Virginia Dignum, Ricardo Vinuesa, Andreas Theodoru and I wrote a scientific paper, aimed at governments and decision makers, describing the ethical framework by which contact-tracing applications should be designed and developed.
This ethical and social framework, if applied, guarantees the balance between the global equilibrium (that of governments, and the effectiveness of the app in providing epidemiological data) and the local equilibrium (that of citizens, and the usefulness of the app, together with the rest of the strategy, for living safely in all areas of their lives without being discriminated against).
The proposed evaluation framework is based on a total of 19 criteria, divided into the three following categories:
A. Impact on the citizens
B. Technology and
C. Governance.
These criteria are derived from different regulations and guidance documents and from the concerns raised by experts. Each criterion is measured on a scale from 0 to 2, as discussed next.
As an example of application of this framework, Figure 1 shows the result for three apps: Stopp Corona (developed in Austria), NHS COVID-19 (being developed in the United Kingdom) and TraceTogether (which has been deployed and utilized in Singapore since March 20, 2020).
In addition, we also analyze the European Data Protection Board (EDPB) guidelines, and assess to what extent they comply with our framework.
We observe that all the apps have low scores in Governance, and none of them complies with criteria 15, 17 and 19, which are in our view important areas for any digital contact tracing.
The EDPB guidelines provide a clause to halt the use of apps once the situation returns to ‘normal’. This can be seen as vague, since ‘normal’ is open to interpretation considering the socio-economic changes lockdowns brought.
A clearer date, unless further action is taken, would be preferred. The EDPB guidelines also require criterion 19, but they do not include any requirement regarding geotagging (relevant for criterion 17).
It is also important to stress the importance of using a decentralized protocol (criterion 7), a feature which is neither implemented by the NHS COVID-19 app nor required by the EDPB guidelines, while TraceTogether only partly complies with it through a mixed centralized/decentralized protocol. We believe that this approach should be implemented in any digital contact-tracing app, in order to fully ensure the safety of citizen data.
A. Impact on the citizens
1. Respecting fundamental rights of individuals: This includes the rights to safety, health, nondiscrimination and freedom of association (2). Unclear information/only partially respecting these rights (1), or not respecting them (0) are not adequate.
2. Privacy and data protection: Data collection should be compliant with the General Data Protection Regulation (GDPR) [6] and respect the privacy of the individual. A Data Protection Impact Assessment (DPIA) must be carried out before the deployment of any contact-tracing system. The purpose of the app and the mechanisms to assess its usage need to be clearly defined. All these requirements should be fulfilled (2), whereas fulfilling them only partially (1) or not at all (0) are not adequate.
3. Transparency rights: They include the right of users to be notified, to control their own data, transparency regarding which personal data are collected, and of explanation of app-produced output. The app should be auditable. Fulfillment of all requirements (2) is suitable, whereas fulfilling them only partially (1) or not at all (0) are not adequate.
4. Avoid discrimination: The app needs to prevent stigmatization due to suspected infection (2). Unclear information/measures to avoid this (1), or the lack of a plan to address this issue (0) are not adequate.
5. Accessibility: Possibility to be used by all regardless of demographics, language, disability, digital literacy and financial accessibility. All these requirements should be fulfilled (2), whereas addressing them only partially (1) or not at all (0) are not adequate.
6. Education and tutorials: Ensure that users are informed and capable of using the app correctly, including e.g. in-app help (2), or external materials, e.g. website (1). Absence (0) is not adequate.
B. Technology
7. Decentralized protocol: E.g. use of the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) architecture. Furthermore, the app needs to allow interoperability. Bluetooth is preferred over GPS. A fully decentralized protocol is best (2), whereas mixed (1) or completely centralized approaches are not adequate (0).
8. Data management: Ensure data-minimization principle, i.e. usage of local and temporary storage, and encryption, based on principles of data protection by design. Ensure that only data strictly necessary are processed. All these requirements are needed (2), whereas unclear documentation (1) or lack of compliance with all of them (0) are not adequate.
9. Security: User authentication to prevent risks such as access, modification, or disclosure of the data. Use unique and pseudo-random identifiers, renewed regularly and cryptographically strong. Compliance with these requirements is needed (2), whereas unclear (1) or lack of compliance (0) are not adequate.
10. App easy to deactivate/remove: Either through clear instructions or automatically by sunset clause (2). Unclear (1) or difficulties for removing the app and the data (0) are not adequate.
11. Open-source code: Participatory and multidisciplinary development, access to the code and methods used for adaptation to new knowledge on the virus (2). Open-source code without the possibility of contributing (1) is not recommended, and non-open-source code is undesirable (0).
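Criteria 7, 8 and 9 come together in how a decentralized protocol such as DP-3T rotates identifiers and matches them on the phone. The following is an added illustration modelled on the DP-3T low-cost design, not code from the paper or from any of the apps assessed; it simplifies the real parameters (HMAC-SHA256 stands in for both the PRF and the PRG, and a "day" has only 4 epochs instead of 96), and the seed values are constructed for the demo.

```python
"""DP-3T-style ephemeral IDs (constructed illustration, simplified parameters)."""
import hashlib
import hmac

EPHID_LEN = 16          # bytes broadcast over Bluetooth in each epoch
EPOCHS_PER_DAY = 4      # DP-3T uses 96 fifteen-minute epochs; shortened here
BROADCAST_KEY = b"broadcast key"


def next_day_key(sk: bytes) -> bytes:
    """Ratchet the daily seed: SK_t = H(SK_{t-1}). Publishing SK_t after a
    positive test reveals days t onward, never the days before t."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk: bytes) -> list:
    """Derive the day's ephemeral IDs as PRG(PRF(SK_t, "broadcast key")).
    The IDs are pseudo-random and unlinkable without SK_t (criterion 9)."""
    prf = hmac.new(sk, BROADCAST_KEY, hashlib.sha256).digest()
    return [
        hmac.new(prf, i.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
        for i in range(EPOCHS_PER_DAY)
    ]


def exposure_check(observed: set, published_keys: list) -> bool:
    """Runs on the user's phone (criterion 7): regenerate the IDs of each
    published seed and compare with IDs this device saw locally. Only the
    seeds of infected users travel over the network; observed IDs stay on
    the device (criterion 8)."""
    for sk in published_keys:
        if any(ephid in observed for ephid in ephids_for_day(sk)):
            return True
    return False


def demo() -> dict:
    """Constructed scenario: Alice's day-0 and day-1 keys; Bob only saw one
    of Alice's day-1 IDs. Alice later publishes only her day-1 seed."""
    sk0 = bytes(32)                        # constructed seed, not a real one
    sk1 = next_day_key(sk0)
    bob_observed = {ephids_for_day(sk1)[2]}
    return {
        "ids_rotate": len(set(ephids_for_day(sk0) + ephids_for_day(sk1))) == 8,
        "exposed_day1": exposure_check(bob_observed, [sk1]),
        "not_exposed_day0": not exposure_check(bob_observed, [sk0]),
    }
```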
C. Governance
12. Public Ownership: Ownership by the State is preferable (2), whereas a Health Agency (1), a research institute (1) or a private/commercial party (0) are less adequate.
13. Data governance should be made public: Open data governance is preferable (2), while intermediate (1) or private/opaque settings (0) are not suitable.
14. Use: Downloading the app needs to be voluntary (2). Furthermore, the use of the app cannot be mandatory to access certain places (1) or otherwise be legally enforced (0).
15. Sunset clause: This needs to be clearly specified with a clear date and procedure (2), while unclear information (1) or the lack of such a clause (0) are not adequate.
16. Legislation and Policy: Clear, broader legal framework voted through parliament (2) or partial governmental policy (1), whereas no policy or an unknown one (0) is not desirable.
17. Incidental Findings and dual-use policy: Purposes beyond contact tracing (e.g. placing people at crime scenes, identification of behaviour patterns) are strictly prohibited (2). If not, at least a policy stating the other potential uses of the collected data (1) needs to be in place.
18. Design Impact Assessment and Open Development Process: Explicit design process, including clear description about aims and motivation, stakeholders, public consultation process and impact assessment (2). Unclear information (1) or the lack of such an assessment (0) are not adequate.
19. Right to contest/liability: Users need to be able to contest decisions or demand human intervention (2). Partial/unclear compliance (1) or the lack of this feature (0) are not adequate.