Issues arising from the use of technology for
Contact tracing in the Covid-19 era
28 September 2020
As part of their response to the rise of COVID-19 cases in the region, governments in APAC have raced to develop contact tracing technology to automate the process of tracing close contacts. This article discusses the mechanisms of the technology, its deployment in the region and the legal concerns surrounding the use of such technology. As COVID-19 cases rise, the deployment of contact tracing technology has been an important part of governments’ strategy to curb the spread of COVID-19. In this article, we discuss the increasing use of contact tracing technology in the APAC region and the legal concerns surrounding the use of such technology.
In response to the rising number of COVID-19 cases, governments across APAC have raced to develop new technologies to accurately monitor the spread of coronavirus and to cut off transmission chains early on. Contact tracing has been historically used for identifying persons who may have come into contact with individuals infected by a contagious disease and was traditionally done by conducting interviews with infected individuals and then painstakingly processing the data to track down the infection chain. Contact tracing technology replaces that labour-intensive exercise, and the scale of the COVID-19 pandemic gives rises to an unprecedented need for governments across the globe to gather information on the spread of the virus more efficiently.
While the exact mechanism of contact-tracing technology differs depending on the app, the premise is similar. Firstly, real time location tracking is used to detect close contacts between individuals over a period of time, either using Bluetooth or GPS to collect the user’s location data. In the case of Bluetooth, each device broadcasts a unique ID, when two mobile phones come into proximity, each app detects the other and records the other’s unique key. In the case of GPS, the exact location of the user is recorded at all times. Secondly, when a person tests positive for coronavirus, they can use the application to advertise their locations or their Bluetooth ID. Persons who came into close contact with an individual who has tested positive will be notified via the app. Thirdly, the app can be used to collect information about a user’s location, travel history, health and/or other personal information. Depending on the app, the users’ information can be shared either voluntarily or automatically with the government. The government can then use this information to track down the history of any close contacts.
Rise of the contact tracing apps
In early February 2020, there was a large-scale launch of contact tracing technology in China to contain the spread of the virus. Various apps have been rolled out to support the QR health code system adopted in various cities and provinces in China. Citizens are asked to register on one of the platforms operated by either Alipay or WeChat, which requires users to provide their personal information, such as their user’s name, ID card number and facial scans. The users’ location is tracked to determine whether they have come into contact with infected individuals or have travelled to cities with high infection rates. Users are then allocated a QR “health code” based on the information gathered, which is colour-coded green, yellow or red to indicate the level of risk. Many cities in China now require citizens to scan their QR health code showing a green status (which indicate the user is of low risk) before they are granted access to transportation, shopping malls, offices, stores and other public places. Individuals with yellow codes (which indicate that the user requires self-isolation) would be denied entry and individuals with red codes (which indicate that the user is a confirmed COVID-19 patient) would be reported to the relevant authority.
In Hong Kong, a toned-down contact tracing regime exists whereby travellers from overseas subject to a mandatory quarantine are required to download an app which is paired with a wristband that uses geofencing technology to alert the authorities when the individual leaves their home. The government also announced in June 2020 thata health code system will soon be launched to certify the health status of residents returning from the Greater Bay Area, with the exact mechanism yet to be announced.
The Singaporean contact tracing app allows users to log their proximity and duration of such proximity to other users using Bluetooth. If a user tests positive, the Singaporean Government receives an encrypted list of the users they have had contact with, who can then be notified.
Other countries such as Australia, Korea, India, Japan and Indonesia have rolled out similar contact tracing applications to boost their efforts in containing the virus.
Shortcomings and legal concerns
While contact tracing apps are valuable tools for the containment of the virus, the technical concerns and legal issues that may arise should not be overlooked.
To begin with, contact tracing apps will only be effective if there is a sufficient uptake. As one study conducted by the University of Oxford suggests, in order to reduce the number of COVID-19 cases, it would require usage of such apps by 60% of the population *1. Such widespread usage would necessitate the wider population to have access to the internet and mobile phones, which is not always the case. In addition, many remain sceptical, particularly with respect to potential data privacy invasions as a result of using the apps.
To be effective, these apps will necessarily have to collect a substantial amount of personal information from the user, such as the user’s geographical location and how long the user interacts with another user. Furthermore, most contract tracing apps may require users to provide personal information including personal sensitive information such as the user’s name, address, travel history, medical history, smoking habits, etc.
In addition to the collection of data, how this data is stored, shared and used poses serious concerns. Some apps opt for a centralised model of processing information (e.g. China, India, Australia), while others opt for a decentralised model (e.g. Japan). A centralised model means that the data is sent to a centralised server, which uses the data to carry out risk analysis and send out alerts to users who may have come into contact with infected individuals. A decentralised model means that the data is stored locally on the user’s mobile device. Each device will have an anonymous ID and users who have come into proximity will log each other’s IDs. All users’ anonymous IDs are uploaded onto a centralised database, and that database is downloaded on each user’s device. The contact matching happens on the device, such that it will alert the user if any IDs on the user’s phone have been tagged in the database as having been diagnosed with COVID-19. A decentralised model clearly offers more anonymity and privacy, but a centralised model has the obvious benefit of giving public health officials access to data to efficiently determine infection chains and virus hotspots.
