Contact Tracing – Personal Information Privacy Concerns

Jesse Roberts
May 18, 2020 2:00:00 PM

COVID-19 has turned the world upside down. Everyone is feeling the effects of the global pandemic. Governments are still in react mode on how to best deal with a virus that for the short term does not seem to be going away. Without a vaccine in place, the world will need to rely on contact tracing to help track the spread of the disease. Contact tracing is a method of tracking patients who have either gotten COVID-19 or have come into contact with a person who has COVID-19. The idea is to limit the spread via information sharing.

The Centers for Disease Control and Prevention (CDC) has released guidelines on how to perform contact tracing. They emphasize that contact tracing is a specialized skill and requires a very thorough and well documented process. The CDC is also calling for the adoption of emerging technologies to help where rapid scale up is needed.

So, this is where I start to get worried. We are still learning about the virus and how to deal with it. Currently, there is not a firm consensus on how it is being spread. Putting technology into place on a process that is not fully defined or understood seems like a bad idea. Technology should never drive process. When technology drives process you end up with programs that no one uses. With that being said, there are so many talented software developers out there that can get an app working with a minimal set of requirements. There are already many COVID-19 contact tracing apps rolled out and available on the Apple and Google Play stores that are sponsored by governments. Most notably, the COVIDSafe app was launched by Australia on May 10, 2020 (over 2 million downloads) as well as Singapore’s TraceRogether app which launched on March 20, 2020. There are many more apps currently being designed around contact tracing. The concern here is how well are these apps being tested? Is the software development life cycle (SDLC) being followed? Furthermore, have the people and companies building these apps learned from similar apps already available? I doubt that the apps have been fully tested because of the rapid speed that surrounds the release of these apps.

Beyond the obvious concerns of security holes that may exist in the application, there is the issue of privacy. The guidelines from the CDC seem to hint at tying these apps into an already existing system that may have personally identifiable information (PII). This type of development will open interfaces to protected information. For the contact tracing information to be effective, the data will need to be shared amongst multiple entities, making data management a nightmare. What will the data available look like? Will it show who you have contact with on a day-to-day basis? Will it include health history, address, age, pre-existing conditions, etc? We know for a fact that it will tell if a user has COVID-19, as that is the whole point of the application. Who will have access to this data and on what level? Once COVID-19 is no longer an issue, where does all that data go? Will it be purged, or will the systems hold onto the data for future use?

These contact tracing applications and programs will undoubtably bring with them concerns regarding health and personal data privacy. Government and private organizations certainly must move rapidly to dispatch solutions to the COVID-19 crisis, though the speed at which they move may create new information technology risks that did not exist previously.

Subscribe by Email

No Comments Yet

Let us know what you think