COVID-19, Tracking and Privacy

Who can see your shit...

trust, security, identity management, privacy, GDPR, etc.

I receive, at a guess, around 10 or so emails every day (distinct; I also get a number of repeat emails from the same organizations around the issue) explaining how a company is taking steps to protect me during the COVID-19 situation. OK. That's great. But, interestingly, I don't care about any of that, to an extent. Here's what concerns me: How are you, as an organization, keeping your employees safe? Do they have enough, or even proper, PPE to do their jobs safely? How are my privacy and, by extension, my data being kept safe during this period, especially if some of your core technical team gets ill and can't do their job? How will that impact me, and my privacy? How secure are your servers from hackers, and other smart people?

In other words, how are you keeping your people safe? And how are you keeping my data safe?

The first question, I haven't got a clue. That is the purview of the various organizations. But I would hope that the employees are not some afterthought in terms of safety.

The second question, well, that is of more interest to me, and it is also, from a practical perspective, critical for them. Especially in Europe, and to lesser extents in Canada and the US, where the penalties are not nearly as much as in the EU. Why? Currently, there are a number of proposed ideas on how to track COVID-19 cases, and the big contenders are Google and Apple, both of whom offer solutions. But that is for later. Right now, let's have a look at how different jurisdictions are looking at tracking COVID-19, and how that impacts your rights.

To be fair, there are as many different interpretations of privacy as there are jurisdictions. The strictest jurisdiction is the EU. They introduced GDPR, after all. After that is Canada, in total, since they have updated PIPEDA and have added some GDPR-like language to it. After that are various US states; California is leading the charge there with CCPA, which is very close to PIPEDA. The main issue that I have with PIPEDA, CCPA, etc. is the lack of financial penalties for not protecting user privacy.

GDPR, on the other hand, is very serious with its penalties, recently fining some as much as 175MM EU. Pretty steep.


Many European countries, including Switzerland and Germany, are demanding that all user data generated by coronavirus contact tracing apps be stored on-device, rather than aggregated on a centralised server. They are looking for a way to not use Google or Apple for their apps, although the US CDC is moving forward with the Google / Apple suggestions.

With talk of lifting border restrictions taking place, European countries begin voicing their concerns over the ethical deployment of contact tracing apps. A new coalition led by Switzerland and backed by countries like Germany, Austria, Finland, and Italy, is concerned that contact tracing apps could be used to spy on citizens. They argue that data should be stored locally on a user's device, rather than held by government health officials.

This approach dovetails with the goals and implementations provided through Apple and Google Exposure Notification project. Apple and Google's API uses Bluetooth tracking tokens stored on a user's device to alert them when they've come in contact with someone who has tested positive for COVID-19.

The coalition has laid out a roadmap to enable national apps to exchange data and handle infections when people travel abroad. The primary goal is to help countries create a decentralized system that can still accurately alert those who may have been exposed to the virus.

The document states that everything must take place on a user's device, from generating identifiers to computing risk of exposure. They also clarify that any apps should be limited to distributing COVID-positive data, and not broadcast any information of those who have not tested positive.

"Everything about these projects has from Day One been about how we can make it work on an international level," Marcel Salathe, a digital epidemiologist at the Swiss Federal Institute of Technology in Lausanne, told Reuters.

From: [European countries form coalition over contact tracing app concerns]

As you can see, there are vastly different approaches to how privacy is handled, and how it is perceived. In America it is seen as not critical, and the data you provide is always seen as useful for marketing, and possibly other things. Whereas in Europe, they are insisting that it must be kept private and secure, and under the user's control. Two different approaches to the same problem. At its heart is the one underlying thing: TRUST. Do you trust the government to keep your data safe and secure? Do you trust the technology presented by Google and Apple to keep your data safe and secure?

Who Else?

At privid, we see your privacy as critical, and we have put in a tender to create a tracking app for COVID-19. Our system anonymises the user data, creating a token of sorts (not my favourite term, but it works, for now). This allows full anonymised tracking of data without revealing any user info. Our system is a dApp and can be stored on the device or on decentralised servers. Our core technology is all about privacy and anonymisation of data. We not only help organisations not get fined under GDPR, but we safeguard your data in an anonymised structure. We also have a validation and verification system for identity management even with complete anonymity. Your data is always safe.