It is the centralised model that has come under attack for potential infringement of user’s privacy rights. Firstly, a centralised database is prone to cyber-attacks and cyber security issues. In China, there has been reports of leaked information about more than 6000 people who had entered a local hospital in Qingdao on WeChat. Whilst regulations concerning the administrative, technical and physical safeguards of users’ data exist, tailor-made updates would be needed to take into account the significant privacy concerns arising from the massive scale and volume of data collection, including whether users have control of their data, how long the data will be stored for and whether the data will be deleted post-pandemic. Secondly, specific guidance is needed as to how information can be used, especially in a situation where the data collected is to be used beyond the pandemic. Given the information is highly sensitive and personal, it has potential to be used as a mass surveillance tool. Thirdly, where governments engage third party platforms to host the application (e.g. in China, Alipay or WeChat), it could mean that private enterprises will be able to amass enormous volumes of sensitive personal data.
Licensing and ownership concerns
The contact tracing technology used by governments is invariably developed by third parties and licensed to governments; in many cases, the operation of the contact tracing system is also outsourced to technology developers. The licensing and outsourcing agreements should properly regulate and govern issues relating to ownership, use and protection of any improved technology and data generated as well as risk allocation and enforcement of rights. As governments and health organisations race to deploy contact tracing tools in the global battle against COVID-19 and create an urgent market demand for the technology, it is not surprising that technology companies have begun an equally intense race to enforce their rights to that technology.
Blyncsy, a Utah-based start-up, purports to have exclusive rights to the use of electronic devices for contact tracing for COVID-19 *2. Blyncsy has obtained a business method patent from the USPTO for “tracking proximity relationships and uses thereof” *3 via determining the proximity relationship between an infected person relative to other persons, and has set up a website offering licences for its contact tracing method. There have already been heated discussions as to whether tech giants such as Apple and Google which also offer contact tracing tools would be taking actions in respect of Blyncsy’s patent, especially in light of the limited patentability of software pursuant to a 2015 US Supreme Court ruling.
An additional layer to the debate is the patentability of the age-old skill of contact tracing, which has been made much more efficient thanks to the use of automated processes. Such potential litigation is made more complicated by public sentiment against attempts to enforce exclusive IP rights in technology considered necessary to fight the pandemic. Tying back to the privacy concern mentioned earlier, Blyncsy has stated that its other major goal for the licensing regime is to make sure contact tracing is not used to expand government surveillance and violate individual privacy.
Government's response to privacy
Governments in APAC have generally embraced the use of contact tracing technology and have started rolling out guidance to mitigate the concerns around data privacy breaches. For example, in China, the Office of the Central Cyberspace Affairs Commission issued a Notification in February 2020 *4 stating that enterprises with capacity were encouraged to actively use big data to support joint prevention and control efforts under the guidance of relevant departments. However, such activity was only to be undertaken if personal information collected for contagion prevention and control would not be used for other purposes. Institutions collecting or controlling personal information were made responsible for protecting the security of that personal information and told to employ strict management and technical protection measures to prevent theft and leaks.
The Singaporean government has issued guidance for the collection of personal data for COVID-19 contact tracing and the monitoring of entrance into commercial premises. It has stated that the collection of data must comply with the relevant data protection legislation and provides a template notice that businesses can use to inform visitors that person data will be collected for contact tracing purposes *5.
In Hong Kong, the Privacy Commission for Personal Data stated in a media statement in February 2020 *6 that the use of personal data must be consistent with or directly related to the original purpose for which the data is collected in the Personal Data (Privacy) Ordinance. However, the right to personal data privacy is not absolute and should be balanced with other competing rights and interests such as public health. The statement concluded that there are sufficient legal bases on which the government may collect and use information obtainable with the aid of devices, applications, software or supercomputers with a view to tracking potential COVID-19 carriers or patients in the interests of both the individuals concerned and the public.
In the global race against COVID-19, all available resources are utilised to track and prevent the spread of the virus including the use of technology to automate the process. There will always be the constant battle between the right to privacy and other competing rights including the right to life and the public health need to put an end to a pandemic. Governments will need to promptly provide detailed guidance on the collection and use of personal data for contract tracing. For businesses that wish to use contact tracing apps to determine the health status of customers and employees, care should be taken to ensure compliance with data privacy regulations. Data subjects should be made aware as to what and when data is collected and how it will be used for public health purposes, with necessary consents sought. The retention period of the data should be limited such that the data should be deleted once the purpose is exhausted. It is also advisable for data users, be it health officials or private enterprises, to take extra measures to securely protect the data, given the number of data subjects and the extensiveness of the data involved.
As contact tracing technology fast evolves, the developers of the technology, as the owners and licensors, should also carefully review the relevant agreements governing the use of the technology to ensure clear stipulations on the ownership, use and protection of any improved technology and data generated. It also waits to be seen how any monopoly of the technology would fare in potential patent invalidation and infringement battles.
With appropriate measures in place and caution exercised by data users including the governments across the world, contact tracing technology would be an indispensable tool in the joint effort to combat and hopefully to eventually control or even eradicate the COVID-19.