What privacy-preserving coronavirus tracing apps need to succeed
By Khari Johnson
At present, most of the U.S. population is being asked to stay home to flatten the curve of the coronavirus pandemic, but as hundreds of millions of people begin to think about how to return to normal life, the need to trace the spread of the disease becomes crucially important. Public health officials traditionally use manual methods to conduct contact tracing, or mapping out who has a disease and who they come into contact with.
But a tech solution could also be an efficient way of reaching people potentially infected with coronavirus. Quick and effective contact tracing is especially important as countries around the world consider lifting quarantines, restarting economies, and returning to normal life; health officials need to be able to quickly spot any outbreaks or clusters of infection so they can curb any potential re-emergence of an outbreak.
Dozens of nations are already using some form of surveillance for contact tracing. In countries including Hungary, leaders used the crisis as an excuse to seize additional powers by enacting emergency laws. In some places, civil liberty organizations have labeled compulsory location tracking apps draconian or warned of the end of privacy. Epidemiologists who are calling for more surveillance are stoking these fears. World Health Organization (WHO) executive director Dr. Michael Ryan recently insisted that surveillance coupled with testing must be part of the return to normal life in many places. Privacy advocates fear that governments will take away personal liberties in the name of fighting COVID-19 and will never give them back.
But it doesn’t have to be that way. Bluetooth contact tracing may provide the necessary tracking with a lower risk of violating civil liberties or handing sensitive data to governments. Epidemiologists, top researchers, major privacy advocates, and now Apple and Google are exploring Bluetooth contact tracing with this in mind. When it’s secured with cryptology, they say, it’s the best way to protect privacy, track movement, and leverage the devices most people around the world already have in their pockets.
Additional methods of contact tracing via smartphones use location tracking through cell phone tower triangulation, Wi-Fi triangulation, and GPS. Different groups working on improved contact tracing methods disagree on whether to use all or some of those methods, but they seem to agree that using Bluetooth is a good idea. Advocates of Bluetooth say it’s an ideal solution because it’s designed to reach short distances, and health authorities have said many COVID-19 infections happen when people are fewer than six feet apart. With distance estimated based on Bluetooth signal strength, interactions that last longer than a few minutes can be stored locally on devices. When a person tests positive, they enter a code so everyone at risk of exposure with the app downloaded is also alerted.
Beyond alerting coworkers or friends when they’ve been exposed, contact tracking apps also make it possible for public health officials to send notifications to people who perhaps sat near one another on a train or met at a school or religious gathering. In what may be the biggest endorsement yet for the Bluetooth contact tracing method, Apple and Google recently announced that they’re partnering on a solution that combines Bluetooth, cryptology, and location tracking. Apple and Google will release an API in May, followed by a platform for building Bluetooth tracing into software. In the coming months, Android and iOS operating system updates will enable the automatic tracking and storage of Bluetooth Low Energy signals being sent by other devices. That way, a public health authority can instruct a person to download a contact tracing app after they test positive to share contact episodes stored locally on a smartphone.
The news promises the potential proliferation of Bluetooth contact tracing apps.
“Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life,” reads a joint statement from Apple and Google. Research shows that accurate contact tracing may help contain COVID-19 in areas without wide community spread, but a lot has to happen before this privacy-preserving approach is truly possible. Lending further credibility to this approach, Democratic presidential candidate Joe Biden shared in a New York Times op-ed on Sunday that privacy-conscious contact tracing and abundant testing capabilities are essential aspects of his plan for restarting the economy.
If everything goes according to plan, such apps carry the promise of, as MIT professor Alex Pentland put it, “restarting the economy and avoiding Big Brother.” Apple and Google’s participation could remove a key hurdle to adoption for privacy-preserving contact tracing apps, but other challenges remain. VentureBeat spoke with the creators of COVID Watch and Private Kit: Safe Paths in order to understand the difference between top offerings — and what needs to change. Both apps are open source and are being made in the U.S. by a mix of cryptographers, privacy advocates, public health experts, and engineers. For widespread adoption, these apps will require cooperation not just from Apple and Google but from governments, public health officials, and the average person.
A private path to contact tracing
Perhaps the furthest along of all Bluetooth tracing apps for COVID-19 is Private Kit: Safe Paths, which is designed to eliminate the risk of government surveillance. Creators of the app hail from MIT, Harvard University, and other East Coast institutions; they say they’re in talks with the WHO and over 30 countries around the world to work with Private Kit and make their own contact tracing apps. Trials are also underway in multiple parts of the U.S., from Alaska to Los Angeles and the Boston area. The team making Private Kit: Safe Paths represents some of the biggest names at the intersection of AI, privacy, and security.
Team lead Ramesh Raskar was an executive at Alphabet’s experimental X unit, a member of Apple’s privacy team, and leader of a Facebook team working with Bluetooth. Quick containment, Raskar argued in a white paper accompanying the launch of Private Kit last month, is a key component of ending an outbreak, provided community spread hasn’t already become pervasive. Private Kit: Safe Paths was inspired by Apple’s Find My feature, which locates a lost device via Bluetooth, and it was created to act as a proof of concept for Apple, Google, and Microsoft. The next version of Private Kit: Safe Paths will include encryption, helped along by MIT professor Ron Rivest, a cryptologist and co-creator of the RSA security algorithm.
Collaborators include members of the MIT Alliance for Distributed and Private Machine Learning who have contributed to projects related to differential privacy, federated learning, and other influential privacy-related methods for machine learning. Advisors on the project include the WHO, Harvard Medical School, the Mayo Clinic, and Mila professor and deep learning pioneer Yoshua Bengio — who’s developing another location tracking app being considered by Canadian authorities.
Another key element for Bluetooth tracing app success is interoperability between apps. Created earlier this month by a coalition of 10 organizations, the open source Temporary Contact Number (TCN) protocol is designed to collectively share contact event numbers and ensure Bluetooth signals are received no matter what tracing app a user chooses to download. Makers of the TCN protocol say Apple and Google’s Bluetooth contact tracing plan is virtually identical to their own. Bluetooth proximity tracing apps can offer different levels of privacy and features, but Raskar said they’re designed for international tracking.
“Safe Paths is a platform to create completely interoperable standards. So we expect most apps to be based on the safe paths repository,” he said. “And in case Brazil creates one and Mexico creates one, and so on, [for] anyone who travels from one country to another, it’s the same base for everyone because we don’t expect Brazil to use an MIT app.” An open letter signed by roughly 100 researchers, privacy advocates, and public health officials and distributed by COVID Watch privacy advisor Peter Eckersley says ensuring Android and iOS interoperability is one of the best things tech companies can do to fight the pandemic.
Achieving mass adoption
An obvious barrier to any app-based contact tracing is mass adoption. Tina White, the executive director of the COVID Watch group that makes the eponymous app, hopes to launch it with a big PR campaign, which ideally will encourage more people to download it. It would be even easier if Apple and Google pushed out updates to iOS and Android, respectively, that include a choice to add contact tracing apps. No matter how contact tracing apps dependent on widespread adoption roll out, White said Apple needs to fix the foreground-background issue with location tracking apps. This issue means iPhones can’t exchange Bluetooth contact numbers if they’re locked. COVID Watch, TraceTogether (a tracking app launched in Singapore), and other apps have the same problem. The way things work now, a person with an iPhone would have to walk around with their phone on all the time for a contact tracing app to work.
“With the current protocol … the app would have to be put on in the foreground on their phone while they go around, which is annoying, and we’re trying to get around that. We’d have to get cooperation from Apple to change the battery policy about foreground versus background, which is another hurdle that’s in the way,” she said. A COVID Watch spokesperson said the organization expects this issue to be addressed as part of its work on an API with Google, but Apple hasn’t confirmed plans to do so yet. VentureBeat reached out to Apple to ask whether Bluetooth interoperability issues currently being addressed include allowing contact tracing apps to operate in the background.
Speaking with VentureBeat a week before the Apple-Google partnership was announced, White argued that Apple should only allow apps that follow a decentralized approach to run in the background on iOS devices, and she suggested it would be smart for mobile operating system providers in general to back a decentralized approach to location tracking. For Android’s part, COVID Watch noted in a white paper last month that the operating system has multiple bugs that cause phones to lock up when they’re trying to connect to too many Bluetooth devices at once. Because your phone’s contact tracing app needs to have Bluetooth always on for the app to work as designed, that could create problems. In addition to the need for continued cooperation from Apple and Google, Private Kit: Safe Paths lead Raskar said organizers may release an app for mobile Windows devices for use in workplace settings.
Cooperation from public health officials
The cooperation of public health officials is essential for a number of reasons, not least of which is the need to assure notifications sent to users are credible and trustworthy. To avoid the potential for false positives or the need to rely on less accurate methods like self-reporting, Bluetooth tracing apps will need public health officials to distribute special codes to people who test positive for COVID-19. The makers of COVID Watch said public health official cooperation is important because people need to trust that the notifications they get from the app are based on credible exposure. As countries around the world move forward with location tracking apps, federal public health authorities in the United States have shared little guidance on their approach. VentureBeat reached out to the Centers for Disease Control and Prevention’s (CDC) COVID-19 team for details about federal guidance on location tracking that balances privacy requirements with the demands of controlling the pandemic, but we had not heard back at the time this story was published.
Centralized vs. decentralized tracing
White told VentureBeat that collaborators started work on the privacy-conscious location tracking app in February after it emerged that China and South Korea were using location tracking apps to slow the spread of COVID-19. China uses GPS and can assign risk scores based on location history to determine an individual’s freedom of movement. South Korea also used smartphone tracking. Neither government anonymized the personal data, which created privacy concerns. The COVID Watch group, which comprises around 200 Bluetooth experts, developers, privacy advocates, public health officials, and academic researchers, is working to discover the least privacy-invasive way to track people during a pandemic. White says they’ve found it, in the form of decentralized Bluetooth tracing.
“I think it’s the best option for privacy,” White said. “This is the method we think minimizes privacy harms.” “Everybody’s trying to stop the virus, so it makes sense that people are making privacy trade-offs. I think that if this Bluetooth method were not available, I would be advocating for making at least a little bit of a trade-off because it’s really important to stop this right now, and I’d probably be advocating for whatever the other minimal trade-off is. But we think this is probably the best one, where you don’t have to provide any identifying information at all.” A COVID Watch spokesperson told VentureBeat the organization is extremely glad Apple sided with decentralization, and since the European Commission also recommended data be decentralized last week, the centralization approach seems dead in the water.
COVID Watch says partnering with others is necessary to avoid reinventing the wheel. That spirit is reflected in the group’s willingness to collaborate with other contact tracing apps on the TCN protocol. Made by nearly a dozen organizations, the protocol uses anonymized numbers to represent each device. The protocol is designed so that phones can get notifications without revealing any identifiable tracking information, no matter which app they download. The group also works with Community Epidemiology in Action (CoEpi), Private Kit: Safe Paths, and TraceTogether, and is advised by public health and epidemiological experts from New York University and Stanford University.
Despite a willingness to partner with others, COVID Watch draws a sharp contrast between its approach and that of other proximity app makers. Both Private Kit: Safe Paths and COVID Watch offer anonymized Bluetooth contact numbers, use the TCN protocol, and offer cryptographically secure contact tracing, but COVID Watch considers the kind of GPS tracking Private Kit: Safe Paths does to have significant potential privacy implications. Future features for COVID Watch may include personalized recommendations, the ability to self-report symptoms, and advice on how to get home testing. The app’s makers may also be able to get it to work with inexpensive Bluetooth hardware in countries with low smartphone penetration.
Like the makers of Private Kit: Safe Paths, the COVID Watch team planned to create a heat map using epidemiological models, but they found that GPS anonymization is more challenging than Bluetooth anonymization and comes with increased privacy risks. The current version of Private Kit: Safe Paths can use both centralized and decentralized approaches, and Raskar believes an approach that combines Bluetooth with GPS and Wi-Fi network tracking is required in order to provide people with heat maps and supply health officials with data.
“So the healthy people never have to share their data, but for infected people, they can release that data in an anonymized, aggregated, and redacted fashion. The next version will be encrypted as well,” Raskar said. Similar debates around centralization versus decentralization are taking place in Europe, where multiple transnational Bluetooth tracking projects are currently underway. A team of 25 professors and researchers from France, Germany, Netherlands, and Switzerland released a white paper last week called “Decentralized Privacy-Preserving Proximity Tracing” (DP3T). With DP3T, each person’s tracing data is used to power a virus contraction risk score algorithm locally, on each smartphone. That decentralized tracking method, they say, is the best way forward.
The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project also launched recently. The app exchanges anonymous identifier codes like other Bluetooth apps do and is based on the idea that the current health care crisis shouldn’t lead to a backslide in privacy rights. But in contrast to DP3T, it offers a mix of centralized and decentralized approaches. Singapore’s TraceTogether uses a blend of centralized and decentralized methods. “We strongly urge governments, health authorities, and researchers that any deployment of proximity tracing follows a decentralized design similar to our system to avoid the creation of centralized systems that have the potential to become surveillance infrastructures,” the DP3T group said in the paper. “Compared to a central design in which the backend would compute risks and inform users, our design protects interaction graphs from the backend, and only a determined tech-savvy adversary can learn any extra information besides the one made visible by the app. The centralized system, in comparison, leaks a lot of unnecessary information about contacts to the backend and requires large amounts of trust in a central entity.”
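The decentralized exchange described above and in the TCN discussion earlier (rotating anonymous Bluetooth numbers kept on the phone, a code from the health authority gating the upload, and the match and risk computation done locally so the backend never learns who met whom), as a simplified added illustration; this is not the TCN or DP3T specification and not any project’s code, and the hash-based number schedule, the RSSI-to-distance formula and the contact thresholds are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

TCN_PERIOD_COUNT = 96          # assumption: the broadcast number rotates 96 times per day
CLOSE_CONTACT_METRES = 1.8     # roughly the six feet the health guidance cites
MIN_CONTACT_MINUTES = 5        # assumption: shorter encounters are not stored at all


def derive_tcn(seed: bytes, index: int) -> bytes:
    """Derive the index-th temporary contact number from a device's secret seed.
    Simplified: one hash per period; the real protocols use a different key schedule."""
    return hashlib.sha256(seed + index.to_bytes(4, "big")).digest()[:16]


def rssi_to_metres(rssi_dbm: int) -> float:
    """Crude log-distance estimate (assumed -59 dBm at 1 m, path-loss exponent 2).
    Real deployments calibrate per phone model; walls and pockets distort this badly."""
    return 10 ** ((-59 - rssi_dbm) / 20)


@dataclass
class Phone:
    name: str
    seed: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # Encounter log never leaves the device: (heard TCN, minutes, estimated metres)
    encounters: list = field(default_factory=list)

    def current_tcn(self, period: int) -> bytes:
        return derive_tcn(self.seed, period)

    def observe(self, tcn: bytes, minutes: int, rssi_dbm: int) -> None:
        metres = rssi_to_metres(rssi_dbm)
        # Keep only epidemiologically relevant encounters; drop everything else.
        if metres <= CLOSE_CONTACT_METRES and minutes >= MIN_CONTACT_MINUTES:
            self.encounters.append((tcn, minutes, metres))

    def exposure_minutes(self, published_seeds: list) -> int:
        """Local matching: regenerate the infected seeds' TCNs and compare with what
        this phone itself heard. The backend sees neither this log nor the result."""
        infected = {derive_tcn(s, i) for s in published_seeds for i in range(TCN_PERIOD_COUNT)}
        return sum(m for tcn, m, _ in self.encounters if tcn in infected)


class HealthAuthorityBackend:
    """Decentralized backend: holds only seeds released by verified positive users,
    so it cannot reconstruct the interaction graph the article's DP3T quote warns about."""
    def __init__(self):
        self.valid_codes = set()
        self.published_seeds = []

    def issue_code(self) -> str:
        code = secrets.token_hex(4)      # one-time code handed out with a positive test
        self.valid_codes.add(code)
        return code

    def publish(self, code: str, seed: bytes) -> bool:
        # Uploads without an authority code are refused: no unverified self-reports.
        if code not in self.valid_codes:
            return False
        self.valid_codes.remove(code)
        self.published_seeds.append(seed)
        return True


def simulate() -> dict:
    """Constructed scenario: Bob sits near Alice for 20 minutes, Carol passes Alice
    briefly, and Bob hears Carol only faintly from across a room. Alice then tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.observe(alice.current_tcn(10), minutes=20, rssi_dbm=-62)   # ~1.4 m, kept
    carol.observe(alice.current_tcn(11), minutes=2, rssi_dbm=-60)  # close but too short
    bob.observe(carol.current_tcn(10), minutes=30, rssi_dbm=-85)   # ~20 m, dropped
    backend = HealthAuthorityBackend()
    assert not backend.publish("bogus", alice.seed)                # no code, no upload
    backend.publish(backend.issue_code(), alice.seed)
    return {p.name: p.exposure_minutes(backend.published_seeds) for p in (bob, carol)}
```

Only Bob's phone flags an exposure, and it does so from its own log; the backend's whole state is Alice's released seed.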
ACLU surveillance and cybersecurity counsel Jennifer Granick was equally firm about the need for decentralization in a statement she made following the Apple-Google contact tracing news last week. “To their credit, Apple and Google have announced an approach that appears to mitigate the worst privacy and centralization risks, but there is still room for improvement. We will remain vigilant moving forward to make sure any contact tracing app remains voluntary and decentralized and used only for public health purposes and only for the duration of this pandemic,” Granick said in a statement provided to VentureBeat. In a post Sunday, however, University of Cambridge security engineering professor Ross Anderson — who is currently advising the U.K. government officials considering contact tracing apps — said decentralization is no panacea, and some cryptographers say they see flaws.
“[D]ecentralized systems are all very nice in theory but are a complete pain in practice, as they’re too hard to update,” he said. “Relying on cryptography tends to make things even more complex, fragile, and hard to change. In the pandemic, the public health folks may have to tweak all sorts of parameters weekly, or even daily. You can’t do that with apps on 169 different types of phone and with peer-to-peer communications.” Anderson has a number of reservations about contact tracing apps, including the National Health Service’s (NHS) poor record with data protection. And he is concerned a system for lightly anonymized data collection won’t be disassembled when the crisis is over.
He also said there are other practical considerations to consider, like the fact that people with COVID-19 may be too sick to operate a smartphone and the likelihood of false positive scenarios, like when speaking with a neighbor through a closed window or when Bluetooth passes through plaster walls. Efforts should focus foremost on things like making testing and ventilators available before worrying about apps, he said. But decentralization advocates DP3T and COVID Watch believe strong personal privacy protection and high user trust can lead to higher rates of adoption for Bluetooth proximity tracing apps.
“A common concern with systems like these is that the data and infrastructure might be used beyond its originally intended purpose,” the DP3T report reads. “Such assurances will likely be important to achieve the necessary level of adoption in each country and across Europe, by providing citizens with the confidence and trust that their personal data is protected and used appropriately and carefully.” Higher levels of user trust may also lead to higher rates of self-reported surveillance data and higher levels of opt-in participation. Spokespeople from both Google and Apple stressed that their contact tracing initiative depends on mass adoption, which is not possible if people don’t trust the system and choose not to participate because they fear their privacy is at risk.
The need for testing
In order for contact tracing apps to have the greatest impact and give people confidence to return to work, they need to be paired with COVID-19 testing. In the absence of testing, health officials can’t confirm who actually has the disease, which dilutes the accuracy and impact of the tracking. We’re still learning who has immunity and whether people who have recovered can experience a resurgence of the virus; and of course, there’s no vaccine or cure yet. It’s unclear whether widespread testing will be available as lockdown orders begin to lift. Federal health officials are considering solutions like saliva testing, more at-home testing, and Abbott tests that deliver results in minutes. The United States still trails behind nations like Germany and South Korea in per capita testing, and some experts say the U.S. needs to quadruple testing capabilities in order to adequately respond to future needs.
In March, President Trump said anyone who needed testing would be able to get it, but on multiple occasions in recent days he has cautioned against a need for widespread testing except in specific cities. In what might be the biggest decision of his presidency, Trump set May 1 as a date to reopen the economy and resume normal life, a date some experts say might prove unrealistic. Dr. Anthony Fauci of the National Institute of Allergy and Infectious Diseases said antibody testing will become increasingly available in the coming days.
In the absence of testing, contact tracing apps can collect self-reported symptoms from users. Some epidemiologists and public health officials have said increased surveillance or self-reported information that reveals influenza-like illness can be good indicators of COVID-19 outbreaks or show where resources are most needed. Examples include anonymized data from companies like Apple, Facebook, and Google and surveys like COVID Near You, which asks people how they’re feeling. To date, the COVID Near You website, which was created by tech engineers and hospitals, has recorded how more than 400,000 people are feeling across the United States, Canada, and Mexico.
The road ahead
Some argue that because COVID-19’s incubation period is up to two weeks, tracking people’s movements must be a key part of any long-term strategy. And vaccine developers say we shouldn’t expect any effective cure for 18 months or more, making an interim solution essential. When it comes to implementing contact tracing apps, COVID Watch executive director White perhaps best summed up what we need next. “The important thing is buy-in from public health and Apple’s battery policy. Those are the two things we need from the outside. Everything else, the technical challenges, I think we can handle,” she said. Alongside widespread testing, fully anonymized Bluetooth tracing apps could in theory allow people around the world to participate in contact tracing without sacrificing privacy, but initial adoption has been slow.
With some of the biggest names in AI and security attached to it, Private Kit: Safe Paths attracted a fair amount of media attention when it launched last month. But in the weeks since, the app has seen only 10,000 downloads. COVID Watch hopes to make a bigger splash with a coordinated PR campaign when its app launches soon. Even if location tracking apps with encryption and Bluetooth emerge as top methods for contact tracing — successfully balancing a need for surveillance with privacy protections — they can’t work without buy-in from individuals, help from Apple and Google, and coordination with national public health officials.