DIGITAL CONTACT TRACING IN CHINA AND IN EUROPE: Protection of users data and effectiveness of public action


1. Introduction
Contact tracing aims at reconstructing and identifying the social interactions of an infected person. It does not necessarily require knowing the exact movements of infected people, nor does it need to use digital tools to collect information. In the past, the movements of infected individuals were indeed recorded on paper on the basis of oral reports and interviews.

Contact tracing, together with other containment measures, can contribute to lowering the basic reproduction number of an infection (denoted as R_0), which is the average number of cases directly generated by one infected person[1]. The value of R_0 depends on different factors, including the infectiousness of the pathogen, the number of contacts of each infected person and the duration of the infection. Currently, without measures of containment in place, the R_0 of COVID-19 is around 2.5[2].

Until a vaccine is developed, and given that the virus is infectious during the incubation period, social distancing is necessary to bring this number down. Nonetheless, since household contacts are responsible for 39% of contagions, reducing contacts across the entire population by 90% is insufficient to bring the value of R_0 below 1[3]. In sum, in areas where the disease has already reached epidemic proportions, lockdowns and stay-at-home orders can only slow down the contagion curve, but not reverse it.

In these types of scenarios, contact tracing is even less effective than social distancing and altogether insufficient as a stand-alone measure. However, it can contribute to bringing the value of R_0 closer to 1 if used in conjunction with other measures. Contact tracing can be even more effective when the outbreak has not yet become an epidemic, or when the epidemic is waning, by slowing down the spread of the virus, and by helping to target virological testing. It is thus a useful instrument in the fight against the COVID-19 epidemic.

In advanced economies, data collected from handheld devices such as smartphones and tablets can be used for contact tracing. In this respect, the crucial information is the users’ location (specifically in relation to confirmed cases) and identity. With regard to the former, it can be obtained from: a) multilateration of radio signals between cell towers and phones with a location accuracy of hundreds of meters; b) satellite-based positioning systems with a location accuracy down to a few meters; c) Bluetooth based systems aimed not at localizing devices, but at registering close interactions between users.

With respect to the identification of users, while necessary to the functioning of the system, transferring personal information to public authorities can endanger privacy and data confidentiality. Of course, these risks must be weighed against the benefits of contact tracing in reducing infections in the population.

In response to the COVID-19 epidemic, China has implemented a digital tracing system on a very large scale. Every day, Chinese contact tracing apps are used by hundreds of millions of people to enter public spaces and to travel across the country. However, they have also raised concerns in terms of privacy and data confidentiality.

In Europe, where contact tracing apps will be deployed over the coming weeks, these principles are regarded as individual rights. A comparison between the Chinese and European approaches is helpful to understand how to make contact tracing effective, as much as safe in terms of data protection. More in general, it can offer useful insights on how to safeguard individual rights, while pursuing effectiveness in public action.

2. Contact tracing in China
Contact tracing has been central to the Chinese anti-epidemic strategy, along with social distancing, virological testing and the widespread use of personal protective equipment. As early as January 21, the Joint Prevention and Control Mechanism of the State Council (国务院联防联控机制) emphasized the importance of “discovering, reporting, isolating and treating in advance (早发现、早报告、早诊断、早隔离、早治疗)”, and stressed the need to carry out and standardize close contacts tracing[4].

Over the following days, the government initiated a data collection and analysis effort aimed at monitoring and predicting population flows, as well as at providing the tools for early warning of close contacts[5]. Based on the data gathered and shared by a wide range of public bodies (including the central government, territorial administrations, public telecommunications companies and regulators), as well as by WeChat and Alipay[6], China developed a range of contact tracing tools to identify and isolate COVID-19 patients[7]. At the national level, all these tools rely on the country’s digital ID and real-name registration systems, both well-established in China.

The digital ID system, run by the country’s Ministry of Public Security, is based on the ‘Resident Identity Card’, the jumin shenfenzheng (居民身份证). The card contains a wide spectrum of personal information, including biometric and health data, criminal record, as well as travel details such as plane, train and long-distance bus reservations[8]. The Resident ID card is also required to register a new mobile phone number. The Chinese authorities can thus easily access citizens’ health status during ID checks, keep up with their travels on the national transportation network, and track their phone.

The other essential ingredient in China’s contact tracing system is real-name registration, via the Resident ID Card and mobile phone number[9], to access the country’s main social media platforms (WeChat and Alipay). This is critical because, aside from developing the health code apps, WeChat and Alipay (and, to a lesser extent, China’s main search engine Baidu) also provide essential contact tracing data such as GPS positioning[10], as well as users’ personal connections and web search data.

In sum, thanks to the digital identity system and to real-name registration on web platforms, Chinese contact tracing apps can tap into an immense reservoir of information. However, integrating data at a national level has proven to be a challenge[11]. As a result, China’s contact tracing tools are not unified, but instead fall into two categories, depending on their scope and on the administrative level of implementation.

In the first category, the contact tracing apps are developed by local governments, jointly with internet giants Tencent and Alipay. They aim at regulating movements within the provincial (or city) boundaries, by separating healthy people from potentially infected individuals that need to be isolated. The main example of such tools is the QR Health Code app, first launched in Hangzhou, and now used in hundreds of cities across the country.

Tencent’s recently published “technical guide for anti-epidemic passcode” (防疫通行码参考架构和技术指南) clarifies the functioning of the QR health code apps[12]. In terms of data, the system integrates the information provided by local public authorities with that in the hands of the internet platforms. To access the app, users are also required to answer a range of questions about their health condition and recent travels. Based on these data, users are then assigned to different risk categories labeled via a colour code (green, yellow and red). The green code is required to access public transport, residential and office buildings and shopping malls. Users with a yellow or a red code must instead self-isolate and undergo health checks[13]. On top of this, the health apps also allow one to check the code of other users by typing in their name and phone number.

The second type of contact tracing tools are those developed by the central government, with the aim of normalizing movements across different provinces, and of harmonizing local health codes along with unified standards. In this respect, the Politburo Standing Committee (China’s highest decision-making body) recently stated that in order to “accelerate the establishment of an order of economic and social operation compatible with the prevention and control of epidemics (…) the necessary health certificates must be recognized throughout the country”[14] and “all provinces (…) should implement unified policies and consistent standards in personnel control and mutual recognition of health codes”[15].

One example of the government’s effort to unify contact tracing at the national level and to kickstart economic activity is the Communication Big Data Itinerary Card (通信大数据行程卡). Developed by the Ministry of Industry and Information Technology (MIIT), the card relies on phone tracking information provided by the three national mobile carriers to identify and isolate people travelling from red zones, or who boarded the same train or plane as a confirmed case[16]. The card was specifically designed to allow people to travel from the provinces, where many had retired during the New Year holiday, back to their workplaces in coastal cities and industrial regions.

In parallel, the government is also working to integrate the different regional health codes into a fine-grained national system that can effectively track down and isolate single cases, rather than just regulating flows across provinces. In this regard, as early as February 27, the city of Shanghai and three provinces of the Yangtze River delta (Zhejiang, Jiangsu and Anhui) agreed on the mutual recognition of their respective health codes[17]. The codes developed by Tencent, with over 900 million users spread in 20 provinces, have also been progressively integrated[18]. The final goal seems to be to unify all the regional systems into a single and universally recognized health code that can be used throughout the entire country[19]: the Epidemic Prevention Health Information Code (防疫健康信息码).

In sum, China’s multifarious contact tracing tools are progressively being reordered in a pyramidal structure. At the bottom, local authorities cooperate with internet platforms to develop contact tracing tools based on the digital ID system, real-name identification and GPS tracking. These tools are then progressively integrated into the National Integrated Platform of Government Services (全国一体化政务服务平台) to develop a nation-wide system allowing citizens to move freely across the entire country.

This raises the question of the link between the government’s power to access individual data and citizens’ right to privacy. In the Cyber-security law (网络安全法), personal data are not only safeguarded as individual rights, but also as a strategic interest of the State[20]. Civil law remedies offer the main layer of protection to individual data. Treatment of personal data cannot take place without consent, and it should be limited to information that is necessary to the offered service (Article 40). Citizens are granted legal actions to obtain the elimination of data that were gathered illegally, but not a general right to be forgotten[21]. Interested parties can also require the removal of incorrect information, as well as slandering or privacy infringing digital content published by third parties[22].

However, these civil law remedies are shadowed by the government’s intervention in the management and protection of citizen data. The first layer of public protection restricts the gathering and treatment of data exclusively to licensed entities (Article 23 of the Law), who are required to store the data in servers that are physically located in China (Art. 37 of the Law). Moreover, according to the Provisions on the Supervision of the Internet and on the Inspection by Public Security Organs, (公安机关互联网安全监督检查规定), public security organs have the right to enter the premises of Internet Service Providers and remotely access their servers. While the Provisions contain measures aimed at preventing abuse by public security officers (Article 5 of the Provisions), the legitimacy of inspections by public security organs is more intricate. Inspections are grounded on a generic duty of supervision, but the actual reach and boundaries of powers related to this duty are not defined by the Cybersecurity Law, nor by the Provisions.

In sum, the interest of citizens in the protection of personal data, and the interest of the State in the security of the Internet largely coincide. It is thus not surprising that the creation of a centralized information database, the National Integrated Platform for Government Services, is not considered as a limitation to citizens’ right to privacy, but as a way to secure sensitive information.

3. Contact tracing in Europe
The European Union aims at ensuring that apps adopted in different Member States will be interoperable, thus facilitating mobility between EU countries. It therefore implemented a unified standard, contained in the Common EU Toolbox for Member States[23]. The creation of a common technical standard has also allowed the EU to imprint European principles, such as the protection of individual freedom and privacy, within the architectural framework of the contact tracing apps.

The Annex I to the Common Toolbox states that contact tracing must take place through a proximity detector app voluntarily installed by users. In practice, the app sends a Bluetooth signal (i.e. a signal that does not gather information on the position of the smartphone) to all surrounding devices that also downloaded the app[24]. The delivery of the signal leaves a trace in nearby devices by generating a random serial number. This is linked to the QR code that identifies each user. The trace of the contact between the two Bluetooth signals is stored for 14 days in the memory of the smartphones, or in a central server that should ensure anonymity. In both cases, information on the user’s location is not registered. The only information collected is the anonymized trace of the contact, which should be deleted after 14 days[25].

Whenever public authorities identify an infected user, they can notify all other users anonymously traced in the phone storage, through an automated message or phone call[26]. The exact content of the notification might vary in different Member States, but its purposes are: a) to inform the notified party that he/she entered in contact with an infected subject (no information that will allow the notified party to identify the infected contact should be provided); b) to recommend the notified person to self-isolate for 14 days; c) to establish a first contact between the notified party and public health authorities, in order to allow timely testing in case symptoms arise (this functionality discloses the identity of the contact, but is activated on a voluntary basis)[27].
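The on-device storage option described above can be sketched as follows. This is an added example, not code from the Common Toolbox or from any Member State app; the class names, the 15-minute duration threshold and the one-serial-per-day rotation are assumptions, and distance is passed in directly rather than estimated from Bluetooth signal strength.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)         # retention period stated in the text
MAX_DISTANCE_M = 1.5                   # relevant distance per note 24 (Annex I, TF01)
MIN_DURATION = timedelta(minutes=15)   # assumption: the page gives no duration threshold


@dataclass
class Contact:
    """One stored trace. There is deliberately no location or identity field."""
    serial: str           # random serial number broadcast by the other device
    seen_at: datetime
    duration: timedelta


@dataclass
class Device:
    contacts: list = field(default_factory=list)     # serials heard from others
    own_serials: list = field(default_factory=list)  # (serial, created_at) pairs

    def new_serial(self, now):
        """Generate a fresh random serial to broadcast (assumed: one per day)."""
        serial = secrets.token_hex(16)
        self.own_serials.append((serial, now))
        return serial

    def observe(self, serial, now, distance_m, duration):
        """Store a trace only if the encounter is epidemiologically relevant."""
        if distance_m <= MAX_DISTANCE_M and duration >= MIN_DURATION:
            self.contacts.append(Contact(serial, now, duration))

    def purge(self, now):
        """Drop everything older than the 14-day retention window."""
        cutoff = now - RETENTION
        self.contacts = [c for c in self.contacts if c.seen_at >= cutoff]
        self.own_serials = [(s, t) for s, t in self.own_serials if t >= cutoff]

    def serials_to_report(self, now):
        """What a confirmed case uploads: only serials still inside the window."""
        self.purge(now)
        return {s for s, _ in self.own_serials}

    def exposed(self, infected_serials, now):
        """Matching runs on the device, so the log itself never leaves it."""
        self.purge(now)
        return any(c.serial in infected_serials for c in self.contacts)


def run_demo():
    """Constructed scenario: Bob tests positive five days after meeting Alice."""
    t0 = datetime(2020, 5, 1, 12, 0)
    alice, bob, carol, dave = Device(), Device(), Device(), Device()

    # Dave met Bob 15 days before t0: outside the window by the time Bob reports.
    old = t0 - timedelta(days=15)
    dave.observe(bob.new_serial(old), old, 1.0, timedelta(minutes=30))

    # Alice was close to Bob on t0; Carol was in range of the signal but 3 m away.
    serial = bob.new_serial(t0)
    alice.observe(serial, t0, 1.0, timedelta(minutes=20))
    carol.observe(serial, t0, 3.0, timedelta(minutes=20))

    report_day = t0 + timedelta(days=5)
    published = bob.serials_to_report(report_day)
    people = {"alice": alice, "carol": carol, "dave": dave}
    return {name: dev.exposed(published, report_day) for name, dev in people.items()}


if __name__ == "__main__":
    print(run_demo())
```

Only Alice is notified: Carol's encounter was never stored, and Dave's trace and Bob's matching serial were both deleted once they passed 14 days.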

In comparing the EU system outlined in the Common Toolbox with the Chinese system, three main differences stand out. First, by relying on Bluetooth technology, the European system aims at ensuring privacy by design. It can signal proximity between infected users and other individuals, without accessing their location. Once implemented, the Bluetooth-based system might prove to be just as effective in tracing contacts, although it does not allow surveillance of confirmed infected subjects. In sum, the European system adds a further layer of protection to individual privacy, while sacrificing the tracking feature of the application.

Second, the European system does not grant public authorities the power to access individual data. This is possible regardless of whether Member States opt to implement apps that store data in the user’s smartphone or in a centralized server. In the former case, decentralized storage simply prevents public authorities from processing and analysing data. The enhanced privacy comes at the cost of depriving public authorities of big data analysis tools that could be useful in fighting against the epidemic. In the latter case, since public authorities can access the central server, user privacy is protected through anonymization. Analysis of centrally stored data must be aggregated and limited to research aimed at tracking the epidemic curve[28]. Under both data storing procedures, all information must be deleted within 14 days.

Third, in the EU system, contact tracing apps can be installed on a voluntary basis. This might severely hinder the potential of the EU contact tracing system. For digital contact tracing to be effective, apps must indeed be downloaded by at least 50% of the population[29]. It is not clear how Member States may incentivize the use of the apps, but it is unlikely that they can muster the political will and the legal tools required to produce incentives comparable with those in place in China, where showing an app-generated green code is a precondition to access a wide array of public services. At most, as the guide published for ‘Immuni’ (the app currently being tested in Italy) seems to suggest, companies that are otherwise unable to ensure safe distances between employees may impose the use of the app[30].

As a matter of fact, a complete comparative analysis between the two systems will be possible only when contact tracing is fully implemented in Europe. Nevertheless, some tentative conclusions can already be drawn. The EU Common Toolbox openly refers to contact tracing in non-EU countries, such as Singapore, but it does not mention China, where data protection does not limit government access. Quite the contrary, in the Chinese system, the government has the right to access data precisely to prevent abuse from third parties. It can therefore store, aggregate and process data from a wide range of sources, and coordinate public and private actors alike in the development of contact tracing tools. This has proven effective in developing and progressively integrating contact tracing systems on a very large scale. However, it also raises the issue of data security when sensitive personal information in the hands of the government, such as citizens’ medical condition, is shared with other public and private actors[31].

Chinese internet users are increasingly standing up for their privacy in front of internet giants, but also against the risk of data leaks from government departments. In response to these concerns, Beijing has released for public comments a draft of the Data Security Management Measures (数据安全管理办法)[32], and is currently working on a Personal Data Protection Law. The Measures introduce significant provisions such as the network operators’ obligation to notify individuals of the purposes of the information collection, and not disclose, tamper with, or damage citizens’ personal information that they have collected. Nonetheless, it is still unclear how companies will be audited against the new standards, and what their effect on business operations will be. Most importantly, the question of how personal data protection can be squared with the notion of “data sovereignty”, and with far-reaching national security and social stability goals, is one that still needs to be answered.

In the EU, the system outlined in the Common Toolbox does not allow Member States to impose the use of contact tracing apps. However, according to the General Data Protection Regulation (GDPR), whenever a task is carried out in the public interest, processing personal data is lawful, and it does not necessarily require the concerned person’s consent[33]. Furthermore, while the scope of the protection offered by the GDPR is based on the notion of personal data[34], compliant apps are not able to gather information on user location, and user identity is protected through pseudonymization. Therefore, these apps do not fall within the scope of the protection provided by the GDPR. In addition, the overall structure of the app seeks privacy by design, gathers a minimal amount of data, and prevents public authorities from accessing individual information. Insisting on citizens’ voluntary participation is redundant in terms of privacy protection, but could come at the cost of the overall effectiveness of the European contact tracing system.

In recent weeks, because of the exceptional nature of the current situation, EU Member States curtailed a wide range of constitutional rights, such as freedom of movement and freedom of assembly. Compared to these extraordinary and traumatic limitations, the imposition of a tracing system in which users’ location is not recorded, and their data is anonymized, seems reasonable.

In several East Asian countries, digital contact tracing has proven a useful tool in containing the virus and in restarting the economy. This is the case not only in China, but also in democracies such as South Korea. For the first time, Europe faces the possibility that the protection of individual liberties, if rigidly interpreted, might be put at a competitive disadvantage with societies that share a higher degree of confidence in the use of digital technologies.

In the 1800s, China declined because it was unable to imagine how foreign technologies could coexist in a largely feudal and Sino-centric value-system. More in general, history shows that societies, no matter how prosperous, are at risk of declining if they cannot cope with the introduction of new technologies. In the fight against COVID-19, and in the management of public affairs more in general, Europe must embrace the use of digital technologies and shape them according to its own values.

Notes

1.  https://www.iss.it/primo-piano/-/asset_publisher/o4oGR9qmvUz9/content/id/5268851

2.  Kretzschmar, Mirjam and Rozhnova, Ganna and van Boven, Michiel, Isolation and Contact Tracing Can Tip the Scale To Containment of COVID-19 In Populations with Social Distancing (3/23/2020). Available at SSRN: https://ssrn.com/abstract=3562458 or http://dx.doi.org/10.2139/ssrn.3562458

3.  Ibid

4.  http://www.gov.cn/xinwen/2020-01/22/content_5471437.htm

5.  https://mp.weixin.qq.com/s?__biz=MzU1Mzc4NTE1Nw==&mid=2247485418&idx=1&sn=838e74bbaf994049f1067a3bb9026567&chksm=fbecc5c0cc9b4cd618379bb0400a65ea75c378b00153e30ecc59a946ee39b6f92134bcfbeefd&scene=21#wechat_redirect

6.  There are strong indications that GPS location data from WeChat and Alipay are fed into the contact tracing apps, but so far this has not been confirmed officially. https://www.colabug.com/2020/0409/7231279/

7.  The first of such tools, the “Close Contact Measurement Tool” (密切接触者测量仪) recorded over 130 million queries just for days after its introduction on February 10. https://tech.chinadaily.com.cn/a/202002/17/WS5e4a4ac7a3107bb6b57a03be.html

8.  http://www.gov.cn/zhengce/2011-10/29/content_2602263.htm

9.  http://www.cac.gov.cn/2017-09/07/c_1121624269.htm

10.  https://www.colabug.com/2020/0409/7231279/

11.  At the national level data are channeled into the National Integrated Platform of Government Services (全国一体化政务服务平台), which was established in November 2019. The platform aggregates data from the National Health Commission, the Ministry of Public Security, the MIIT (which collects the data from the mobile carriers), as well as from the national railways and the civil aviation authority. It is not clear to what extent information gathered by local authorities and private companies is also channeled into the platform. http://www.gov.cn/zhengce/content/2018-07/31/content_5310797.htm

12.  http://app.sist.org.cn/tcsc/Cms_Data/Contents/IndustryStandardsAllianceDataBase/Media/通知公告/附件1:%20《防疫通行码参考架构与技术指南》%20征求意见稿.pdf

13.  https://mp.weixin.qq.com/s?__biz=MzA3NzAzMDEyNg==&mid=2650833492&idx=1&sn=ab7bcc9bb3280309b44c220cff23a40b&chksm=84ac15d5b3db9cc3a7db29a8d01f41900398f255a696a35a035b2cfc3a51c50063072b973ac7#rd

14.  http://www.gov.cn/xinwen/2020-03/21/content_5494037.htm

15.  http://cpc.people.com.cn/n1/2020/0318/c64094-31638311.html

16.  http://cy.youth.cn/dtxw_138178/202004/t20200409_12279522.htm

17.  http://www.bjnews.com.cn/news/2020/04/11/715843.html?from=timeline&isappinstalled=0

18.  https://baijiahao.baidu.com/s?id=1660782374347986557&wfr=spider&for=pc

19.  There have been several recorded incidents of people being prevented from boarding flights, or forced into quarantine because of a lack of mutual recognition of regional health codes. https://www.jfdaily.com/wx/detail.do?id=223887; https://new.qq.com/omn/20200312/20200312A0CQK200.html

20.  It is therefore unsurprising that the bulk of the provisions regarding protection of personal data is included in a law on cyber security, implemented with the purpose of safeguarding the security of the net and protecting citizens legitimate interests (art. 1). The cybersecurity law is available at: http://www.cac.gov.cn/2016-11/07/c_1119867116.htm

21.  Article 43 of the Cyber Security Law.

22.  Article 36 of the Chinese Tort Law or 侵权法. In these latter circumstances, Chinese online platforms are subject to strict liability rules and cooperation duties that are stricter than those provided for by the European General Data Protection Regulation or GDPR.

23.  Common EU Toolbox for Member States issued on April 15, 2020. https://ec.europa.eu/commission/presscorner/detail/en/ip_20_670

24.  Annex I of the Common Toolbox, TF01, provides that the epidemiologically relevant distance is 1.5 meters. According to the Common Toolbox §1,2, b, i, the technical device should also keep the duration of the contact into account.

25.  Annex I of the Common Toolbox, EF01

26.  The warning can be triggered by the user, through a QR code provided by public health authorities, or by public health authorities themselves. The latter option is only possible when the centralized data storage is adopted. In any case, it is unclear whether public authorities may issue the notification without the consent of the infected person. Anonymization imposed on centralized data storage impedes connecting the infected person to the serial number identifying it. See Annex I of the Common Toolbox, EF05.

27.  See Annex I of the Common EU Toolbox EF07.

28.  Annex I of the Common EU Toolbox EF07.

29.  Common EU Toolbox, p. 2

30.  https://www.agendadigitale.eu/cultura-digitale/immuni-come-funziona-lapp-italiana-contro-il-coronavirus/

31.  https://comment.scol.com.cn/html/2020/03/011009_1731142.shtml; https://www.creditchina.gov.cn/toutiaoxinwen/202003/t20200305_187219.html

32.  http://www.cac.gov.cn/2019-05/28/c_1124546022.htm

33.  Article 6, 1, lett. e) of the GDPR.

34.  Article 4, 1 of the GDPR defines personal data as information relating to an identified or identifiable natural person (…) in particular with regard to its name (..), location data(..).