Building Privacy into COVID-19 Digital Solutions
From enhanced contact tracing to teleconferencing, we have seen a vast number of digital solutions appear in response to the COVID-19 pandemic. The sheer complexity of the situation has given rise to several problems that innovators have attempted to address through various means. However, in all the rush to come up with ways to combat the virus, the privacy of end users must still be respected. With this in mind, I have listed a few recommendations for developers who are in a position to integrate privacy into the design of their solutions. I have tried to provide more technically inclined examples below, but by no means do I claim expertise in any of their implementations. Rather, I hope that these can make it easier for readers to imagine how to operationalize these principles in their own practice.
1. Collect the bare minimum amount of information needed to fulfill the solution’s objective.
It must be communicated clearly, both to end users and to your internal team, what the exact purpose of the solution is. From there, you must identify what information absolutely needs to be collected for the application to meet this stated purpose.
If the application is meant to trace a person’s whereabouts for contact tracing, then it is unnecessary to ask for a user’s gender or height or to ask them to upload a photo. If your website’s form has a field that is tagged as optional, consider removing it instead. Ask yourself if it is truly relevant to the objective or if it is simply a nice-to-have meant for some vague data analytics down the road. If developing a mobile app, request only the phone permissions that make sense for the purpose. If your app is meant to inform users of positive cases near them, why does it need microphone permissions?
2. Decrease granularity of information collected
Once you have identified what is most necessary for your application to run, consider decreasing how granular or specific the information you collect about your user is.
If the objective is to create a heat map based on IP geolocation of users, consider “rounding down” the IP address to the nearest subnet. Let us say that the map is meant to show COVID-19 case density up to the barangay level and that the IP address range of 180.190.50.1–254 identifies a particular barangay. Consider storing the person’s IP address as 180.190.50.0 to reflect that they are part of that barangay without recording their more specific IP address (and location).
Another method of geolocation is based on extracting longitude/latitude coordinates via an API. If going with this method, a suggestion would be to assign a central node with its own coordinates for each barangay. A user’s coordinates would then be rounded off to the nearest node’s coordinates rather than stored as their actual longitude/latitude.
Another way to decrease granularity is by asking users to identify with a certain category instead of giving you the actual information. COVID-19 solutions will most likely ask for a user’s age, since this reflects the probability of the user being at risk. But instead of asking users to input a specific age and storing this value in your database, you can ask users to choose from a drop-down list that could include categories like Child (0–12), Teenager (13–17), Young Adult (18–29), Middle Age (30–59), and Senior (60 years old and above).
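The three reductions described in this section (subnet rounding, snapping coordinates to a barangay node, and age banding), together with the "collect only what you need" rule from section 1, can be applied in one place before anything is written to the database. The following is an added example, not code from the article; the barangay names and node coordinates are constructed placeholders, and the `/24` prefix is assumed to be the subnet that identifies a barangay, as in the 180.190.50.x illustration above.

```python
import ipaddress

# Constructed reference nodes: one central coordinate per barangay.
# Names and coordinates are hypothetical placeholders, not real boundaries.
BARANGAY_NODES = {
    "Barangay A": (14.5995, 120.9842),
    "Barangay B": (14.6760, 121.0437),
    "Barangay C": (14.5547, 121.0244),
}

# Age categories as listed in the article; the last band is open-ended.
AGE_BANDS = [
    (0, 12, "Child (0-12)"),
    (13, 17, "Teenager (13-17)"),
    (18, 29, "Young Adult (18-29)"),
    (30, 59, "Middle Age (30-59)"),
]
SENIOR_BAND = "Senior (60 and above)"


def generalize_ip(ip: str, prefix_len: int = 24) -> str:
    """Zero the host part of an address and keep only the /prefix_len network,
    e.g. 180.190.50.123 -> 180.190.50.0 for /24. Works for IPv4 and IPv6;
    raises ValueError on malformed input, so bad data never reaches storage."""
    network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(network.network_address)


def snap_to_node(lat: float, lon: float) -> tuple:
    """Return (barangay name, node coordinates) for the nearest node.
    Only the node's coordinates are kept, never the user's own fix.
    Comparing squared differences in degrees is adequate for neighbouring
    barangays; a haversine distance would be needed at larger scales."""
    def squared_distance(node):
        node_lat, node_lon = node
        return (node_lat - lat) ** 2 + (node_lon - lon) ** 2

    name = min(BARANGAY_NODES, key=lambda n: squared_distance(BARANGAY_NODES[n]))
    return name, BARANGAY_NODES[name]


def age_band(age: int) -> str:
    """Map an exact age to one of the coarse categories."""
    if age < 0:
        raise ValueError("age must be non-negative")
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    return SENIOR_BAND


def minimize_record(raw: dict) -> dict:
    """Keep only what the heat map needs, at reduced granularity.
    Any other field in the raw submission (name, photo, height, ...) is
    dropped here rather than stored 'just in case'."""
    name, coords = snap_to_node(raw["lat"], raw["lon"])
    return {
        "subnet": generalize_ip(raw["ip"]),
        "barangay": name,
        "lat": coords[0],
        "lon": coords[1],
        "age_band": age_band(raw["age"]),
    }


if __name__ == "__main__":
    # Constructed submission containing more than the heat map needs.
    submission = {"ip": "180.190.50.77", "lat": 14.6001, "lon": 120.9900,
                  "age": 44, "name": "example user", "height_cm": 170}
    print(minimize_record(submission))
```

Because `minimize_record` builds a fresh dictionary from a fixed set of keys, a new field added to the front-end form cannot silently start being stored; a developer has to add it here deliberately, which is the point at which the "is this truly relevant?" question from section 1 gets asked.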
3. Delete once data ceases to be relevant
The average incubation period of the virus on its host is 14 days. If developing a digital contact tracing solution, consider storing a user’s information in your database only for around this length of time, perhaps with a few days’ leeway. Anything more than that is intuitively irrelevant to the purpose of contact tracing, but could be used for more malicious purposes if this data were breached.
Implementing this recommendation could be a matter of configuring your SQL databases to automatically delete entries once their age has reached a certain threshold.
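A retention sweep of the kind described above, as an added example that is not part of the article: it uses SQLite so it runs anywhere, stores timestamps as ISO 8601 UTC strings so that the `<` comparison in the `DELETE` is chronological, and keeps the window at the article's 14 days plus an assumed 3-day leeway. The schema and sample tokens are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Retention window: the 14-day incubation period cited above plus an
# assumed leeway of 3 days.
RETENTION_DAYS = 14 + 3


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the contact-tracing store (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        " id INTEGER PRIMARY KEY,"
        " user_token TEXT NOT NULL,"
        " seen_at TEXT NOT NULL)"  # ISO 8601 in UTC, so string order is time order
    )
    return conn


def record_contact(conn: sqlite3.Connection, user_token: str, seen_at: datetime) -> None:
    """Insert one contact event, normalising the timestamp to UTC first."""
    conn.execute(
        "INSERT INTO contacts (user_token, seen_at) VALUES (?, ?)",
        (user_token, seen_at.astimezone(timezone.utc).isoformat()),
    )
    conn.commit()


def purge_expired(conn: sqlite3.Connection, now: datetime,
                  retention_days: int = RETENTION_DAYS) -> int:
    """Delete every row older than the retention window; return the count removed.
    Rows exactly on the cutoff are kept (strict '<')."""
    cutoff = (now.astimezone(timezone.utc) - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM contacts WHERE seen_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def remaining_tokens(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT user_token FROM contacts ORDER BY id")]


def run_demo() -> tuple:
    """Populate three constructed events and run one sweep."""
    now = datetime(2020, 5, 1, tzinfo=timezone.utc)  # constructed reference time
    conn = open_db()
    record_contact(conn, "token-a", now - timedelta(days=20))  # past the window: deleted
    record_contact(conn, "token-b", now - timedelta(days=17))  # exactly on the cutoff: kept
    record_contact(conn, "token-c", now - timedelta(days=3))   # recent: kept
    deleted = purge_expired(conn, now)
    return deleted, remaining_tokens(conn)


if __name__ == "__main__":
    print(run_demo())
```

In a deployment, `purge_expired` would be invoked by a scheduled job (cron, or the database's own scheduler where it has one) with the real clock; passing `now` as a parameter keeps the sweep testable against a fixed date, and returning the deleted count gives the operator a figure to log so that a sweep that silently stops running is noticed.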
4. Maintain confidentiality to the necessary parties involved
The National Privacy Commission maintains that the Data Privacy Act of 2012 is not meant to deter the response to COVID-19. I will not delve into the legalities of whom you should be sharing your collected information with, but assuming that it is with parties of legitimate interest, the next step must be securing how this information is shared.
There are different methods of sharing information over the Internet, and all vary in security and convenience. On a more technical level, it could mean providing restricted database privileges to third-party personnel, setting up a Secure File Transfer Protocol (SFTP) server, or using a managed file-sharing service. On a more consumer level, it could mean encrypting an Excel sheet sent out over a private email server or changing the permission of a Google Drive shareable link to “only specific people can access.”
Whichever way you choose to secure your transfer and access, remember that data provenance, or the ability to trace and record the origins and movement of data, is also becoming an increasingly important aspect of ensuring the security and privacy of our data.
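Two of the ideas in this section, restricted database access for an outside party and a provenance record of what was shared with whom, can be sketched together. The following is an added example, not the article's code: a view exposes only the columns a recipient needs (the phone column never leaves the base table), and every export is logged with the recipient, source, row count and a SHA-256 digest that the recipient can check on arrival. SQLite has no per-account privileges, so the example only models the shape; on a server database the recipient's account would be granted `SELECT` on the view alone. The schema, recipient name and sample rows are constructed.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone


def open_store() -> sqlite3.Connection:
    """Constructed schema: raw table, restricted view, and a provenance log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (
            id INTEGER PRIMARY KEY,
            user_token TEXT NOT NULL,
            phone TEXT,              -- never exposed through the view
            barangay TEXT,
            seen_at TEXT NOT NULL
        );
        CREATE VIEW contacts_shared AS
            SELECT user_token, barangay, seen_at FROM contacts;
        CREATE TABLE provenance_log (
            id INTEGER PRIMARY KEY,
            exported_at TEXT NOT NULL,
            recipient TEXT NOT NULL,
            source TEXT NOT NULL,
            row_count INTEGER NOT NULL,
            sha256 TEXT NOT NULL
        );
    """)
    return conn


def export_for(conn: sqlite3.Connection, recipient: str, now: datetime) -> tuple:
    """Serialise the shared view as JSON lines and log who received it.
    Returns (payload_bytes, hex_digest); the digest travels with the file."""
    rows = conn.execute(
        "SELECT user_token, barangay, seen_at FROM contacts_shared "
        "ORDER BY seen_at, user_token"
    ).fetchall()
    lines = [json.dumps({"user_token": t, "barangay": b, "seen_at": s}, sort_keys=True)
             for t, b, s in rows]
    payload = ("\n".join(lines) + "\n").encode("utf-8")
    digest = hashlib.sha256(payload).hexdigest()
    conn.execute(
        "INSERT INTO provenance_log (exported_at, recipient, source, row_count, sha256) "
        "VALUES (?, ?, ?, ?, ?)",
        (now.astimezone(timezone.utc).isoformat(), recipient, "contacts_shared",
         len(rows), digest),
    )
    conn.commit()
    return payload, digest


def verify_export(payload: bytes, digest: str) -> bool:
    """Recipient-side check that the file matches the logged digest."""
    return hashlib.sha256(payload).hexdigest() == digest


def provenance_entries(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT recipient, source, row_count, sha256 FROM provenance_log ORDER BY id"
    ).fetchall()


def run_demo() -> tuple:
    """Insert two constructed rows, export once, and return what a reviewer would inspect."""
    conn = open_store()
    conn.executemany(
        "INSERT INTO contacts (user_token, phone, barangay, seen_at) VALUES (?, ?, ?, ?)",
        [("token-a", "0917-000-0001", "Barangay A", "2020-04-20T08:00:00+00:00"),
         ("token-b", "0917-000-0002", "Barangay B", "2020-04-21T09:30:00+00:00")],
    )
    now = datetime(2020, 5, 1, tzinfo=timezone.utc)  # constructed reference time
    payload, digest = export_for(conn, "city-health-office", now)
    return payload, digest, provenance_entries(conn)


if __name__ == "__main__":
    payload, digest, log = run_demo()
    print(payload.decode(), digest, log)
```

The provenance table answers the question "which dataset went to whom, when, and in what state" without the operator having to reconstruct it from mail archives or SFTP logs; keeping the digest alongside the record also lets a later investigation confirm whether a file found elsewhere is the one that was actually shared.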
5. Provide an opt-out for users
It is important that users are provided an explicit, straightforward way to opt out of your service and express their desire to delete their information from your database. Leaving a catch-all Contact Us form on your page, although technically a way for a user to make their preference known, is rarely enough, since it conveys that your organization is simply reacting to a request rather than proactively giving users the option.
6. Consider decentralization of data
Developers may intuitively design their applications to extract all information generated by users and send it to a central database. Although not always feasible, decentralizing your data away from your own servers towards your users’ local devices can be another way of respecting privacy. There is already a contact tracing mobile app that stores the information generated by users only on their own devices. Once the person has been confirmed to have tested positive for the virus, they are then asked to provide their data to authorized personnel, who will extract the relevant information from the individual’s device.
7. Explore less invasive technologies to achieve the same goal
Depending on the expertise of your dev team, consider using more “intrinsically private” technologies to achieve the goals of your solution. While there is no definite list of which technologies meet these criteria, choosing which path to take may come down to a matter of expanding your creativity to what is possible. Perhaps instead of asking a telecommunications company to provide a detailed list of the movements of all mobile phone users in their jurisdiction — effectively robbing users of consent — why not use Google and Apple’s Bluetooth and cryptography specifications to provide users with a less intrusive way of knowing who they have been in contact with?