Contact Tracing Phone Apps: Health vs. Privacy

Google, Apple and the Massachusetts Institute of Technology last week made headlines with announcements of contact tracing mobile apps in the wings. Their purpose is to identify contacts of people who test positive for COVID-19 so appropriate actions can be taken to stem its spread.

However, a Cambridge University professor threw some cold water on those apps in a post published Sunday.

The apps proposed by Google, Apple and MIT all have voluntary aspects to them. That may address the privacy concerns such apps are raising, but it creates other problems, argued Ross John Anderson, professor of security engineering at the University of Cambridge in the United Kingdom.

“If the app’s voluntary, nobody has an incentive to use it, except tinkerers and people who religiously comply with whatever the government asks,” he wrote.

“If uptake remains at 10-15 percent, as in Singapore, it won’t be much use and we’ll need to hire more contact tracers instead,” Anderson continued.

“All that said, I suspect the tracing apps are really just do-something-itis. Most countries now seem past the point where contact tracing is a high priority; even Singapore has had to go into lockdown,” he pointed out.

“If it becomes a priority during the second wave, we will need a lot more contact tracers: Last week, 999 calls in Cambridge had a 40-minute wait and it took ambulances six hours to arrive. We cannot field an app that will cause more worried well people to phone 999,” Anderson argued.

He called for more resources going into expanding testing, making ventilators, retraining everyone with a clinical background from vet nurses to physiotherapists to use them, and building field hospitals.

“We must call out bullshit when we see it, and must not give policymakers the false hope that techno-magic might let them avoid the hard decisions,” Anderson added.

Pandemic Makes Strange Bedfellows

Apple CEO Tim Cook and Alphabet and Google CEO Sundar Pichai last week tweeted that the companies were working on a mobile phone application for contact tracing.

Contact tracing can help slow the spread of COVID-19 and can be done without compromising user privacy. We’re working with @sundarpichai & @Google to help health officials harness Bluetooth technology in a way that also respects transparency & consent.

— Tim Cook (@tim_cook) April 10, 2020

To help public health officials slow the spread of #COVID19, Google & @Apple are working on a contact tracing approach designed with strong controls and protections for user privacy. @tim_cook and I are committed to working together on these efforts.

— Sundar Pichai (@sundarpichai) April 10, 2020

The companies will be launching a comprehensive solution that includes application programming interfaces and operating system-level technology to assist in enabling contact tracing, they said.

Their solution will be launched in two phases:

  • In May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. Users will be able to download those apps from Google Play and the Apple App Store.
  • Later in the year, the companies hope to enable a broader Bluetooth-based contact tracing platform by building this functionality into their underlying platforms. That will be a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.

Cooperation Is a Necessity

Since Apple and Google essentially have a duopoly of the mobile phone market, they must cooperate to create a comprehensive COVID-19 contact tracing app that will serve the broader U.S. population, maintained Michael R. Levin, partner in Chicago-based market research firm Consumer Intelligence Research Partners.

“Their loyalty rates are unbelievably high, so if they want to do some kind of comprehensive contact tracing, it’s going to have to work on both Android and iOS phones. They just can’t do one or the other,” he told TechNewsWorld.

“Ordinarily, they do everything they can do to prevent their competitor from succeeding — but there’s a larger mission here, so there’s an incentive to put together a capability that will work well,” Levin added.

A mobile app can be part of the contact tracing solution, but it’s no substitute for a massive scale-up in public health infrastructure that can contact trace retrospectively, maintained Michael Reid, MD, assistant professor of medicine and infectious diseases at the University of California, San Francisco.

“In the U.S. we need 100,000 people to be doing contact tracing if we’re serious about keeping a handle on the epidemic,” he told TechNewsWorld. “An app isn’t going to reduce the need for that.”

Technology solutions beyond mobile phone apps are needed to get a handle on contact tracing, Reid contended.

“We need CRM software that will allow you to work remotely and is simple enough so people can contact trace rapidly — something like a Salesforce application for contact tracing,” he said.

A Light in the Ocean

The Massachusetts Institute of Technology last week revealed that a research team was working on a contact tracing scheme based on Bluetooth technology.

The MIT-led approach is to have a phone constantly broadcast random strings of numbers, which the researchers likened to “chirps.” Nearby phones automatically would remember the chirps they received.

A person diagnosed with COVID-19 could upload the chirps broadcasted for the last 14 days to an online database. Meanwhile, people using the MIT app could check the database to see if the chirps their phones “heard” matched the chirps of people diagnosed with the virus.

“I keep track of what I’ve broadcasted, and you keep track of what you’ve heard, and this will allow us to tell if someone was in close proximity to an infected person,” said Ron Rivest, MIT’s principal investigator of the project.

Another investigator on the project, Marc Zissman, associate head of MIT Lincoln Laboratory’s Cyber Security and Information Science Division, explained the chirp system would work along the same lines as Apple’s “Find My” app.

“If my phone is lost, it can start broadcasting a Bluetooth signal that’s just a random number,” he said.

“It’s like being in the middle of the ocean and waving a light. If someone walks by with Bluetooth enabled, their phone doesn’t know anything about me. It will just tell Apple, ‘Hey, I saw this light,'” Zissman noted.

Privacy Challenge

MIT’s system protects privacy, but once it’s deployed on phones, there’s the potential for abuse, noted Quentin Rhoads, director of professional services at Critical Start, a network security consulting company in Plano, Texas.

“The way it has been designed by MIT means that only random numbers, along with the distance from that number, are stored in lists. No data around phone, email, name, or other identifiable data should be shared,” he told TechNewsWorld.

“However, this is MIT’s design and there is no telling how the OS developers will modify this method — meaning that OS developers could implement this in a way not originally intended, leading to the inadvertent sharing of privacy data or purposeful storing of privacy data,” Rhoads cautioned.

There will be privacy challenges for any application harvesting large amounts of data, maintained Jena Valdetero, data security and privacy lawyer at Bryan Cave Leighton Paisner in St. Louis.

“It would be important to understand exactly how those implementing the tracking truly anonymize the data. Previous studies have shown that it is extremely hard to do,” she told TechNewsWorld.

Still, gathering tracing data doesn’t have to usher in Big Brother, Valdetero noted. “The idea of using personal data to combat coronavirus highlights issues we’ve been struggling with since the Internet was created. Essentially, how do you take advantage of all the good that can be done with technology while also protecting human rights and privacy?”

The demands of public health may require flexibility on the application of safeguards, she acknowledged.

“In the commercial context, we have given individuals greater control over personal data — consider the many restrictions and opt-out provisions in place with the GDPR and to lesser extent, California’s Consumer Privacy Act,” Valdetero explained.

“Right now the question is what are we willing to give up for the benefits that sharing our data will provide to better contain the pandemic?” she asked.

Relaxing safeguards could be a slippery slope.

“There is a legitimate concern about whether and how we go back to the old way of protecting user data once this crisis is over,” Valdetero said. “It will be incredibly important to narrowly craft any access to and use of this data during a time of national emergency to ensure such government tracking doesn’t become the new normal once the pandemic recedes.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
