COVID-19 Tracking Apps: pros and cons, and the emergence of new business models around privacy and personal data?

Professor Maureen Meadows

In the UK, the government’s plan to use a tracking app as a key plank of its strategy for exiting lockdown is under scrutiny. The potential benefits, in helping to reduce the spread of coronavirus, seem to many commentators to be clear. Yet the use of a contact tracing app is a controversial step; according to experts, the tracking app will need detailed justification to satisfy human rights and data protection laws [1]. For example, will the app be voluntary or mandatory? And if it’s mandatory, is specific legislation required to set out a clear and detailed legal basis of the mandatory system? This short piece discusses some of the potential benefits and downsides of COVID-19 tracking apps, pointing to their implications for privacy and new business models in the future.

What are contact tracing apps, and how can they help?

Contact tracing is a system used to slow the spread of infectious diseases like coronavirus. One method is for someone who has been infected to list all the people with whom they have recently been in prolonged contact. Those people will then be tracked down by phone or email, and potentially asked to self-isolate. Another way of tracing contacts is by using a location-tracking mobile app, which identifies people the patient has been in contact with. One advantage of the app is it can identify people the patient may not know – like fellow passengers on a bus [2].

In the UK, the NHS has announced the launch of a coronavirus tracking app, with a pilot study in the Isle of Wight before a planned wider rollout. The app is considered to be a key dimension of the government’s strategy as it moves towards the gradual lifting of lockdown conditions. Via contact tracing, people can be told to isolate immediately after coming into contact with carriers of the virus; the aim is to reduce instances of contact when the virus is passed on while people are asymptomatic. NHSX, the innovation and technology arm of NHS England, is leading the project; a team at Oxford University has been developing the algorithm since mid-January, inspired by the Chinese tracking app that designates people a red or green riskiness code determining whether they should self-isolate [3].

What are the possible downsides?

Critics of the app-based approach are posing some fundamental questions about the likelihood of success [4]. First, how many people will download the app? If the approach is to be successful, a high proportion of the population, say around 60%, may need to install and use it – and it only works on smartphones. Second, will the app actually work? The pilot study will reveal whether users are in fact being alerted, in a timely fashion, to take action after coming into contact with the virus, and what steps they take next.

Contact tracing apps need to collect sensitive information, such as the user’s location. On this basis, privacy campaigners are already raising concerns about the UK’s pilot study [5]. First, they argue that, from their analysis of the NHSX app, there is no mechanism to opt in to or out of the third-party trackers that are included with the app. It also seems that the app would only work when it is operating in the foreground, particularly on iOS devices, making its efficacy questionable. Finally, they point out that the app is incompatible with a range of older Android devices, potentially putting the most vulnerable, such as the elderly or those on low incomes, at risk.

Critics also point out that the app will effectively give the government and third parties access to people’s data. Civil rights group Liberty says the government must take the risks seriously, and that using the app should not be a condition of leaving the lockdown or returning to work [6]. The UK app will use a “centralised model”, meaning the matching process will take place on a computer server. An alternative, decentralised model was put forward by Apple and Google, where the exchange happens on people’s handsets. The tech giants say their version makes it harder for hackers or the authorities to use the computer server logs to track and identify specific individuals. But NHSX has argued that the information gathered will only ever be used for health and research purposes, and that millions of us are going to need to ‘trust the app’ and follow the advice it provides. NHSX also says its centralised system will help give it more insight into how the disease spreads.
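A simplified model of the two matching architectures described above, added here as an illustration; it is not the NHSX or Apple/Google code. The rotating HMAC-derived identifiers, the device names and the encounter list are constructed assumptions, used only to compare what the server ends up knowing in each model.

```python
import hashlib
import hmac

def ephemeral_id(key: bytes, epoch: int) -> str:
    """Rotating broadcast identifier derived from a per-device key (assumed scheme)."""
    return hmac.new(key, epoch.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]

# Constructed sample data: four devices, four time epochs.
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in ("alice", "bob", "carol", "dave")}
EPOCHS = range(4)
# (observer, observed, epoch): each handset logs the identifier it heard nearby.
ENCOUNTERS = [("alice", "bob", 1), ("bob", "alice", 1),
              ("alice", "carol", 2), ("carol", "alice", 2)]

def observed_by(name: str) -> set:
    """Identifiers stored locally on one handset."""
    return {ephemeral_id(KEYS[seen], e) for who, seen, e in ENCOUNTERS if who == name}

def centralised_match(reporter: str) -> dict:
    """Matching on the server: it holds every device key and receives the
    reporter's log, so it can resolve each identifier to a registered device."""
    lookup = {ephemeral_id(k, e): n for n, k in KEYS.items() for e in EPOCHS}
    contacts = {lookup[i] for i in observed_by(reporter) if i in lookup}
    return {"server_learns": {"reporter": reporter, "contacts": contacts},
            "notified": contacts}

def decentralised_match(reporter: str) -> dict:
    """Matching on the handsets: the server only relays the reporter's key;
    every handset re-derives the identifiers and checks its own log."""
    published = [KEYS[reporter]]
    at_risk = {ephemeral_id(k, e) for k in published for e in EPOCHS}
    # This loop stands in for each handset running the check locally.
    notified = {n for n in KEYS if n != reporter and observed_by(n) & at_risk}
    return {"server_learns": {"reporter_key": published[0]}, "notified": notified}

if __name__ == "__main__":
    for model in (centralised_match, decentralised_match):
        result = model("alice")
        print(model.__name__, "notified:", sorted(result["notified"]),
              "| server learns:", sorted(result["server_learns"]))
```

Both models notify the same people; the difference is that only the centralised server's state contains the reporter's contact list, which is the data the server-log concern refers to.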

So how great is the risk that patient confidentiality will be compromised? The UK Health Secretary, Matt Hancock, has pushed back against privacy concerns, claiming that data would only be held as long as it was needed and that “all data will be handled according to the highest ethical and security standards” [7]. However, a recent report [8] argues that given the nature of the data likely to be shared, the government will need to undertake a data protection impact assessment (DPIA) prior to the processing of any personal data, adding that “the results of that DPIA should be made public. Those steps may be in progress, but we are not aware of them having been completed thus far.”

What can we conclude from the debate thus far, as we watch the roll-out of contact tracing apps around the world? What motivates us to share our personal data – perhaps monetization [9], or data donation [10] for a good cause? As we discuss the benefits to ourselves and to society more widely of contact tracing apps to tackle COVID-19, perhaps we will recognise the need for new business models around personal data, putting privacy at the heart of what organisations do (Meadows and Hatzakis, 2018). As the immediacy of this global pandemic subsides, the use of our personal data to fight the spread of infection may come further to the forefront of the public debate, allowing a richer conversation about the organisations we do and do not trust (including governments and health organisations), and the notion of a ‘business model of me’ that puts individuals in control of their personal data and its privacy protection.












Meadows, M. and Hatzakis, T. (2018) ‘Getting to know you? New business models for privacy and the quantified self’, Social Business, 8(1), 13-20.



Tomas Allum