Contact tracing is seen as a crucial tool to combat the coronavirus pandemic. To facilitate this process, more and more countries are relying on digital mechanisms such as contract tracing apps. As their purpose is to track people’s location and movement, by their very nature these apps raise challenging questions about privacy, including for the press. For one, journalists must be able to protect their sources. ​For another, constant surveillance can have a chilling effect on investigative journalism.

IPI began monitoring the impact of the COVID-19 pandemic on press freedom in spring 2020. Students at the School of Public Policy at Central European University in Vienna have used IPI’s data to research the public policy implications of the pandemic when it comes to journalism. This article is a guest post by CEU student Mohammad Abu Hawash focusing on the nexus of contact tracing and press freedom.

(Note: This article was written by an external researcher and does not necessarily represent the views of the International Press Institute.)

In January 2021, The Singaporean government was embroiled in a political scandal surrounding the misuse of contact tracing data for the purpose of criminal investigations. The International Press Institute’s COVID-19 tracker picked up this story under its “surveillance/endangering Source Protection” category. Singapore’s three major contact tracing apps, TraceTogether, SafeEntry, and BluePass[1], were not being used solely to monitor users’ contact with COVID-19. Instead, the Singapore police was enjoying mostly unregulated access to the geolocation data of users- as reported by Reuters. The police claim that they were using this data for the purposes of criminal investigations only, but investigations of potential misuse are still ongoing. This is despite previous assertions by the Singapore government that users’ private data was used solely for COVID-19 contact tracing. Reuters highlighted TraceTogether’s claim that “data will only be used for COVID-19 contact tracing,” which was a false statement.

The Singaporean government responded quickly by issuing the COVID-19 (Temporary Measures) (Amendment) Bill. This bill regulates police access to contact data, limiting its use to seven so-called ‘serious offenses.’ The new bill also gives users the right to object to police use of their geolocation data from these apps, although it was not specified how users could file such an objection.

Pitfalls

As contact tracing apps began proliferating last year, tech journalists sounded the alarm. Simon Sharwood wrote in the The Register about the need for an “exit strategy from the overt surveillance of smart phone contact tracing… before we dive in.” Unfortunately, much of the world did not heed Sharwood’s words. Contact tracing apps were developed and rolled out with little in the way of regulations. Therefore, some governments are now acting in hindsight to regulate and control the wealth of data generated from contact tracing apps. The recent developments surrounding contact tracing data in Singapore shine light on the ubiquity of contact tracing apps worldwide and the risks they pose to data privacy. Singapore is by no means the first country to misuse contact tracing data from COVID-19 apps. This is indeed another case of a government experiencing widespread public pressure to extensively regulate the use of user data following revelations of misuse.[2]

Singapore’s revised bill does not prohibit the use of contact tracing data for non-contact tracing purposes, but it does restrict police access to this data. The Singapore police have legal permission to access contact tracing for the purpose of criminal investigations relating to the following seven issues (as stated in the seventh schedule of the amended COVID-19 temporary measures bill):

1. Unlawful use or possession of corrosive and explosive substances, firearms or dangerous weapons.
2. Any offence relating to committing, aiding, conspiring, abetting or financing of acts of terrorism as described in Singaporean law.
3. Any offence relating to causing death or concealment of death, or maliciously or willfully causing grievous bodily harm where the victim’s injury is of a life-threatening nature.
4. Drug-related offenses that are punishable by death under Singaporean law.
5. Any offence relating to escape from custody where there is reasonable belief that the subject will cause imminent harm to others.
6. Kidnapping, abduction or hostage-taking.
7. Any offence involving serious sexual assault such as rape or sexual assault by penetration.

In these situations, it is possible that culprits would have planned their act ahead of time. In such situations, culprits would have most likely disabled, uninstalled, or otherwise took measures to avoid being traced using one of Singapore’s contact tracing apps. This raises questions about the effectiveness of regulation.

While other countries may soon follow Singapore’s example in regulating the use of contact tracing data by law enforcement, such reforms may not be enough even if they address the privacy concerns left unanswered in Singapore’s recently amended bill.

Many countries worldwide suffer from weak judiciaries and compromised law enforcement agencies. In these countries, restricting the use of contact tracing data to ‘serious offenses’ might have adverse effects. For example, if a law enforcement agency wishes to intimidate or surveil an investigative journalist, it could subject them to legal persecutions simply to allow itself access to their contact tracing data.

