3 June 2020 TechCrunch Event Response
- Jeff Whatcott
Contact Tracing/Exposure Notification SurveyInformation gathered from this survey will be used to better inform decision makers in state and local government, technologists, and the public, about the privacy and security features of leading contact tracing and exposure notification applications.
This survey will take 7-12 minutes to complete. We encourage you to complete as much of the survey as possible but if you cannot answer a question, you can move on to the next one. You must hit SUBMIT at the end of the survey or your responses will be lost.
Thank you for your cooperation. We look forward to having you demo. * Required
What is the name of your application? *
COVID Safe Paths and Safe Places
Is your application intended to be used exclusively for contact tracing and/or exposure notification?
Yes
No
Is your application designed to work in conjunction with manual contact tracing?
Yes
No
Does your application use GPS or Bluetooth?
GPS
Bluetooth
Neither
Both
Briefly describe the ways in which your application's architecture is centralized or decentralized?
We offer both GPS and Bluetooth based technology. Both are built with a decentralized architecture, meaning that user data remains on devices and exposure notifications are generated on device based on exposure data retrieved from an external source. Our Bluetooth app is built using the Google Apple Exposure Notification API and conforms to the design intent and policies of the API. Our GPS solution is decentralized by design and works without requiring users to share any location data with anyone. If, as part of a contact tracing interview process, a user wishes to share their location data with a public health authority, they have the option to do so at their sole discretion, but such sharing is not automatic and requires proactive steps by the user.
Does imputed data reside on a user's device or on a server?
User's device
Your server
A third party server
Other: An undiagnosed member of the public's data resides only on their device. If they are diagnosed, and provide informed consent, then it is passed to the server of a healthcare authority to be redacted, and passed through a one-way hash before being published out to other users for the purposes of exposure notification.
Do user IDs reside on their respective devices or on a server?
User's device
Your server
A third party server
Other: Our mobile app does not record User IDs. If users choose to identify themselves to a contact tracer, their data will likely be stored
Where is data for your application's exposure events managed?
Central server controlled by our organization
Central server controlled by a third-party organization
Other:
When consenting to use your application, are users informed as to the nature of the information they're disclosing?
Yes
No
When consenting to use your application, are users informed as to how the information they're disclosing is being used?
Yes
No
When consenting to use your application, are users informed as to the likely impacts of disclosure and use?
Yes
No
Are events impacting the company server visible to users?
Yes
No
How do users opt-in or opt-out of being tracked by your application?
Users may opt out by declining to authorize the app to access GPS or Bluetooth functions of their device when installing, by revoking these authorizations at a later time, or by uninstalling the application.
Does your application have a privacy policy? If so, please provide the link.
https://covidsafepaths.org/privacy-policy/
Does your application output aggregate data analysis?
Yes
No
If you answered yes to the above, do you apply differential privacy to this analysis?
Yes
No
Other:
Do you use data collected through your application for anything other than the health objectives related to mitigating the impact of COVID-19?
Yes
No
If your application is open-source, what license do you use?
MIT License https://github.com/Path-Check/covid-safe-paths/blob/develop/LICENSE
How is your organization structured? *
For-profit
Non-profit
Unincorporated / Research Organization
Has your code been audited?
Yes
No
Are there features of your design that you or your auditor have identified as potential vulnerabilities?
Your answer
Will you continue running your application after the COVID-19 crisis has ended?
Yes
No
Other:
What steps have you taken to ensure that subpopulations are not systematically excluded from using, or being accounted for in, your application?
We have a global volunteer community engaging with public health organizations worldwide. We have cultivated a strong media relations program to promote the availability of our apps across a variety of mass media outlets.
What steps have you taken to ensure that your clients (including government) only use the information for pre-determined health objectives related to mitigating the impact of COVID-19?
We have designed our technology to give consumers control of their private information.
Does your application use an openly published protocol to ensure that their solution is verifiable and interoperable? (For example, DP^3T, PACT, the TCN Protocol, and Apple/Google COVID-19 contact tracing technology)
Yes
No
Other:
Can information such as location history, symptom reports, demographic information, or similar shared with public health officials or researchers, be linked back to or used to re-identify individuals (even by entities legally allowed to perform such linkage)
Yes
No
Other:
Is there anything else you'd like to flag regarding your application that we have not covered in this survey?
Our global community of volunteers is working to both develop the core technology, develop and promote best practices for contact tracing, and engage directly with health authorities to guide their projects and rollout. We have brought together leading academic researchers, technology industry veterans, trusted advisors to governments and enterprises, and implementation partners who can execute projects. We believe that this holistic approach is likely to lead the best outcome.