Why ‘Privacy By Design’ Is Mobile Apps’ Next Big Thing

Why Privacy Is Mobile Apps' Next Big Thing

After some three months of keeping consumers at home, governments around the world are beginning to let people publicly mix again — albeit in a modified fashion that involves wearing masks, keeping socially distant and limiting crowded indoor locations. The big question is how to make sure infection rates and hospitalizations don’t skyrocket.

As CEO Jon Prideaux of mobile payments and identity platform Boku noted in a recent conversation with Karen Webster, China, South Korea and Singapore are using technology-backed contact tracing to reopen, while so far keeping infection rates reasonably low. He said governments the world over are looking to deploy mobile apps to predict where outbreaks will likely occur and determine whether people are at risk.

 

Countries that have done the best job of holding down infection rates so far during the reopening period have been very aggressive about tracking and tracing efforts, leveraging mobile devices as tools to accomplish that. But as Prideaux noted, that sparks privacy issues for many consumers, particularly in democracies where governments can’t simply order citizens to download tracing apps.

“The story of the last two [or] three years has been one of: ‘We’re concerned that Facebook’s following us around the internet. We’re concerned that if we happen to browse for something on the web, for the next three weeks we will be bombarded with adverts for the same thing,’” he said. “So, there’s been a lot of political pressure about privacy. At the same time, we’ve now got this trade-off, which is less about convenience versus privacy [and] more a case of safety versus privacy.”

Prideaux said consumers are starting to think a little differently about how much they’re willing to be tracked and traced in the name of protecting their own wellness and public health. “They’re a bit more willing to be open-minded about reassessing what they think about privacy,” he said.

But more importantly, the situation creates an opportunity for technologists to think about how to build products around “privacy by design” to further boost consumer confidence in their use, Prideaux said.

Plugging Up The Data Leaks

What makes consumers uncomfortable about tracing apps, according to Prideaux, is the idea that governments could use people’s phones to track their movements and behaviors 24/7. That makes it feel like “Big Brother” is watching all the time — and brings up concerns about how governments might use the data beyond merely protecting public health.

Injecting technology into the situation worsens such fears. After all, people often fill out paper forms that submit private data to third parties, but don’t tend to worry because they don’t see that as somehow becoming public knowledge. On the other hand, using a phone app creates the feeling that their private health information and movements are being shipped off to third parties without their permission, Prideaux noted.

Consumers’ fears are not unfounded. Some of the contact tracing apps use GPS and are storing the information in a centralized location. Moreover, these governments are able to mandate the use of the app among its citizens. While the intention might be positive, there is a privacy pitfall if the data happens to fall into the wrong hands. Security researchers say it could reveal the location of COVID-19 patients — not only to government authorities but also to any hacker clever enough to exploit its flaws.

However, it does not have to be that way. “The technology to do [tracing and tracking] can balance the privacy of the user,” he pointed out.

Prideaux noted that Google and Apple are working on an application programming interface (API) for tracking and tracing, which operates in a way that doesn’t give away users’ personal information but instead stores it on their devices. The app merely provides “a service to the user to figure out whether they’ve been close to somebody who has been exposed to the virus or is showing symptoms,” the CEO explained.

Prideaux and Webster also noted that consumers have an established history of trading away some privacy in the name of safety or convenience.

One example is in the area of fraud prevention, where consumers have gotten comfortable making their data available. Even strong privacy laws like Europe’s GDPR, India’s Personal Data Protection Bill and the California Consumer Privacy Act allow the processing of personal data to help prevent fraud, with a requirement to constrain its use for that purpose. Data providers in this space are also doing a good job of balancing effectiveness with privacy. Boku‘s core data providers, which consist of mobile carriers around the world, are focused on protecting customers’ information by providing zero-knowledge signals to Boku to enable fraud prevention.

As another example, Webster said that frequent travelers who apply for the U.S. Transportation Safety Administration’s TSA PreCheck program provide all kinds of government-issued documents and other information in exchange for the opportunity to board airplanes faster.

And unlike the TSA PreCheck program, contact tracking and tracing aren’t primarily concerned with establishing anyone’s individual identity, Prideaux said: “The system doesn’t really care who you are. It simply cares that you have this disease or the symptoms of it. Once you download the tracing app, you don’t do anything with it until you start feeling ill, at which point you report your symptoms. Once that report is in, the tech figures out who your contacts have been, and they can be notified that they might want to isolate or quarantine themselves.”

The personal information about users’ health stays on their phones and is protected from “leaking out into the world” — the only thing uploaded for general use is anonymized data, said Prideaux.

Getting Consumers On Board

Of course, the challenge lies in convincing consumers in free societies to download and interact with these apps, Prideaux said. They’re not likely to do so en masse overnight, due to privacy concerns.

“We could have had a version of this conversation in the late ‘90s or early 2000s when people were just starting to do eCommerce,” he said. “There was an awful lot of concern about entering card details, and those concerns did not go away immediately.”

In fact, Prideaux noted that many well-publicized data breaches actually increased such fears. But over the course of some two decades, consumers were educated to the fact that they’re not liable for any resulting fraud. If they get charged for something they didn’t approve of, they’ll get a new card and any losses will be covered.

The key will be convincing consumers that they’re safe from prying eyes because a tracking-and-tracing app’s personal data won’t leave their devices, he said. Consumers will just need to see the app in action to realize that their private information isn’t being handed out.

“If we build these things in the right way with privacy by design … you actually end up with something that is backed up for individuals, where they aren’t revealing more than they want to,” Prideaux said. “We can see some of that success in getting ahead of the outbreaks and preventing future lockdowns, which is the outcome everyone desperately wants to avoid.”