Amnesty International is rightly concerned about possible privacy breaches that a contact tracing app could bring. That is why they have published a number of guidelines. However, Savitas QR as a solution fully meets their requirements. That's why we wrote them an open letter.
June 18, 2020
Letter to Amnesty International Belgium re: Coronavirus and human rights - Tracing Apps
Dear Amnesty International,
After your very disturbing findings about privacy infringing apps in Bahrain, Kuwait and Norway(!) (*) among others, we have also carefully read the publication of your UK organization regarding "Coronavirus and human rights - 7 principles that should guide the rollout of a COVID-19 tracking application". (**)
At Savitas QR, we are delighted when trusted organizations and platforms take a closer look at the brave new world of COVID-19 contact tracing apps and other technology, because we agree that the road to both health and privacy - as Yuval Noah Harari puts it - is often a slippery slope. Especially in Belgium.
If even countries such as Norway appear to be in trouble over privacy in their app, we have to raise serious questions about the hasty rollout of over-complex technology. And we think your 7 principles are an excellent checklist to begin with, because we started from the same ideas when developing Savitas QR.
Savitas QR is a striking, simple, anonymous and social alternative to complex "tracing apps". Through voluntary cooperation, it puts people first rather than technology. It has been on the market for a month now and is available for companies that want to protect their employees as much as possible and prevent a second lockdown. See www.savitas.life.
We would like to detail our approach as related to your 7 principles:
1. Consent and transparency
Any individual decision to download and use it must be entirely voluntary.
The full source code underlying the app should be available for scrutiny.
Savitas QR's implementation: Savitas.io is a mobile website that shows a regular cookie consent notice. There is no app at all, no download and no registration. None of that is necessary, so it could never really be justified. All source code is available for inspection in two GitHub repositories upon valid request.
2. Limited purpose
All data collection must be restricted to controlling the spread of COVID-19 and it should not be used for any other purpose - including law-enforcement, national security or immigration control.
It must also not be made available to any third party or for commercial use.
Savitas QR's implementation: We’re even stricter than that - Savitas QR has no access to anything, nor does it record anything other than a logbook of abstract scan actions. There’s also no anonymous person identification, direct or indirect. Therefore there is nothing that could be passed on, either to governments or to commercial players.
There must be transparent scientific proof that it is impossible for collected data to be de-anonymised, including by combining it with other data sets.
Savitas QR's implementation: The report ("DPIA") of a complete GDPR survey by Timelex's privacy experts is now available. The full analysis on this subject is included in this report.
4. Privacy and data protection by design
The app must be in line with GDPR and the UK’s data protection laws, with privacy at the forefront of its design.
Data collected must be the minimum amount necessary, and securely stored.
Savitas QR's implementation: GDPR, privacy-by-design and complete anonymity were at the forefront of architecture and design. Everything takes place in the browser, which knows nothing about the user. Only abstract scan actions are tracked, in the local browser memory of the phone. For healthy individuals, not a single bit of information ever leaves the phone. Sick participants can voluntarily make their scan actions available for tracing.
5. Independent expert oversight
The app and collection and use of data must be independently overseen by a regulator empowered to enforce its decisions.
Savitas QR's implementation: If a competent entity were prepared to do so with due care, for example in the context of a national roll-out, we would be particularly pleased. Unfortunately, so far we see mostly the opposite.
6. Time limits
The data and app must be subject to mandatory time-bound deletion and/or deleted as soon as is reasonable after serving their declared purpose.
Savitas QR's implementation: All collected data live in a sliding window of up to 20 days after which they are automatically deleted as they are no longer useful for tracing. Moreover, the browsers themselves are very strict and erase all local data a few days after the last website visit (or Savitas QR scan): 7 days for iOS and 10 for Android. The user can delete the local browser memory herself at any time.
7. Equality and non-discrimination
The collection and use of data through the app must not impact disproportionately on any individual as a result of their particular status, such as socioeconomic or immigration position, age or ethnic origins.
The benefits of the app must be accessible to everyone, no matter what phone or smartphone they have.
Savitas QR's implementation: Since not the slightest personal information is requested or registered, it can never be processed or disclosed. Since no downloadable app is used, the application is accessible to anyone, using any smartphone, even without an Apple App Store or Google Play account. A QR code scanner app is not required either: the scan function is also available on the Savitas.io website.
Dear Amnesty, for governments that - for whatever reason - want a foot in the door of the privacy of their citizens, contact tracing apps are a dream opportunity and a rarely seen one, as you rightly demonstrate. And even if good intentions predominate in the early versions, the risk remains in the automatic updates that can nibble away at protections bit by bit in a less attentive period.
We believe that such risks are completely unnecessary for the objective pursued and have therefore consistently refused to take them. We invite you to independently verify our claims above and hope you can include us in your publications to remind citizens that health and privacy can perfectly go hand in hand.