CS Nov-Dec 2020
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
contact tracing<br />
WE HAVE CONTACT<br />
THERE IS AN INCREASING RELIANCE ON DATA-DRIVEN TECHNOLOGIES TO HELP CONTAIN COVID-19,<br />
ESPECIALLY THROUGH CONTACT TRACING. BUT MIGHT THESE INFRINGE HUMAN RIGHTS?<br />
All contact tracing apps have one thing<br />
in common: they record when you're<br />
close to someone else (usually in a<br />
way that preserves your privacy) and try to<br />
characterise how close and for how long,<br />
states Ian Levy, in a blog published on the<br />
National Cyber Security Centre website.<br />
In all sensible models, he points out, this<br />
information is held privately on the user's<br />
phone. "The differences start when someone<br />
reports they're ill. Then, the different design<br />
choices and cryptographic models dictate<br />
the public health responses your app can<br />
support." In his blog, Levy uses the word<br />
'anonymous' in its security sense. "That's<br />
different to the definition under GDPR and<br />
other law. The proper legal descriptions of<br />
the data we use are in the Data Protection<br />
Impact Assessments, which will be<br />
published," he continues.<br />
In the first model (known as 'the<br />
decentralised model'), you tell the system<br />
you're ill and give it no extra information.<br />
Periodically, it collects a list of everyone who<br />
has said they're ill and sends it out to all users<br />
of the app. "Individual devices look to see if<br />
any of its local contacts are on the list and<br />
tells their user, if this is the case (subject to<br />
some local risk modelling about the sort of<br />
encounters they had). Notifications will lead<br />
to some health interventions, probably selfisolation<br />
to start with."<br />
Those concerned about failures to protect<br />
individual's privacy have argued that this<br />
decentralised model is the one to follow,<br />
as it gives maximum protection. However,<br />
Levy argues that, "while the health authority<br />
would know the anonymous identity of the<br />
22<br />
computing security <strong>Nov</strong>/<strong>Dec</strong> <strong>2020</strong> @<strong>CS</strong>MagAndAwards www.computingsecurity.co.uk