Contact tracing has been an often-used method of trying to curb the spread of an infectious disease by finding the people who have contracted it. The aim is to notify and warn people who’ve been exposed to such carriers so they can take the proper precautions to isolate or treat themselves. As the coronavirus outbreak continues to spread, Apple and Google have come up with a plan to more easily implement contact tracing by building the necessary technology into their respective operating systems.
Last week, the two arch-rivals announced that their plan to pave the way for built-in contact tracing technology would arrive in two stages. Starting in May, Apple and Google will release application program interfaces (APIs) that would help public health authorities design apps with contact tracing capabilities. These apps would then be available in both Apple’s App Store and the Google Play store.
In the coming months, the companies would expand the initiative by building the necessary Bluetooth-based contact tracing platform into their operating systems. Apple referred to this as a “more robust solution than an API” as it would allow for a wider range of apps from government health authorities.
The overall goal is to use our mobile phones to expand contact tracing in a more ubiquitous and accessible way. In an online document about the initiative, Google explained more specifically how the process would work.
Alice and Bob meet in person for a conversation. Their phones exchange anonymous and frequently-changing identifier beacons. Bob is later diagnosed with COVID-19 symptoms and uses an app from a public health authority to enter his test results. With Bob’s consent, his phone uploads the last 14 days of beacon keys to the cloud.
Alice’s phone downloads the beacon keys of everyone who’s tested positive for COVID-19 in her region, and a match is discovered with Bob’s identifier beacons. Alice then receives an alert on her phone telling her that she’s recently been exposed to someone who has tested positive for COVID-19. The alert gives her instructions on what to do next.
The approach sounds like a feasible way to help temper the spread of the coronavirus. Even with social isolation the norm in many areas, we may still come in contact with people who have been exposed to the virus without knowing it. Contact tracing would at least be able to provide a head’s up in this event.
“Tracking exposure is an effective way to identify people that are at risk and limiting the spread of infection by having people exposed quarantine themselves,” Chris Hazelton, director of security solutions at mobile security provider Lookout, said. “Support by Apple and Google means essentially all mobile phones can be used, as together iOS and Android make up 100% of the smartphone market of the world.”
Of course, there are obstacles in the way of such an approach. In the interest of privacy and anonymity, the entire process would be opt-in. Even with the necessary technology built into our phones, people would have to actively download and use apps with contact tracing. Someone who tested positive would have to enter the results in the app and authorize that the information be shared to the cloud.
Further, people who have contracted the coronavirus would have to have been tested so they know they’ve caught it. With public testing still not as available as it should be, many carriers may still expose themselves to other people unless and until they start to exhibit severe symptoms.
Bluetooth also has certain limitations when used to track people’s precise locations and proximity to others, according to a report from the ACLU. In its report, the group said that data on the location of individuals may not be accurate enough for automated contact tracing. Further, the algorithms used to obtain this data may not be reliable. In one instance cited by the ACLU, a woman in Israel was identified as a “contact” and issued a quarantine order because she waved at her infected boyfriend from outside his apartment building.
Beyond the limitations in effectiveness, there are privacy issues, as expected. How do the companies ensure that the data is private and anonymized, and that it wouldn’t wind up in the wrong hands? Anticipating this concern, Apple and Google have both addressed it.
In one of its documents, Apple explained that the proximity identifier changes every 15 minutes and requires the necessary key in order to be traced back to the user. These identifiers are processed on the device and not in the cloud. Each user chooses whether to contribute to the contact tracing. Those diagnosed with COVID-19 must give their consent before sharing the data with the server.
In its own document, Google outlined several privacy considerations:
- Explicit user consent is required.
- The technology doesn’t collect personally identifiable information or user location data.
- The list of people with whom you’ve been in contact never leaves your phone.
- People who test positive are not identified to other users, to Google, or to Apple.
- The technology can only be used by apps from public health authorities for COVID-19 pandemic management.
But even if Apple and Google are focused on privacy, what about other parties involved in the process?
“There is significant concern that users will be identified in this process,” Hazelton said. “While Apple and Google state they will not capture user identities, this does not prevent public health authorities or any other government agency from doing so. Even if this data is anonymized, it can be paired with other data, like mobile analytics, to still identify users and their health status.”
Also, some governments value privacy less than others. In China, for example, tracing apps are keyed directly to a person’s government ID and phone number, Hazelton noted. In this case, a QR code is scanned and a person’s temperature is taken at certain places.
“Tracking apps could be used to maliciously and unjustly target specific individuals and groups of people, creating essentially an ankle bracelet with users’ mobile phones,” Hazelton added. “Misuse of these services could prevent targeted people from traveling or returning to a normal life, enabling governments to justify continued persecution of portions of their populations. Authoritative governments will use tracking apps to justify continued political repression and the exclusion of potential challengers.”
As with many issues, tracking and tracing the coronavirus is bound to bring up the usual conflict between privacy and security. But as the virus ravages its way around the world, a tool like contact tracing will inevitably be used to try to prevent more infections and more deaths.