Dr Jennifer Cobbe, Department of Computer Science and Technology
Contact Tracing Apps: potential side effects
There are numerous potential issues arising from the use of contact tracing apps to help control the pandemic. For example, these apps have the potential to invasively infringe fundamental rights like privacy and data protection. Of course, these are extreme circumstances so there's more a bit leeway with what kinds of infringements on those rights might be justified, but we can't give up on fundamental principles like necessity (the idea that infringements on fundamental rights must be necessary) and proportionality (that infringements must be proportionate to the problem being addressed). Nor can we allow discrimination or other differential treatment based on whether or not someone has had the virus to become commonplace. We also must be mindful of the potential consequences of extensive data collection and reuse. As such, I think my biggest concerns with these apps are twofold.
Firstly, are these apps actually effective enough to justify that level of intrusion? As far as I'm aware, the jury is still out on that and evidence from other countries suggests that they may not be as useful as some have claimed. If mobile contact tracing isn't effective then the necessity test isn't met, and they can't be justified, and they shouldn’t be used. But equally, even if they are effective, if there are other, less intrusive ways to do the same kind of contact tracing and get the same kind of idea of what's going on with the virus and its transmission then those other ways should be preferred.
Secondly, what kind of safeguards are there going to be to ensure that they aren't misused, that any data isn't shared inappropriately, and that they aren't repurposed once our current emergency is over? We've seen in the past that NHS data has been passed on to the police and to the Border Agency, for example. I would have very serious concerns about the sharing of this kind of fine-grained location and health data with police forces or immigration agencies that might turn that information against people of colour, migrants, refugees, and so on. At a minimum, we need to have strong safeguards to protect people from that. A public health emergency can't become another excuse to carry on the hostile environment and other policies of that kind through these apps.
I would much prefer the use of decentralised protocols – like DP3-T - to ensure that the Government can’t easily access this data. Thankfully, it looks like NHSX are moving in that direction. But that’s not enough - I'd also want to make sure that these apps and any data they produce are time-limited. I'm deeply concerned about the potential for all kinds of surveillance technology being justified and normalised as a result of this crisis, and then never being rolled back. Surveillance creep is a very real thing, and once surveillance technologies have been introduced it can be very difficult to step back again. Contact tracing apps and their data need to have an expiry date. And we need genuine transparency and accountability around the design, deployment, and use of these apps so that they can be properly scrutinised. Ultimately, I think, statutory safeguards for privacy and non-discrimination established in new primary legislation will probably be needed.
See also a recent opinion piece by Elettra Bietti and Jennifer Cobbe on Medium:
