By EDRi

“We’re being asked what do we want these systems to look like. If we don’t make the decision it will be made for us (…) This virus will pass, but the measures will last”

Edward Snowden

According to the World Health Organisation (WHO), closely watching contacts during a pandemic “will prevent further transmission of the virus”. In response to the COVID-19 crisis, many technical responses (or acts of techno-solutionism) arose shortly after the pandemic was declared by the WHO. Contact-tracing applications are one of the notable solutions brought forward, and currently occupy the center of the public debate in the European space.

Whether contact-tracing technology will help or not, however, is still contested. Technology is not a silver bullet, as Carly Kind, director of AI research center Ada Lovelace Institute, puts it. Moreover, Dr. Michael Ryan, a key advisor for the WHO, warned that “when collecting information on citizens or tracking their movements there are always serious data protection and human rights principles involved”. Several voices in the EDRi community also question whether the risks in using apps may outweigh the benefits (La Quadrature du Net) and if apps are just “we-did-something” political responses (FIPR – Ross Anderson).

That said, if apps (and technology in general) are proven to be useful in any significant way, they need to fully protect fundamental rights, since the risks created by these technologies could outlast the pandemic itself.

European Digital Rights, as the voice of 44 organisations working to advance and uphold human rights in the digital space, warned early on of the potential problems that a rushed technological solution could lead us to.

In reaction to the debate regarding the safeguards potential technical solutions must provide, the European Commission (EC) has published a toolbox and guidelines for ensuring data protection standards. The two instruments aim to guide the responses that Member States are already preparing nationally, sometimes in very different directions.

In this article, we aim to provide insight into the European Commission’s proposals and how they fit with civil society views on this subject.

A techie toolbox

“A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms”

European Commission Common EU Toolbox for Member States

The EC argued for the need of a toolkit as national authorities are developing mobile applications (apps) to monitor and mitigate the COVID-19 pandemic. The Commission agrees that contact tracing, as usually done manually by public health authorities, is a time-consuming process and that the “promising” technology and apps in particular could be useful tools for Member States.

However, the EC points out that, in order for apps to be efficient, they need to be adopted by 60-75% of the population – a very high threshold for a voluntary app. As a comparison, in the famous case of Singapore, only 20% of the population downloaded the app.

The toolbox calls for a series of concrete requirements for these apps: they must be interoperable (apps must work well with each other in order to be able to trace transnational cases), voluntary, approved by the national health authorities, privacy-preserving, and dismantled as soon as they are no longer needed.

The time principle was a key point in our statement laying out fundamental rights-based recommendations for COVID-19 responses. On apps in particular, EDRi member Access Now advocates that access to health data shall be limited to those who need information to conduct treatment, research, and otherwise address the crisis. Finally, EDRi members Chaos Computer Club (CCC), Free Software Foundation Europe (FSFE) and noyb are among those that agree on the need for the apps to be voluntary.

Decentralised or centralised, that is the question

The Toolbox describes two categories of apps: those that operate via decentralised processing of personal data, which would be stored only on a person’s own device; and those operating via a centralised back-end server which would collect the data. The EC argues that this data should be reduced to the “absolute minimum” necessary, with technical requirements compiled by ENISA (encryption, communications security, user authentication, …) and “preferably” the Member State should be the controller for the processing of personal data. The Annexes list key recommendations, background information on contact tracing, background on symptom checker functionalities and an inventory of existing mobile solutions against COVID-19.

Our member noyb agrees with the Commission requiring strong encryption, an essential element of secure technologies for which we have also advocated before. Moreover, EDRi member CCC sides with the decentralisation option rather than a centralised one, as well as with strong communication security and privacy requirements.

Readers who liked the Toolbox… also liked the Guidelines

People must have the certainty that compliance with fundamental rights is ensured and that the apps will be used only for the specifically-defined purposes, that they will not be used for mass surveillance, and that individuals will remain in control of their data.

European Commission Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection

The Commission guidance summarises some of the key points of the Toolbox but provides more insight on some of the features, as well as details on ensuring data protection and privacy safeguards. The guidance focuses on apps which are voluntary and that offer one or more functionalities: provide accurate information to individuals about the pandemic or provide questionnaires for self-assessment and guidance for individuals (symptom checker). Other functionalities could include alerting individuals if they have been in close contact with an infected person (contact tracing and warning functionality) and/or providing means of communication between patients and doctors.

