Balancing Identity and Privacy with COVID-19 Mobile Apps
The 10-second summary
There are multiple COVID-19 mobile apps available, with more on the way. These apps provide important breakthroughs that will supplement testing and traditional contact tracing. However, most of these apps are designed for use by the general public, with complete anonymity in mind. Universities need COVID-19 apps that include strong identity (while still preserving privacy). Without identity, campus teams will struggle to get good data or thorough adoption, and the administration won’t gain enough data to assist decision making.
Bringing new COVID-19 technology to the campus
Most university campuses will open their campuses for a full semester in fall. And mobile apps should play a role in awareness, coaching healthy behaviors, and (maybe) filling the gap between testing and contact tracing.
Now that Google and Apple have partnered to provide a layer that allows public health agencies to release apps that do large scale digital exposure tracking, we’ll start to see a greater level of sophistication from these apps.
There are a few truly encouraging trends about this progression:
- Large tech companies are setting aside competition to build wide-scale solutions
- There is an emphasis on open source software in order to allow progress to move more quickly
- There is a universal emphasis (or at least concern) around privacy
These are not priorities that we always see in everyday life. It’s encouraging to see that these shared priorities do exist and that we can prioritize them when it’s important.
Today, I want to focus on what I see as a key gap between what existing apps are providing, and what university campuses truly need: strong user identity.
But particularly in this context, you can’t talk about introducing identity without discussing the impact on privacy.
Privacy is always important
It’s hard to keep track of what “privacy” refers to any more. The term has been abused so much that we’ve been trained to flinch instinctively whenever a corporation begins by assuring us that they “take our privacy seriously.”
So, to revisit the term again, privacy protects what you do by concealing your actions from others.
But privacy is not a mere luxury. Julie Cohen argues in her celebrated 2013 paper What Privacy is For that privacy is a basic human need. When we know that we’re under any kind of surveillance, it constrains our thoughts and behavior to some extent. Cohen explains that freedom from surveillance creates the necessary negative space for innovation, for self-development, and for informed and reflective citizenship. In short, privacy is essential to the environment that supports the core values of academia.
What makes privacy tricky is that it exists along a spectrum. You must be clear about which information will be kept private, and which information will not.
Anonymity is optional
If privacy conceals what you do, then anonymity protects who you are by hiding your true identity.
In the research environment, we all know anonymity as a way to separate valuable but sensitive research data from the individual’s identity. This allows us to study and even share the data without fear of causing harm to the individual.
Anonymity can also be important for providing shelter from stigma. For example, Alcoholics Anonymous depends on anonymity to reduce fear of stigma associated with alcoholism. It also serves to strip away titles and social structures in order to achieve a level of equality.
Anonymity can also be important for providing protection from racism or unconscious bias. During the initial job interview screening process, it’s common to mask candidates’ names from their resumes. This helps to keep interviewers focused on the candidate’s capabilities, and to eliminate any of the known positive or negative biases that may emerge from inferring a person’s gender or cultural background from their name.
Universities’ unique accountability
Universities are in a unique (and difficult) position. They are fully accountable for their campus’ safety—a massive responsibility—but they have limited authority over students’ behavior.
In many ways, employers have it easier. They have far more leeway to impose restrictions and mandate behaviors from their employees than universities can from their students.
The problem with anonymity in COVID-19 mobile apps for campus
This presents a quandary when it comes to COVID-19 mobile apps. All of them are designed with good privacy in mind, but most of them are also designed for complete anonymity. This means that nowhere in the app would you enter your name, or a username or password, or even reveal your phone number. For a government-branded app, this anonymity increases trust.
The problem is that because these apps form an important part of the safety structure of the university, anonymity breaks the ability to verify an important contract between the student and the university. The university is accountable for student safety, and the students are accountable for following university policy.
When an app plays a role in campus safety—such as exposure tracking—then compliance with using these tools is an important component of creating a safe environment for students and faculty to return to campus.
Anonymity is incompatible with the university’s responsibilities
So, in order to be effective, a COVID-19 mobile app that is designed for universities must integrate with the university’s authentication system, so that it can verify whether individual students are using the app (and nudge those that aren’t). The university already knows exactly which students are scheduled to be on campus. Authentication provides a way to ensure that on-campus students are using the tools that create the necessary margin of safety.
Identity → Accountability → Compliance → Safety
The compliance and usage data provides invaluable measurements for the administration to make decisions around the extent to which the campus is operating safely or not.
Identity is not opposed to privacy
Just because the app requires authentication in order to ensure usage and compliance, that doesn’t diminish the importance of privacy.
The university must know that students and faculty are using the app, but it should not have access to most of the information that’s being recorded by the app. That information is health related and for the user’s benefit, and giving the university access to it would amount to surveillance, which would propose new liability. The strict lines that most apps draw with users’ privacy around COVID-19 are appropriate for the university environment, too.
In fact, strong privacy is essential for widespread adoption. People will not want to use an app that they distrust and without widespread engagement, campus will not be safe.
Privacy → Trust → Engagement → Safety
Opportunity
The COVID-19 situation is not completely bleak for colleges. Academia is in a unique position to demonstrate to the world how science and community can come together to manage COVID-19’s risks while still delivering a valuable education experience.
Fall 2020 will be a defining semester for many universities. When universities deploy COVID-19 apps to help keep campuses safe, there are two important principles to keep in mind:
- the apps must embrace privacy in order to gain trust and engagement
- but they must also insist on identity in order to create accountability and compliance
Only then can there be meaningful measures of participation, so that there can be at least a lower bound on the margin of safety that is being created.