Developing and Deploying New Technologies with Privacy in Mind: A Case Study on Contact Tracing Applications in Latin America

Published Date: July 21, 2021

During the COVID-19 pandemic, contact tracing applications have been viewed around the world as a sound countermeasure for containing the coronavirus. With the ability to pinpoint the spread of the virus based on features such as geolocation-tracking, the technology has become a cornerstone of initiatives led by governments around the world to control the spread of the virus and keep citizens safe. In some cases, however, governments have faced challenges when it comes to deploying contact tracing applications in a way that respects the privacy of their citizens. 

Across Latin America, at least 28 governments have deployed contact tracing applications in response to COVID-19. Given concerns around the right to privacy, my research and advocacy project under the Open Internet for Democracy Leaders Program focused on exploring the extent to which contact tracing applications used across Latin America during the pandemic were designed and deployed with privacy in mind. 

At the start of my project, I conducted research on the contact tracing applications developed in Colombia, Ecuador, México, Perú, and Uruguay, and examined their privacy implications. While some of these applications implemented decentralized, privacy-preserving Bluetooth technology, others used GPS geolocation and centralized Bluetooth technology, which raised some concerns around citizen privacy. Several applications also collected personal data only when the functionalities required it, and their source code was available for auditing, which helped ease privacy concerns. However, most of the privacy policies for the applications were vague and lacked transparency on the implemented security measures and other components such as the right to information.

Following the guidance of the Open Internet for Democracy Playbook, in coordination with Puentech Lab, a civil society organization based in Mexico, I hosted a virtual multi-stakeholder dialogue on June 15 to understand various perspectives on the digital rights implications of contact tracing applications that have been deployed throughout the region during the pandemic. The discussion convened approximately 25 key stakeholders from the local business community, civil society, government and academia from countries such as Brazil, Argentina, Chile, Colombia, Ecuador, México, Paraguay, Perú, and Uruguay. 

The dialogue provided a forum for participants to share their perspectives and identify privacy gaps in various contact tracing efforts, while constructively working together to develop key policy recommendations for governments and companies when engaging in initiatives that process personal data. During the event, participants noted that the following principles must be taken into account when utilizing technologies that process personal data: privacy by design, transparency, legality, necessity, proportionality, and data minimization. 

Participants during the event also explored how multi-stakeholder coalitions can help support the development and implementation of new technologies and applications that respect digital rights during the COVID-19 pandemic and in future emergency situations. Key recommendations discussed during the dialogue include:  

  • Encouraging the development of programs that improve digital rights literacy.

Governments can consider developing these programs in coordination with civil society groups, local business communities, technology experts, and academia. Digital rights organizations throughout Latin America can also consider conducting additional trainings in their respective countries in order to expand the reach of the training content. 

  • Developing new initiatives, technologies, or applications in conjunction with the personal data protection authority, while taking into account data protection regulations, if any. 

If a government adopts a new technology or application that collects personal data, the ministry or department responsible can ensure that voluntarism, as well as security and data protection measures, are applied.

  • Applying security and data protection measures so that personal information cannot be easily identifiable if a data breach should occur.

Governments can work with the developer of the technology to ensure these protection measures are in place, such as end-to-end encryption. Furthermore, governments can be transparent about what types of data protection measures are embedded in the application by providing these details in the application’s privacy policy. 

  • Organizing multi-stakeholder consultation roundtables to seek public input during the development and implementation of initiatives, technologies, or applications that process data.

Governments can be primarily responsible for organizing multi-stakeholder consultations. To encourage broad and active participation from different stakeholder groups, governments can work with organizations engaged in digital rights in the organization of these meetings, which could help encourage broader participation from other organizations, including from civil society and local business communities. 

  • Conducting an analysis of the impact of a particular technology or application on the public administration and in society prior to its deployment.

Governments can consider conducting this analysis and making the results publicly available for citizens. Governments may also consider outsourcing the analysis and can consult digital rights organizations during the selection of the third-party auditor. 

  • Carrying out continuous monitoring processes during and after the implementation of the technology or application and making the results of the monitoring process publicly available. 

Governments can ensure this monitoring process occurs by enabling the independent monitoring of technologies. Governments can also consult with the digital rights community to provide input on the third-party auditor. Moreover, if the application was used solely for the purpose of responding to an emergency, after an agreed-upon end date, a post-evaluation process can be performed to capture lessons learned and recommendations for the deployment of similar applications in the future.

  • Deleting the data after an agreed upon end date.

Governments can engage with the developer of the technology to ensure that the data has been deleted after a certain amount of time. To determine the end date for which the data must be deleted, governments can engage closely with digital rights advocates to determine the specifics. Furthermore, governments can ensure that the notice of when the data will be deleted from the application is publicly available. 

As mentioned in the Democratic Principles for an Open Internet, privacy is a fundamental component of ensuring a digital space where rights are respected and protected. This experience was a great opportunity to confirm the importance of multi-stakeholder coalitions in any digital rights advocacy effort. In the context of contact tracing applications in particular, participants of the dialogue noted the importance of continuing to foster engagement and connections between each other to protect internet freedom. 

Although the 2020-2021 Open Internet for Democracy Leaders Program is coming to an end, it has certainly been one big step of my advocacy journey. I invite you to join me in playing a part in shaping the future of the internet. Together, we can all work towards a trustworthy, globally connected, and inclusive digital space.