It is often said that the Internet of Things makes the invisible visible. That is the IoT’s most significant feature, but it is also probably its biggest drawback. More sensors on more people mean the IoT develops into a visible web of human connections that can be used, for example, to track a virus.
Today, the world is using track-and-trace programs to monitor outbreaks of COVID-19 and its spread. However, because these programs do so through easily enabled mass surveillance, we need to put rules in place about how any attempt to track the movements of people is undertaken. In April, Google and Apple said they would work together to build an opt-in program for Android and iOS users. They further said that the program would use phones’ Bluetooth connections to deliver exposure notifications. This means that transmissions are tracked by who comes into contact with whom, instead of where people spend their time. Other proposals would use location data provided by phone applications to determine where people are traveling.
These are different approaches, but at their core they are all still tracking programs. Any such program that we implement to track the spread of COVID-19 should follow some basic guidelines to ensure that the data is used only for public health research. This data should not be used for marketing, commercial gain, or law enforcement. It shouldn’t even be used for research outside of public health.
To make this concrete, consider the limits we should place around this data. A tracking program for COVID-19 should be implemented only for a prespecified duration that is tied to a public health goal, such as reducing the spread of the coronavirus. So, if we are going to collect device data and do so without requiring a user to opt in, governments need to enact legislation that explains what the tracking methodology is, requires an audit for accuracy and efficacy by a third party, and sets a predefined end. Ethical data collection is also critical.
Apple and Google’s Bluetooth method uses encrypted tokens to track people as they pass by other people. The Bluetooth data is people-centric, not location-centric. Once a person uploads a confirmation that they have been infected, their device can issue notifications to other devices that were recently nearby, alerting users, anonymously, that they may have come in contact with someone who is infected. And while it might be possible to match a person to a device, it would not be easy. Ultimately, linking cases anonymously to devices is safer than merely collecting location data on infected individuals. The latter makes it easy to identify people based on where they sleep at night and work during the day, for example.
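The matching flow described above, as an added example that is not from the original article and is not Apple and Google’s actual specification: a simplified model in which each device derives rotating tokens from a secret daily key and matching happens locally, with no location stored. The HMAC-SHA256 derivation, the 10-minute interval, and the names `Device`, `derive_token` and `run_demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: a new token every 10 minutes


def derive_token(daily_key: bytes, interval: int) -> bytes:
    """Rotating token for one interval; tokens cannot be linked without daily_key."""
    msg = b"token" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self):
        self.daily_key = os.urandom(16)  # stays on the device unless uploaded
        self.heard = set()               # tokens seen nearby; no location stored

    def broadcast(self, interval: int) -> bytes:
        return derive_token(self.daily_key, interval)

    def hear(self, token: bytes) -> None:
        self.heard.add(token)

    def exposed_intervals(self, published_keys) -> list:
        """Re-derive tokens from keys uploaded by confirmed cases; match locally."""
        hits = []
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if derive_token(key, interval) in self.heard:
                    hits.append(interval)
        return sorted(hits)


def run_demo():
    # Constructed scenario: Alice is near Bob in intervals 50-52, never near Carol.
    alice, bob, carol = Device(), Device(), Device()
    for interval in (50, 51, 52):
        bob.hear(alice.broadcast(interval))
    carol.hear(Device().broadcast(50))  # a stranger's token, unrelated to Alice
    published = [alice.daily_key]       # Alice uploads her key after a positive test
    return bob.exposed_intervals(published), carol.exposed_intervals(published), bob.heard


if __name__ == "__main__":
    bob_hits, carol_hits, heard = run_demo()
    print("Bob exposed in intervals:", bob_hits)
    print("Carol exposed in intervals:", carol_hits)
    print("Distinct tokens Bob stored:", len(heard))
```

Bob stores three tokens that look unrelated until Alice's key is published, which is why an observer collecting broadcasts cannot easily tie them to one device or to a place.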
Conversely, researchers should have access to some form of data after a few years have passed. Notably, if we can get this right, we can use the lessons of the COVID-19 case not only to protect public health but also to promote a more privacy-centric approach to the IoT.