ICCL and a number of data protection and privacy experts have been engaging with Ireland’s Health Service Executive (HSE) since it announced it would introduce a contact-tracing app to curb the spread of COVID-19.
We have outlined our concerns regarding the HSE Covid Tracker app in detail in our report card but, in summary, we have concerns about privacy, efficacy, necessity, and proportionality.
No evidence the app will curb transmission of COVID-19
We have seen no evidence to support the theory that contact-tracing apps, in general, curb the transmission of Covid-19. We have also not seen any evidence from the HSE or the Department of Health to support the theory that the HSE app will detect close contacts, despite the app having been trialled by the gardaí. We have been told the app can “accurately detect 72% of close contacts using the Google Apple API,” but we have seen no public data supporting this figure.
Risk of inaccuracy
Instead, we have evidence from Dr Stephen Farrell and Professor Doug Leith, of Trinity College Dublin, that it would be challenging for Bluetooth apps to discern whether contacts are closer or further than 2m away and that the recording of signals between app users will very much depend on whether they have their phones in their pockets or handbags or how they’re standing next to each other. Being in a bus or Luas also has a significant affect as metal reflects radio waves.
False negatives and false positives
They have found that false negatives – where people’s contacts are not detected – may be unavoidable for Bluetooth apps using the Google/Apple API, such as the HSE app.
False positives, where people have been falsely alerted as having been in contact with someone diagnosed with Covid-19, are another concern. The HSE and the department themselves have stated that they will advise Luas drivers who download the app to turn off the contact-tracing element while working, in order to avoid getting false positive notifications.
Can experts see and test the code?
ICCL has applauded the HSE and the Department of Health for their steps toward transparency in terms of publishing the Data Protection Impact Assessment (DPIA), source code, and other documentation, including the Data Protection Commissioner’s review of the DPIA.
However, unlike the open source code of the HSE app, the source code of the Google/Apple API, upon which the HSE app sits, is closed. We have concerns that the Google/Apple API can affect the performance of the app’s contact-tracing capabilities by silently updating the API, unbeknownst to users and, as a consequence, affect the app’s false positive and false negative rate. We believe this is insufficient and problematic for governance and oversight.
So what has ICCL been doing about this?
On 29 April we wrote an open letter to the HSE and the Department of Health underlining the need for transparency and respect for privacy and data protection principles. Read our letter here.
Throughout May we reiterated our calls for the HSE to publish the Data Protection Impact Assessment, the source code, and the design spec of the app. This was to allow data protection experts time to examine it before the app was launched.
On 3 June we published a set of nine principles which the app developers would have to adhere to in order to comply with human rights and data protection laws. Read the principled framework and press release.
On 26 June, when the Data Protection Impact Assessment was published, we were concerned that the app’s efficacy had been assumed, rather than proven. Along with Digital Rights Ireland (DRI), we wrote to the Oireachtas COVID-19 Committee and issued a press release.
On 2 July, one week before the app was formally launched, ICCL and DRI issued a report card grading it on the nine principles outlined in June. We awarded the government a C+ for their efforts overall.
In the week the app was launched, our concerns remained so grave that we did not feel we could recommend the app for population-wide usage.