Introduction
Contact tracing mobile applications can help slow the spread of COVID-19 (Ferretti et al. Reference Ferretti, Wymant, Kendall, Zhao, Nurtay, Abeler-Dörner, Parker, Bonsall and Fraser.2020). However, citizens’ concerns about data privacy and data security breaches may reduce adoption below the required coverage to be effective (Ada Lovelace Institute 2020; Liu and Carter Reference Liu and Carter.2018). We analyse the determinants of citizens’ attitudes to these contact tracing apps. In Study 1, we implement a choice experiment (conjoint experiment) where participants indicated which version of two contact tracing apps they would be most likely to install. We vary the privacy-preserving attributes of the apps and estimate their effects on adoption. In Study 2, participants indicate a preference for digital-only vs human-only contact tracing. To assess the salience of data breaches as an issue for adoption, we randomly allocated a subset of participants in each study to receive a stimulus priming data breach as a concern, before asking about contact tracing.
Under current pandemic conditions, we find that citizens do not always prioritise privacy but give high preference to a centralised system led by the National Health Service (NHS) over a decentralised system (see also Wiertz et al. Reference Wiertz, Banerjee, Acar and Ghosh.2020). Citizens tend to support a mixture of contact tracing done digitally with limited human involvement. The salient threat of unauthorised access or data theft does not significantly alter either set of preferences.
Overview of Study 1.
Overview of Study 2.
Treatment effects on preference of data storage systems.
Note: Treatment is exposure to stimulus raising awareness of data breach. AMCE values calculated with the cjoint (Hainmueller et al. Reference Hainmueller, Hopkins and Yamamoto.2014) package in R. For ATE values (coefficients) see Table 2.
Treatment effects on privacy preferences within centralised systems.
Note: Treatment is exposure to stimulus raising awareness of data breach. AMCE values calculated with the cjoint (Hainmueller et al. Reference Hainmueller, Hopkins and Yamamoto.2014) package in R. For ATE values (coefficients) see Table 3.
Preference of digital vs human contact tracing per treatment group.
Note: Treatment is exposure to stimulus raising awareness of data breach.
Theory and hypotheses
Research on the adoption of technology similar to mobile phone contact tracing applications has shown that users’ concern about data security and privacy can reduce acceptance. A study of predictors of individuals’ adoption of healthcare wearable devices found that individuals’ privacy perceptions were an important part of their calculations about the use of the technology (Li et al. Reference Li, Wu, Gao and Shi.2016). This leads to our first hypothesis:
Baseline preference of privacy. We hypothesise a baseline preference of more privacy-preserving contact tracing applications.
The process of contact tracing using apps in practice supplements traditional human contact tracing. There is little direct evidence about this issue for COVID-19, but the broader literature on algorithm aversion suggests that people tend to prefer human involvement in systems even if they perform less well (Dietvorst, Simmons, and Massey Reference Dietvorst, Simmons and Massey.2015). We, therefore, propose the following hypothesis:
Baseline preference of human contact tracing. We hypothesise that citizens prefer more human involvement over digital-only contact tracing.
The concerns of users about privacy and preference for human contact tracing lead us to further examine whether making the possibility of data breaches more salient strengthens these baseline preferences, leading to a third hypothesis:
Saliency of the data breach. We hypothesise that preferences of privacy-preserving contact tracing, as well as human contact tracing, are strengthened for individuals who consider data breach as a realistic threat.
The international experience with COVID-19 has shown that citizens’ responses and willingness to engage with public health measures are affected by broader socio-political attitudes. Recently, evidence has emerged about differences based on partisanship (e.g. Utych Reference Utych2020) and gender (Palmer and Peterson Reference Palmer and Peterson.2020). In the UK context, where our studies are based, there is less clear evidence about partisan divides but the issue of other political attitudes towards the public authorities proposing the use of technology is still salient. Previous studies have found that trust in organisations is a factor influencing the intention to use related digital government technologies (van Velsen et al. Reference van Velsen, van der Geest, van de Wijngaert, van den Berg and Steehouder.2015). For these reasons, we include measures of trust in the NHS, and trust in the UK government’s handling of COVID-19. In each case, higher trust is expected to increase acceptance of privacy reducing and more technology-reliant aspects of the mobile phone app.
