After the initial lockdowns of spring 2020, the large-scale adoption of contact-tracing apps was endorsed in many countries as a means to facilitate the tracking of transmission chains and the early detection of outbreaks, and thus to minimize the resurgence of Covid-19 contagions. However, centralized approaches, where data captured by the app are all sent to a nation-wide server, raised important concerns about citizens’ privacy and needlessly strong digital surveillance, alerting researchers and policy makers to the importance of limiting personal data collection and avoiding location tracking.

This is, in a nutshell, the critical issue highlighted in a study recently published in Ethics and Information Technology by a group of national and international experts. The study was spearheaded in April 2020, during the first wave of the epidemic, by members of the Pisan Data Science & AI community and of the European research infrastructure. Among them: Mirco Nanni, Fosca Giannotti, Salvatore Rinzivillo and Roberto Trasarti of ISTI-CNR; Chiara Boldrini, Marco Conti and Andrea Passarella of IIT-CNR; Paolo Ferragina, Riccardo Guidotti, Anna Monreale, Dino Pedreschi, Francesca Pratesi and Salvatore Ruggieri of the University of Pisa; and Francesca Chiaromonte and Giovanni Comandè of the Sant'Anna School – a statistician and a jurist belonging to EMbeDS.

These experts advocate the conceptual advantage of a decentralized approach, where both contact and location data are collected exclusively in individual citizens’ Personal Data Stores, to be shared separately and selectively (e.g., with a backend system, but possibly also with other citizens), voluntarily, only when the citizen has tested positive for Covid-19, and with a privacy-preserving level of granularity. This approach better protects the personal sphere of citizens and affords multiple benefits. It allows for detailed yet privacy-preserving information gathering on infected individuals, enabling both contact tracing and the early detection of outbreaks at a finer geographic scale. The decentralized approach is also scalable to large populations, in that only the data of positive patients need to be handled at a central level.

The recommendation of the team is two-fold. First, to extend existing decentralized architectures with a light touch, which can manage the collection of location data locally on individual devices and allow them to share spatio-temporal aggregates – if and when they want and for specific aims (for instance, with health authorities during an epidemic). Second, in the longer term, to pursue the broad adoption of the Personal Data Store vision, giving individuals the opportunity to contribute to the common good voluntarily and for specific objectives, enhancing self-awareness, and cultivating collective efforts for rebuilding society.

"The optimal balance between public good and protection of personal data" - says Mirco Nanni, first author of the study - "can only be reached if we include individuals in the decision process. The priority is to give people the means to gain full awareness and full control of their own data, allowing them to consciously choose whether, when, how and within which boundaries to share their data with others. The Covid-19 epidemic" - continues Mirco Nanni - "has brought to the fore a trade-off between the potential contribution that individual citizens can provide with their data, and the fear that such data can be abused. We believe that providing awareness and control is the right remedy to overcome this trade-off, and that the challenges in this respect are cultural rather than technological".

The basic idea is to promote a New Deal of personal data. “Empowering individuals to collect, use and add value to their own data reduces the dominant role of big platforms and helps democratize Big Data and AI” - says Dino Pedreschi, the corresponding author of the study - “This can be the key for a digital transformation that actually increases individual and collective welfare”.

“The approach proposed in this article” - adds Giovanni Comandè - “anticipates the new European regulations in the Data Governance Act, and its 'data altruism' policy”.