Co-authored by: Pratik Sinha MD PhD1,2, Alastair E Paterson3 M.Eng
With over 215,000 dead globally and with close to 26 million newly unemployed in America alone, COVID-19 has resulted in a unique amalgamative failure of economics, healthcare, and society. While pressure is mounting on politicians to restart the economy, the precise mechanism to resuming “normal” activity remains unknown. That an effective vaccine is developed is far from certain and by most estimates would take 18 months to scale.
The challenges to contact tracing at scale
Can mobile technology come to the rescue in the meantime and help us adapt to a ‘new normal’?
Current public health consensus seems to align on the need to test, trace and isolate infected individuals with a stepwise repeal of lock-down measures. Policy-makers are, therefore, turning their attention towards how best to instigate such programs. The infrastructure for capacity to test and trace are woefully underdeveloped worldwide.
In the US, it is estimated that 180,000 contact-tracers would be required and it is estimated only 0.5% of that number currently exist . Scientists in the UK have put this number at 100,000 . Moreover, contact tracing for infectious diseases has traditionally worked on the prior assumption of a slow spreading infection. Incumbent programs are not built for speed. 
Fortunately, this is where ‘Big Tech’ is seeking to provide some innovative solutions to address the unmet challenges of contact-tracing. A well-publicized example of this is the recently announced Apple and Google joint venture to develop a cross platform application programming interface (API) to enable contact tracing apps to use their mobile operating systems for this purpose. Several other organizations are simultaneously working on apps to facilitate contact tracing using a variety of platforms. Most of these apps propose using location data to identify contacts of infected patients.
These solutions, at first-glance seem ideal, however, they pose a significant risk to digital security and patient privacy. Outlined below are some of the most likely apps that will be used for contact tracing and the attendant threats they pose.
Contact Tracing: What are the proposed Apps and how do they work?
Broadly speaking there are four categories of apps being proposed as potential solutions for digital contact tracing (Table 1 at bottom). Technical specification aside, they vary from one another by the degree of invasiveness in terms of privacy and security. Self-reporting apps, such the one developed by King’s College, London require the user to voluntarily report their symptoms and contacts. Unfortunately, the veracity and velocity of the reporting severely limits its utility and these types of apps are going to be limited to research.
The more likely contenders are based on using smartphones’ location data or Bluetooth interactions to determine individual’s location. Critical decisions for developers of contact tracing apps is whether to publish the source code, i.e. they are ‘open source’, or keep it private and are ‘closed source’.
Closed source applications are generally considered higher risk since they cannot be so easily scrutinized for security flaws by third-parties. They have unknown privacy implications since the inner-workings of the apps will only be known to the developers and may collect un-consented data. A critical second decision that healthcare systems using such apps have to make is whether the framework on which the apps are built use a centralized system for data repository or use a de-centralized platform where most location data remains on individuals’ phones as proposed by the Google/Apple API.
Worryingly, many countries including China, Russia, The U.K., Norway and Vietnam are taking a closed source approach to developing their apps and using centralized frameworks. The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) is another closed source approach backed by at least seven European countries including France and Italy.
Further, the intention is to centralize data collection in a ‘trusted’ platform, which will likely come with associated privacy concerns since governments would potentially have access to citizen’s location data, the ‘social graph’ of all the other people they physically met, and any other data this framework chooses to store that the app is able to access from the phone. If these databases are attacked by malicious third parties, that data could end up with criminals, the private sector, or other nation states.
Addressing the trade-off between health and privacy
The trade-off between security and privacy has always been a balancing act, especially in the post-911 and post-Snowden era as governments desire broader access to prevent terrorism, while civil liberties groups protest overreach into our private lives.
For many people, as Maslow’s Hierarchy would dictate, health comes first, but privacy advocates are understandably worried about how our location data is tracked and stored, who has access to it, and what happens to it when this is all over?
To give an example, the South Korean contact tracing laws permit the government to ascertain the immigration status of infected individuals. If other countries such as the US adopted the same approach, implications may be two-fold.
First, undocumented communities may not report their problems.
Second, it is not inconceivable, that over time the same technology and laws could be used to track undocumented migrants. Once a precedent is set, governments seldom trackback on the powers granted to them in times of crisis.
Highlighting these concerns, the UK’s approach to app development has drawn criticism from over 200 UK scientists who wrote an open letter to the UK Government April 29th stating “it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance.” In particular, there are worries that authoritarian and non-democratic leaders could use the crisis as an excuse to grab more power.
