Contact Tracing Technology to combat COVID-19 — An in-depth look
With many countries having just seen the peak of their first COVID-19 curve, governments, citizens, and businesses world-wide are wondering: How do we go back to normal? And how do we avoid a second wave of cases and accompanying restrictions?
One answer to this problem lies in contact tracing, a public-health containment method that has been used for decades to identify, communicate with, and isolate specific persons who may have been exposed to the virus. Tech-savvy entrepreneurs and privacy experts have come together to add scale and speed to this previously manual process by putting it in a form that most of us are familiar with: an app.
Lessons from South Korea and Singapore
South Korea and Singapore are the two countries often cited as having successfully ‘conquered’ the COVID-19 virus through tech-based contact-tracing efforts.
South Korea: effective but invasive
South Korea used a combination of mobile location data, credit card histories, and CCTV footage to precisely track people’s movements, while simultaneously testing for the virus on a large scale—reaching nearly 750,000 tests on a population of about 50 million. When someone tests positive, the government sends out an alert to anyone who may have been exposed, containing the individual’s last name, sex, age, district of residence, and previous location data. This strategy led to a drop in new cases of 90% after kick-off of the strict measures. However, that drop could partially be explained by the fact that South Koreans have become wary of being tested, considering the huge amount of personal data being made public about them. Such a huge invasion of privacy would be unthinkable in a Western democracy. The country saw a second spike in late April-early May, when a cluster infection was linked to night-club visits.
Singapore: the world’s first nationwide Bluetooth-tracking app as a model for the world
Singapore solved the problem in a more elegant, privacy-preserving way by releasing the government app TraceTogether. It works on Android and iOS and uses Bluetooth Low Energy (BLE) signals to broadcast an anonymous ID and check whether other app users are within an epidemiologically relevant range for a relevant time-frame. If this is the case, the anonymous ID of this second user is encrypted and temporarily stored on the phone of the first user. The list of anonymous IDs is also referred to as ‘proximity data’. If a user tests positive for COVID-19, the Singapore Ministry of Health asks the user for consent to upload their proximity data, to perform contact tracing and contact users that may have been exposed. The MoH will also automatically organize a COVID-19 test for users who have been exposed. Upon setup, the app asks for a mobile number for each user to be paired to their anonymous ID. Users are prompted to consent to the tracking of proximity data and the uploading of this data in case of a positive test.
This solution uses a minimal amount of personal information, does not require the tracking of location data, and is entirely consent-based.
By now, around 25% of the Singapore population have installed the app. Privacy concerns and iPhone battery drainage were mentioned as the two main reasons for this relatively low adoption rate. The first wave of infections plateaued in early April, after which Singapore unfortunately saw a new uptick in infections, mostly caused by infected citizens returning home.
Of course, TraceTogether has not been a stand-alone measure: the Singaporean government restricted travel drastically, the country’s testing capacity was increased, a network of health clinics to treat respiratory illnesses was set up, and infected people were hospitalised until they could be considered healthy. The government also utilized GPS phone tracking, CCTV, and credit card transaction monitoring for more effective surveillance.
The adoption rate problem
TraceTogether’s consent-based model and code were adopted by many initiatives in the past months and weeks. These solutions suffer from the same problem as TraceTogether—they can only be effective if a significant number of people install the app, or a group of apps based on the same protocol. Unfortunately, the requirement of user consent automatically diminishes the size of the data-set a government can work with. The trade-off is privacy vs. proliferation.
The older generations, who are more vulnerable to the COVID-19 disease, will often be unable to use contact-tracing tech, as they are much less likely to have a smartphone. (60% of adults 50 and older have smartphones in the US vs. ~90% for other adults.) The same goes for certain other underrepresented groups, such as the prison population or the homeless. Smartphone usage is also slightly more common amongst groups with a higher income, and amongst Caucasian vs. Black or Hispanic persons.
As mentioned above, Singapore’s TraceTogether is currently used by 25% of the population: a number which, according to the country’s development minister Lawrence Wong, is not high enough. The overall consensus is that a minimum proliferation of 60-75% would be needed to perform effective contact tracing. The need for a high adoption rate in the population is underscored by Iceland’s 40% adoption of its contact-tracing app so far, which proved “useful” but not as impactful as hoped.
Protocol vs. app
Protocols are developed to serve as the foundation for apps to be built upon. Apps developed on the same protocol will be interoperable, meaning they can ‘talk to each other’ and exchange proximity or location data. Especially in a decentralized political system like the EU, or a federal system like the USA, having a single foundational protocol is extremely valuable. It gives the independent states and health organizations the ability to build their own apps adhering to regional privacy laws, fitting to their population and speaking to their audience groups, while still guaranteeing an effective contact-tracing system. This would allow for relaxing travel restrictions in general, because we can then effectively isolate only those who meet the criteria of being potentially infectious.
There are already several protocols released and in the works, created by international teams of epidemiologists, privacy experts, and tech entrepreneurs. It is important that each region has one clear protocol ‘front-runner’, and/or to ensure that the different protocols are also interoperable.
Google & Apple: solving the problem at the operating system level
Google and Apple combined forces and officially joined the race to develop a comprehensive contact-tracing protocol right before Easter. Their concept functions similarly to the TraceTogether protocol, broadcasting anonymous IDs via Bluetooth and locally storing proximity data. In phase one of their project, they will rely on app developers to use their API, just like the protocols developed by the international alliances discussed below. However, in phase two, set to start in summer, they aim to enable contact tracing at the level of their operating systems—Android and iOS. This is where the real difference can be felt. Individual users will still be able to opt out of automated contact tracing by deselecting that feature when upgrading their OS, but a large section of the three billion Google and Apple users will most likely upgrade with it enabled. The companies plan to notify people who have opted in even if they have not downloaded a contact-tracing app. This could bring us to a 30-40% adoption rate across the globe, which would be a massive jump for most contact-tracing initiatives.
Google and Apple are employing strong privacy-preserving technologies to ensure the security of the data they collect: refraining from collecting any personal information, encrypting and storing data locally, and employing clever security techniques. The companies have vowed not to combine the contact-tracing data with the wealth of data they already hold on their users. However, we can’t forget that these are tech behemoths with a strong commercial interest in data collection, and Google especially has proven to be a poor data custodian in the past. This makes it essential that data collected via the Google/Apple contact-tracing API is permanently deleted once the pandemic is over.
The Singaporean TraceTogether team is currently working with Apple and Google to make their app more effective, to prepare for Singaporean businesses reopening on June 1st.
In early May, Google and Apple showed their immense power and drastically limited the decision-making room for governments, by refusing to open their API to developers opting for centralized storage, a method they consider to be too sensitive to surveillance-creep. The Google/Apple API now only allows for centralized Bluetooth exchanges to be successful if a device is unlocked and the app is running in the foreground: hardly a workable solution. The two tech giants also made it clear that they will only allow for one contact-tracing app per country or geographical area, to avoid a proliferation of apps. After the German government spent most of April pushing for a centralized approach using the PEPP-PT’s centralized standard described below, it was forced to change course after this announcement and make the switch to a decentralized solution. France is still pushing ahead with its centralized StopCovid app and the United Kingdom’s NHSX centralized contact-tracing is stuck in limbo, with officials stating that they want to keep every avenue open.
Even though Google and Apple may have made these decisions with only the best of intentions (to avoid state surveillance and increase the adoption rates of national contact-tracing apps), it is still shocking to see that the most effective privacy regulators in the world are now two of the largest commercial tech companies. The fact is that Google and Apple are calling the shots, and governments are effectively forced to follow suit, without any independent body being able to overturn the decisions or offer recourse. So far Apple and Google have done the right things from an individual privacy perspective, but the premise of large corporations making decisions of public-health impact is worrying.
The privacy preservation problem
Bluetooth vs. Location data
Most initiatives discussed above opted to use BLE signals to broadcast anonymous IDs rather than storing individual location data, as this is the most privacy-preserving option: compared to location history, it is far more difficult—though not impossible—to link proximity history to an individual. The trade-off is that these apps depend on Bluetooth running in the background, which will require a change in habit for battery-conscious users.
The flip side of location data being less privacy-preserving is that it is more precise. As opposed to BLE, location history provides a history of the places a user has visited. Additionally, because many apps already track your location, people can opt in to any contact-tracing app after they test positive for COVID-19 and share the historic location data from those other apps. This significantly lowers the “adoption hurdle”, because once someone tests positive and opts in, analysts can view the areas the contagious person has been and inform anyone else (who’s opted in) if they were in the same location at the same time.
Access to accurate data to help determine whether a user has been exposed to the virus is vital to the success of contact-tracing technology. It only works if users actually quarantine themselves or get tested after having been alerted by the app. After receiving several false alerts, users will be less likely to follow these procedures. According to Christian Boos, founder of the pan-European PEPP-PT project, the accuracy of the protocol’s BLE proximity tracing currently lies between 70% and 80%, because the signal is easily thrown off by things like thin walls. Bluetooth can also be disrupted by large concentrations of water, like the human body. This makes it possible for two phones to fail to establish contact even though their owners are standing side by side. Measuring distances between phones appears to be even more complicated. The resulting accuracy gaps could cause false positives or negatives, eventually leading to app users ignoring the warnings they receive.
Centralization vs. Decentralization: Lessons from PEPP-PT
A key difference between the active initiatives lies in whether the proximity, geolocation, and/or health data are stored in a decentralized manner, most commonly on the phones of each individual user, or centralized in a database.
Pooled data always constitutes a privacy risk, since its central database poses an attractive target for hackers, especially with the sensitive health data collected. Besides hackers, governments might also be tempted to use such a valuable pot of data to implement various “useful” privacy-violating initiatives at best, and at worst use it to implement a surveillance state. A centralized solution is as secure as its database, and as ethical as the people maintaining it. Those in favor of a centralized solution, however, argue that this is the best way to provide governments with the tools to understand and model the behavior of COVID-19. The data deals the UK NHS made with big tech companies, which have since had to be made public, show that there is a definite concern for individuals’ privacy.
Decentralized solutions rely on data being exchanged locally, which could potentially be ‘eavesdropped’ on and used by clever users to reverse engineer the location of other users. The experts working on decentralized protocols such as DP-3T are aware of these risks and estimate them to be small and manageable.
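As an added illustration (not code from any of the projects discussed) of the decentralized pattern described above: each phone derives rotating anonymous IDs from a private daily seed, keeps the IDs it hears only locally, and on a positive test publishes nothing but its own seeds, so matching runs on every other phone and the server never learns who met whom. The epoch length, the exposure threshold and the HMAC-based derivation are assumptions for the example, not any real protocol's parameters.

```python
import hmac
import hashlib
import os
from collections import defaultdict

EPOCHS_PER_DAY = 96       # assumption: 15-minute epochs
EXPOSURE_MIN_EPOCHS = 2   # assumption: two epochs of proximity count as exposure


def ephemeral_id(seed: bytes, epoch: int) -> bytes:
    """ID broadcast during one epoch; unlinkable to the next one without the seed."""
    return hmac.new(seed, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.seeds: dict[int, bytes] = {}        # day -> seed, stays on the phone
        self.heard: dict[tuple[int, bytes], set[int]] = defaultdict(set)

    def broadcast(self, day: int, epoch: int) -> bytes:
        seed = self.seeds.setdefault(day, os.urandom(32))
        return ephemeral_id(seed, epoch)

    def hear(self, day: int, epoch: int, eph: bytes) -> None:
        # Proximity data: the IDs heard nearby, stored locally with their epochs.
        self.heard[(day, eph)].add(epoch)

    def report_positive(self, days: list[int]) -> list[tuple[int, bytes]]:
        """Decentralized upload: only the reporter's own seeds leave the phone."""
        return [(d, self.seeds[d]) for d in days if d in self.seeds]

    def exposed_days(self, published: list[tuple[int, bytes]]) -> list[int]:
        """Re-derive each published seed's IDs and compare against what was heard."""
        result = []
        for day, seed in published:
            epochs: set[int] = set()
            for epoch in range(EPOCHS_PER_DAY):
                epochs |= self.heard.get((day, ephemeral_id(seed, epoch)), set())
            if len(epochs) >= EXPOSURE_MIN_EPOCHS:
                result.append(day)
        return result


def simulate() -> tuple[list[int], list[int]]:
    """Constructed scenario: alice meets bob for 3 epochs on day 1, carol only once."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for epoch in (10, 11, 12):
        bob.hear(1, epoch, alice.broadcast(1, epoch))
    carol.hear(1, 40, alice.broadcast(1, 40))
    published = alice.report_positive([1])  # all the server ever receives
    return bob.exposed_days(published), carol.exposed_days(published)
```

Contrast with a centralized design, where `heard` itself would be uploaded and the server would hold every contact graph.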
Christian Boos, the founder of the PEPP-PT initiative, stated that the question of centralized vs. decentralized is at the center of a ‘religious war’ between two schools of privacy experts and comes down to the question of who can be trusted more: a large group of individuals or one central server. According to him, there is a strong preference for a decentralized solution in the crypto community, whereas the health community favors the centralized way. PEPP-PT is a pan-European initiative which launched in early April and spearheaded the discussion around contact tracing in Europe. The project aimed to support both a centralized and a decentralized protocol to allow governments to choose the best approach for their states, an idea which was entirely derailed by Google and Apple’s announcement to only support decentralized solutions. The key organizations who had been a part of the PEPP-PT group, such as the Fraunhofer HHI and the Swiss group responsible for the DP-3T protocol, have abandoned the project, due to a lack of transparency and errors in communication on PEPP-PT’s side. The DP-3T group, a group of computer scientists from the Swiss Federal Institute of Lausanne responsible for a decentralized contact-tracing protocol, outlined their main privacy concerns regarding the centralized PEPP-PT approach publicly. Google and Apple will integrate with the DP-3T framework, making it the current frontrunner protocol for the German contact-tracing app.
On April 17th, the European Parliament adopted a resolution to further coordinate EU action to combat the pandemic, in which it clearly showed its preference for a decentralized option.
Overview of international initiatives
(Non-exhaustive) list of country-based initiatives
Stopp Corona (Austria, Red Cross)
NOVID20 (Austria, private)
Covid 19 Tracking Narrativa (Spain, private)
Corona Datenspende (Germany, Robert-Koch-Institut)
Rakning C-19 (Iceland)
Aarogya Setu App (India)
HSE App (Ireland)
Hamagen App (Israel, government)
Bending Spoons (Italy)
eRouška (Czech Republic)
Multi-Source Contact Tracing (Slovakia)
Use of Mobile Network Data (Israel)
Multi-Source Contact Tracing (South-Korea)
NHSX / University of Oxford tracking app (UK, government)
Tech companies, privacy experts, and epidemiologists around the globe have combined forces to craft technology that lets us out of the complete lockdown that most of the Western world is currently suffering through. On one hand, Apple and Google are the logical parties to take on the mission of providing contact-tracing tech, thanks to their direct access to approximately 40% of the world’s population, their wealth of experience with hosting and analyzing vast data-sets, and their powerful teams of tech professionals. On the other hand, they might lack the trust of the general population to take over such an important task. Google especially, an ad-tech giant, has a poor track record when it comes to guaranteeing privacy. Now that Google and Apple have the power to call the shots in terms of how and where proximity data should be stored and how many national contact-tracing apps there may be, we find ourselves in a worrisome place, where big tech has the power to overrule national governments.
To mitigate this problem, it is important for non-commercial alliances, such as the US-based Covid Alliance and the European PEPP-PT and DP-3T, to develop alternative protocols, which should be interoperable with each other and the Google/Apple API. Most initiatives have chosen to make their source-code open source and there is an overall strong spirit of collaboration, which is promising.
None of the protocols or apps currently being developed can be used by non-iOS or non-Android users. There will be a blind spot for certain parts of the population, especially the elderly, which will need to be filled by different (partially manual) measures. In any case, contact-tracing apps are only a piece of the puzzle: large-scale testing and an increased number of medical facilities remain indispensable.