The United Kingdom's Information Commissioner's Office has issued an opinion on the joint initiative by Apple and Google, referred to as the Contact Tracing Framework (CTF), to enable the use of Bluetooth technology to help governments and Public Health Authorities (PHAs) reduce the spread of the COVID-19 virus.

Key Takeaways:

The Contact Tracing Framework

The proposals for the CTF itself appear aligned with the principles of data protection by design and by default.

Data Minimization

• The exchange of information between devices does not include personal data such as account information or usernames.
• Matching processes take place on-device and are not undertaken by the app host or with the involvement of any another third party.
• The information required for the core functionality of contact tracing apps built using CTF does not use location data, either in the exchange between devices, the upload to the app host or subsequent notifications to other users from the app host.

Security Measures

Under the CTF, the exchange of information between devices and the upload of information to the app host incorporate a number of security measures including using cryptographic functions with additional safeguards.

For example:

• The generation of tokens takes place on the device and is not under the control of the contact tracing app utilizing the API, using cryptographic techniques to ensure that information broadcast to other devices is not directly related to an identifiable individual.
• The exchange of tokens between devices does not indicate COVID-19 status.
• While there may be circumstances where an individual could determine the identity of a diagnosed user (e.g. if they had only been in recent contact with a few people they know), these measures address risks about identification in circumstances such as public spaces.
• If a user is diagnosed, they can voluntarily upload the stored tokens on their device to the app host (e.g. a PHA) via an encrypted communications channel.
• While looking up the tokens of COVID-19-positive users is possible, that is only true for a technically advanced attacker under specific circumstances, meaning this risk appears low.
• The second-stage transfer of data to the app host is likely to be undertaken via transport layer security (TLS).
• No persistent user ID is broadcast. Instead, a sequence of pseudo-random tokens representing changing user IDs are broadcast

Purpose Limitation

Third-party app developers may also develop functionality that involves collection of additional data or new uses of existing data. This risks expanding the use of CTF-enabled apps beyond the stated purpose of contact tracing for COVID-19 pandemic response efforts. The Commissioner will monitor all developments, with an eye to ensuring that this purpose does not expand outward, in the phenomenon known as scope creep.

Contact Tracing Apps Using the CTF

• The processing of additional data by apps that use the CTF may be legitimate and permissible. This may be needed to support the public health utility of a tracing app and would need to be assessed on a case-by-case basis
• Organizations designing contact tracing apps are responsible for ensuring the app complies with data protection law where it processes personal data and the organizations are the controllers for that data.
• The primary responsibility for providing privacy information rests with app developers, including organizations that outsource the actual app design to a third party and app stores that make apps available to users, particularly where app developers are also controllers.
• The data protection by design and by default principles used in the development of the CTF DO NOT necessarily extend to all aspects of a contact tracing app that is built to use the CTF.
• If the app processes data outside the CTF’s intended scope, then the controller should ensure it assessed the data protection implications of this processing (along with any undertaken by way of the CTF) and ensure that the processing is fair and lawful. It is also crucial that the processing is transparent. This may involve a separate Data Protection Impact Assessment (DPIA) if the threshold criteria are met.

Transparency

• While Google and Apple’s app stores mandate specific requirements for the privacy information that apps must provide, it is currently unclear whether this would mean contact tracing apps utilizing the CTF must include information relating to the CTF.
• The responsibility cannot solely be placed on the user and the apps must clarify to the user who is responsible for the processing.
• Use of the CTF by apps must be documented and auditable.

Legal Basis

The Commissioner understands that most current proposals for contact tracing apps would rely on consent as the lawful basis for processing any personal data, and that installation of the apps is also voluntary.

Unclear matters that must be addressed:

• How will the CTF facilitate the collection of consent for the upload of stored tokens to the app host?
• How an app utilizing the CTF will manage this consent signal and how the CTF and an app may, between them, provide control to users.
• What impact consent withdrawal may have both on the effectiveness of contact tracing solutions and any notifications provided to other app users once an individual is diagnosed.

Security

Apps should adopt robust security (including the use of encryption, and covering each stage of the data processing), data minimization, transparency and user control. Any supporting technology, including centralized processing to support contact tracing, should follow the same principles.

Enforcement

The Commissioner is a reasonable and pragmatic regulator, and does not operate in isolation from matters of serious public concern. Regarding compliance with data protection, the Commissioner will take into account the compelling public interest in the current health emergency. Controllers should refer to the ICO’s guidance on COVID-19 that reflects this position.

Additional Information