One of the most concerning cases are those of investigative journalists who are actively investigating law enforcement authorities. These journalists might be put in a situation where they have to distort their own contact tracing data to avoid being tracked or intimidated by corrupt law enforcement officials who abuse police access to contact tracing data. This pandemic began just over a year ago. Therefore, it might take a while until more anecdotes of the misuse of contact tracing data come to light.

State institutions are not the only entities that can misuse contact tracing data. In the Philippines, for example, the National Privacy Commission began an investigation into the misuse contact tracing data by business establishments, as reported by The Philstar Global. One of the outcomes of this investigation is a bulletin that includes answers to FAQs on how businesses can utilize contact tracing data. FAQs help businesses develop a clear and sufficient understanding of government regulations without having to worry about reading legal documents like the Philippine Data Privacy Act of 2012, Republic Act no.11332, or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act. Despite the comprehensive Philippine regulatory framework governing contact tracing data collection, the enforcement mechanism of these regulations is lacking. Since before the pandemic, the Philippine privacy law punishes mishandling of data by penalties of up to five million Pesos and as many as six years in prison. Still, business establishments felt that they could risk breaking the law since the enforcement capacity of privacy laws in the Philippines is relatively low. In the Philippines, investigative journalists focusing on business establishments must ensure that their contact tracing data does not get compromised by the business establishments that they are investigating.

Journalists should also keep in mind the nuances of the political system wherever they are operating. In countries with decentralized political systems, such as the United States, regulations differ greatly across the country. According to Todd Ehret for Reuters, California has a robust regulatory framework for contact tracing data but many other parts of the US do not. While the decentralized regulatory framework can be a disadvantage for the US, its decentralized contact tracing system has many advantageous aspects to it. A decentralized contact tracing system reduces the risk of data being compromised. This is because each state has its own regulations and method of storing contact tracing data. Therefore, if a malign actor wanted to access the contact tracing data of the entire US, they would have to hack into approximately 50 jurisdictions – as opposed to just one.

In addition to their responsibility for their own individual security, journalists are also responsible for the protection of their sources. Many journalists around the world rely on confidential sources, without whom they would not be able to operate. Journalists must take additional security measures to avoid compromising their sources through contact tracing data. These sources must receive instructions on how to avoid compromising themselves as well, which will be challenging.

The issue of uptake must also be mentioned. It appears that the US, like Europe, was not seeing enough people voluntarily download contact tracing apps. This made the use of these apps mostly pointless for the fight to curb COVID-19 in communities where not enough people used these apps. So, while making it mandatory for citizens to download a contact tracing app will cause major privacy concerns, not making it mandatory may limit any potential benefits from tracing apps.

Widespread proliferations

Speaking to The Well (a publication at the University of North Carolina –Chapel Hill), Jues Polonetsky said “Anybody who’s dealt with public health is well aware that there isn’t a notion of privacy when you have a communicable disease.” In the same article, another expert, Jay Swaminathan, said “There’s a general fear that when integrated, centralized contact tracing is proposed in some governments and countries, this poses greater risk for individual data privacy and government’s potential future usage.” Both these statements continue to ring true. The next major global policy challenge will be to restore conventional notions of privacy as the COVID-19 pandemic ends while minimizing potential damage from the ubiquity of contact tracing data.

At the height of their popularity in July 2020, COVID-19 contact tracing apps were developed across the globe. Over time, some countries have downgraded or limited the use of such apps either for the same reasons previously mentioned or due to significant declines in COVID-19 cases locally.

While misuse of contact tracing data by law enforcement and corrupt politicians is a major concern, another concern has also arisen: that of fake contact tracing apps. The National Interest reported on a study conducted by Anomali Threat Research (ATR) highlighting the use of Anubis, Spynote, and other ‘generic malware’ in fake contact tracing apps. Exploiting the surge in popularity of those apps, scammers and malicious software programmers designed fake contact tracing apps that claim to be helping users trace their contact with COVID-19. In reality, these apps seek to steal users’ banking credentials and other sensitive data. According to ATR, fake contact tracing apps have emerged in Armenia, India, Brazil, Chhattisgarh, Columbia, Indonesia, Iran, Italy, Kyrgyzstan, Russia, and Singapore – and that was only in the first half of 2020. Since last June, tens more fake apps masquerading as contact tracing services emerged around the globe, including in Canada for example.