The lack of trust in these apps will carry huge implications in terms of efficacy of the intervention.
First, they may lead to a lack of uptake by the public. To be effective, it is estimated that approximately 80% of smartphone users will need to use the app, emphasizing the need for public trusts and buy-in for these apps.
Second, a lack of clarity and unanimous consensus of its utility may lead to a propagation of conspiracy theories and mistrust of the app. Governments need to have greater transparency and assurances before individuals will be willing to trust these apps. To that end, citing privacy concerns, Germany was originally part of the PEPP-PT initiative but has recently dropped out and is now pursuing an open-source approach called DP-3T (Decentralized Privacy-Preserving Proximity Tracing), a rival joint initiative backed by Austria, Estonia and Switzerland based on Apple/Google’s decentralized standard discussed below.
What is the Big Tech solution?
Apple-Google are pushing a decentralized model where data will be stored at the device level rather than centralized platforms. Further, given Google Android and Apple iOS jointly possess almost 99% of the global smart phone operating systems market share, it seems likely that ultimately the Apple-Google approach will be hugely influential in how the majority of contact-tracing apps operate.
In a departure from their presumed indolence to data privacy, Big Tech companies are in this case advocating a more privacy-preserving decentralized model. Paradoxically, the government of France is currently in dispute with Apple and Google asking them to weaken some of the privacy protections they have in place to help PEPP-PT implement a centralized tracking approach. The resolution of this dispute will have widespread implications as it is likely to set the precedence for other countries.
Importantly, if countries do not use Apple/Google’s API they will not have access to some critical operating system functionality making the apps less effective. Singapore created their app before the API was available and this meant that iPhone users would need to keep the app running in the foreground with an unlocked phone to keep Bluetooth running. The consequent debilitating demands of battery power meant that only 17% of the population used the app.
It is worth emphasizing that Apple or Google not supplying an app – it is incumbent on individual countries and regions to build an app on top of their API. Given that this API is the leading global standard it is worth studying it in greater granularity.
Rather than building a huge, centralized database of every user’s locations and giving it to governments to look up, most of the data stays on individual’s phone. Each phone broadcasts an identifier over Bluetooth at regular intervals and all phones will also record which other identifiers they can pick nearby. Each phone will keep changing their identifier making it difficult to track. However, once infected, all the individual’s identifiers generated by the phone in the preceding two weeks are released.
In theory, this approach is good for privacy, since no data about the individual is stored centrally about you unless you are infected. According to early proposals, it seems that Apple or Google will not get any additional data beyond what they already currently collect. Conceptually, at first glance, the de-centralized and open-source approach appears encouraging and helps to balance access versus privacy effectively.
The crucial questions that need to be addressed
Regardless of the approach taken, the following critical factors must be considered:
- Open source scrutiny: All apps should be open source and vetted by the security community. Any other approach will lack trust with the public due to privacy and security concerns, slowing adoption and efficacy, and raising the risk of abuse by authorities and malicious third parties. It is unclear if local authorities and health services have in-house skills to develop these apps rapidly and securely, and any proposed app requires careful independent scrutiny.
- Decentralized: A decentralized approach such as the one proposed by Apple-Google has the benefit of not storing location data in a central ‘trusted’ database that could be subject to abuse, data loss, and all the associated privacy risks.
- Collaboration: It seems illogical that each country and region have their different approach to solving the same problem. Pooling resources and testing robust, open-source software would likely expedite the implementation of these apps and allow external validation. Efforts like DP-3T seem like great examples of this. In the US different states are forming individual policies, and for now, it is unclear if they will use the same apps.
- Legal: Any new laws needed for storage of medical and location data should have sunset clauses and be revisited regularly and dismantled as soon as practical to do so, unlike the Patriot Act following 9/11 that is still active today. These new powers need to be used for their intended purpose only and only data relevant for COVID-19 contact tracing should be sent and stored. If a centralized approach is taken, The California Consumer Privacy Act (CCPA) may become the default standard for the US, especially if the US apps are developed in Silicon Valley. In Europe, GDPR will apply where, for example the use of contact tracing applications should be voluntary and based on proximity, not indiscriminate tracing of individuals’ movements. Anonymisation of personal data is critical, and the purpose it is used for must be as stated, necessary, and proportionate.
- Efficacy: Does the approach actually work? The proposed technologies are currently unproven. For example, Bluetooth has limited precision, especially in environments like The London Underground or New York’s subway system. Many apps are expected to poll once every 5 minutes which would be too slow for many purposes like this. It must be rapidly tested and validated before mass roll-out.
