SALT LAKE CITY — In China, a simple red, yellow or green symbol dictates how people live their lives. Whether or not they can use the subway, eat at restaurants or visit their parents is determined by a government app that records their travel history and who they’ve been in contact with, monitors their symptoms and assigns a COVID-19 risk level.
The concept of examining someone’s connections to see if they may have encountered an infected person is called “contact tracing,” and in addition to China, it’s being implemented in countries like Singapore, South Korea and now the U.S.
Apple and Google have announced plans to release contact tracing technology in May that will integrate with public health agency apps. But the two tech superpowers are assuaging fears of mass surveillance by promising that their opt-in version will be much more secure and private than China’s.
The companies will use Bluetooth signals to indicate when two phones are near each other instead of GPS which reveals a person’s actual location. They say they will not store personal identifying information and have indicated they will not to use the program for purposes beyond the pandemic.
“Privacy, transparency and consent are of utmost importance in this effort,” reads a statement from Google. “We will openly publish information about our work for others to analyze.”
Still, some Americans may be wary of new technology that keeps track of everyone they come in contact with. Mayank Varia, a research associate professor in computer science at Boston University said that developers must consider how the technology could potentially be misused for government or commercial surveillance in the future.
“I do think it’s important to be concerned, always, whenever any technology is built, about the potential for surveillance creep,” said Varia, who has been working with a team of researchers to build a contact tracing system similar to Apple and Google’s. “It is feasible that this kind of technology could be used for other purposes, like in a law enforcement context.”
Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation, said representatives at the nonprofit, which works to defend civil liberties in the digital world, will take a close look at the specs provided by Google and Apple and carefully examine the safeguards built into the system.
“I think it’s a situation where you trust but verify. Take them at their word but investigate to see if there’s anything going on, whether it’s a coding mistake or something more nefarious,” said Opsahl. “That’s why we demand transparency.”
How it works
Public health officials have traditionally carried out contact tracing by interviewing infected people about who they’ve been around in recent weeks and trying to get in touch with those individuals. But this process is slow and hard to scale, said Opsahl. An automated version could inform people of potential exposure much more quickly, he said.
Apple and Google, typically rivals, hope that widespread use of contact tracing will stay the spread of the virus as stay-home orders are lifted and people gradually begin to venture back into society.
When a person opts in to Apple and Google’s system, their phone will use Bluetooth signaling to broadcast a random string of numbers. Those numbers will change at regular intervals and will be automatically received and saved by any phone in close proximity. Later on, if one of those individuals gets diagnosed with COVID-19 and they report that information, those numbers will be checked against a secure database to see if there are any matches. If so, a notification will be sent to those who might have been exposed, Varia explained.
Josephine Wolff, an assistant professor of cybersecurity policy at The Fletcher School at Tufts University, called the design “careful and thoughtful.” She said the random strings of numbers protect people’s identities and the fact that it is opt-in lets individuals decide how they value their privacy. For example, if someone only interacts with a small number of people and they don’t want those associates to find out about a COVID-19 diagnosis, they can choose not to participate.
The success of the technology will come down to execution and whether there are any bugs, she said. According to Google’s announcement, contact tracing capabilities will eventually be built directly into Apple and Android operating systems, but initially, the technology will work through apps developed by public health authorities.
“Those apps could have bugs too,” said Opsahl. When Zoom suddenly spiked in popularity because people were stuck indoors and couldn’t meet in person, users discovered multiple bugs in the program, he said.
“The Zoom example illustrates that if you have an app or technology that everyone is going to use, it becomes a huge target,” said Opsahl. “Rigorous testing for privacy and security vulnerabilities is critical.”
Lessons from abroad
A number of countries have implemented a wide range of contact tracing systems. Singapore has a Bluetooth-based opt-in app that is most similar to what Google and Apple plan to release. South Korea has had a more aggressive alert system in which they send out personal information about the individuals who test positive, including their age, their gender, where they work and where they live. Russia is using facial recognition to enforce quarantine orders. And Israel has said that it will access a set of phone and credit card data to track where people have been and who they’ve come into contact with.
China’s Health Code app has been criticized by international human rights advocates because it shares people’s location with Chinese law enforcement.
“Something that was created to help solve a public health crisis, could instead be used to restrict people’s liberty,” said Opsahl. “Hopefully we get to a place where we have an app that is not sacrificing our fundamental rights, and that preserves the privacy and liberty we all cherish.”
Despite the fact that a good number of countries have experimented with contact tracing technology, little data exists to show whether these programs are having a significant impact on the spread of the coronavirus, said Wolff.
A simulation carried out by researchers at Oxford University in the United Kingdom shows that with widespread adoption, a contact tracing mobile app can be effective in slowing the spread of the disease and reducing the burden on the health care system. But Wolff says more research needs to be done.
“These technologies have not really been tested whether they really work or not,” said Wolff. “Potentially they could help alert individuals who are high risk and need to isolate, but we just don’t have enough data to really understand how much of a difference it’s going to make.”
Is it safe?
Ultimately, Wolff believes that Apple and Google are developing this contact tracing technology as a public service, and not to profit off of it. However, she says the companies will probably benefit from the good publicity.
“One of the advantages to having Apple and Google create this technology is that those companies already have so much data, there is not a lot that they gain,” said Wolff. “Google already has location data on everybody that uses Google maps. They don’t need Bluetooth data.”
The fact that the contact tracing system involves health data isn’t all that new either. Opsahl noted that Google has already conducted flu tracking and Apple already has applications for health.
“What is new about that this is that they are distilling down the information they can get from people. They are putting aside location tracking, monitoring the steps you take, and focusing on what we really want to know here which is proximity: whether an infected person has been in close contact with someone else,” said Opsahl.
“It’s an important idea to try, but it requires safeguards including informed consent, data minimization, security engineering and transparency,” he added.
More than the risk of private information being revealed, Varia is concerned about accuracy and the potential for false positives that could unnecessarily scare people.
“From an integrity point of view, you have to make sure that if people are trolling or hacking the system, it’s not possible to inject spurious content,” Varia said. The program he and his colleagues built includes safeguards that thwart these integrity questions.
As long as Apple and Google’s system includes the same protections, Varia recommends that everyone opts in to the system.
“The earlier we identify potential exposure, the more we can do to flatten the curve,” said Varia.
But Opsahl warns that Apple and Google will not be able to provide a complete solution to the coronavirus crisis.
“Technology is part of a larger solution that requires also widespread testing and interview-based contact tracing. And an app can’t make up for effective treatments or shortages in equipment,” said Opsahl. “You can’t resolve a pandemic with a perfect app.”
Correction: A previous version incorrectly said Mayank Varia is a research associate professor in computer science at Massachusetts Institute of Technology. He works at Boston University.