“Apps” are multiplying for tracking users affected by COVID-19 and also in Italy – it seems – institutions are evaluating similar solutions while private entities have already developed software of this sort.
Inevitable, and often inappropriate, the alarms for the “violation of privacy” – as if the necessary limitations of the other fundamental rights that we are suffering were nothing at all – and those invoking the GDPR (which, I repeat ad nauseam, does not apply to the protection of public order and security, national security and other associated misfortunes and disasters). But this does not mean that it would be good to overlook the principles of the GDPR. Even putting aside regulatory precepts approaches based on need-to-know (do I need – or right – to process specific data? And who receives them?) and secure software design (OWASP exists “regardless” of the GDPR) are fundamental elements for the functioning of a digital ecosystem, especially in times of emergency.
That said, it is certainly possible that the Government can access the movement data of users of electronic communication services and their personal identity associated with the device. The problem, if anything, is “who else” can do it if this tracking happens through third-party software, whose functioning is conditioned by the way the operating system works. Translated:
- smartphones store information on users’ movements and make it available to “apps” that use this data to offer services based on geolocation,
- although in several cases, geolocation operates “on-demand”, there are documented cases in which the operating system installed in the terminal (Android, in this case) has recorded this data nonetheless,
- these data, with all due respect of the GDPR, systematically end up outside the EU.
Another issue to consider is the impact of such software on public order and security resulting from the choice of whether or not to make the data in question – even anonymized – available to citizens. By doing this, the risk of triggering a “manhunt” or fomenting tensions would be extremely high, and the (criminal) responsibility of those who make such instruments available to the people would be a matter to discuss.
The aspects related to the use of a “governmental” application to be used for fighting COVID-19 would be many others, but for the moment it makes sense to expect such software:
- only works in passive mode, in the sense of making the information available only to public authorities, with no possibility for the user to become aware of the processing results,
- prevents anyone (including Apple and Google) from accessing the association between GPS data and COVID-19 data (knowing that through cross-referencing and comparisons, Google could probably get the data nonetheless),
- is, as far as intellectual property is concerned, in the sole and exclusive ownership (which includes analysis, documentation and sources) of the Government.