So COVID-19, there’s an app for that…
In an earlier blog we explored the implications of COVID-19 adaptations in CVA response on an individuals’ right to privacy. We also argued that data portability in CVA could be explored as part of an opportunity to build back better. In this guest blog from Alesh Brown, founder at TrustWorks.io, we take a deeper dive into the types of apps being developed to manage COVID and consider how the decentralization of data may help to #buildbackbetter.
COVID-19 is creating a new normal, the implications of which are yet to be understood. As the challenge of containing coronavirus continues, governments, corporations and non-governmental organisations are now looking to technology to help ‘manage re-entry’ in a way that protects health, without sacrificing individual liberty, privacy and inclusion. Among the hype surrounding COVID-19 apps, here, we offer a closer look at what COVID-19 applications (app’s) are and whether they can help manage risk. We also explore how decentralisation may help in finding the balance between protecting privacy and breaking the chain of infection, alongside what these developments could mean for CVA programming.
COVID-19 Apps: The majority of COVID-19 related applications can be grouped into three categories:
- Contact Tracing apps
- Self-reporting apps
- COVID-19 Credential apps
Each category aims to provide a means to share, and report on, the authenticated health status and infection risk of an individual in real-time, in order to break the chain of infection. Each category potentially requires individuals to disclose their COVID-19 status as a condition of accessing humanitarian, government or private services.
Going deeper, Contact Tracing apps aim to trace and alert users if they have been in contact with an individual who is showing symptoms or has tested positive. They transmit data over short ranges via Bluetooth, in order to find a match with someone who has tested positive. Generally, they require 60% of the population to have the app active on a smartphone with Bluetooth and/or GPS capability to work.
The benefits of Contact Tracing apps are twofold: 1) To help individuals and governments to track the outbreak; 2) To alert people when they have been in contact with someone who has the virus; using the following to work out an individual’s risk score:
- Proximity of the mobile devices.
- Length of time that the mobiles detected each other.
- How infectious the person with the coronavirus was judged to be, based on how soon the meeting happened compared to when they noticed their symptoms.
Furthermore, countries such as Taiwan have combined contract tracing, surveillance cameras and card transactions to provide a more detailed picture about where people have been, using geo-fencing to track whether citizens are abiding by the mandatory quarantine period; automatically turning off phones and alerting authorities when the phone travels out of the geo-fenced quarantine area.
Self-reporting apps aim to enable users to ‘self-report’ on their health status. They often use web, SMS or email, providing organisations with user-generated opinions about their (self-reported) health status.
Finally, COVID-19 Credential apps, also referred to as Immunity Passports are applications that aim to manage the issuance, storage and transfer of COVID-19 test results between issuers, individual users and relying parties (organisations using apps to manage access). These types of apps provide a secure pipeline through which organisations and individuals can share any COVID-19 diagnostic credential via a QR code printed onto paper, a wristband or a smartphone.
Authentication (i.e. making sure the right person is presenting the right QR code) generally requires a form of biometric identification e.g. a photo which may be collected at the same time as the person undergoes a test to confirm their current COVID-19 infection status. Authenticating using a pre-existing Government or Humanitarian ID tends to be ‘safer’ – as the COVID-19 Credential App then does not have to manage any personal information, only the result.
How people could use COVID-19 credential applications
So, can app’s help manage risk in a COVID-19 world?
The jury is still out! Premature deployment of ineffective apps could undermine the long-term trust, confidence and uptake of applications that could work in the future, whilst late deployment of apps could help increase the spread of the virus. Further, unless apps these are deployed with well thought-through privacy-in-design, there is potential for them to contribute to dystopian surveillance systems, that some governments may find hard to give up.
In all likelihood, we will see all categories of apps laid out above being deployed over the coming months. But, when it comes to the likely trade off between preserving public health through deployment of solutions with high-level of centralized data oversight and the need to protect individual rights to privacy, decentralized solutions may have more to offer.
Furthermore, the technology for sharing COVID-19 data is only as good as the quality of the diagnostics and data fed into them – with ongoing questions relating to the accuracy of SARS-CoV-2 antibody tests and extent to which exposure results in immunity. As such, organisations planning on taking steps to manage COVID-19 using technology should systematically validate that the diagnostics, software and governance for using such data demonstrably reduces the number of infections.
With this, an increasing number of people are pointing to the potential of decentralised solutions as a way of providing the technical and ethical foundation for a more secure, privacy protecting model for sharing COVID-19 diagnostics without omniscient central servers. As Amos Doornbos notes
“A decentralized solution has no single point of failure; it’s a bit like cities being able to make decisions on their own without being controlled by the national government.”
In the context of COVID-19, private companies, humanitarian organisations and individuals can get the credential or contact tracing assurances they need without having to rely on third party “identity providers” to store and share personal data. Using blockchain or mobile phones to create a decentralised and ‘anonymised’ web of trust that aims to put the individual (rather than the institution) in control of their data.
However, as with all technology there are dangers. The introduction of any type of COVID-19 app, be it centralised or decentralised could interfere with our fundamental right to privacy, freedom of association and autonomy. And, as Edward Snowdon notes
“Emergency powers derived in the middle of an emergency tend to get abused and normalised…and while this virus will pass, the new laws and decisions we make will last”.
As such, it is critical that the CVA sector proactively explore the implications of COVID-19 technology on the populations they serve, ensuring that the appropriate technical and regulatory safeguards are established from the outset.
About TrustWorks: This blog was written by Alesh Brown, founder @ TrustWorks.io & TrustPass.io – a self-sovereign app for sharing of COVID-19 credentials.
 QR code is a type of barcode, a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application.