Several countries are planning or have rolled out smartphone-based contact tracing apps. What does this mean for our privacy?
Several countries — and now individual US states — are planning or have rolled out their smartphone-based contact tracing apps. These apps are designed so that local health agencies can figure out who was near someone who was infected, in the hopes of gaining insight into the spread of infections. Let’s talk about what you need to know about these apps, and how to decide your own security strategy.
Second, all the tracking data in the world is useless without enough actual patient testing and follow-up contact tracing. Many countries – such as the US – haven’t been able to test as many people as needed to find who is infected and who isn’t. This paper from Harvard goes into some of the details about how many tests will be needed for tracking to be effective. It turns out we need to be testing millions per day to really track down the spread of disease. And even after this hurdle, a health agency needs to have the manpower to follow up and trace these contacts to determine which communities are at risk.
A third weakness of these apps is that they all rely on the GPS network. This limits their utility, given that precise locations aren’t really possible. How many of us have been directed down some odd street by a misbehaving GPS app? Making the apps more accurate means they have to cross-check against other data, such as each user’s common locations or Bluetooth scans of nearby users. For example, Taiwan has each user call the health department, cross-check their own location history against a central repository, and request a test if there was an intersection.
Finally, just because you have a smartphone app doesn’t mean that everyone will use it. Some countries, such as China, require everyone entering the country to load the app and correlate their phone with their passport information. Others have been less successful: in Singapore, only a small number of people are running the app. A lot depends on the culture, the type of government and the trust in what the government is saying about the virus. None of these have anything to do with the underlying technology itself.
But this situation is rapidly evolving. What helps (or hurts, depending on your point of view) is that there are four different development efforts underway that combine either open or closed-source approaches:
A second joint EU-based closed-source effort called PEPP-PT has gotten support from 130 organizations in eight different countries. No current apps are yet available to my knowledge on either EU effort.
Finally, there is BlueTrace/OpenTrace, open source code developed by Singapore that is part of its tracing app, TraceTogether. This was launched in late March and is the basis of a new Australian app. Singapore takes the information and stores it in a central repository, which is also what the PEPP design uses.
What should you do? First, if your locale has an app, understand what it does and how it can be compromised. Make sure you check the permissions when you install any tracking app and from that, know what is being collected from your phone’s movements and usage.
Second, is the app really “privacy-enhancing” as its developers claim? One of the reasons why South Korea has been successful is that it doesn’t keep any private identity-related data, and just posts the confirmed patients’ location histories. However, there is a lot that can be learned from these histories; a better solution would be to not publish any location data but have a way to “jog memories to help people retrace their movements,” as the ACLU suggests.
Finally, for those of us who have a choice and value privacy over public access, don’t install any of these apps. When the phone operating systems update over the summer, remember to turn off the “contact tracing” setting.
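For the permission check recommended above, here is one way to see what an installed Android tracing app can collect. This is an added example, not part of the original article: the package name `org.example.tracing`, the sample text (constructed, modeled on `adb shell dumpsys package` output), and the choice of which permissions count as sensitive are all assumptions.

```python
import re

# Permissions exposing location, proximity or identity data (this example's own grouping).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is closed",
    "android.permission.BLUETOOTH": "Bluetooth connections to nearby devices",
    "android.permission.READ_CONTACTS": "address book",
}

# Constructed sample for a hypothetical package, modeled on dumpsys output.
SAMPLE = """\
  Package [org.example.tracing] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.BLUETOOTH
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false
        android.permission.READ_CONTACTS: granted=false
"""

# A permission name, optionally followed by its grant state.
LINE = re.compile(r"^\s*([\w.]+\.permission\.\w+)(?::\s*granted=(true|false))?")

def audit(dump):
    """Map each sensitive permission to 'granted', 'denied' or 'requested'."""
    state = {}
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) not in SENSITIVE:
            continue
        perm, granted = m.groups()
        if granted is None:
            state.setdefault(perm, "requested")  # listed, grant state not seen yet
        else:
            state[perm] = "granted" if granted == "true" else "denied"
    return state

if __name__ == "__main__":
    for perm, status in sorted(audit(SAMPLE).items()):
        print(f"{status.upper():9} {perm.rsplit('.', 1)[1]}: {SENSITIVE[perm]}")
```

To audit a real device, pass the text produced by `adb shell dumpsys package <package name>` to `audit()` in place of `SAMPLE`.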