‘Contact tracing apps should be strictly voluntary, no forced adoption’: Natl Security Commission on AI

A National Security Commission on AI white paper says that contact tracing apps can provide value in helping to control the spread of COVID-19, but that the apps should be “strictly voluntary” and without forced adoption.

As privacy and human rights advocates continue to express concern over contact tracing apps potentially being used as a means of mass surveillance, the National Security Commission on AI (NSCAI) released a white paper that called on lawmakers to draft legislation on the ethical use of technology to meet the COVID-19 challenge.

“Missteps could undermine core civil liberties, put inappropriate information and power in the hands of government or private corporations, and deepen inequalities in our healthcare and society” — NSCAI White Paper

The white paper, “Privacy and Ethics Recommendations for Computing Applications Developed to Mitigate COVID-19,” is billed as offering “recommendations to put civil liberties at the center of contact tracing methods, and to ensure that federally funded AI tools used in pandemic response account for potential bias and avoid introducing additional unfairness into healthcare delivery and outcomes.”

First on the list of recommendations, contact tracing and civil liberties.

NSCAI Recommendation: Leverage technology, policy, and law to put civil liberties considerations at the center of contact tracing methods and tools

Contact tracing technologies and apps can provide healthcare providers and governments with valuable data for policymakers, but how that data is collected, where it goes, how it’s used, and how long it will be kept are important for maintaining civil liberties.

The Wall Street Journal just came out with an explainer on how contact tracing apps work, which you can check out in the video below.

According to the NSCAI report, the benefits of contact tracing include:

• “By tracking geo-location and/or co-location data, mobile contact tracing applications offer tools ranging from helping a user improve the efficiency and completeness of manual contact tracing interviews to identifying and alerting individuals who may have been exposed through proximity to an infected person.”
• These technologies, “may provide value in helping to control the spread of COVID-19 when they are coupled with effective policies for testing and with periods of isolation for those who test positive or are determined to be at high risk for having been exposed to the infection.”

While there are some short-term benefits to contact tracing, the long-term risks are great.

“Missteps could undermine core civil liberties, put inappropriate information and power in the hands of government or private corporations, and deepen inequalities in our healthcare and society,” the authors note.

Contact tracing potential abuses include:

• A government could use the data collected to track citizens’ movements and identify people with whom they have had contact, leading to a coercive, involuntary approach to public health or the exploitation of the information for other purposes.
• In the hands of a corporate actor, the same personal data could be exploited for narrow private gain.

According to the report, “Privacy-sensitive policies and technologies, voluntary usage, and ethical practices around disclosure and consent are central considerations with the use of contact tracing technology, but there are no coherent national or international standards for contact tracing applications.”

Contact Tracing ‘Best Practices’

The authors offer 12 best practices for contact tracing applications:

• Make the use of mobile-based contact tracing applications strictly voluntary. The government should not in any way compel or force  the adoption or use of these applications.
• Provide disclosure of how the collected data will be used, how long it will be kept, to whom it will be accessible and for what purpose, and the known risks and limitations of the application in advance of accepting usage.
• Require that users must explicitly consent to the use of the application and data collected by it before any data is collected or analyzed. Users must be allowed to withdraw consent at any time. Additional consent should be requested in advance of sharing information about sensitive changes in status, such as new information on testing positive for illness.
• Collect the minimum amount of data required for the task of contact tracing and hold the data for only as long as it is needed for the task before it is deleted. Automate deletion of collected data after it has served its purpose, and within relatively short windows of time as needed for detecting risk of infection.
• Utilize privacy-sensitive technology, architecture, and protocols including the use of data encryption with an effective and secure encryption scheme to minimize risks to privacy.
• When performing data analytics that is consented to by end users, include aggregation of the data of multiple users that adhere to strict rules of anonymization, such as the use of principles of k-anonymity where values of k are large enough to minimize threats of identification of individuals.
• Store user data on the user’s own device(s), unless express permission is granted to share. To obviate the concerns with having a central database held either by a governmental or a private entity, a third-party free approach is strongly preferred, as the risk of third party access is reduced if the data is not shared, but instead stored on local, user devices.
• Store encrypted location data on a user’s own device for the sole purpose of use by individuals for memory jogging in support of manual contact tracing. However, for the sharing of data in larger automated solutions, limit shared data to encrypted information about proximities among users, rather than absolute locations, to minimize risks to privacy.
• Carefully consider challenges with inclusiveness and potential discrimination based on systematic differences in familiarity, abilities, and disparity of access to mobile devices for contact tracing technologies, as well as differences in COVID-19 testing among populations of different demographics and socio-economics, including race, ethnicity, gender, age, education, and income levels. To mitigate differences in familiarity with contact tracing applications, informational resources should be provided both online and offline. In areas where mobile contact tracing will not be feasible and areas that are disparately impacted by testing access and resources, gaps must be filled with more intensive manual contact tracing efforts. The Federal government should invest in understanding and addressing disparate effectiveness of contact tracing because of differences in access to technologies.
• Review of proposed solutions and applications should be undertaken by expert panels of privacy and security experts, including panelists with expertise in cryptographic methods and adversarial attacks on security, and representatives from civil liberties organizations.
• Publish proposed systems and invite red-teaming, including adversarial attacks as part of the design process, including study of malevolent attacks that can flood systems with false information about infection and well-being.
• Adopt proposed systems that are co-designed in the context of larger strategies and considerations, including disease testing, and modeled on a larger scale aimed at understanding the effectiveness of technology given real-world considerations, such as sensitivity to different levels of usage in communities and different coverage or availabilities of tests for COVID-19. Proposed systems should be used as a tool to complement, not replace, human efforts such as manual contact tracing.

The authors went on to make recommendations surrounding bias and unfairness in dealing with COVID-19-related data in their 18-page report.

Massive data surveillance, warrantless wiretapping, and the weaponization of intelligence agencies against private citizens were all conducted in the name of national security following the 9/11 attacks.

Threats to privacy and civil liberties now loom in the form of a national health crisis where the COVID-19 pandemic response has the potential for abuse and exploitation like those that occurred post 9/11.

Would you be OK with being forced to adopt contact tracing technologies?