Industry perspective: The case for data minimalism with COVID-19 apps

As the COVID-19 pandemic grew in early 2020, so did the number of COVID-19 tracking apps. But not every user understood the permissions they were granting. Internews Product manager Megan DeBlois discussed what she and a team of volunteer researchers at covid19apptracker.org have discovered so far, at Transcend’s first privacy_infra() event for engineers on July 30.

DeBlois’s project uses data from contract tracing, symptom tracing, or COVID-19 information apps available for download on the Google Play Store. At the time of her talk, the team had identified a total of 121 apps. They looked for apps with potentially dangerous permissions based on Google’s definition in their Android developer documentation: “permissions that could potentially affect the user’s privacy or the device’s normal operation.”

So what did the project uncover so far? Tracking applications are requesting a number of permissions such as access to users’ geolocations, storage, cameras, microphones, contacts, and calendars. And while the need for location data makes sense for contract tracing apps, they’ve found that 76% of applications requested precise location data, even if not all of these apps were for the purpose of contract tracing.

The project also found that 36% of COVID-19 tracking apps requested permission to take pictures and videos, 12% requested to record audio, and a few apps even requested to modify calendar events and send emails without the user’s knowledge.

“I think one of the big takeaways for me is that a lot of these applications are requesting way more than they need. Whether that’s intentional, is another question…” said DeBlois.

Regardless of the motivation, DeBlois shared her belief that there is a need for education about the importance of practicing data minimalism. “There’s a lot of opportunity here, in particular, when it comes to design and creating technologies that are going to be high impact and really important,” DeBlois said.

Note: This post reflects information and opinions shared by speakers at Transcend’s ongoing privacy_infra() events, which feature industry-wide tech talks highlighting new thinking in data privacy engineering every other month. Watch the full July event, register for the next event on September 17, or learn more about privacy_infra().

If you’re working on solving universal privacy challenges and interested in speaking about it, submit a proposal to speak at an upcoming event.