Contact Tracing Apps Must Respect Privacy and Digital Security Principles

The Jordan Open Source Association has called against adopting any applications that track COVID-19 patients and people they have come in contact with, until after adequate guarantees are available regarding these applications’ effectiveness as well as their respect for users’ privacy and personal data protection.

Contact tracing apps warn people who have come into close contact with COVID-19 patients by recording virus cases and tracking people’s movements.

The Jordan Open Source Association stresses the need to create measures that prevent the distribution, dissemination, and trade of users’ health data, or processing it for purposes other than containing the COVID-19 pandemic, and advocates against storing this data for longer periods than is necessary.

Application developers must only collect information that is required for their specified purposes, and only allow access to this information to authorized parties whose line of work requires it (e.g. treatment providers). They must also provide personal data after hiding users’ identity (data anonymity) if this is required for scientific research purposes or for decision-making efforts to prevent the spread of COVID-19.

Patients’ personal information, such as their full names and ID cards, must remain confidential to the public. It also must not be leaked to companies or to third parties whose work doesn’t involve infection prevention.

The Jordan Open Source Association warns against the collection of individuals’ geolocation data without implementing processes to anonymize this data and ensure that it’s free of personal information. Even after these processes have been implemented, the principles of digital privacy must also be applied. These include "data minimization", meaning limiting the collection and storage of personal data except when necessary, and using personal data only for the purpose for which it was initially collected.

The Jordan Open Source Association calls for adopting open source technologies to develop these applications in order to ensure more transparency and accountability. It also emphasizes the need for these applications’ operating mechanisms to be reviewed and examined by other parties to raise their level of their digital security.