Globally, digital contact tracing is being rolled out with a variety of system architectures that have different implications for privacy and data security. The core functionalities of a centralised system are performed by a central server processing user data, which is managed by a health authority and can, subject to permissions, notify an infected user’s contacts of exposure (Ahmed et al. Reference Ahmed, Michelin, Xue, Ruj, Malaney, Kanhere, Seneviratne, Hu, Janicke and Jha2020, 134578–134580; Martin et al. Reference Martin, Karopoulos, Hernández-Ramos, Kambourakis and Fovino.2020). A decentralised system, on the other hand, has most of its core functionalities performed by users’ devices including exposure notifications (Ahmed et al. Reference Ahmed, Michelin, Xue, Ruj, Malaney, Kanhere, Seneviratne, Hu, Janicke and Jha2020, 134580–134581). The privacy implications of these two systems have often been discussed as a trade-off with other attributes (see also Cioroianu and Dal Reference Cioroianu and Dal.2020, for an overview). While decentralised systems are recommended for having more overall privacy-preserving features than centralised systems,Footnote 1 the lack of central oversight does limit human involvement in the process of contact tracing. This might be problematic while contact tracing apps tend to perform with poor accuracy (Briers Reference Briers2020). In contrast, whereas centralised systems do have the ability to integrate digital with human contact tracing and research (by design, but in practice may be a legislative feature), their data servers are vulnerable to the data breach that involves more sensitive protected data.
Methods
Subjects and contextFootnote 2
Study 1 uses an online panel of N = 1,504 from Dynata, targeting a diversity of respondents representative of the UK as of its 2011 censusFootnote 3; Study 2 uses a smaller, N = 809 panel from Prolific Academic, with similar sample demographics,Footnote 4, Footnote 5 Data collection occurred on 18 May 2020 to 23 May 2020. During this period, the UK had no official (government-backed) contact tracing app available for public use, except for a trial version released on the Isle of Wight exclusively. That application was one of the centralised systems as outlined above. The UK’s next contact tracing app to enter a new trial phase will be built on a decentralised system (Department of Health & Social Care 2020).
Dependent measures
In Study 1 conjoint experiment, respondents were asked to choose one of two COVID-19 contact tracing apps to install, with their data privacy and security attributes varying. Each respondent made a series of five such selections.
In Study 2, the dependent measure is the respondents’ preferred amount of human involvement in the process of COVID-19 contact tracing. This is a rating scale ranging from human-only contact tracing (1) to digital-only contact tracing (7).
Treatment: Data breach stimulus
Both groups in each study received a brief text about data security including its definition as “a set of standards and technologies that protect data from intentional or accidental destruction, modification or disclosure.” The treatment group additionally got a text about data breaches becoming “more common,” giving examples: “theft of personal data, devices containing personal data being lost or stolen.”Footnote 6 Figures 1 and 2 show the placement of treatment stimuli in the two studies, respectively.
Conjoint experiment
The conjoint experiment enabled us to assess the causal impact of multiple attributes related to privacy and data security: data storage until when data are stored, what kinds of contacts and what specificity of location is uploaded and what constitutes contact.
Conventional conjoint experiments randomise and display all attributes independently. Our challenge, however, was to capture two vastly different implementations of digital contact tracing with their privacy options fundamentally incompatible with each other, restricting the option of independent randomisation. Decentralised systems of digital contact tracing use minimal data sharing across devices whereas centralised systems use data sharing between devices and a data server. As explained above, decentralised systems may preserve privacy better but are not integrated with human contact tracing and research in contrast to centralised systems that can be integrated but may consequently be seen as vulnerable to data breaches.
We address the issue using dependent attributes. Respondents evaluate five pairs of potential contact tracing applications that compare either a decentralised system that simply does not store contact or location data with a centralised system that stores at least one of these, or two centralised systems with varying privacy attributes excluding the possibility of no data storage. In this way, attributes presented in Table 1 below are heavily system-dependent.
Privacy attributes depending on data storage system (dependent attributes)
Notes: A third of all binary comparisons were between a centralised system (privacy attributes varying) and a decentralised system (privacy attributes not varying), and two-thirds between two centralised systems (privacy attributes varying, greyed cells). Privacy-varying attributes reported on latter subsample.
Data storage models
***p < 0.001, **p < 0.01, *p < 0.05.
Pooled GLM estimates with standard errors clustered on respondent level.
