Coalition Advises D.C. Mayor on Transparency and Other Concerns If Contact-Tracing Apps Are Used Here
Fritz Mulhauser | June 17, 2020 | Last modified: September 1, 2020
UPDATE 8/31/20 Virginia adopted an app earlier this month, the first such statewide move. See a user review here. Alabama adopted a limited pilot version of similar Apple-Google technology, as have 14 nations. Twenty states are reportedly considering it. Under 10 percent of Virginians with phones have downloaded it (experts say the system is truly useful when two-thirds of he population uses it). Rates are low around the globe as well. Washington Post reporting on this topic has been extensive.
UPDATE 7/17/20 — Mobile contact tracing apps may still be coming to the District. Writing in Washington City Paper July 16, 2020, Amanda Michelle Gomez reviewed D.C. government plans and the letter from the Coalition and other groups. DC Health spokesperson Alison Reeves told Gomez “The District is actively assessing different technologies, including proximity tracing mobile applications for their ability to enhance contact tracing, while safeguarding privacy.” Reeves declined to elaborate any further. This is not the open development the Coalition called for.
In a June 2 letter to Mayor Bowser and the D.C. Council, the Open Government Coalition has outlined key dimensions if tech tools such as smartphone apps are used to assist in locating and tracing contacts of those infected with the novel coronavirus.
Such apps typically work by exchanging signals with every phone you are near, storing them, then automatically notifying you if your phone has been near the phone of somebody diagnosed later as infected who enters that into the app. Taking action to get tested, self-quarantine, etc., is then up to you. See a 70-second video explainer, here. (Stronger versions elsewhere add location tracking or a link to government.)
The letter has a number of signers, many of whom are part of the Community Oversight of Surveillance Coalition D.C., a broad group of organizations advocating for greater transparency in the acquisition and use of all types of surveillance technologies.
Mandatory adoption, as in some nations, is not on the table here. Voluntary use by 60 per cent of the population is often mentioned as necessary for the scheme to appreciably slow transmission, though others say lower levels of use can still be helpful.
In any case, the key to acceptance is trust. That is, the letter says, “residents must trust that the relevant app will not be used to track them, will not lead to law-enforcement involvement, and will not render them less safe. It is therefore critical that the District be guided by strong privacy safeguards, which can form the basis for strong public trust in, and support of, a government’s deployment of any new technology. Further, for manual tracing efforts and digital tools alike, where there is tension between these goals, we urge the District to err on the side of public trust.”
Contact tracing is definitely planned to grow in the District. Mayor Bowser announced April 23 a “DC Contact Trace Force” that would be promptly bulked up with 200 tracers and “with up to an additional 700 tracers to be hired through Phase One of re-opening the District”—the current phase which began May 29. The D.C. government aims to train all employees as tracers by June 30, ready for detail to that assignment if needed.
But there is no sign of smartphone tracing here. “Contact tracing” details in a June 10 set of slides from the Mayor show the 200 staff tracers have been hired but don’t mention smartphone tools.
A recent 50-state review by Aaron Holmes and Hugh Langley published June 10 in Business Insider found only three states—Alabama, South Carolina, and North Dakota—have committed to using a contact-tracing platform developed by the unusual Apple-Google partnership. Another 19 states reported considering using contact-tracing apps but had not made a decision, and 17 states said they are not planning to create an app or use smartphone-based contact tracing at all.
NBC News reported in a similar vein, “Coronavirus contact tracing apps were tech’s chance to step up. They haven’t. Most states are giving the cold shoulder to smartphone apps, though some developers think there’s still a chance for them to catch on.”
If the idea does surface here, the key recommendations of the letter, signed by the ACLU of DC, Center for Democracy and Technology, New America Foundation Open Technology Institute and other D.C. groups including HIPS, In the Public Interest, Justice For Muslims Collective, Kandoo, Lucy Parsons Labs, Showing Up for Racial Justice (SURJ), DC Sisterhood of Salaam and Shalom DC-II Chapter, Stop Police Terror Project DC, and Upturn, include three most important, that any technology tool be voluntary, time limited, and not linked to location data. In addition it should:
- be developed with public health experts deciding when specific applications are necessary and effective, and be linked to adequate testing, healthcare and support for those needing to self-isolate;
- follow principles of use limitations, data protection and data minimization;
- transparently inform the public about the tool, the data it will gather, uses to be made, and the safeguards for security of the data, as well as results of ongoing evaluation of the tool in use;
- be governed in a way that provides oversight and accountability so that rules for collection and use of data are regularly audited and made public;
- be designed to suit the present Covid-19 pandemic alone, without added features imagined to be needed for some other problem in future.
The experience of Qatar highlights dangers of poor security for the highly personal data such schemes entail, according to an Amnesty International review of a data breach there described in a May 27 Guardian report:
A security flaw in Qatar’s coronavirus contact-tracing app put the sensitive personal details of more than a million people at risk, according to an investigation by Amnesty International. The app, which is mandatory for Qatari residents to install, was configured in a way that would have allowed hackers “to access highly sensitive personal information, including the name, national ID, health status and location data of more than 1 million users.” according to Amnesty International’s security lab.
Claudio Guarnieri, the lab’s head, said the flaws, fixed following their discovery, “should act as a warning to governments around the world rushing out contact tracing apps that are too often poorly designed and lack privacy safeguards.”
The Qatari app uses a mixture of GPS and Bluetooth technology to track Covid-19 cases and warn people who may have been exposed to an infectious person. Like the UK’s app, it operates on a centralized model allowing the country’s interior ministry access to the information it gathers. However, it gathers much more information than most similar apps, including the location of the user, which it links directly to their name and national ID, a choice that Amnesty describes as “highly problematic.” It also became compulsory on 22 May, with a penalty of up to three years in prison for people found to have not downloaded it.
The data-hungry approach favoured by Qatar is in stark contrast to Switzerland, which this week launched its own Covid contact-tracing app, SwissCovid, the first in the world to be built around privacy-first technology developed by Apple and Google. It operates in a “decentralised” manner, with Swiss health authorities receiving no information that can be used to track the pace of the outbreak. The Swiss app is used only by essential workers since primary legislation needs to be passed by the country’s MPs, which the government hopes can happen by June, before it can be made available to the general public.
The Open Government Coalition urges D.C. officials to do any work concerning digital contact tracing in the open, and to consider only tech tools designed in a privacy-protective and inclusive manner and with the greatest protection for sensitive data gathered.
If you have information on D.C. government plans to use contact tracing technologies and platforms, let us know at firstname.lastname@example.org.