Contact Tracing Impetus and Authority
Ryan Carrier
Public
Seen by 18
We have a series of questions in the audit, which start with Pandemic, step down to epidemic, and then conclude with "if not those, then what"? I have appended them below. My question to the group is: Where does the right to "call" for Contact Tracing end? What are the minimum requirements for "Contact Tracing" to be called for? I am afraid without this backstop that "mission creep" is used to translate this into other areas of surveillance on slightly less than significant public health criteria. Any amendments in the language and the audit questions themselves should be done in Office Hours (found on the registration form of the website) or in the spreadsheet where were are currently editing them.
Is a Pandemic necessary for your entity to initiate a Contact Tracing program? |
Has a Global Health Authority or National Health Authority declared a Pandemic? |
Is an Epidemic necessary for your entity to initiate a Contact Tracing program? |
Has a Global Health Authority or National Health Authority declared an Epidemic? |
What are the requirements for a Contact Tracing program to be initiated? |
Does the Contact Tracing Entity (CTE) have the authority to call a Pandemic or Epidemic? |
Does the CTE have the authority to contact trace? |
Aaron Maxwell Thu 28 May 2020 5:01PM
I think we are worrying about the wrong thing, almost. Once this technology is out of the bag, and developed and hosted on people's phones, then any actor with bad faith can modify it as they see fit. Sure, they might try to make it legitimate by calling on the CTE to re-instate the app, but they'll probably also refuse any audit which would harm said legitimacy. I think we keep it simple and ask "What is the condition for halting contact tracing that requires the app?" but, you know, in a much better way that what I just wrote.
Ryan Carrier Thu 28 May 2020 5:06PM
True enough, as it is already in the Apple IOS. But when approaching an infrastructure of trust, no system will defeat bad actors and malfeasance. So the audit and governance system we are building applies to those who choose to comply, who want to build trust and faith in the system. We could argue that there should be no contact tracing software, so that bad actors can't get to it, but that would ignore the value to public health and the pragmatic answer of "well it is coming anyway". So I think our mission here is to mitigate downside risk and get the best possible results for the traced. Does that make sense?
Ryan Eagan Wed 3 Jun 2020 1:18PM
I think leaving the questions as is might be the best approach. The challenge is, we are operating from an independent oversight role, not as a legislative or enforcement role. Our goal is to be able to call out and highlight these potential conflicts so that the parties which can affect change have the means to do so.
We can look to potentially create a more challenging position by asking questions related to the lifetime of the program in addition to these questions. In the expiry section, there are some questions, but perhaps we ask more specific if a program end date has been set, who sets it. I think if we add questions with an overlap, it challenges a potential brushing off of other expiry questions, as an inconsistent answer would be a red flag for the auditing body.
Ryan Carrier · Thu 28 May 2020 1:39PM
Furthermore, when we allow the same contact tracing authority to determine that there is a problem worthy of contact tracing, now we have an inherent conflict of interest. That was why the questions were worded the way they were before. Now, if left as is (and there is a practical value to leaving the questions as is), there is an in-built conflict. We might have to codify that this is NOT best practice because of the conflict. I worry about Authoritarian regimes with illegitimate power applying this as a power grab,