- Uptake: In Singapore, uptake is said to be less than 20% currently. Governments will have to work hard to convince people to do so, which is again why privacy and security must be clearly guarded and communicated as part of a broader public information and health campaign. These apps must remain voluntary, and fortunately Apple and Google have said they will not allow the apps to be made mandatory out of privacy concerns.
Technology may not be the whole answer here, however, when applied thoughtfully, it may play a key part in reviving the economy and restoring livelihoods in this pandemic. It may be that in the age of COVID-19, it is Big Tech that may offer the best solutions that safeguard both our privacy and our health.
- Simmons-Duffin S. We Asked All 50 States About Their Contact Tracing Capacity. Here’s What We Learned. NPR Apr 28, 2020. https://www.npr.org/sections/health-shots/2020/04/28/846736937/we-asked-all-50-states-about-their-contact-tracing-capacity-heres-what-we-learne
- Kates G. Contact tracing for coronavirus: How it works and why it could be so difficult. CBS Apr 15, 2020. https://www.cbsnews.com/news/contact-tracing-for-coronavirus-how-it-works-and-why-it-could-be-difficult/
- Albrecht M, Aparicio-Navarro F, Arief B, et al. Joint statement of U.K. scientist working in the field of privacy and security. 29 April 2020. (https://drive.google.com/file/d/1uB4LcQHMVP-oLzIIHA9SjKj1uMd3erGu/view)
- Hinch R, Probert W, Nurtay A, et al. Effective configuration of Digital Contact Tracing App: A report to NHSX. 16 April 2020 https://045.medsci.ox.ac.uk/files/files/report-effective-app-configurations.pdf.
- Privacy-preserving contact tracing. April 2020. (https://www.apple.com/covid19/contacttracing)
- Hern A. France urges Apple and Google to ease privacy rules on contact tracing. Guardian 21 April 2020. https://www.theguardian.com/world/2020/apr/21/france-apple-google-privacy-contact-tracing-coronavirus
- Holmes A. Singapore is using a high-tech surveillance app to track the coronavirus, keeping schools and businesses open. Here’s how it works. Business Insider 24 March 2020. https://www.businessinsider.com/singapore-coronavirus-app-tracking-testing-no-shutdown-how-it-works-2020-3
- Vaughan A. There are many reasons why covid-19 contact-tracing apps may not work. New Scientist 17 April 2020. (https://www.newscientist.com/article/2241041-there-are-many-reasons-why-covid-19-contact-tracing-apps-may-not-work/#ixzz6LJV3kf8y)
- Lizzie Roberts Contact tracing: how has it worked for other countries, and could it really help ease UK lockdown? (https://www.telegraph.co.uk/news/0/contact-tracing-uk-lockdown/)
|Type||Example||Auto-location detection||Based on Apple/Google API||Centralized Database||Notes|
|Self Reporting Apps||Kings College-backed ‘C-19 COVID Symptom Tracker’, Healthcast, ZeroBase||No||No||Yes||While they may provide useful research data and indicators if adopted widely, they are unlikely to be useful for contact tracing since they cannot automatically identify who the reporters have been in contact with or the veracity of their claims.|
|Custom-Built Closed-Source Location Tracking Apps and Frameworks||Norway, Russia, Vietnam, China, UK PEPP-PT (7 EU countries including France, Italy)||Yes||No||Yes||Lack of published, scrutinized source code increases risk of security flaws or hidden surveillance. Centralized database is at risk of attack and data breaches. Not using Apple/Google API may cause battery life and other efficacy issues.|
|Open Source Apps & Frameworks|
(not using Google/Apple API)
(Singapore TraceTogether, Australia COVID-19 Safe).
TCN Protocol, Israel
|Yes||No||Yes||Published source code enhances security and trust, but centralized database may be open to attack and data breaches. Not using Apple/Google API may cause battery life and other efficacy issues.|
|Apps Using Google/Apple API||DP-3T (Germany, Austria, Estonia, Netherlands), California||Yes||Yes||No||Using Google/Apple API is the only way to use native operating system functionality which is lighter on battery use and better for location tracking. Lack of centralized database is good for privacy, but limits data deemed necessary by France and other countries’ Governments.|
PEPP-PT = Privacy-Preserving Proximity Tracing, API = Application Programming Interface, TCN = Temporary Contact Numbers,
DP-3T = Decentralized Privacy-Preserving Proximity Tracing