UK Parliament's human rights committee pushes for better protections of coronavirus contact-tracing data in law

Decentralised app rolling out soon, but manual process remains problematic

In the absence of a working contact tracing app, the UK government has been forced to rely on manual data collection and human-powered tracing to identify potential cases of exposure to the Covid-19 virus. But, as Parliament’s cross-party Joint Committee on Human Rights claims in a new report, this is just as problematic as the original centralised app, particularly when it comes to user privacy.

The report acknowledged that human-powered contact tracing has many of the flaws that dogged the original application with respect to the deanonymised identification of individuals. "There has been little public debate of the privacy implications of manual contact tracing, but in some ways, the information gathered is more personal," the Committee said.

"Information gathered by a human contact tracer could feasibly be names of the people who were in contact, how long the contact was for and where they met," the report added, pointing out that a decentralised app would merely correlate two phones that have been within close proximity for more than 15 minutes.

Furthermore, as this information is recorded and stored digitally, any concerns regarding an app-based approach to contact tracing also apply to manual contact tracing.

The report raised eyebrows at the government's strategy of outsourcing contact tracing to third parties, like pubs and restaurants. One of the conditions that allowed the lifting of lockdown restrictions on the hospitality sector was that establishments would be forced to record the contact details of patrons. However, there have been instances where this track-and-trace information has been misused.

"There have been reports of customers being harassed after people obtained their numbers from sign-in books left on display in pubs and restaurants," the Joint Committee noted.

Irrespective of the ongoing national emergency, any organisation that collects data from the public is obligated to adhere to the existing data protection legislation, like GDPR and the UK's Data Protection Act. While the government has issued guidance to businesses, the Joint Committee questioned whether this information is being properly managed.

The report comes as the UK government is mere days away from launching its contact-tracing app in England and Wales. This follows the Northern Ireland Executive, which launched its own effort, StopCOVID NI, in July. This uses the purpose-made Bluetooth API interfaces created by Apple and Google in response to the pandemic, and is interoperable with the contact-tracing app used in the Republic of Ireland.

Similarly, the Scottish government has its own app, called Protect Scotland. Like StopCOVID NI, this also uses Apple and Google's tech, and has already received more than one million downloads.

The launch of the UK government's second contact-tracing app is already embroiled in confusion after a Downing Street spokesperson incorrectly told reporters yesterday that it wouldn't log interactions between users – which is a fundamental component of app-based contact tracing.

The government "clarified" later in the day that Thursday's app would include the feature.

Users will also be able to "check-in" to venues by scanning QR codes, allowing them to avoid providing their details directly to the establishment. A handwritten register will remain available for those without a smartphone. In addition, the app will support booking tests, checking symptoms, and displaying the ongoing risk level for a particular area.

The Joint Committee on Human Rights echoed previous calls for the government to protect contact-tracing data privacy with a bespoke law. Harriet Harman, who heads the committee, has previously described existing legislation as inadequate for the task and scope of any app designed to register the movements of the general population.

"To build trust with users, which has been shaken by high-profile missteps, the Government should introduce legislation which defines what data will be collected, how long it can be held, when it will be deleted," the report argued. "Such legislation should include a ban on contact tracing data being shared for any purpose other than combating the spread of Coronavirus."

As the experience of any country using app-based contact tracing shows, there will always be a need for human-powered processes. Not everyone owns a smartphone, and the apps themselves are voluntary. The report therefore suggested that any legislation should also extend to manual contact tracing.

"Manual contact tracing is the main component of the UK's test, track and trace system. This still involves data being collected; indeed, that data is arguably more sensitive than that collected by the app," it said.

"Whether that data is gathered digitally or manually, the legislation should limit how long manually gathered data can be held, define what type of information can be gathered, confirm when it will be deleted, and restrict it from being shared for any purpose other than combating the spread of Coronavirus." ®


Biting the hand that feeds IT © 1998–2022