Is our health more important than our privacy?
on 16 February 2021 for Tech Professionals
We recently invited privacy activist and director at the Ministry of Privacy Matthias Dobbelaere-Welvaert to give our Exellysts an online keynote on tracking applications, their known issues, and the impact they are having on our privacy. Besides some of the usual suspects, Matthias also briefly talked about the different privacy protocols behind several Corona tracking apps (such as the Belgian version, Coronalert) and explained the pros and cons of platforms implementing the DP-3T protocol.
Image: De Standaard – Rembrand Neirinckx
A Brief History of Privacy
The modern concept of data privacy can be traced back to the Gilded Age and the publication of an article in the 1890 Harvard Law Review called “The Right to Privacy” by Justice Louis Brandeis and Samuel Warren. The authors argued that “instantaneous photographs and newspaper enterprise” had “invaded the sacred precincts of private and domestic life” and introduced the concept of the “privacy of the individual”.
Up until this point, most people didn’t expect that their data would be private. For example, intercepting telegraph messages (i.e., ‘wiretapping’) was only illegal in a few US states and President Lincoln’s widespread wiretapping during the Civil War (1861-65) raised few, if any, eyebrows.
But “The Right to Privacy” helped bring about a shift in public opinion. The general public didn’t trust photography and wasn’t happy with this new intrusion into their lives. The same basic discussions have continued to this day; the only difference is that the technology being used has changed.
During the late 20th century, individual phones, rooms, and homes became the norm and invasive surveillance practices grew exponentially. George Orwell’s influential novel, 1984, portrayed a dystopian future where an all-knowing government sought complete control over its citizens’ lives. The NSA files released by Edward Snowden in 2013 showed that the scale of domestic surveillance in the US far surpassed anything previously imagined.
Privacy vs. (…): The Trade-Off
When it comes to privacy and staying safe, most people willingly trade some privacy for some security. Most people will happily share their location if it lets them access a GPS map service or pinpoint their phone if they lose it. Today’s young consumers willingly download and use location tracking ride-hailing apps that would once have been considered the stuff of nightmares.
In some cases, people are willing to share more of their data if it gives them a financial advantage. Insurance customers, for instance, will gladly share their medical data if it means lower premiums. While this practice isn’t widespread, Belgium had to introduce legislation to prevent insurers from asking for data from customers’ health trackers when calculating their fees.
This all begs the question:
Do we even care about data privacy?
The evidence suggests that for most people data privacy simply isn’t a high priority. Certainly not as high as the climate or the pandemic. Most people believe they are safe as they “have nothing to hide”. But this belief relies on the mistaken notion that society is static. It’s not. The idea that society doesn’t change can lull people into a false sense of security.
IMAGE: Big Data is watching you
From a privacy standpoint, the General Data Protection Regulation (GDPR) gives consumers plenty of rights, such as:
- A right of access
- A right to rectification
- The right to be forgotten
Companies’ business models mean that the more they know about you, the more they can sell you. The only difference is that under GDPR you should expressly consent to share your data or be tracked.
How is the GDPR doing?
Deloitte surveyed 2,000 people and found that 91 percent of people agreed to terms and conditions without reading them. Only 3% of millennials actually read the text. They are excessively long and purposefully use complex language, so people generally scroll down and click ‘Agree’. Companies could write a comprehensive T&C page on one page, but that’s not considered smart.
The bottom line? People love free stuff. And if data is the price of admission, we seem to be willing to cooperate. Most people are absolutely fine with this arrangement, which leads us on to the current state of play:
Privacy as a currency
If tracking is inevitable, then why not profit from it? After all, even paid services like YouTube Premium, which offers an ad-free experience for a monthly fee, still collect a lot of data. But is giving some personal data and getting a certain platform, money or a coupon in return really a good deal?
Since the introduction of the European PSD2 directive which stipulated that the customer is the sole owner of their details, we’ve seen several companies trying to offer a workable solution. Cake, a rather new banking app for example, shares 50% of their data-analysis revenue with its active users.
Simplifying the process: ‘Show me my data’
Show me my data is a privacy tool that makes sending a data request simple. They list all Belgian banks, operators, hospitals, cities, and insurers, and help automate the process of performing a data request.
Most people are interested in knowing who knows what about them but find it hard to create the right legal language to submit a data request or opt-out. ‘Show me my data’ makes this process as easy as a few clicks of the mouse.
Another fun platform to play around with is called How Normal Am I. You can basically look at it like a sort of interactive documentary (based on your own face) on how algorithms on face recognition work. It will definitely help you understand apps like Tinder better!
Corona Apps and their privacy protocols around the globe
Let’s have a short look at the various privacy protocols used in coronavirus tracking apps around the world and how they compare to each other.
Shortly after COVID-19 infections started taking hold outside China, BlueTrace emerged as one of the very first privacy protocols. Developed by the Singaporean government, this open-source application protocol helped stem the spread of the virus. It also powers the contact tracing for the TraceTogether app.
In its favor, BlueTrace preserves user privacy. The only personal information it collects is what users provide at the point of registration. Users can opt out, clear their personal information, and render any recorded data untraceable. Furthermore, a user’s identity cannot be ascertained by anyone except the health authority with which they are registered.
If a user tests positive, the health authority requests the contact log. If a user shares their log, it is sent to the health authority. This is the largest privacy concern: the data is stored and shared from a central server and uses centralized report processing.
Australia was the second country after Singapore to introduce a coronavirus-tracking app based on the BlueTrace protocol. COVIDSafe was introduced on 26 April 2020 and racked up three million downloads within 24 hours. The government set out a legal framework that was strict on data leaks and illegal access to the data.
After spending over AU$7 million on advertising, the app detected just 17 contacts and was (rightly so) labeled a failure.
The PEPP-PT (Pan European Privacy-Preserving Proximity Tracing) protocol uses centralized reporting and that’s why Belgium isn’t using it: centralization endangers user privacy. It relies on a three-step process:
- Authentication during registration
- Handshake (Proof-of-Work challenge)
While the PEPP-PT has its merits, here in Belgium we use DP-3T because it offers greater security and anonymity. Here’s how it works…
DP-3T (and Coronalert)
Most European countries are using apps based on the DP-3T protocol (Distributed Privacy Preserving Proximity Tracing) to track and control COVID-19 infections, including in Belgium where we use Coronalert.
This solution uses Bluetooth Low Energy (LE) to estimate the distance and time between app users while making use of decentralized reporting. In the legal framework, DP-3T has to be decentralized. This means that the central server never has access to your personal information.
DP-3T is currently in use by Austria, Croatia, Germany, Ireland, Italy, the Netherlands, Portugal and Switzerland. DP-3T apps use Ephemeral IDs (EphIDs), semi-random rotating strings that uniquely identify clients. When two app users meet, their apps exchange EphIDs and store them locally in a contact log.
DP-3T protocols offer a unique ‘double opt-in’ solution:
- The second opt-in comes into play when a user is infected. There is no mandatory action; the user chooses freely if they want to communicate that they have been infected.
Even from the standpoint of a privacy activist, this second opt-in can hamper the effectiveness of the app. Many users are not aware they have to manually push the button to communicate that they have been infected.
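The decentralized flow described in this section (rotating EphIDs, a local contact log, and a voluntary upload after infection) can be sketched as follows. This is an added example, not code from Coronalert or the DP-3T project: the key ratchet and EphID derivation are a simplified model of the published DP-3T design with SHAKE-256 standing in for its stream cipher, and `Phone`, `demo`, the seeds and the 96 epochs per day are illustrative assumptions.

```python
import hashlib
import hmac

EPHID_LEN = 16       # bytes per EphID
EPOCHS_PER_DAY = 96  # assumed: a new EphID every 15 minutes

def next_day_key(sk: bytes) -> bytes:
    """Ratchet the secret day key forward with a hash: SK[t+1] = H(SK[t])."""
    return hashlib.sha256(sk).digest()

def ephids_for_day(sk: bytes) -> list:
    """Expand one day key into that day's EphIDs (SHAKE-256 as stand-in PRG)."""
    seed = hmac.new(sk, b"broadcast key", hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest(EPHID_LEN * EPOCHS_PER_DAY)
    return [stream[i:i + EPHID_LEN] for i in range(0, len(stream), EPHID_LEN)]

class Phone:
    def __init__(self, seed: bytes):
        self.day_keys = [hashlib.sha256(seed).digest()]  # secret, never broadcast
        self.contact_log = set()                         # EphIDs heard over BLE

    def new_day(self) -> None:
        self.day_keys.append(next_day_key(self.day_keys[-1]))

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.day_keys[day])[epoch]

    def report_infection(self, first_day: int) -> bytes:
        """Opt-in upload: a single day key; later keys follow by hashing."""
        return self.day_keys[first_day]

    def count_matches(self, published_key: bytes, days: int) -> int:
        """Re-derive the reporter's EphIDs on-device and compare with the log."""
        hits, sk = 0, published_key
        for _ in range(days):
            hits += sum(e in self.contact_log for e in ephids_for_day(sk))
            sk = next_day_key(sk)
        return hits

def demo() -> dict:
    # Constructed, fixed seeds for reproducibility; a real app uses random keys.
    alice, bob, carol = (Phone(s) for s in (b"alice", b"bob", b"carol"))
    alice.new_day()
    for epoch in (10, 11, 12):                     # Bob is near Alice on day 1
        bob.contact_log.add(alice.broadcast(1, epoch))
    carol.contact_log.add(alice.broadcast(0, 5))   # Carol met Alice on day 0 only
    key = alice.report_infection(first_day=1)      # all the server ever receives
    return {"bob": bob.count_matches(key, 2), "carol": carol.count_matches(key, 2),
            "server_bytes": len(key)}

if __name__ == "__main__":
    print(demo())
```

Matching happens on each phone, so the server holds only the reporter's day key and never a contact log; because the ratchet is one-way, the day-0 encounter cannot be derived from the day-1 key.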
Exposure Notification System
The Exposure Notification framework was jointly developed by Apple and Google as a decentralized protocol to inform people if they had come into contact with COVID-19. Unlike DP-3T, it featured an opt-in feature ingrained in iOS using a local app. The protocol is similar to CovidWatch, the difference being that Exposure Notification is implemented at the operating system level. This allows more efficient operation as a background process, instead of requiring users to manually open the app and keep it open whenever they go out.
The Electronic Frontier Foundation (EFF) has shown that this protocol is vulnerable to ‘linkage attacks’, whereby sufficiently capable third parties install phone apps that act as beacons. This could potentially be used to identify people at certain times, for example when a person visits a certain location and that visit can be linked to that person. However, the risk of this happening is low as there are rarely enough people with beacons to do that sort of sniffing.
With the prospect of multiple lockdowns on a global scale, there’s a risk that the general public will accept deeper invasions of privacy without second guessing things like tracking apps, ANPR cameras and even drone surveillance. That’s why having these discussions remains necessary even during a global pandemic.
So, what do you think: is our health more important than our privacy?