How ‘Corona Apps’ Threaten Our Privacy

Surveillance apps might help contain coronavirus. But they are prone to inaccuracy and can create a false sense of security.

“Corona apps” are coming to Europe, to help governments in “trace and track” efforts to manage their coronavirus response. Tracking apps were already widespread in some
Asian countries before the now but privacy rights have largely discouraged their adoption in the West. 

Even in the face of a global pandemic, we shouldn’t rush to discard those privacy rights.

“Stopp Corona” was developed by the Austria Red Cross, and has the aim of reducing the time between the discovery of symptoms and the notification of social contacts. The app allows itself to “digitally handshake” people you interact with, and notifies those people if you happen to present symptoms, requesting them to self-isolate. The app now has more than 200,000 downloads, with growing popularity.

“Experts tell me: If the app obligation is limited in time and provided with a sunset clause, this is compatible with the EU data protection regulation and the constitution.” Those were the words of Austria's parliament chairman Wolfgang Sobotka in an interview, when asked whether so-called corona apps should be made mandatory.  He also believes that the movements of those who have not installed the app should be limited.

The Austrian digital rights advocacy group Epicenter.works doubts the efficacy of the Red Cross app, as it remains unclear which proximity would trigger a social handshake, and whether it would also work through walls. Adding to that, the app does not register the length of interactions, making it possible that harmless interactions like walking past someone will trigger a notification to isolate yourself. Epicenter.works cautions apps could create false sense of security, implying that healthy people would end up isolating while infected people would continue to go outside. The group also notes that the app requires access to users’ cell phone microphones.

Austrian Chancellor Sebastian Kurz seems to recognize that neither the Red Cross app nor any alternatives investigated by Vienna are in line with a constitutional vision of data privacy. He says:

It is a trade-off: What is more important to us? Data protection or that people can return to normal? Data protection or saving lives? Everything is based on voluntary action—until there is a vaccination we will have to continue to find measures.

Everyone wants things to return to normal, but it's disingenuous to suggest that the only alternatives to data privacy is more deaths or unending lockdown. Tracking apps make it possible to identify individuals merely by power of deduction (you going home regularly establishes the pattern that YOU live there). After the European Union had requested anonymized data from telecommunications operators, the Dutch privacy regulator said that anonymizing this data is not possible. The European Data Protection Supervisor (EDPS) agrees.

Just last summer, Belgian researchers released a study that proves that in apps, data can never be completely anonymous, and de-identified data can easily be re-assembled. They concluded that data anonymization was not enough to comply with the EU's strict GDPR (General Data Protection Regulation) rules. The latter rulebook was implemented recently, in an effort to make Europe free from misuse of data, for instance by social media networks.

It becomes clearer to European experts that it is awfully difficult to allow for corona apps that are compliant with GDPR. But with public support mounting, governments will feel enabled to act above established rules. A survey published by the Irish Computer Society shows that 87 percent of the Irish public is willing to share personal data. Now Germany, Norway, the Czech Republic, and Belgium are all working on their own apps that could track virus infections. Whether or not these comply with the rules, the responsible EU Commissioner Thierry Breton still doesn't seem to know.

Let's just hope that no European governments will come near the surveillance apparatus that South Korea has established. A "Coronamap" shows the movement of COVID-19 patients, and health authorities have access to everything from credit card information to CCTV camera footage. The government informs citizens about nearby cases via text messages, and reveals very sensitive information about citizens.

One stark example: A man in his 30s was humiliated online for visiting prostitutes, when in fact he was dining in a restaurant close to an area known for prostitution. After the man's name had been publicly dragged through the mud, health officials blamed the mistake on a "technical glitch." Note that the ability to know the man's whereabouts before he displayed of his symptoms means that all movements are constantly being tracked. 

It is also striking how dramatically the debate on personal privacy has shifted. There was a brief time when the bulk collection of data (even if merely meta-data) was a scandal, and when the presence of CCTV cameras was subject to public debate. Under COVID-19, people seem all so willing to surrender personal privacy in the interest of a feeling of personal safety, without much evidence that their data is treated with care or that the measures are even effective. As a result, fundamental rights will come out of this crisis in a worse shape than they have ever been.

Photograph by Catherine Lai/AFP via Getty Images.