Contact tracing for COVID-19 is critical to returning our nation to some semblance of normalcy, but we are far from a consensus on what effective, secure, cost-feasible and scalable contact tracing looks like. There are several documented, meaningful automated contact tracing efforts across the globe - not to mention more than 150 apps and initiatives in various stages of development.
Getting contact tracing off the ground in the US is fraught with obstacles that are formidable, but not insurmountable. Among the thorniest is data privacy: if we can’t convince citizens that it’s safe and non-invasive to share information about who they’ve been in touch with, contact tracing will fail.
The privacy guarantee
One way to get across this participation goal line is to ask people to apply a few minutes of critical thinking to understanding and being willing to settle on a few key privacy needs. What might those be? I’d suggest the following:
- Contact tracing should never require that any understandable information be transmitted to any Government.
- It should never allow anyone to track anyone else’s movements, connect anyone to any social contact, or even show targeted advertisements based on behavior or movement.
- It should never allow any individual to be identified based on any information they provide for contact tracing, including whether they are infected. That is, it should be truly anonymous.
In exchange for those privacy guarantees, what public good must such contact tracing provide? It must allow anyone to know whether in the last 14 days they have been exposed to significant risk of infection by way of contact with anyone later diagnosed. So far, so good — but only if the significant majority of us will agree to be bound by these principles.
Certifying the technology
If we’ve agreed on the guarantees we ask in exchange for participation, we need to know that the technology is up to the task. With so many candidate apps for contact tracing, it’s an excellent bet that very few, if any, meet our new standards. But how do we know for sure? A few actions by app creators can get us to confidence. First, the app you’re asked to install needs to be digitally signed using an appropriate certificate. That’s already the practice for the iOS app store. In Android, well - you need to dig a bit deeper.
Second, the source code of the app must be publicly available in full, so anyone can check that the code keeps your information private by the rules we agreed to above. Privacy protocols can be verified mathematically, for one thing: it’s called formal verification, and when done correctly can prove, not just guess, that privacy goals are always met by the protocol. In short, we can prove not only that the app and protocol does what it should: we can prove that it does only what it should.
Third, anyone should be able to verify that the publicly released code is exactly the same as the compiled app that we install on our phones. The compiled application you install on your phone needs to be provably derived from the source code we release for public inspection. Fourth, the app creator needs to pay a public watchdog to audit the privacy guarantees in the public source code using formal verification approaches, and openly publish the results.
The Google and Apple joint contact tracing effort seems a good starting point. An in-depth reading of their cryptographic and Bluetooth protocol diagrams looks promising. But, that’s not the same as meeting the guidelines above. In addition, there may be hiccups with their approach: are all phones capable of receiving enough Bluetooth beacons from the large number of phones that might be in range in a crowded place? Does the solution scale to reliably manage all of the Diagnosis Keys for a 14-day rolling period for every phone in a state? Our country? The world? What about the periodic (at least daily) download by every participating phone of every Diagnosis Key uploaded by diagnosed patients? These are just a few of the questions that require answers.
One problem with Bluetooth is that the strength of beacon can be disrupted by everyday objects (vehicles, humans) and fail to get through to receiving phones, even if those phones can handle the load. The opposite is also true. A Bluetooth beacon can sometimes be heard much further than 6 feet away, leading to false positives. Now some contact tracing apps try to take this ranging problem into account by measuring signal strength and using it in an equation to estimate risk. But not all such apps do that. False negatives are just as damaging as non-participation, while false positives will make an already stressed public even more edgy.
Tutto da solo
The anonymity Bluetooth contact tracing may provide from a signaling perspective can be undone by the reality of our interactions. Consider a Bad Guy who sits outside the hospital ER, wanting to learn whether the next person coming out the door has been infected. The person who emerges from the hospital just learned that they have COVID-19, and so have dutifully uploaded their Diagnosis Keys to the official server. Their phone broadcasts the usual beacon, and also immediately uploads (or has already done so) the Diagnosis key for that time period.
The Bad Guy sees her emerge, and immediately downloads all current Diagnosis keys using an app of their own devising. The Bad Guy’s phone receives the beacon, notices the connection and now knows that the patient walking across the parking lot is infected. It’s a trivial matter to pick out the license plate on her car and know who she is. Moral of the story? Even well-thought-out privacy guarantees are hard to guarantee against a determined threat. Is there another call to action for Apple and Google here? Yes. This vulnerability doesn’t seem hard to fix.
If we’re to convince the public to trust and participate in contact tracing, we need to remove the human factor and give them confidence in the solution technology. It’s about public agreement on privacy and public good goals; intentional transparency (through digital signatures, code hashing, open source release, third-party audit and formal verification), and thoughtful, intentional design of solutions.