UPDATED 19:00 EST / MAY 19 2020

APPS

The contact tracing debate: Do we need to sacrifice personal data privacy to get back to business?

SARS-CoV-2 is a sneaky little virus. Symptoms can vary widely, and without widespread testing there’s really no way to know if a person has the virus or not. As countries start to reopen, protecting against a new spike in infections is an ongoing concern.

Digital contact tracing is being suggested as the solution that will allow a pandemic-stricken world to return to business as usual. It could work, but it’s not a panacea. A fatal flaw may be that data privacy has to be sacrificed in order for contact tracing to be effective.

Trace, test, treat

According to a white paper published by Harvard University’s Edmond J. Safra Center for Ethics, effectively controlling the spread of the disease requires testing of up to 30% of the population daily. To put that in perspective, 99 million Americans would need to be tested per day — as many people as the combined populations of California, Texas, Florida and New York. That seems an unreachable goal when the world’s top economies seem unable to get widespread testing in place.

One solution is to only test those who have had known contact with an infected person. This is known as contact tracing. It works like this: If Joe meets Jane for coffee on Monday and is diagnosed with COVID-19 on Friday, Jane is contacted and told she has probably been exposed to the disease and should self-quarantine or go get a test. This breaks the chain of transmission faster than if people self-quarantine only when they have symptoms.

harvard-infection-graphic

With contact tracing in place, control measures could be effective with as little as 1% of the population being tested per day. This is still higher than the current U.S. testing figures, which are hovering between 200-400,000 a day. But it is an achievable goal.  

Can the Apple-Google collaboration find a balance?

Madhav Marathe, University of Virginia

Madhav Marathe, University of Virginia

“I am keenly aware of the dangers posed by this pandemic and believe that [contact tracing] is amongst the best solutions that can balance the health and economic impact of the pandemic,” said Madhav Marathe (pictured), professor at the Biocomplexity Institute and Department of Computer Science at the University of Virginia. “Combined with adequate testing, this might be an important solution until pharmaceutical interventions become available.”

Tracking the spread of a disease through contact tracing doesn’t need technology. But nondigital tracing relies on memory, and few humans have photographic recall. We do, however, have smartphones.

Apple Inc.’s iOS and Google LLC’s Android operating systems control the world’s mobile phones. Burying their rivalry, the companies have teamed up to create a coronavirus tracking technology that they hope will be adopted worldwide.

The Apple-Google solution, which is referred to as “exposure notification,” is anonymous and decentralized. Not an app itself, it is distributed via an application programming interface, commonly known as an API, that can be used by third-party developers (for example public health organizations) to create tracing apps.

The solution works by broadcasting an encrypted “rolling proximity identifier” via Bluetooth, which changes at regular intervals to protect user identity. A database of the identifier codes that the user interacts with is maintained on the phone. If a user marks him or herself as infected, the system transmits a “diagnosis key” that triggers alerts on phones that have been in proximity to the infected user.

As global technology leaders, Apple and Google have the technological expertise coupled with access to users phones.

Both [Apple and Google] have significant depths in computing and understand the issues related to privacy very well,” said Marathe. The companies’ control from the operating system level “allows them to undertake the development of projects that employ the complete software stack, thus making the solution efficient, scalable and useable,” Marathe added. 

False alerts are a major security concern

The three-part solution of testing, tracing and treating COVID-19-positive patients is the best solution to control the virus until a vaccine is created. But is tracing through phone apps secure? Most work via Bluetooth signals, which are broadcast over open channels. This makes the system vulnerable to trolls, spoofing, and false alerts.

“The performance-art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; and little Johnny will self-report symptoms to get the whole school sent home,” said Cambridge University security researcher Ross Anderson in his critique “Contact Tracing in the Real World.”

And while decentralized systems promise security by maintaining data in the user’s personal device, devices are not always secure. Many apps already use Bluetooth and other location tracking technologies for what is known as proximity marketing. This involves sharing data with third parties, which compromises user anonymity.

Even if the shared data is “scrubbed” of all identifiers, studies have shown that anonymized data can be easily re-identified.

“I don’t see why all of the existing beacon tracking tech wouldn’t incorporate this into their stacks. At that point AdTech (at minimum) probably knows who you are, where you’ve been, and that you are COVID-positive,” Moxie Marlinspike, chief executive officer of Signal Messenger, wrote in a Twitter thread.

Tracing apps and the privacy debate

The Google-Apple solution is only one of many contact tracing projects currently underway.