Note: For simplified display, “Covariate” means “Treatment” in the first,
“Trust in NHS” in the second and “Gov’t performance” in the third column.
Treatment and moderator effects on preference within centralised systems
***p < 0.001, **p < 0.01, *p < 0.05.
Pooled GLM estimates with standard errors clustered on respondent level.
Note: For simplified display, “Covariate” means “Treatment” in the first,
“Trust in NHS” in the second and “Gov’t performance” in the third column.
Treatment effects on preferred amount of human involvement in contact tracing
*p < 0.001.
As attributes are not fully independent we (1) present a comparison of effect sizes on the data storage attribute alone, independently from the privacy attributes, and then (2) present the effect of the rest of the privacy attributes separately on respondents who compared two centralised systems.Footnote 7
Moderators
We include the following as moderators of conjoint preferences: trust in the NHS and satisfaction with the government’s handling of coronavirus.Footnote 8
Results
Study 1
Descriptive results
Across all attributes, respondents do not systematically prefer more privacy. For data storage, the NHS led centralised system is preferred in 55.94% of binary comparisons compared with the centralised system led by the UK government (45.85%) and the decentralised system (47.63%) despite the NHS system being potentially displayed with attributes more intrusive to privacy.Footnote 9
Treatment effects: Data storage
In the pooled model across all conjoint choices (five tasks, two profiles per task displayed by respondents thus N = 15,040) with standard errors clustered on the respondent level, we found no difference between a preference for data storage and exposure to the data breach stimulus, see Figure 3.
Treatment effects within centralised data storage systems
An N = 10,950 app profiles described a centralised system with further attributes relating to privacy varying. In this subset of the data, our model finds no treatment effects relating to exposure to the data breach stimulus except some evidence that the stimulus may have further strengthened respondents’ preference to store data until vaccines or tests are available over indefinite data storage, see Figure 4.
Trust in NHS as a moderator
In two similar pooled models as above, across data storage systems as well as within centralised systems we find that although high trust in the NHS strengthens preferences for an NHS-led centralised system, low trust in the NHS does not mean clear support for a decentralised system (or a centralised one maintained by the government). Within centralised systems, trust in the NHS motivates respondents to give up more privacy.
Government performance as moderator
Satisfaction with the government’s performance in handling COVID-19 moderated preferences given to a centralised system maintained by the UK government. Across the spectrum, however, the NHS-led centralised system remains the clear preference in the majority of comparisons.
Study 2
Study 2 repeated the data breach stimulus asking respondents about their preferred amount of human involvement in the process of contact tracing. The majority of citizens prefer a mixture between human-led and digital, with greater proportions preferring “Mostly digital” to “Mostly human.”Footnote 10 We find no significant treatment effects for exposure to data breaches, see Figure 5 and Table 4.
Discussion and Conclusions
Citizens prefer a balanced (human plus digital) approach to contract tracing. Privacy concerns were not as influential on the choice of the digital app as initially expected and as indicated by past research. Privacy concerns were overridden by trust in the NHS and the NHS centralised app is preferred to both the centralised government app and the decentralised system. The NHS has strong support amongst the UK public; support and research on other public services have found users have greater willingness to cooperate in the co-production of public services delivered by public organisations when compared with services delivered under contract to private companies (James and Jilke Reference James and Jilke.2020). Our findings are consistent with this line of research and demonstrate that when a trusted public health provider is involved in the development and deployment of the tracing app it can bring about the cooperation of the public necessary for its successful use in reducing the spread of infection.
Our results suggest two considerations for future research. First, to further understand the role of health care providers, research should examine the effect of institutional differences on coproduction, including whether the organisation is public or privately owned. The unique status of the NHS with its current high regard among the British public may not translate to coproduction in all other jurisdictions. Secondly, variation in the perceptions of the salience of the COVID-19 threat across different countries and populations might explain how the public responds to privacy concerns. The data breach treatment does not influence outcomes, possibly because of crisis perceptions which were likely high in the initial phase of the pandemic. Potential changes in responses over time as the pandemic develops and differences in findings between jurisdictions with different public health systems are particularly important topics for future research.
Supplementary material
To view supplementary material for this article, please visit https://doi.org/10.1017/XPS.2020.30.
Open access
