As COVID-19 sweeps across the globe, many companies have set out to leverage technology to create solutions that would help inform individuals and communities of possible exposure to the virus. Much like understanding the origins of the virus and its different strains, tracing the spread of the virus in human contact is just as important. A COVID-19 contact tracing solution could be vital to returning normalcy to our communities worldwide.
However, contact tracing would only be effective with mass adoption of the solution – a key problem particularly for stand-alone tracing apps, even if it is government-sponsored. This week, Apple and Google have teamed up to create a compatible device-level contact tracing solution for the virus, addressing a technical barrier to achieving critical mass.
Now the success of this solution depends squarely on one thing: permissions. Will enough end-users opt-in to contact tracing to make it reliable and effective?
A Framework for Permissions
We’ve all heard about tech companies adopting “privacy-friendly” policies. Yet, no other event in modern times will so significantly test the balance between being privacy-friendly and serving a greater good in public health. This is why understanding when and how to ask for permissions becomes a central focal point.
The framework for how to think about permissions (allowing data to be collected on the individual) can be summarized in two key pillars. The first is value: how will the end-user benefit from this exchange of data? Consider the perceived worth. Is the value obvious? How direct is the line between the permission requested and the value delivered? For example, granting location permission with a food delivery app directly relates to the value: dinner delivered to your doorstep. A more indirect line might be allowing access to purchase history for future personalized offers or recommendations. Naturally, the greater and clearer the value (actual and perceived), the more willing the end-user will be to grant permission to their data.
The second permission pillar is trust: is there sufficient trust for the individual to believe the claims made around what data is collected, how their data will be used, and who has access? Aside from perception, trust can be built and conveyed by clearly communicating the value, being transparent at every stage of the experience, and providing assurances to the end-user (such as never selling user data or deleting data after 14 days). Basically, is it easy for anyone to understand what and how the data is (or is not) being used? This clear communication establishes a more trusting relationship with the user and increases the likelihood that permission will be granted.
The Path to Critical Mass: Permissions, Privacy, and Individual Choice
Assuming the two main components of permissions – value and trust – are in place, we must address the most glaring aspect of contact tracing: the privacy implications of requesting permission to proximity data. A 2019 worldwide survey by Cisco showed that “privacy is as much about customer experience as it is privacy.” Requesting permission isn’t just about the legality of using data. It’s much more expansive – encompassing the individual’s sense of agency in engaging with the company or organization.
Shedding the notion that seeking permission is just to legitimize data collection, the focus should be placed on inviting the user to provide data in exchange for something valuable. In contact tracing, this is about helping to protect themselves and their community through awareness of their exposure to COVID-19. Granting permissions is the mechanism by which the end-user can unlock value. It puts the individual in control and respects their agency throughout the entire experience.
Permissions – and how they’re requested – should be designed as part of the core functionality, not tacked on as an afterthought once the feature or product is pushed live. Timing is everything. Have users been informed and educated prior to the request? Is the value to both the individual and their community obvious? Consider when and how often the request is made.
Making It Happen
Achieving critical mass for a contact tracing solution is challenging, but not impossible. Even tech giants cannot guarantee success in slowing down the spread of COVID-19 if trust and value exchange is not well understood. The key is getting the permissions right.
Seeking broad adoption for contact tracing is a one-time shot and can be easily derailed or miscalculated if permissions do not play a central role. The stakes have never been higher. While much has been focused on architecting the technical design for contact tracing, what comes after – the human aspect of allowing for data collection and usage cannot be underestimated. It’s imperative to thoughtfully design the request in a way that respects the individual’s agency and protects the greater good of our communities.