This article was originally published by Radio Free Europe/Radio Liberty and is reprinted with permission.
In many countries, the fight to control the coronavirus has turned to new contact-tracing phone apps. But some forms of the technology — particularly in Russia, Iran, and China — are raising concerns of an Orwellian world.
Along with ramped-up coronavirus testing, contact tracing is crucial to help stamp out new outbreaks of COVID-19 as lockdown restrictions are eased around the world.
Contact tracing has been at the heart of the battle against communicable diseases for decades — including the fights against measles, HIV, and the Ebola virus.
The eradication in the late 1970s of smallpox, once the world’s most terrifying disease, required exhaustive contact tracing to locate all infected individuals, isolate them, and immunize those in their communities at risk of catching the disease.
But the speed of the coronavirus contagion has been overwhelming for traditional “manual” tracing methods like interviewing patients about who they’ve seen and where they’ve been.
Tens of thousands of Americans are being hired in the coming weeks across 44 U.S. states to create a phone-bank army tasked with interviewing infected people and identifying others who may have been exposed.
Still, health experts warn that even such an expanded staff is far from adequate.
To supplement manual methods, many governments are looking to automated tracing — particularly, through mobile-phone apps and location data — to help identify and notify those who come in contact with an infected person.
The result has been a flood of new, frequently untested tracing apps aimed at bolstering the detection of COVID-19 exposure.
In many countries, participation is voluntary and individuals must download the software themselves to their phones.
But the widespread acceptance necessary for those apps to be effective requires that app providers and government authorities be trusted not to misuse the mountains of personal information being collected about the day-to-day activities of individuals.
Critics say many of the new automated tracing apps lack transparency and have no meaningful limitations on the collection, retention, or use of data.
Some tracing apps also are pervasive and invasive — raising concerns about privacy rights, government overreach, and personal security.
Human Rights Watch (HRW) warns that “in the hands of governments that already have intrusive surveillance practices, such as China and Russia, this can magnify discrimination and repression.”
On a global scale, the lack of uniformity among new automated tracing apps also creates problems for scientists trying to assemble disparate data scattered in different formats from country to country.
The MIT Technology Review has launched a database to track these emerging apps. It includes details of 25 significant automated contact-tracing systems around the world.
Location Data
According to the MIT Technology Review, tracking programs that use location data from mobile phones are the most invasive.
Rights advocates warn they give governments access to troves of personal information that could be misused for purposes other than fighting the pandemic.
HRW digital rights researcher Deborah Brown says mobile location-tracking programs used by governments “pose serious risks to human rights.”
“People are being asked to sacrifice their privacy and turn over personal data for use by untested technologies,” Brown says. “Containing the pandemic and reopening society are essential goals, but we can do this without pervasive surveillance.”
China, Iran, and Russia are all cases in point.
China’s system has been used by local police to detect those breaking quarantine rules. It gathers a wide range of data that includes the identity of citizens, their locations, and even their online payment history.
When Iran launched its official AC19 coronavirus “detection” app in early March, some users accused the Iranian government of using the software to spy on citizens — collecting telephone numbers along with real-time geolocation data and other personal information.
Iranian dissidents caution that the app could allow Iranian intelligence agencies to install malware on the phones of millions of citizens at a later date through an automatic update.
Suspicions about the Iranian app have been bolstered by the fact that its developer, Smart Land Strategy, also created two Telegram clones accused of secretly collecting user data for Iranian intelligence agencies.
Iran’s Health Ministry sent a mass SMS message to all Iranians urging them to install the AC19 app by downloading it from a dedicated website, Google’s official Play Store, and other third-party app stores.
Millions of Iranians did so. Then, on March 9, Google removed the Iranian app from Play Store — just as it had done for the other Iranian apps created by Smart Land Strategy.
In Russia, a location-data-tracing system has been implemented “at the federal level” that works “through mobile telephone network operators and their GPS systems,” according to Olga Chislova, a researcher for the international law firm Freshfields-Bruckhaus-Deringer.
In addition to notifying those who’ve been in contact with a person who tests positive for the coronavirus, Chislova says information also is sent to regional emergency response centers in Russia.
Meanwhile, stay-at-home coronavirus patients in Moscow are required to install a “social-monitoring” app on their phone.
Storing information in a central database, that app gives the Russian government access to all users’ calls, their location data, camera, storage, network information, and other data.
Privacy International says location-data apps can easily be misused by governments as “a tool for social control” that track “the movements of millions of people.”
It says subjecting people to such “intrusive and unnecessary surveillance” can cause people to lose trust in governments and health authorities.
Balkan Location Trackers
Bulgaria and North Macedonia are both using tracing apps that send location data to central databases at their health ministries.
North Macedonia’s government insists the data it gathers from its StopKorona app will be protected.
The app was developed and given to the government by the Skopje-based software company Nextsense.
Nextsense’s model includes Bluetooth technology for detecting close contact with potentially infected people.
North Macedonia’s Information Society Minister Damjan Manchevski says those who test positive for the coronavirus can “voluntarily” give their data to the Health Ministry so their contacts can be warned.
Manchevski says all data is “recorded on a secure server of the Health Ministry, and no other user has access to mobile numbers, nor is there any data stored about the owner of the number.”
Bulgaria’s ViruSafe app was approved by that country’s Health Ministry on April 4 and launched for mass use via Google Play and the Apple Store on April 7.
It features a “daily-symptoms and health-status tracker” that sends data directly to the Health Ministry.
ViruSafe says users also can “voluntarily share” their location data to “create a heat map with potentially infected people” and “enable institutions to act accordingly, in case of an emergency.”
Location-data-tracing apps in other countries include Israel’s Hamagen, India’s Aarogya Setu, Cyprus’ CovTracer, Iceland’s Rakning C-19, and Ghana’s GH COVID-19 Tracker.
Proximity Tracking
Data-protection campaigners say some “proximity-tracking” apps are less intrusive than the location-data apps used by Russia, Iran, and China.
They argue the process can be decentralized, eliminating any central database that might be misused by intelligence agencies, law enforcement, or even for commercial marketing purposes.
One possibility is through an emerging protocol for Bluetooth-proximity tracking known as DP-3T — an abbreviation for “decentralized privacy-preserving proximity tracing.”
Phones with proximity apps use short-range Bluetooth connections to carry out a kind of digital handshake that trades encrypted tokens with the phones of others nearby who also have the app.
Under the DP-3T approach, Bluetooth logs are stored on individual smartphones rather than a central database.
When a person tests positive for the coronavirus, automatic alerts are generated and sent out anonymously to those with the same encrypted token.
Both Apple and Google have been working together to put proximity-tracking software in their iPhones and Android devices.
They’ve jointly created an application programming interface (API) that allows their smartphones to swap data with each other.
For now, users must voluntarily download the software along with apps created by health authorities in countries that use the API to exchange data.
In the future, Apple and Google have said they plan to install the software automatically via their regular updates.
In theory, that could put the software on 99 percent of the world’s smartphones.
But not all countries have agreed to its use.
France, Germany, and the United Kingdom have all rejected the jointly created API, arguing that it doesn’t load all of the data into a centralized database.
That puts those governments at odds on the issue with EU officials in Brussels who have raised concerns about the threat posed to individual privacy by some emerging contact-tracing technology.
The European Commission insists contact-tracing apps used by member states should be fully compliant with EU rules protecting individual privacy, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
“Trust of Europeans will be key to the success of the tracing mobile apps,” argues Vera Jourova, the commission’s vice president for values and transparency.
“Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional,” Jourova says.
