By Wahab Hamou-Lhadj, PhD | April 23, 2020

With so many countries planning to lift the lockdown and re-launch the economy, the risks of spreading the coronavirus (COVID-19) becomes higher unless a vaccine is found and deployed, a task that may take several months according to experts.

Social guidelines such as distancing, frequent hand washing, and the wear of masks should remain in effect, but these actions alone may not be sufficient to slow down the spread of the virus. Public health authorities must continue their effort in conducting rigorous contact tracing and testing.

Contact tracing has traditionally been done manually, a process that is time-consuming, limiting its scalability for a large population. Contact tracing apps have emerged as a possible solution that is considered (or used) by some countries to supplement (and not to replace) manual contact tracing efforts. Simply put, contact tracing apps use proximity data to enable health authorities to trace individuals who may have been in close contact with someone tested positive for the virus and send them instructions on how to proceed.

In my opinion, for these apps to gain wide acceptance, they should (a) satisfy a clear set of requirements and developed using best practices, (b) comply with the applicable privacy laws and regulations, and (c) operate within an open and transparent governance framework.

Understanding the requirements:

Contact tracing apps are before all software tools and their development should be based on a clear set of requirements and the adoption of best software development practices. App developers should work closely with health authority experts to understand the functional and non-functional (performance, scalability, security, etc.) requirements that an app should support.

To this end, I find the recently issued European Union requirement guidelines for contact tracing app development quite helpful. I summarize some of the key points in what follows (the complete document can be downloaded here):

• A contact tracing app should adopt "epidemiological heuristics" agreed upon by health authorities when referring to concepts such as distance, proximity, contact, etc. In addition, the guidelines provide detailed requirements for the handling of notifications of contacts.
• The app should be developed with data privacy and security in mind and must present “all guarantees for respect of fundamental rights, and in particular privacy and data protection, the prevention of surveillance and stigmatization”. The guidelines discuss briefly the advantages and disadvantages of decentralized vs. centralized data processing methods, which refer to whether proximity data stays on the user handset or is sent directly to a centralized server, stressing the fact that both options must be based on anonymized data and should never reveal the identity of the people infected.
• The guidelines converge towards the use of Bluetooth, a less privacy-invasive approach as opposed to GPS, to estimate proximity between individuals, without suggesting any specific architecture. Apps built on Bluetooth can also benefit from the changes to iOS and Android that were recenlty announced by Apple and Google to enable app developers to harness Bluetooth signals.
• The app should support features for automatically deleting information when no longer needed, i.e., after the crisis phases out.
• The app should support a number of other requirements using software best practices including (a) accuracy and precision, for example, when estimating the distance between individuals, (b) completeness by holding the entire history of contacts, (c) integrity by keeping authentic events, (d) scalability by not crashing when used by a large number of users, (e) security throughout the entire development lifecycle of the app, and (f) user-friendliness.
• In the probable situation where there could be many apps, it is essential for these apps to interoperate and work together.
• Contact tracing apps should satisfy accessibility laws to enable their use by individuals with disabilities.

Respect of data privacy laws and regulations:

Privacy-preservation goes beyond technology. App developers should be aware of the data privacy protection laws applicable in their respective countries and regions. These laws were created to protect the right to privacy, which is a fundamental human right.

For example, the EU General Data Protection Regulation (GDPR) that went into effect in 2018 regulates the collection, use, and disclosure of personal data of EU citizens by enforcing a set of principles that ensure "fairness and transparency" in processing of private data, and that organizations should only collect the data needed for a given purpose. In addition, the data must de deleted once no longer needed for the purpose it was collected. The complete list of GDPR principles can be found here.

In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates how “private companies across Canada collect, use or disclose personal data”. Similar laws to PIPEDA exist at the provincial level such as the Personal Health Information Protection Act of Ontario, Québec’s An Act Respecting the Protection of Personal Information in the Private Sector, etc.

Recently, the Office of Privacy Commissioner (OPC) of Canada issued a framework to help government institutions evaluate the impact on privacy for initiatives, such as the development of contact tracing apps, which would rely on the collection and processing of personal information to combat COVID-19.

OPC framework states that government institutions must operate within a legal framework by respecting the applicable data privacy laws (e.g., PIPEDA or other provincial laws) including any special provisions under emergency laws, and that any necessary new measures that may contravene actual laws must be based on scientific evidence and must be proportionate. Personal information must be used to combat the pandemic and not for any other purpose. Government institutions should also be mindful of the impact that the data may have on vulnerable populations to prevent discrimination and stigmatization. The complete list of guidelines can be found here.

In short, I believe that it is essential for contact tracing apps to comply with the applicable data privacy and protection laws and guidelines to preserve people's right to privacy, which can lead to increased trust in the use of these apps.

Governance and monitoring:

Countries should consider putting in place clear mechanisms to govern and monitor the use of contact tracing apps. The EU guidelines state that all apps must be approved by the competent health authorities, which are also the ones accountable for these apps. The installation of an app is on a voluntary basis and for situations where a person should provide identifiable personal information, an opt-in model is adopted.

I also believe that it is critical to establish monitoring processes to ensure that these apps work as intended and to allow public authorities take the necessary actions to address potential issues. The EU guidelines go further by suggesting that Member States “should develop a set of KPIs to assess/reflect the effectiveness of the apps in supporting contact tracing.” Various monitoring techniques have been proposed ranging from technical peer-reviews to thorough audits of the apps with respect to, among other things, privacy and security.

We should also keep in mind that the effectiveness of these apps heavily depends on user uptake and behaviour. Policy makers should consider public awareness campaigns to promote the appropriate use of these apps, while stressing the fact that people should not overly rely on these apps by relaxing other social measures. Contact tracing apps are just one tool, among others, as part of a government strategy to gradually lift the lockdown.

Furthermore, we must not forget groups of population who cannot use these apps (e.g., children, people with no smartphones). This is another reason why manual tracing must remain in effect and active.

In summary, it is difficult to assess the effectiveness of contact tracing apps in helping to combat this deadly disease, but I believe that the chances are higher if these apps are developed following a clear set of requirements established by the competent health authorities in charge of the crisis, adopt best software practices, and comply with data privacy laws and regulations. Governments should also put governance, monitoring and accountability mechanisms to ensure the appropriate and effective use of these apps and to prevent potential oversight and problems.

Dr. Wahab Hamou-Lhadj, a professor of computer and software engineering in the Department of Electrical and Computer Engineering at Concordia University, and the leader of the software research and technology lab (SRT).

For comments, please use email: wahab dot hamou-lhadj at concordia dot ca