COVID-19 and privacy: artificial intelligence and contact tracing in combatting the pandemic
COVID-19 is having a debilitating effect on people’s health and their economic well-being. People are being forced by social distancing/isolating edicts and provincial emergency closure orders to stay home. As we slowly look like we may be emerging from the first wave of this health and economic emergency, people are rightly asking how we can gradually start to re-open the economy and resume “semblances of normalcy” without triggering substantial negative health rebounds or violating privacy norms or rights.
Governments, medical practitioners, researchers, policy-makers and others have been feverishly pursuing solutions to this challenge. Medical solutions such as vaccines and treatment methods, including the use of antibodies and experimental medications such as placenta-based cell-therapy, are being pursued with understandable urgency. Testing for COVID-19, and for persons with COVID-19 antibodies, to identify lower-risk groups of individuals for whom the emergency measures could be relaxed is an obvious strategy being debated. German researchers are planning to introduce “immunity certificates” which theoretically could be used to identify some of these individuals. So far these conversations about testing have focused only on voluntary and not mandatory testing for the virus, thus not implicating privacy concerns, at least insofar as the testing results are used only for diagnosing and treating the individuals tested.
Artificial intelligence solutions
Artificial intelligence technologies are being used in varied ways to combat the pandemic. For example, AI has been used to identify and track the spread of the virus. A Canadian company, BlueDot, was among the first in the world to identify the emerging risk from COVID-19 in Hubei province and to publish a first scientific paper on COVID-19, accurately predicting its global spread using its proprietary models. AI technologies such as chatbots are being used as virtual assistants to provide information about the virus. AI has also been used to help diagnose the disease, including via the use of diagnostic robots, to predict which patients will likely develop severe symptoms requiring treatment, to develop drugs, and to find cures, including through literature searches for clues to cures buried in heaps of scientific literature. Data-mining operations have been conducted on large datasets to build predictive computer models to provide real-time information about health services, showing where demand is rising and where critical equipment needs to be deployed. AI has also found uses to monitor for crowd formations to help enforce social distancing rules. Some of these uses raise privacy compliance issues as they involve, amongst other things, the collection, use, aggregation, analysis and disclosure to third parties of datasets that may or may not include de-identified or re-identifiable data.
Other uses of AI for tracking and public surveillance purposes also raise privacy compliance issues and, depending on who is conducting these activities and the purposes, issues under the Canadian Charter of Rights and Freedoms. Tracking and surveillance such as using location data stored on or generated by smartphone use, scanning public spaces for people potentially affected using fever detecting infrared cameras, facial recognition and other computer vision surveillance technologies, are examples.
Contact tracing solutions
A solution that is increasingly being relied upon is COVID-19 contact tracing. Public Health Ontario defined contact tracing in an online notice linking to a Government of Canada website portal soliciting volunteers for the National COVID-19 Volunteer Recruitment Campaign as “a process that is used to identify, educate and monitor individuals who have had close contact with someone who is infected with a virus. These individuals are at a higher risk of becoming infected and sharing the virus with others. Contact tracing can help the individuals understand their risk and limit further spread of the virus.”
Contact tracing as an epidemic control measure is not new. It is infectious disease control 101, often deployed against other illnesses such as measles, SARS, typhoid, meningococcal disease and sexually transmitted infections like AIDS. The use of smartphone technologies and various other technologies to help identify and trace individuals with various diseases has also been proposed in connection with other diseases such as Ebola.
Contact tracing using location tracking capabilities to combat COVID-19 has already been implemented in other countries such as South Korea and Taiwan. It has also been deployed in China using a plugin app to the ubiquitous WeChat and Alipay apps. Use of the app was not compulsory, but it was compulsory in order to move between certain areas and public spaces. A central database collected user data which was analyzed using AI tools.
Singapore deployed its TraceTogether mobile application to enable community-driven contact tracing where participating devices exchange proximity information whenever an app detects another device with the TraceTogether app installed. It uses Bluetooth Relative Signal Strength Indicator (RSSI) readings between devices across time to approximate the proximity and duration of an encounter between two users. This proximity and duration information is stored in an encrypted form on a person’s phone for 21 days on a rolling basis. No location data is collected. If a person unfortunately falls ill with COVID-19, the Ministry of Health (MOH) would work with the individual to map out 14 days’ worth of activity, for contact tracing. And if the person has the TraceTogether app installed, he/she is required by law to assist in the activity mapping of his/her movements and interactions and may be asked to produce any document or record in his/her possession including data stored by any apps in the person’s phone.
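The following sketch is an added illustration, not TraceTogether's code, of how timestamped RSSI readings can be turned into proximity-and-duration records that are kept on a 21-day rolling basis. The signal threshold, the gap that ends an encounter, the peer labels and the sample readings are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)     # rolling window described in the text
NEAR_RSSI_DBM = -70                # assumption: readings at or above this count as "close"
MAX_GAP = timedelta(minutes=5)     # assumption: a longer silence ends an encounter


def encounters(readings):
    """Group (timestamp, peer_id, rssi_dbm) readings into (peer_id, start, end)."""
    open_runs, done = {}, []
    for ts, peer, rssi in sorted(readings):
        if rssi < NEAR_RSSI_DBM:
            continue                          # too weak: not treated as proximity
        run = open_runs.get(peer)
        if run and ts - run[1] <= MAX_GAP:
            run[1] = ts                       # same encounter, extend its end time
        else:
            if run:
                done.append((peer, run[0], run[1]))
            open_runs[peer] = [ts, ts]        # start a new encounter
    done.extend((p, r[0], r[1]) for p, r in open_runs.items())
    return sorted(done, key=lambda e: e[1])


def prune(records, now):
    """Drop encounters that ended more than RETENTION ago (rolling deletion)."""
    return [e for e in records if now - e[2] <= RETENTION]


def demo():
    now = datetime(2020, 4, 20, 12, 0)        # constructed sample data below
    t0 = now - timedelta(days=2)
    old = now - timedelta(days=30)
    readings = [
        (t0, "peerA", -60),
        (t0 + timedelta(minutes=2), "peerA", -65),
        (t0 + timedelta(minutes=4), "peerA", -62),
        (t0 + timedelta(minutes=1), "peerB", -90),    # far away, ignored
        (old, "peerC", -55),
        (old + timedelta(minutes=3), "peerC", -58),   # close, but past retention
    ]
    found = encounters(readings)
    return found, prune(found, now)
```

Only the derived records (peer label, start, end) are retained, and nothing in them is a location.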
The European Data Protection Supervisor (EDPS) has also called for a pan-European mobile app to track the spread of the virus in EU countries.
It may not be realistically possible to stem the COVID-19 virus and return to a semblance of normalcy without using a sophisticated contact tracing technology. It would take an army of coronavirus trackers to attempt to curb the spread of the disease using traditional contact tracing techniques. Further, even if contact tracing technologies would not replace humans, they could speed up the process of tracking down possibly infected contacts and play a vital role in controlling the epidemic. A research article published in Science concluded:
Organizations, recognizing the challenges in combatting the pandemic, have started to propose privacy-sensitive mobile phone based contact tracing solutions that could potentially be used in Canada. MIT researchers, for example, are developing a system that augments “manual” contact tracing by public health officials, while purporting to preserve the privacy of individuals. The system relies on short-range Bluetooth signals emitted from people’s smartphones. These signals represent random strings of numbers, likened to “chirps” that other nearby smartphones can remember hearing. If a person tests positive, he/she can upload the list of chirps the person’s phone has put out in the past 14 days to a database. Other people can then scan the database to see if any of those chirps match the ones picked up by their phones. If there’s a match, a notification will inform that person that they may have been exposed to the virus, and will include information from public health authorities on next steps to take.
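The chirp exchange described above can be illustrated with a short simulation. This is an added example, not the MIT researchers' code; the class and function names, the 16-byte chirp size and the sample dates are assumptions made for the illustration.

```python
import secrets
from datetime import date, timedelta

UPLOAD_WINDOW_DAYS = 14    # window stated in the text above
CHIRP_BYTES = 16           # assumption: 128-bit random chirps


class Phone:
    """One handset: it records the chirps it sent and the chirps it heard."""

    def __init__(self, owner):
        self.owner = owner     # label used only by this demo, never broadcast
        self.sent = {}         # chirp -> day it was broadcast
        self.heard = {}        # chirp -> day it was received

    def chirp(self, day):
        c = secrets.token_bytes(CHIRP_BYTES)   # random value: no identity, no location
        self.sent[c] = day
        return c

    def hear(self, c, day):
        self.heard[c] = day

    def upload_after_positive_test(self, today):
        """Chirps this phone put out in the past 14 days, for the shared database."""
        cutoff = today - timedelta(days=UPLOAD_WINDOW_DAYS)
        return {c for c, d in self.sent.items() if d >= cutoff}

    def exposure_days(self, database):
        """Matching is done on the phone: compare heard chirps to the database."""
        return sorted(d for c, d in self.heard.items() if c in database)


def meet(a, b, day):
    """Two phones within Bluetooth range on `day` each hear the other's chirp."""
    b.hear(a.chirp(day), day)
    a.hear(b.chirp(day), day)


def simulate():
    today = date(2020, 4, 20)                        # constructed sample date
    alice, bob, carol, dan = (Phone(n) for n in ("alice", "bob", "carol", "dan"))
    meet(alice, bob, today - timedelta(days=3))      # inside the 14-day window
    meet(alice, carol, today - timedelta(days=20))   # older than the window
    meet(bob, dan, today - timedelta(days=1))        # dan never met alice
    database = alice.upload_after_positive_test(today)   # alice tests positive
    return database, {p.owner: p.exposure_days(database) for p in (bob, carol, dan)}
```

In this run the database holds a single random value, only bob's phone finds a match, and the upload carries no name or location for either party.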
Last week Google and Apple announced they are jointly launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing while reportedly maintaining strong protections for user privacy. In May, both companies plan to release APIs that will enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores. Later, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms “that would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.” According to Apple and Google “Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze.”
A diagram of how the Apple/Google solution is intended to work is shown below.
As part of the partnership, Google and Apple released draft technical documentation including information on how user privacy will be maintained in their Bluetooth and cryptography specifications and framework documentation. The privacy enhancing features are described as “explicit user consent required”, the solution “Doesn’t collect personally identifiable information or user location data”, people you’ve been in contact with never leave your phone, “People who test positive are not identified to other users, Google or Apple”, and the app “Will only be used for contact tracing by public health authorities for COVID-19 pandemic management”.
The UK Government confirmed that the UK’s National Health Service (NHS) is also working on a contact tracing system with two technology companies. NHSX, the technological branch of the NHS, has reportedly been working on the software alongside Apple and Google. Experts in clinical safety and digital ethics are also involved. Pre-release testing is scheduled for next week. Apple also launched COVID-19 screening tools built in collaboration with the U.S. Centers for Disease Control and Prevention (CDC), Federal Emergency Management Agency (FEMA), and the White House. It promises that the tools include “strong privacy and security protections” and that Apple will “never” sell the data it collects.
It is unclear what contact tracing technologies the governments of Canada, the provinces or organizations operating in Canada will deploy. However, as contact tracing solutions using mobile phone technologies all involve at least some collection, use, and disclosure of personal data, their adoption will necessarily be influenced by a variety of factors including who implements the solutions (e.g. governments, health authorities and/or private organizations), and whether the operators are subject to privacy laws, or are given any special immunities from liability under emergency orders.
Privacy law issues
Canada has a myriad of federal and provincial laws across the country that could apply to any proposed contact tracing solution. Much would depend on the public or private entities, or combinations of organizations, that would be involved.
Federally, the Privacy Act applies to departments and ministries of the Government of Canada. This legislation includes provisions that regulate the uses and disclosures of personal information under the control of the government institution. The Privacy Act applies to Health Canada. (Health Canada also regulates medical devices under the Food and Drugs Act. Consideration may need to be given as to whether a contact tracing system which can include software (SaMD) and medical device data systems (MDDS) requires Health Canada approval.) Canada’s comprehensive privacy legislation PIPEDA could also be implicated if, for example, personal information is collected, used or disclosed by an organization in the course of commercial activities.
There are also a myriad of provincial laws that could apply. There are comprehensive privacy regimes in Quebec, Alberta, and British Columbia and health privacy laws such as those in the provinces of Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia. There are also privacy statutes that apply to provincial institutions. For example, in Ontario the Personal Health Information Protection Act (PHIPA) applies to health information custodians that include physicians, hospitals, and medical officers of health. The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) applies to various institutions including municipalities and boards of health. There are statutory or common law invasion of privacy laws across the country.
While there are some similarities between privacy laws across the country, there are also key differences. This includes differences in the standards for obtaining consents from individuals and the types of exemptions federal and provincial authorities and private organizations might look for. There is not, for example, a common framework like there is in the European Union under the GDPR which contains specific exemptions for processing data including when processing is necessary for reasons of substantial public interest and specific exemptions for health data. (This is one area that may be ripe for reform in Canada.)
There are numerous privacy considerations that could be taken into account in evaluating the adoption of technologies to tackle the COVID-19 epidemic. As for contact tracing technologies, the factors may include the architecture and protocols used by the solution, who has access to any data including public authorities and for what purposes, whether the use of the solution is voluntary or mandatory, whether the data is encrypted, whether users are anonymous, what is revealed by infected users to individuals they come into contact with, whether the system can be exploited by external parties, and how reliable and secure the system is.
All Canadians must certainly share a common goal of overcoming this pandemic. Until a vaccine is publicly available, measures to resume at least some of the economic and other activities that have been shut down will need to be considered. It seems likely that innovative new technologies such as artificial intelligence and contact tracing technologies could be deployed to foster this.
Artificial intelligence and contact tracing tools will not be the panacea that alone will solve this crisis. Artificial intelligence can be helpful, but one has to be cautious about evaluating overhyped claims about what AI can achieve and whether AI firms have the data and expertise to deliver on their promises. Experience with contact tracing such as in Singapore has shown shortcomings including the potential for not flagging cases where the virus has spread and producing false positives. Moreover, we won’t be able to re-open the country without much more, including widespread testing programs.
Privacy laws should not impede uses of technologies that can help ameliorate this emergency situation and which maintain an appropriate balance of privacy interests. Privacy laws in Canada have always recognized the need for balancing of interests. Privacy, as a moral or legal principle, does not trump all other laws or interests.
Ethical arguments for using mobile phone based contact tracing in privacy sensitive ways were cogently expressed by the University of Oxford researchers who authored the Science research article referred to above:
Some have argued that abridgements of privacy and democratic rights even in emergency situations create risks that measures may become permanent or be hard to reverse. However, in a thoughtful article recently published in the MIT Technology Review by Genevieve Bell, the director of the Autonomy, Agency, and Assurance Institute at the Australian National University and a senior fellow at Intel, the author concludes that the present circumstances justify a response to this pandemic that should be subject to a sunset clause.