Yoshua Bengio (1), Richard Janda (2), Yun William Yu (3), Daphne Ippolito (4), Max Jarvie (5), Dan Pilat (6), Brooke Struck (6), Sekoul Krastev (6), Abhinav Sharma (7).
1. Montreal Institute for Learning Algorithms, Université de Montréal, Montreal, QC, Canada.
2. Faculty of Law, McGill University, Montreal, QC H4A 3J1, Canada.
3. Department of Computer and Mathematical Sciences, University of Toronto, Toronto, ON, Canada.
4. Department of Computer and Information Science, University of Pennsylvania, Philadelphia, PA, USA.
5. Borden Ladner Gervais, Montreal, QC, Canada.
6. The Decision Lab, Montreal, QC, Canada.
7. McGill University Health Centre Research Institute, McGill University, Montreal, QC H4A 3J1, Canada.

Digital contact tracing applications represent a powerful yet controversial strategy to combat the COVID-19 pandemic. Manual contact tracing has important challenges, not limited to recall bias and delays in communicating with high-risk contacts. Digital technologies are already increasingly used in the context of health-care delivery and clinical trials. Due to the considerable strain on public health institutions, digital contact tracing through mobile phones is being used or explored in a growing number of countries despite concerns raised over individual privacy and state surveillance.

Mobile phone-enabled digital contact tracing colocalises individuals in time and space through the use of GPS, Bluetooth, or other such technologies. Google and Apple have promised to provide frameworks for how to use their technologies for contact tracing. A digital contact trail can be created when individuals who have downloaded such applications come into physical proximity. Machine-learning strategies can improve on simple binary contact tracing systems by providing methods to calculate quantifiable individual risk of acquiring COVID-19 depending on specific features such as distance and duration of interaction, self-reported comorbidities, demographics, and the presence of any symptoms in each individual in an interaction. As an individual's risk level for acquiring COVID-19 increases, various behavioural messages can be delivered quickly to enable the individual to take appropriate, measured action. These multiple advantages have the potential to establish rapid epidemiological control of the pandemic.

Despite the potential advantages, most of the applications in use or under consideration have an impact on individual privacy that democratic societies would normally consider to be unacceptably high. In a free and democratic society, there are major concerns regarding privacy.
The UK, Australia, Singapore, South Korea, and other countries have deployed such tools (using binary variables of contact, not scalar risk probabilities for risk of infection); however, these applications have come under scrutiny relating to the ability of governments and other groups to access personal information. Public trust in the use of these applications is paramount because widespread adoption of these technologies is needed to be effective in curbing viral transmission. Indiscriminate collection of personal information, chronic privacy breaches, and lax attitudes towards individual privacy in the private sector have eroded public trust in digital technologies. Moreover, tracing applications raise the spectre of generalised state surveillance in the face of the pandemic, with potentially devastating consequences if democratic societies learn to accept such an intrusion on civil liberties. Therefore, to counteract both negative perceptions and genuine threats, a privacy-protecting approach must be central in the development of such a contact tracing application.

Several strategies can be leveraged to increase and maintain the public trust with such applications (panel). Express consent at each step of data sharing is crucial and must be meaningful, not buried within lengthy privacy policies or vague language agreements, and includes express consent to anonymously share COVID-19 test results. No identifiable data should be shared with any public institution or private enterprise. Pseudonymised or aggregate data can be adequately used to develop machine-learning and epidemiological models and inform public policy. Otherwise data should be kept encrypted on users' devices and inaccessible to public authorities or private interests. The tracing application itself can propagate alerts to high-risk contacts and can recommend that users voluntarily contact health authorities where relevant, thereby assisting markedly in contact tracing while minimising the potential for state surveillance, snooping, or vigilantism.

Panel

Consent
- Download, installation, and use of the application must be entirely voluntary, and users must be able to uninstall the application at will
- There must be express consent for all collection, use, and disclosure of personal information (ie, users might choose to share some data and not others, such as official test results or to feed a machine-learning model)
- Individuals must be able to opt-in or opt-out of data sharing. This includes consent to download the application, turn on location services, receive notifications, and share COVID-19 test results

Oversight
- A non-partisan independent oversight committee with representatives from legal, health, machine-learning, and privacy experts should be established to oversee ongoing development of the application, its information ecosystem, and data governance
- Importantly, public representatives must be included in this oversight committee

Virtual data acquisition
- No identifiable information regarding digital contact trails or personal health information that an individual enters on the application should be shared with other application users or public, private, and governmental agencies
- Individual geolocation data should not be stored on a central server and should pass through a rigorous obfuscation protocol to reduce their information content to the bare minimum required for epidemiological and machine-learning modelling
- Pseudonymised data should be used to inform machine-learning models, and only these data should be stored centrally on a protected server
- Only non-identifiable aggregated data should be shared with public health institutions
- The source code of the application and the algorithms used should be made accessible for public scrutiny
- Personal identifiable information should be deleted from the device once the pandemic is over

Informed decision making
- User preferences should drive end-to-end experience
- User comprehension should be prioritised and verified rather than assumed
- User psychosocial wellbeing should be promoted
- User empowerment to protect themselves and others should be maximised
- User inclusivity should acknowledge the diversity of user needs in dimensions such as gender, race, education, and rural vs urban location

The granular non-identifying information used to train machine-learning models generally contains sufficient detail to re-identify individuals when correlated with other sources of data.
This is why an independent, non-partisan trust or similar fiduciary structure must be established to protect and control access to these data, and manage the application and its ongoing development. The source code for the application and the privacy protocols used should be publicly available. Individuals must be able to make independent informed choices based on recommendations released from the application rather than using coercive or penalising strategies. An application self-destruction strategy should be used so that once the pandemic is over, all application-related personal data is deleted from participants' phones and deleted from the machine-learning server, leaving for further research only de-identified, aggregated, and statistical data, or artificial data generated from the epidemiological model.

The approach presented here advocates that consent must be explicit for users to download the application, transmit COVID-19 test results, and share data for research. Recent projections suggest that at least 56% of a country's population would need to be using the application to ensure maximal chance of epidemiological control of the COVID-19 pandemic. There is a tension between mandating use of the application versus having a consent-based approach that we are advocating. In the face of such tension, the trade-off between individual civil rights and the need for population-level control of the COVID-19 pandemic comes to the forefront. Trust in the application by individuals is pivotal for such applications to have population-level benefit. We would suggest that advocating an approach that emphasises consent and prevents any central public or private authority from accessing identifiable data would embolden more individuals to download the application, thereby optimising the population-level benefit.
Various designs are currently in place with regard to strategies for identifying contacts, the types of notifications that are received, and the use of centralised versus decentralised approaches [4, 10]. One question that arises in a system that emphasises a consent-based, opt-in approach is whether, among individuals who do not receive a notification, the absence of the notification implies the absence of contacts with other individuals with a COVID-19 infection or that other users are not consenting to share data. The absence of notifications might create a false sense of security in the user of the application or can cause frustration if a user presumes that others are not sharing information. This limitation with such opt-in applications emphasises the need for broad public outreach and education to optimise the number of users who download the application and consent to share data.

Leveraging digital contact tracing technologies can change the course of the COVID-19 pandemic. Such technologies must robustly support democratic principles of privacy to maintain public trust and to enable individuals to make informed choices to help combat the pandemic.