To address concerns with the trustworthiness of contact tracing applications, media platforms focusing on technology sprung to action. MIT Technology Review, for example, designed a simple rating system that gives contact tracing apps a grade between zero and five stars. The rating is based on the following five questions:

1. Is the service voluntary, or does a state force citizens to download this service?
2. Are there limitations on how the data gets used, and if so what are these limitations?
3. Will Data be destroyed after a period of time?
4. Is data collection minimized?
5. Is the effort transparent?

Proprivacy created a similar rating system where contact tracing apps are given a score out of ten. In addition to MIT Technology Review’s criteria, Proprivacy also asks whether the app relies on Bluetooth or GPS technology, who accesses the data (if such info is available), locations where the data is stored, and whether the app has a privacy framework (BlueTrace, DP-3T, or Apple/Google frameworks).  These two rating systems are easy tools for journalists to learn more about new considerations and security arrangements that they might have to make in light of COVID-19.

In addition to this, universities also sprung to action by tracking the development of contact tracing apps worldwide. The Blavatnik School of Government, in partnership with ourworldindata.org, created a user friendly and freely available tool tracking the development and use of COVID-19 contact tracing apps around the world (see the embedded interactive map or click here).

In the end however, the keys for change are (and always have been) in the hands of the public. Contact tracing apps are only effective if a large-enough collective of people use them. During the pandemic, millions of people downloaded coronavirus tracing apps, either voluntarily or based on local requirements. Theoretically, however, citizens’ trust in tracing apps and willingness to comply with requirements to use them can be taken away in the same way it was given. Even in the most repressive states, if a large-enough group of people uninstalls a COVID-19 contact tracing app or some similar action, the government will be forced to listen and accommodate the public’s grievances because such an act would render the app almost useless. Therefore, policymakers must take action to regulate the use of contact tracing apps before the public takes drastic measures in response to flagrant infringements of the right to privacy. If some countries reach a stage where collective public dissent is needed to end the mandatory use of contact tracing apps, it will already be too late. This is because collective public dissent is a sign of systemic failure in government. Such dissent reflects the failure of policymakers to act in accordance with the public interest.

Perhaps this pandemic will be over before the situation with contact tracing apps deteriorates any further. Much of the world has already stopped using these apps already. However, there are lessons learned here that we should remember for the next time. Contact tracing technology existed long before the pandemic, but never on this scale. Contact tracing software is now a global privacy issue.

Conclusion

Writing for the Fair Observer, Claire Downing described COVID-19 contact tracing as a ‘Wolf in sheep’s clothing’ and questioned whether these apps were necessary for the fight against COVID-19 in the first place. Despite the frequent cases of misuse and the persistent ubiquity of COVID-19 contact tracing data, these apps do not have to remain a part of our lives. Whether they are effective in the fight against COVID-19 or not, a society should have the right to choose not to use contact tracing apps if they pose a significant threat to the freedoms and safety of citizens. Until then, journalists must remain vigilant in ensuring their personal security and the confidentiality of their research.

Implications

While writing this article, I came to understand contact tracing technology differently. Conceptually, contact tracing methods have existed for as long as humans have known about communicable diseases. Public health experts of our contemporary times inherited this concept from older civilizations that experienced pandemics. The utilization of geolocation data revolutionized the concept of contact tracing. In doing so, it created new risks that public health administrators and professionals are still contending with.

Our societies at-large are still comprehending the consequences of contact tracing on our privacy. As we reflect on the implications of the proliferation of contact tracing technology, we should also think about those who work in fields that require contact tracing on a daily basis. Long before the pandemic, many workers – especially blue-collar workers – were contractually obligated to share their geolocation data with their employers. Indeed many of the contact tracing apps used in Singapore (where my investigation started) were originally designed to track the movements of workers of different professions between their residence and workplace. As governments lift the mandates for contact tracing apps, these workers will continue to share their private geolocation data. In what situations are we as a society going to accept the use of contact tracing?

[1] The latter two apps existed before the pandemic and were initially used by workers to log entry and exit at their workplace but were repurposed to be used for COVID-19 contact tracing.

[2] Another example where the use of contact tracing data faced a strong public backlash is in the United States, as exemplified by this Vox article.