How privacy enhancing technologies can help COVID-19 tracing efforts

Stephen Sarki Musa

May 22, 2020

Privacy Enhancing Technologies (PETs) can help ensure that the COVID-19 crisis does not develop into a privacy crisis. PETs can strike a balance between public health and privacy by enabling privacy-enhanced information sharing without exposing individuals’ private data.
As governments move out of full lockdown, a return to normal routines will be highly dependent on the ability of public health authorities to be continuously informed on the rate of COVID-19 infection and to be able to act immediately and effectively to contain new cases. To do so, public health agencies have to rely on advanced technologies such as contact tracing apps and data analytics. These tools can be very effective when deployed at scale - a requirement that brings to center stage the debate on privacy versus public health in the face of a global pandemic.
Many data privacy regulations contain clauses that allow for partial and temporary suspension of their provisions and authorities in many countries are currently activating these emergency clauses. While some citizens are willing to make some trade-offs in the short term for the greater good, the need to trace during this COVID-19 crisis and similar crises in the future could last for years. Given the ability for governments to access data long after the crisis, a long-term privacy solution is needed.
Privacy Enhancing Technologies (PETs) can help ensure that the COVID-19 crisis does not develop into a privacy crisis. PETs have the potential to enable a balance between public health and privacy by enabling privacy-enhanced information sharing without exposing individuals’ private data and addressing the issues with the roll out of either centralized or decentralized strategies.
What are 'Privacy-Enhancing Technologies' and how can they help
PETs are a group of emerging technologies that “enable the analysis and the sharing of insights without requiring the sharing of the underlying data itself”. They help resolve the tension between individual privacy and public health challenges introduced by the COVID-19 pandemic by enabling data sharing and collaboration while the data itself remains protected.
Homomorphic Encryption is a PET that can be crucial in the current crisis by enabling computations on encrypted data, such that data can be analysed and insights gleaned without ever exposing the data. This allows for multiple parties, i.e. public health authorities and location data aggregators, to collaborate on sensitive data while parties protect the data in their custody. Homomorphic encryption can enable public health authorities to pursue contact tracing of populations without exposing sensitive health information to location data aggregators, such as cellular companies or tech giants.
In the global rush to develop cures and vaccines against COVID-19, PETs could also prove useful in facilitating cross-border healthcare research on sensitive data. Healthcare providers from multiple countries can contribute encrypted data sets to researchers allowing them to reliably calculate correlations between certain chronic conditions or genetic variants and COVID-19 mortality rates without ever exposing individual patient data.
Privacy and lockdown exit strategies
European and North American countries are beginning to understand the enormous benefits of using mobile location data for contact tracing but are hesitant to utilize personal data that is protected by long-fought-for laws, regulations and standards. Personal location data is extremely sensitive and, even when anonymized, can be re-identified. Hence, its use by government agencies for contact tracing causes fears of data misuse and digital surveillance.
Decentralized solutions
To address these privacy concerns, the majority of countries are opting for decentralized digital infection alert systems, many of them based on the API being introduced by Google and Apple. This API will enable public health authorities to implement apps that will inform individuals on their exposure risk without providing any personal information to public health authorities themselves.
There are two major challenges with the fully decentralized solutions:
1. It is difficult to reach the critical mass of downloads that is required for these apps to be effective. A recent poll found that nearly 3 in 5 Americans say they are either unable or unwilling to use such apps, while scientists estimate that at least 60% of the population have to opt in to contact tracing apps to make them effective - a critical gap that might be difficult to close.
2. Decentralized systems leave public health authorities with limited insights into the population-scale aspects of the disease, such as the rate of spread, geographic hot-spots, and more. Access to such information is now crucial for public health authorities to successfully steer their societies through the “deconfinement” period, during which systematic testing of exposed individuals and early detection of new flare-ups are key to avoiding renewed lockdowns.
To bridge the information gap facing public health authorities in decentralized solutions, PETs can be used to support a privacy-preserving reporting function whereby the alerted individuals can provide their status to health authorities in an encrypted manner, so that the authorities will be informed on the number of infected and exposed cases and thus get indications on the infection spread rate and geographical distribution, but without being able to connect data points to individuals.
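The two passages above (computation on encrypted data, and an encrypted reporting function that yields counts without linking them to individuals) can be made concrete with an additively homomorphic scheme. The following is an added example, not code from the article or from any vendor it mentions: a textbook Paillier cryptosystem in which alerted individuals encrypt their status under the health authority's public key, an aggregator that holds no key totals the reports per region by multiplying ciphertexts, and the authority decrypts only the per-region sums. The trust split (aggregator without the key, authority never handling individual ciphertexts), the region labels, the sample reports and the tiny demo primes are all assumptions constructed for this illustration.

```python
"""Added example: additively homomorphic aggregation of infection reports.

Toy Paillier cryptosystem (the standard textbook scheme) showing how alerted
individuals can report their status encrypted, an aggregator can total the
reports per region without reading any single report, and the health
authority decrypts only the per-region totals.

Assumptions (constructed for this demo, not from the article): the trust
split below, the region labels, the sample reports, and the demo primes.
"""
import math
import secrets

# Constructed demo primes (the 9999th and 10000th primes). Real deployments
# use primes of 1024+ bits; these exist only to keep the arithmetic visible.
P, Q = 104723, 104729


def keygen(p=P, q=Q):
    """Paillier key generation with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    l_val = (pow(g, lam, n * n) - 1) // n
    mu = pow(l_val, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption: two encryptions of the same value differ."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover the plaintext; only the key holder can do this."""
    n, _ = pub
    lam, mu = priv
    l_val = (pow(c, lam, n * n) - 1) // n
    return (l_val * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


# Constructed sample reports from alerted individuals: (region, status),
# status 1 = tested positive, 0 = exposed but tested negative.
REPORTS = [("north", 1), ("north", 0), ("south", 1),
           ("north", 1), ("south", 0), ("east", 0)]


def client_report(pub, region, status):
    """Runs on the individual's device: encrypts the status and a constant 1
    (for the head count) under the authority's public key."""
    return region, encrypt(pub, status), encrypt(pub, 1)


def aggregate(pub, encrypted_reports):
    """Runs at the aggregator, which holds no private key: it sees only
    ciphertexts and can still total them per region."""
    totals = {}
    for region, c_status, c_one in encrypted_reports:
        c_pos, c_cnt = totals.get(region, (encrypt(pub, 0), encrypt(pub, 0)))
        totals[region] = (add_encrypted(pub, c_pos, c_status),
                          add_encrypted(pub, c_cnt, c_one))
    return totals


def authority_reads(pub, priv, totals):
    """Runs at the health authority: only per-region totals are decrypted,
    so no individual report is ever seen in the clear."""
    return {region: {"positive": decrypt(pub, priv, c_pos),
                     "reports": decrypt(pub, priv, c_cnt)}
            for region, (c_pos, c_cnt) in totals.items()}


def run_demo(reports=REPORTS):
    """End-to-end run: devices encrypt, aggregator sums, authority decrypts."""
    pub, priv = keygen()
    encrypted = [client_report(pub, region, status) for region, status in reports]
    return authority_reads(pub, priv, aggregate(pub, encrypted))


if __name__ == "__main__":
    for region, stats in sorted(run_demo().items()):
        print(region, stats)
```

The privacy property rests on the separation of roles: because encryption is randomised, the aggregator cannot even tell which reports carry the same status, and because the authority receives only the summed ciphertexts, it learns the number of positive and total reports per region but cannot attribute any of them to a person. Collapsing both roles into one party would remove that guarantee, which is why the deployment choice of who holds the key matters as much as the mathematics.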
Centralized solutions
With the cautious easing out of lockdown that has started in many countries, it will be key for public health authorities to continuously have access to comprehensive data to monitor the situation and to detect and quickly interrupt new infection chains without shutting down entire countries and economies again. Privacy-enhanced contact tracing can deliver agencies these insights in a timely manner, provided they can collaborate with location aggregators that hold data with the required geospatial granularity, but won’t be exposed to individuals’ health data.
A centralized contact tracing system with a PET-based privacy layer could provide public health authorities with the data insights at population scale, which would greatly help to tailor alerts, provide prevention and treatment to specific cases, areas and risks - as is done in precision medicine - for the benefit of each of us, our privacy and society as a whole.
Such a system could be based on the location data and sources from national and regional telecommunication providers that have granular cellular data. This can be combined with other data sources from large Internet service providers and technology providers who have Wi-Fi and hotspot information, as well as data-rich applications already used by millions of individuals. Public health authorities could execute privacy-enhanced queries to identify, contact and trace at scale, while gaining insights on infection rate and geographic spread without exposing any individual's data.
With location data aggregated on such a large scale, public health authorities could inquire about the number of people found in proximity to infected individuals at sporting events or while using public transportation, taking measures to communicate broadly to those who could have been exposed. In this way, public health authorities could gain valuable insights into spread rates and geographic distribution, without exposing the identities or locations of infected or exposed individuals.
The challenges with this approach include: 1) the availability of location data aggregations at the required scale and data granularity, and 2) the willingness (due to legal and reputational concerns) of the custodians of such data to allow public health authorities privacy-enhanced access to query their data. (Legal safe harbors might be needed to alleviate the legal concerns in emergency times like the current pandemic, to enable the required privacy-enhanced inquiries of location data.)
To support the rapid roll-out of such alert systems, regulators must now accelerate the evaluation and approval of PETs as compliant enablers of critical use cases requiring information sharing. These approvals have already been initiated by some countries for other purposes, such as to allow privacy-preserving, cross-institutional collaborations to fight financial and cybercrime.
Being a novel breed of technologies addressing one of the most complex data protection challenges, PETs' market introduction requires active support by regulators. Data privacy regulations such as GDPR and CCPA are often cited as barriers conflicting with the need to share data in order to join forces effectively against global challenges such as epidemics, money laundering, financial crime and cyber-crime. PETs, however, are now becoming market accessible: they are being successfully piloted for market deployments and are currently undergoing standardization processes.
"It is the right time to accelerate the introduction to the markets of new technologies that can help with the complex balancing act: reconciling public health and economic recovery with individual privacy." —Rina Shainski, Executive Chairwoman and Co-Founder, Duality Technologies
Combating COVID-19 together
With COVID-19 posing unprecedented challenges to governments and health agencies as well as to the world economy, it is the right time to accelerate the introduction to the markets of new technologies that can help with the complex balancing act: reconciling public health and economic recovery with individual privacy.
Momentum has been growing toward these efforts. The value of PETs for privacy-protected collaborations in medical research has been recognized and sponsored by bodies such as the National Institutes of Health (NIH). Still, there’s more work to be done. Global regulatory support will be critical to making these efforts feasible and timely. Data privacy authorities can also step in to help accelerate the adoption of PETs. These key efforts can ensure public health authorities have the critical information they need to help fight the disease.
