UK ICO Issues Opinion on the Apple and Google COVID-19 Contact Tracing Framework

The UK Information Commissioner's Office has issued an opinion on the joint initiative by Apple and Google (referred to as the Contact Tracing Framework (CTF)) to enable the use of Bluetooth technology to help governments and public health authorities (PHAs) reduce the spread of the virus.

Key takeaways:

The Contact Tracing Framework (CTF):

The proposals for the CTF itself appear aligned with the principles of data protection by design and by default.

Data minimization:

  • The exchange of information between devices does not include personal data such as account information or usernames;
  • Matching processes take place on-device and are not undertaken by the app host or with the involvement of any other third party; and
  • The information required for the core functionality of contact tracing apps built using the CTF does not use location data, either in the exchange between devices, the upload to the app host or subsequent notifications to other users from the app host.

Security Measures:

Under the CTF, the exchange of information between devices and the upload of information to the app host incorporate a number of security measures including using cryptographic functions with additional safeguards. For example:

  • The generation of tokens takes place on the device and is not under the control of the contact tracing app utilizing the API, using cryptographic techniques to ensure that information broadcast to other devices is not directly related to an identifiable individual.
  • The exchange of tokens between devices does not indicate COVID-19 status.
  • While there may be circumstances where an individual could determine the identity of a diagnosed user (eg if they had only been in recent contact with a few people they know), these measures address risks of identification in circumstances such as public spaces.
  • If a user is diagnosed they can voluntarily upload the stored tokens on their device to the app host (eg a PHA) via an encrypted communications channel.
  • While looking up the tokens of COVID-19-positive users is possible, it is only possible for a technically advanced attacker in specific circumstances, meaning this risk appears low.
  • The second-stage transfer of data to the app host is likely to be undertaken via transport layer security (TLS).
  • No persistent user ID is broadcast. Instead, a sequence of pseudo-random tokens representing changing user IDs is broadcast.
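The token exchange described in the list above, reduced to a runnable model (an added illustration, not code from the ICO opinion or from Apple and Google's framework): each device generates fresh pseudo-random tokens locally, keeps both the tokens it broadcast and the tokens it heard on the device, uploads only its own stored tokens if diagnosed, and performs matching locally so the app host never learns whom a device met. Token size, rotation interval, and the class and function names are assumptions made for this example.

```python
"""Constructed model of on-device token generation, exchange and matching.

Assumptions (not from the ICO opinion): 128-bit random tokens, a fixed
rotation interval, and the Device/AppHost structure below. The real
framework's cryptography is more elaborate; this shows only the data flow.
"""
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16        # assumption: 128-bit tokens
ROTATION_MINUTES = 15   # assumption: how often a device changes its token


@dataclass
class Device:
    name: str
    own_tokens: list = field(default_factory=list)  # what this device broadcast
    observed: set = field(default_factory=set)      # what it heard from others

    def rotate_token(self) -> bytes:
        """Next broadcast token, generated on-device from fresh randomness.
        It carries no persistent ID, no account data and no COVID-19 status,
        and it is identical in form whether or not the user is diagnosed."""
        token = secrets.token_bytes(TOKEN_BYTES)
        self.own_tokens.append(token)
        return token

    def hear(self, token: bytes) -> None:
        """Record a token received over Bluetooth; stored only on this device."""
        self.observed.add(token)

    def diagnosis_upload(self) -> list:
        """Voluntary upload of this device's OWN stored tokens to the app host
        (over TLS in a real deployment). The observed set is never uploaded."""
        return list(self.own_tokens)

    def check_exposure(self, published: set) -> bool:
        """On-device matching: compare locally observed tokens with the
        published list of diagnosed users' tokens. The host learns nothing."""
        return not self.observed.isdisjoint(published)


class AppHost:
    """Server run by the PHA; it only ever holds tokens of diagnosed users."""

    def __init__(self) -> None:
        self.published = set()

    def accept_upload(self, tokens) -> None:
        self.published.update(tokens)


def encounter(a: Device, b: Device) -> None:
    """Two devices in Bluetooth range exchange their current tokens."""
    b.hear(a.rotate_token())
    a.hear(b.rotate_token())


def simulate() -> dict:
    """Constructed scenario: alice meets bob, bob meets carol, alice is diagnosed."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    host = AppHost()
    encounter(alice, bob)
    encounter(bob, carol)
    alice.rotate_token()                      # alice rotates again while alone
    host.accept_upload(alice.diagnosis_upload())
    return {
        "bob_exposed": bob.check_exposure(host.published),
        "carol_exposed": carol.check_exposure(host.published),
        "alice_exposed": alice.check_exposure(host.published),
        # the host holds exactly the diagnosed user's tokens, nothing observed
        "host_holds_only_diagnosed": host.published == set(alice.own_tokens),
        # every broadcast token was distinct: no persistent identifier
        "tokens_unique": len(set(alice.own_tokens)) == len(alice.own_tokens),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Bob, who heard one of Alice's tokens, is flagged on his own device; Carol, who never met Alice, is not; and the app host's published set contains nothing about Bob's or Carol's contacts, which is the property the matching-on-device and minimal-upload points above are getting at.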

Purpose Limitation:

Third-party app developers may also develop functionality that involves collection of additional data or new uses of existing data. This risks expanding the use of CTF-enabled apps beyond the stated purpose of contact tracing for COVID-19 pandemic response efforts. The Commissioner will monitor all developments, with an eye to ensuring that this purpose does not expand outward, in the phenomenon known as scope creep.

Contact Tracing Apps Using the CTF:

  • The processing of additional data by apps that use the CTF may be legitimate and permissible. This may be needed to support the public health utility of a tracing app, and would need to be assessed on a case-by-case basis.
  • Organizations designing contact tracing apps are responsible for ensuring the app complies with data protection law where it processes personal data, and the organizations are the controllers for that data.
  • The primary responsibility for providing privacy information rests with app developers (who create apps; this may include organizations who outsource the actual app design to a third party) and app stores (who make apps available to users), particularly where app developers are also controllers.
  • The data protection by design and by default principles used in the development of the CTF DO NOT necessarily extend to all aspects of a contact tracing app that is built to use the CTF.
  • If the app processes data outside the CTF’s intended scope, then the controller should ensure it assesses the data protection implications of this processing (along with any undertaken by way of the CTF) and ensure that the processing is fair and lawful. It is also crucial that the processing is transparent. This may involve a separate data protection impact assessment if the threshold criteria are met.

Transparency:

  • While Google and Apple’s app stores mandate specific requirements for the privacy information that apps must provide, it is at present not clear whether this would mean contact tracing apps utilizing the CTF must include information relating to the CTF.
  • The responsibility cannot solely be placed on the user, and the apps must clarify to the user who is responsible for the processing.
  • Use of the CTF by apps must be documented and auditable.

Legal Basis:

The Commissioner understands that most current proposals for contact tracing apps would rely on consent as the lawful basis for processing any personal data, and that installation of the apps is also voluntary.

Unclear matters that must be addressed:

  • How will the CTF facilitate the collection of consent for the upload of stored tokens to the app host.
  • How an app utilizing the CTF will manage this consent signal and how the CTF and an app may between them provide control to users.
  • What impact consent withdrawal may have both on the effectiveness of contact tracing solutions and any notifications provided to other app users once an individual is diagnosed.

Security:

Apps should espouse robust security (including the use of encryption, covering each stage of the data processing), data minimization, transparency and user control; any supporting technology, including centralized processing to support contact tracing, should follow the same principles.

Enforcement:

The Commissioner is a reasonable and pragmatic regulator, and does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, the Commissioner will take into account the compelling public interest in the current health emergency. Controllers should refer to the ICO’s guidance on COVID-19 that reflects this position.
