
Ethics of AI and Data Science


  • What privacy issues do we really face?

A major element of the strategy for a safe exit from the current lockdown phase of the response to the COVID-19 pandemic is expected to be the use of contact tracing apps on mobile phones. These apps record contacts (in the sense of proximity episodes) between users. If a user becomes infected, a central authority can notify all other users, who can then check whether they were in proximity to that person during the relevant period.

There is currently intense discussion as to whether contact information of this kind can be shared without seriously breaching the privacy of users. Many protocols for the design of the apps are under consideration.


The Computational Privacy Group (CPG) at Imperial College London (ICL) has proposed a framework within which to assess the capacity of generic protocol families to meet reasonable requirements for the personal data security of the app users. Read the CPG's paper on evaluating COVID-19 contact tracing apps.

The paper presents a schematic arrangement of the parties to the app infrastructure, outlines a range of abstract protocol designs that might be adopted for the app and suggests eight questions about those protocols that need to receive satisfactory answers in order for users to feel safe about entrusting their contact data to the app.

The infrastructure comprises three types of participant: users, private individuals who voluntarily install the app and may be risk-free, infected or at risk; a central authority responsible for coordination and, crucially, the acceptance of infection reports and dissemination of infection notices; and external adversaries who seek to exploit the accumulation of information for malicious purposes.

Within this scheme, there are three abstract ('toy') protocols. Under protocol one, the app on each phone records a complete location record (trajectory). On infection, the user sends their entire trajectory to the authority which, in turn, pseudonymises that trajectory and releases it to all uninfected users. Under protocol two, the app does not record trajectory information but broadcasts a unique Bluetooth identifier assigned to it by the authority, receiving in turn the broadcasts of other apps in its proximity.

On infection, the user sends the authority its encounter history (the list of identifiers it has received), and the authority duly notifies the broadcasters of those identifiers. Under protocol three, the app also broadcasts an identifier, but this time it is changed at fixed time intervals (every hour in the paper's model). It is now these time-specific identifiers that are sent to the authority on infection, and, as under protocol one, the notified users can use them locally to check their own risk status.
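As an added illustration (not code from the CPG paper or from any deployed app), the following Python simulation runs protocols two and three over a handful of constructed proximity episodes and shows what each party ends up holding. It assumes two details the text above leaves open: that protocol-three identifiers are derived by HMAC from a per-phone secret and the hour index, and that under protocol three the infected user uploads the identifiers it broadcast, which the authority publishes so that every phone matches locally. Names and encounters are made up.

```python
"""Toy simulation of the identifier-based protocols two and three.
Added example, not the CPG paper's code. Assumption (not in the paper):
protocol-three identifiers are HMAC-SHA256(phone_secret, hour_index),
truncated to 8 bytes; the paper only says they rotate at fixed intervals."""
import hashlib
import hmac
import secrets

RELEVANT_HOURS = range(24)  # the period before diagnosis that is reported


class Device:
    """One user's phone: a static identifier (protocol two) plus a secret
    from which hourly identifiers are derived (protocol three)."""

    def __init__(self, name, static_id):
        self.name = name
        self.static_id = static_id             # assigned by the authority
        self.secret = secrets.token_bytes(32)  # never leaves the phone
        self.heard_static = set()              # protocol two: ids received
        self.heard_rotating = set()            # protocol three: ids received

    def rotating_id(self, hour):
        # Assumed derivation: the same phone emits a different value each hour.
        mac = hmac.new(self.secret, hour.to_bytes(4, "big"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def hear(self, other, hour):
        """Record what a nearby phone broadcast under each protocol."""
        self.heard_static.add(other.static_id)
        self.heard_rotating.add(other.rotating_id(hour))


class Authority:
    def __init__(self):
        self.registry = {}  # static identifier -> user (protocol two only)

    def enrol(self, name):
        dev = Device(name, secrets.token_hex(8))
        self.registry[dev.static_id] = dev.name
        return dev

    def protocol_two(self, infected):
        """Infected user uploads every identifier received; the authority
        resolves each one to a person and notifies them. Side effect: the
        authority now holds the infected user's resolved contact list."""
        return {self.registry[sid] for sid in infected.heard_static}

    def protocol_three(self, infected, devices):
        """Infected user uploads the identifiers it broadcast over the
        relevant period; the authority publishes them and every phone
        checks locally whether it heard any of them."""
        published = {infected.rotating_id(h) for h in RELEVANT_HOURS}
        at_risk = {d.name for d in devices
                   if d is not infected and d.heard_rotating & published}
        return at_risk, published


def run(encounters, infected_name):
    """Enrol everyone, replay the encounters, then report one infection
    under both protocols and summarise what each party learned."""
    authority = Authority()
    names = sorted({n for _, a, b in encounters for n in (a, b)})
    devices = {n: authority.enrol(n) for n in names}
    for hour, a, b in encounters:
        devices[a].hear(devices[b], hour)
        devices[b].hear(devices[a], hour)
    infected = devices[infected_name]
    two = authority.protocol_two(infected)
    three, published = authority.protocol_three(infected, devices.values())
    return {
        "protocol_two_notified": two,
        "protocol_three_at_risk": three,
        # protocol two: the authority learns who the infected user met
        "authority_learns_contacts_p2": sorted(two),
        # protocol three: 24 distinct pseudonyms, none tied to the static id,
        # so a listener cannot link two hours' broadcasts without the secret
        "published_ids_distinct": len(published) == len(RELEVANT_HOURS),
        "published_reveals_static_id": infected.static_id in published,
    }


# Constructed sample data: (hour, user, user) proximity episodes.
ENCOUNTERS = [(9, "alice", "bob"), (9, "alice", "carol"),
              (15, "bob", "dave"), (20, "alice", "bob")]

if __name__ == "__main__":
    for key, value in run(ENCOUNTERS, "alice").items():
        print(key, value)
```

Both protocols notify the same people, but the authority under protocol two ends up with the infected user's contacts resolved to identities, whereas under protocol three it handles only hourly pseudonyms that nobody without the phone's secret can link to each other or to a person. That difference is exactly what several of the paper's eight questions probe.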

The most prominent current design proposals focus on identifier-based protocols (two and three), but the simpler trajectory-based design may also have advantages. The paper asks eight questions about the privacy implications of the various protocols, and in the following response we offer some further considerations on the suitability of those questions and on the best answers to them.