
Does privacy hinder Corona disease control?
The masses of fine-grained motion data of smartphone users available e.g. from mobile operators soon turned into the subject of interest. Applying big data analytics was expected to provide insight into each and every phone user’s most personal travel behavior. This data would supposedly help identify the possibility of infections that have occurred before they facilitate the further spread of the virus by applying well-defined sets of rules laid out by medical experts and epidemiologists. Retrospectively, after a person is known to have the virus, their recent movements would identify the people they potentially came into contact with. This information would then become the basis for a possible self-quarantine.
With the GDPR (EU General Data Protection Regulation) coming into force, the data owner, i.e. each single person concerned, was given extensive means to put a stop to the undesired collection, storage and use of data. This is not difficult to understand in the context of unwanted advertising, continuous, even cumulative, evaluation of user behavior or an exaggerated collecting frenzy on the part of state authorities with a view to possible future criminal prosecution.
But this perception changed considerably when it comes to the use of modern IT and big data for a targeted and efficient disease control in the current challenge through Corona/COVID-19.
Simple solutions tend to be wrong
Initially, overhasty people (politicians) were quick to call for forced state access to usage data available from mobile phone providers about the network cells in which mobile devices are registered. Beyond a legal and socio-political consideration of this approach, a quick reality check makes clear: Due to the coarse grid that network cells represent, this data is as useful for the desired purpose as a rake used as a replacement for a fork. Even GPS data is not sufficiently granular to identify information about critical contacts (i.e. those less than about 5 meters apart) between potentially infected people. And it is usually not available for indoors activities. This can only be remedied with the help of Bluetooth technology, although this information -- just like GPS data of mobile phone users -- is often not available at all, let alone centrally.
It is therefore necessary to actively obtain and properly process such data specifically for this purpose. A system would have to be created that can record contacts between people and correlate them retrospectively.
COVID-19 and Privacy by design
As important and helpful as this information is, the hurdles to collecting it with the right to privacy of each citizen are immense. A pandemic by no means justifies any violation of a fundamental right such as the constitutional right of a citizen to self-determination regarding their personal information.
The GDPR sets out specific requirements for processing personal data, and this is where the principle of "privacy by design" comes into play. Initially defined in 2011 (PDF by Ann Cavoukian), this principle demands that systems, processes and applications must always be designed in such a way that data protection is technically inseparable from the development of the actual data processing. The protection of personal data (PII - Personally Identifiable Information) in the sense of the GDPR must be maintained by taking adequate technical and organizational measures from an early stage of development onwards.
So, anyone who, when it comes to solving the issue as described above, immediately thinks of the forced installation of an intrusive sniffer app similar to the Chinese social rating model under the cloak of protecting the individual's health is wrong.
Fighting the pandemic with voluntary proximity tracing
This can be done better, and the evidence has just been presented. The PEPP-PT (Pan European Privacy Protecting Proximity Tracing) concept developed by a multinational team including several Fraunhofer Institutes including the Heinrich Hertz Institute in Berlin is a prime example of a technologically sound and privacy-compliant approach to provide non-pharmacological support for pandemic containment. Through PEPP-PT, a tracing concept has been defined that can be used to identify chains of infection and alert those affected.
As a matter of principle, it actually does not even involve tracking. Rather, mobile phones communicate with each other and locally collect pseudonymized traces of relevant encounters. This happens without any central storage and without geolocation information. Based on Bluetooth low-energy technology, it is possible to determine with an accuracy of less than two meters that two people are next to each other. Where exactly this happened is fully irrelevant regarding a possible infection.
There are several strengths to this solution that set it apart from forced access to mobile data:
- Data is stored locally in the user's own mobile phone as much as possible.
- Contact data is pseudonymized with continuously changing IDs, so that re-identification using locally stored data is precluded by design.
- Only when an infection has been confirmed may the affected person choose to release this data to create the possibility to identify IDs in danger through previous contact.
- People can subsequently be notified via the app, still with privacy in mind.
- Finally, it must be emphasized again, that every step remains entirely voluntary. From installing the app, to the actual use of it to the transmission of data to potentially infected persons there is no such thing as forced monitoring by a compulsory app.
Beyond the app: PEPP-PT as an open, scalable framework
The system is open (with a reference implementation to be made available using a Mozilla license), internationally applicable, interoperable and scalable. It is not “just an app” but a framework that enables developers to leverage this technology and to support this purpose with suitable apps based on it. This means that privacy and data protection are not a hindrance to intelligent combating of the current health threat. Rather, by considering the "privacy by design" concept, the volunteer approach and an impressively intelligent concept, a solution has been designed that simultaneously meets the requirements of modern democracies and those of infection prevention.
This is an important lesson to keep in mind when implementing more next-generation communication systems in a post-Corona era. As an analyst / advisor with more than two decades of experience in the field of IAM, I am also quite impressed how pseudonymized identity management has been designed in a decentralized manner and I am really interested to see it face the reality test soon.