Why ‘Mandatory Privacy-Preserving Digital Contact Tracing’ is the Ethical Measure against COVID-19

By Cansu Canca

Thanks to privacy-by-design technology, population-wide mandatory use of digital contact tracing apps (DCT) can be both more efficient and more respectful of privacy than conventional manual contact tracing, and considerably less intrusive than current lockdowns. Even if counterintuitive, mandatory private-by-design DCT is therefore the only ethical option for fighting COVID-19.

Since the first report of “a pneumonia of unknown cause” to the World Health Organization (WHO) on 31st of December 2019, the coronavirus disease 2019 (COVID-19) has spread to all continents. In just over 3 months, it resulted in over 1.6 million confirmed cases and over 95,000 deaths (as of April 10).

In the epicenters of the disease, healthcare systems become rapidly overwhelmed, resulting in high numbers of avoidable deaths. Preventing these fatalities is only possible by reducing the speed of transmission. The WHO and public health experts worldwide recommend rigorous contact tracing as one of the three main action items to achieve that (the other two being testing and isolation of confirmed cases).

Contact tracing helps control the epidemic by testing or precautionary self-isolation of suspected cases. However, traditional manual contact tracing is slow and subject to memory gaps. This is especially problematic in the case of COVID-19, where there are too many cases for too few health officials to track down. Moreover, because asymptomatic carriers are contagious during the disease's 14-day incubation period, the infected individual must recall every contact over a 2-week period, at a time when they are already experiencing tremendous stress, anxiety, and physical discomfort.

Digital Contact Tracing (DCT)

Digital contact tracing (DCT) can overcome these efficacy disadvantages. DCT uses digital means (often mobile phones) to make contact tracing faster and more accurate, thereby increasing its effectiveness. For example, Singapore’s TraceTogether uses a mobile app that detects and timestamps encounters and stores them in the device for three weeks. When an individual is confirmed to be infected, they can allow the health officials to use the data stored in their device to quickly get in touch with suspected cases. Similar efforts are now underway in the United States and in Europe.

The core concern in DCT is privacy. DCT is only possible if individuals’ location and health data are collected and matched. If done with no regard to privacy, this will provide state or private actors with masses of intimate and personal information for tracking and identifying individuals for various purposes. This would be a very powerful tool for governments to oppress their dissident citizens or for predatory companies to profile individuals. However, privacy-preserving design (or privacy-by-design) can prevent such abuses — not merely by prohibiting them (possibly in vain), but by making them technologically impossible.

Privacy-Preserving DCT (PP-DCT)

Privacy-preserving (PP) design means that individuals cannot know who is infected, who is suspected, and who might have exposed them to the virus. The only information individuals may receive is the mere fact that they were exposed to the virus. Most importantly, privacy-preserving design also means that governments cannot know who infected whom and where individuals have been. The only information available to governments or anyone else administering the system is a list of infected and suspected cases.

Contrast this to traditional manual contact tracing, an accepted but exceedingly intrusive practice. In manual contact tracing, connections between confirmed and suspected cases must be explicitly laid out to health officials. This means government officials will know where a positive-testing individual was and whom they interacted with (and likely in which capacity). The government official will thereby also learn a lot about those other people who have not (yet) tested positive. If such information were made public by the government to combat the inefficiencies of manual contact tracing, other individuals would also learn about the positive-testing individual’s test results and prior movement. Such transparency has not traditionally been provided but would arguably be justified to allow self-identification by anyone who has been in close contact with an infected individual, who may not remember or otherwise not disclose this contact to the government official.

None of these privacy violations would occur with DCT if it is designed for privacy. Design features that make this possible could include storing the data on the device, recording encounters in anonymized format, using Bluetooth proximity rather than location, and encrypting the data to prevent unauthorized persons from using the information stored. Various teams such as MIT’s Safe Paths, Stanford’s COVID Watch, and Pan-European Privacy-Preserving Proximity Tracing are developing DCT apps with privacy-by-design principles. Designers, ethicists, public health experts, and developers should collaborate to maintain a comprehensive list of features required to ensure that a DCT system preserves privacy. Privacy-by-design can only be ensured if the apps are open-source and audited by ethics experts and rights advocates for their compliance.
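To make the design features above concrete, here is an added simulation of a decentralized, privacy-preserving proximity-tracing scheme. It is not code from this post or from any of the projects named above; the parameters (96 rotating identifiers per day, a 21-day retention window, the `Device`, `meet` and `simulate` names, and the three-person scenario) are constructed for illustration. Each phone generates a secret daily key locally, derives short-lived identifiers from it, and stores only the identifiers it hears over Bluetooth. On a positive test, only the daily keys leave the phone; every other phone re-derives identifiers from the published keys and matches locally, so the server never learns who met whom or where, and a bystander cannot link one phone's identifiers across time slots.

```python
import hashlib
import hmac
import os

# Constructed parameters for the simulation (assumed, not from any real deployment).
SLOTS_PER_DAY = 96   # rotate the broadcast identifier every 15 minutes
RETENTION_DAYS = 21  # keep encounter records for three weeks, as the post notes TraceTogether does


def derive_ephids(daily_key: bytes, day: int) -> list:
    """Derive a day's rotating ephemeral IDs (EphIDs) from a device's secret daily key.
    Anyone holding the key can recompute the IDs; holding only an ID reveals nothing about
    the key or about the other IDs of the same device."""
    return [hmac.new(daily_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:16]
            for slot in range(SLOTS_PER_DAY)]


class Device:
    """A phone running the hypothetical app. Keys and encounters stay on the device;
    on a positive test only the daily keys are shared, never the encounter list."""

    def __init__(self, owner: str):
        self.owner = owner
        self.daily_keys = {}   # day -> 16 random bytes, generated locally the first time the day is used
        self.encounters = []   # (ephid_seen, day): no identity, no location

    def key_for(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, os.urandom(16))

    def broadcast(self, day: int, slot: int) -> bytes:
        """The identifier this device advertises over Bluetooth in the given time slot."""
        return derive_ephids(self.key_for(day), day)[slot]

    def record(self, ephid: bytes, day: int) -> None:
        """Store a nearby device's identifier and drop records older than the retention window."""
        self.encounters.append((ephid, day))
        self.encounters = [(e, d) for e, d in self.encounters if day - d < RETENTION_DAYS]

    def report_positive(self, first_day: int, last_day: int) -> list:
        """Everything that leaves the phone on a positive test: the daily keys for the
        contagious window (only days on which the phone was active have a key)."""
        return [(d, self.daily_keys[d]) for d in range(first_day, last_day + 1)
                if d in self.daily_keys]

    def exposed(self, published: list) -> bool:
        """Local matching: re-derive the EphIDs of all published keys and compare them with
        what this device heard. The answer is a bare yes/no, not who or where."""
        infected_ephids = set()
        for day, key in published:
            infected_ephids.update(derive_ephids(key, day))
        return any(e in infected_ephids for e, _ in self.encounters)


def meet(a: Device, b: Device, day: int, slot: int) -> None:
    """Two phones within Bluetooth range exchange and store each other's current EphID."""
    a.record(b.broadcast(day, slot), day)
    b.record(a.broadcast(day, slot), day)


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob, Bob meets Carol, Alice later tests positive."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    meet(alice, bob, day=5, slot=40)
    meet(bob, carol, day=6, slot=12)
    # Alice tests positive on day 8 and publishes her keys for the contagious window.
    server_list = alice.report_positive(1, 8)
    return {
        "bob_exposed": bob.exposed(server_list),       # True: Bob heard Alice's day-5 EphID
        "carol_exposed": carol.exposed(server_list),   # False: Carol only ever heard Bob
        "server_sees_names": any(isinstance(x, str) for item in server_list for x in item),
        "days_published": [d for d, _ in server_list],
    }


if __name__ == "__main__":
    print(simulate())
```

The `server_list` is the entire view the operator has: a list of (day, key) pairs with no names, no encounter graph, and no coordinates. Encryption of the stored keys and encounter list at rest, which the post also lists, is left to the platform keystore here and not shown.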

Mandatory Use of PP-DCT (MPP-DCT)

If privacy can be guaranteed by design, then, against initial appearances, DCT is so harmless that it ought to be rolled out on a mandatory basis. Up to now, government initiatives and public discourse seem to have considered only voluntary DCT. However, this inevitably leads to gaps in the adoption of DCT and hence avoidable gaps in tracing and, ultimately, inferior public health outcomes.

With voluntary adoption, only a subset of the population will agree to download the app, keep the app running, and/or share the data with the health officials (in Singapore only about one-sixth of the population downloaded the app). Non-adopters cannot be notified, tested, or isolated if they have been in contact with an adopter who tests positive for the disease. Nor can adopters be notified, tested, or isolated after contact with a non-adopter who tests positive — protecting non-adopters’ autonomy thus inevitably hinders others’ autonomy, because they lack the information to make decisions to protect their health and the health of others they interact with. To some extent, such gaps could be plugged with manual contact tracing, but, as already noted, manual contact tracing is less effective and more intrusive than privacy-preserving DCT. DCT can completely replace manual contact tracing and protect individual privacy only if PP-DCT is used society-wide, which only a mandate can ensure.

Mandatory privacy-preserving DCT (MPP-DCT) is the only ethical option because it is less restrictive and more efficacious than other measures that are already in place or being considered in the fight against COVID-19 and in public health generally. This is obvious with respect to manual contact tracing, as just explained: anyone advocating mandatory manual contact tracing must thus endorse MPP-DCT. It is also quite clear with respect to the mandatory lockdowns currently in place in much of the world. Even if MPP-DCT were used to impose mandatory quarantine on identified contacts, this would be much less intrusive than the lockdown, which is effectively mandatory quarantine for the entire population. In terms of intrusiveness, MPP-DCT also compares very favorably to traditional, accepted public health measures such as mandatory testing or vaccinations.

Importantly, measures such as lockdown can eventually be relaxed, at least to a certain degree, if we have efficient DCT that identifies all suspected cases and tests or isolates them before they spread the disease further. Slowing down the spread of the disease means that even if future waves of infection require further lockdowns, they could be less frequent and shorter, thereby constituting less of a limit on our liberties.

In the global fight against the COVID-19 pandemic, MPP-DCT is the ethical policy for finding and isolating infected and suspected cases. Failing to adopt such a system and to set its standards will result in countries pursuing more intrusive and/or less efficient, ethically inferior measures.

(Update: In a recorded panel discussion, I addressed the most common objections and concerns about this idea.)


This post was originally published on Medium.