The guidance relies heavily on references to the ePrivacy Directive (currently blocked by EU Member States from becoming an updated Regulation for 3 years and 4 months) and the General Data Protection Regulation (GDPR). The references include data minimisation, purpose limitation, time limitation (apps deactivated after the pandemic is over) and state-of-the-art security protections.

Our member Access Now has thoroughly gone through the data protection and privacy requirements of purpose limitation, data minimisation and time limitation, largely coinciding with the Commission, while Bits of Freedom has also mentioned the minimal use of data needed and time limitation, in addition to the apps being based on scientific insight and demonstrable effectiveness.

Location data is not necessary, decentralisation is

The Commission states that location data is not necessary for the purpose of contact tracing functionalities, that it would even be “difficult to justify in light of the principle of data minimisation”, and that it can create “security and privacy issues”. Regarding the debate of centralisation vs decentralisation, the Commission believes that decentralisation is more in line with the minimisation principle and that, as Bits of Freedom, CCC and many other groups have suggested, only “health authorities should have access to proximity data [which should be encrypted]” and therefore no law enforcement agencies can access the data. What about the well-intended but risky use of data for “statistics and scientific research”? The Commission says no, unless it is necessary and included in the general list of purposes and clearly communicated to users.

Get us some open code. And add good-old strong encryption to go with it, please

The Commission asks for the source code to be made public and available for review. In addition to this, the Commission calls for the use of encryption when transmitting the data to national health authorities, if that is one of the functionalities. Both of these conclusions have been some of the key requests from EDRi members such as FSFE, both for transparency and security purposes but also as an appeal for solidarity. We consider the call for openness as a positive request from the Commission.

Finally, the guidance brings back the forgotten Data Protection Authorities (DPAs) who, as we have also suggested, should be the ones consulted and fully involved when developing and implementing the apps.

Moving forward

We have many uncertainties regarding the actual pandemic, especially regarding whether any technical solution will help or not. Furthermore, it is unclear how these technologies should be designed, developed and deployed in order to avoid mass surveillance of citizens, stigmatisation of those who are sick and reinforced discrimination of people living in poverty, people of colour and other individuals from groups at risk who are already disproportionately affected by the pandemic.

The voices of experts and civil society must be taken into consideration, before taking the road of an endless “war on virus” that normalises mass surveillance. If proven that technologies are indeed helpful to combat this crisis, technological solutions need to comply with very strong core principles. Many of these strong principles are already present in the Commission’s two documents and in many of the civil society views in this ongoing debate.

In the meantime, strong public health systems, strong human rights protections (including extra protections for key workers), a human-rights centric patent system that puts humans at its core and open access to scientific knowledge are key principles that should be implemented now.

Read more:

Press Release: EDRi calls for fundamental rights-based responses to COVID-19 (01.04.2020)
https://edri.org/edri-calls-for-fundamental-rights-based-responses-to-covid-19/

COVID-19 & Digital Rights: Document Pool
https://edri.org/covid-19-digital-rights-document-pool/

noyb Active overview of projects using personal data to combat SARS-CoV-2.
https://gdprhub.eu/index.php?title=Data_Protection_under_SARS-CoV-2

Privacy International: Extraordinary powers need extraordinary protections. (20.03.2020)
https://privacyinternational.org/news-analysis/3461/extraordinary-powers-need-extraordinary-protections

Access Now: Protect digital rights, promote public health: toward a better coronavirus response. (05.03.2020)
https://www.accessnow.org/protect-digital-rights-promote-public-health-towards-a-better-coronavirus-response/

Ada Lovelace Institute: Exit through the App Store? (20.04.2020)
https://www.adalovelaceinstitute.org/wp-content/uploads/2020/04/Ada-Lovelace-Institute-Rapid-Evidence-Review-Exit-through-the-App-Store-April-2020-1.pdf

European Commission – Mobile applications to support contact tracing in the EU’s fight against COVID-19: Common EU Toolbox for Member States (15.04.2020)
https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf

European Commission (COMMUNICATION) – Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (16.04.2020)
https://ec.europa.eu/info/sites/info/files/5_en_act_part1_v3.pdf