The Switzerland-based Pan-European Privacy-Preserving Proximity Tracing, or PEPP-PT, project has proposed a Decentralized Privacy-Preserving Proximity Tracing, or DP3T, system. Like Apple and Google’s solution, DP3T is decentralized. And like Apple and Google’s solution, it has been criticized for being subject to false alerts and other privacy issues.

Image: UK Department of Health & Social Care

Image: UK Department of Health & Social Care

While Europe works on DP3T, the United Kingdom is going it alone. The country’s centralized app is being developed by the technology department of its national health system, NHSX. The benefit of a centralized database is the ability to analyze the data and eliminate the false positives that could make Apple and Google’s solution essentially useless.

“A small amount of privacy exposure is entirely acceptable in the context of a pandemic,” Anderson argues. But he has one caveat: that all data is destroyed when the pandemic is over. The U.K.’s health service has agreed not to keep data longer than needed. But asking any organization to throw away valuable data is like asking a dragon to give up its hoard.

“We have absolutely no reason to believe that the government agencies that are eager to expand their power in response to COVID-19 will be willing to see those authorities lapse once the virus is eradicated,” Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, told CNBC.

If you make opting in optional, most people will opt-out

While more authoritarian countries can enforce contact tracing, Western democracies are making apps “opt-in” to protect personal privacy and prevent a “big brother is watching” scenario. But this causes an issue: Estimates say that between 40% to 60% of the population would need to opt-in for contact tracing to work.

According to the Pew Research Center, around 20% of the U.S. population doesn’t own smartphones. Add the people who have old phones that don’t meet the technical requirements of the Google and Apple system, and you have eliminated older and lower-income citizens — which means that the most vulnerable to the virus are least likely to be traced.

Even those who do have the technology to download and use the app aren’t motivated to do it. In a current poll by the 1World Online website, 76% of respondents say they do not trust Apple and Google to protect their privacy on a tracking app.

Australia trials COVIDSafe

On April 27, the government of Australia released the COVIDSafe app as part of its plan to reopen the country’s businesses and get back to normal. While authorities stress that data will only be accessible by health officials, privacy concerns remain. Three days after release, the downloads had yet to reach 5 million, which is a far cry from the 10 to 15 million needed.

TheCUBE spoke with one lawyer based in Sydney, who has decided not to download the app because she does not trust the government to “get the technology right and secure the data.”

The lawyer, who requested to remain anonymous, told theCUBE: “I have no control over who may access data and how the data is used, and I don’t trust the government not to use the data differently from the way they say they will now.”

Concerns over discrimination are another sticking point, as some minorities fear the repercussions of being seen as the “obvious”  infected party when a proximity notification is sent.

“My worry is that if I am out for a walk or at the supermarket and someone gets a notification that they are near someone who have the illness, I will be lynched before I can defend myself,” Martha Anachury de Bruxelles, national representative for justice for Colombia at U.K. non-profit GMB Union told theCUBE.

Encouraging people to opt-in to contact tracing apps

Whether the benefits of digital contact tracing outweigh the negatives is still out for discussion. But privacy issues are moot if no one is using the apps. Can the government convince people into willingly opting-in to contact tracing solutions?

Yes, said Marathe, who lists a series of tactics that would work, including demonstrating the app is secure, encouraging high-profile use by trusted personalities and influencers, and offering monetary incentives to users.

It’s easier than that, according to Daniel Schreiber, chief executive officer and co-founder of home and rental insurance agency Lemonade Inc. He suggests that global retail corporations build the Apple and Google system into their marketing plans.

Think of the places everyone misses the most — movie theaters, restaurants, malls, and airlines. If these required customers to swipe the app to gain entrance or board a plane, then we’d all get back to work and play much faster. Customers would win by being able to access the goods and services they want, businesses would win by having customers again, and the government would win by being able to watch everywhere we go.

It’s an interesting theory and plausible to think that many would choose the physical and immediate pleasure of a meal out or a trip to the movies over a theoretical loss of privacy in the future.

All three steps must be in place for trace, test, treat to work

Regardless of the number of people who agree to be traced via an app, contact tracing is a three-step process. Those who are alerted that they have been in proximity to a COVID-positive patient will need to have access to testing for the system to work. And while the U.S. is ramping up its testing capabilities, realistic figures are for 8 million tests a month, according to Admiral Giroir.

“If we do testing in a smart way, like all those who were symptomatic and contact-traced and you targeted asymptomatic screening, that’s really the way to go,” he told Time.

With manufacturers repurposing lines to build ventilators and scientists around the world working on a vaccine for COVID-19, the cure part is also in the works.

But as for protecting personal data and privacy, that may be a first-world privilege that is sacrificed in the quest for a return to “normal” life.

Image by: Gerd Altmann/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU