Mobile Phone-Based COVID-19 Contact Tracing
Using technology as a reliable method of tracking carriers of COVID-19 is a great idea, but it is extremely hard to do without creating huge privacy challenges.
What Is Contact Tracing and Why Is It Important?
Contact tracing is a way of identifying all the people that an infected person has interacted with. By identifying these interactions, it is possible to reach out to them and ensure that they are properly quarantined. Doing this is incredibly important if you want to stop the spread of an infectious disease. Historically, however, contact tracing has been very unreliable, as it often comes down to what a sick person does or doesn’t remember/want to reveal about their interactions.
Based on medical studies, it’s clear that countries that aggressively tracked contacts between known infected people and everyone else maintained a much more effective quarantine than those that didn’t. Knowing that this virus is extremely good at passing from one person to another, tracing everyone an infected person has had significant contact with makes a lot of sense. By tracing, and testing these likely contacts you can reinforce your quarantine, preventing it from becoming porous.
Source: National Center for Biotechnology Information
There is compelling evidence that aggressive contact tracing combined with rapid intervention, strong quarantine practices, and comprehensive universal testing is what enabled South Korea to stabilize its outbreak faster than almost any other country.
However, contact tracing is hard. Traditional methods involved giving the subject a questionnaire asking them where they have been and who they had come into contact with. Relying on the memory of a sick person can be a longshot at best. It’s easy to see the flaws,; one forgotten visit to a bar and hundreds of possible contacts may escape the net, breaking down the effectiveness of a quarantine.
Technology to the Rescue?
Some countries with a high density of surveillance cameras have successfully used them to plug some of these gaps. If you review footage, you can build a much more accurate picture of where a person has been. However, this approach also has significant down-sides. It’s highly resource-intensive, plus it is significantly more invasive for the individual being investigated. Lastly, it has significant gaps. For example: anywhere there is no camera coverage, there is no information.
As a result, there has been a natural progression towards the use of mobile phones for tracking. The same trends that made mobile devices the center of gravity for identity verification make them excellent for tracking peoples’ movements:
Everyone has one
They are connected
They support a wide range of protocols
They have a permissions model for secure communication
One of the first approaches for using mobile technology to track movement was creating invisible electronic barriers called geofences. A geofence surrounds an area and generates an alert if a device crosses it. One notable example is the system developed in Taiwan. A perimeter gets set for the registered location for each mobile phone user. If the signals from that user’s phone move outside of the set perimeter, it alerts authorities who respond to the location within 15 minutes.
This solution, too, has its weaknesses. Mobile phone signals are subject to interference and atmospheric conditions that mess with where a phone thinks it is. Additionally, contacting and tracking every phone user is a hugely intensive task. Last (and perhaps most problematic), what about people who don’t have mobile phones or visitors subscribed to foreign telecoms providers?
Source: T.H. Schee via Quartz
Hong Kong has improved on this model by combining mobile phone data with a smart wristband that creates a more flexible, intelligent geofence. The wristband connects to an app on the users’ phone called StayAtHomeSafe. StayAtHomeSafe works with the wristband to map your residence as you walk around it. That map is then used to create the geofence that enforces the quarantine. Users who breach their geofence face up to six months in prison and a fine of up to HK$25,000 ($3,200).
Since the system uses external signals to create a fingerprint map of your location, it is just as susceptible to issues with coverage and interference as the Taiwanese solution. The main advantage it offers over a pure mobile-based geofence is that it can be used on arriving visitors, as well as existing residents. Arrivals at Hong Kong International Airport are provided with wristbands that work with the mobile phone to enforce a mandatory 14-day quarantine.
Source: Twitter.
A Better Mobile-Based Approach
A much better mobile-based approach would be using mobile phones to recognize each other. By identifying phones that came into close proximity to the phone of an infected person during a stretch of time, it generates a much more useful dataset with much less effort. This approach still comes with some of the same gaps—like people who don’t have phones—but it produces a clearer picture with less effort.
Mobile phones also offer several wireless protocols that could be used for this kind of tracking. Some of them are already widely used for exactly this. However, each one comes with its own advantages and disadvantages.
Ultra Wideband (UWB) - A very high bandwidth low power protocol that can identify peer devices up to 200m away. UWB is an emerging protocol that can be found in devices like the Apple iPhone 11 and Samsung Galaxy S20. It would be ideal for something like contact tracing. However, as an emerging technology, support is currently limited, meaning it would not cover very many people.
Wifi - Every phone supports wifi, and an adaption of the natural beaconing built into the protocol could be readily used for this type of use case. Indeed, several tracking implementations have been built using Wifi already—from tracking users at conferences to open-source databases of wireless access points. The biggest challenges with wifi are device tracking of beacons when connected to a network, interference, and power consumption.
GPS - Most phones have GPS or AGPS units built into them and location is recorded as long as the device is powered on. However, this works independently of any other devices and would need a constant data link to a database that tracks movement, in realtime, to correlate it with everyone else’s movement. Not only would this be incredibly resource-intensive, but a real-time database of every mobile phone user’s location would be a huge privacy challenge. The final—and perhaps biggest—hurdle for GPS is coverage. You don’t get GPS signals indoors, so people in large complexes can move around without triggering any kind of alert. It is also very difficult to make a GPS based solution that embraces privacy by design.
Telecoms protocols - Telecoms Operators are able to tell where a device is at any given time. However, to be used for something like this, the challenges would be similar to using GPS with the added complication of getting the data from every single operator—something that may not even be possible with foreign mobile users. It also shares the same significant challenges with privacy as GPS based solutions, more if you consider the operators’ access to the data.
Bluetooth - Bluetooth is the clear winner. It has been designed to operate continuously with as little power as possible. Bluetooth devices are uniquely identifiable, able to find other devices within range, and—most importantly—has been around long enough that almost every smartphone on the market supports it.
Singapore has already started to roll out a Bluetooth based application called TraceTogether, based on a technology called BlueTrace”. Both Singapore and the group behind BlueTrace are releasing their technologies as open-source for the rest of the world to use. TraceTogether uses an opt-in model that requires users to download the app and consent to its use before it will work. Additionally, the data is stored in an encrypted format on the device unless it is needed by the authorities for contact tracing. When someone is confirmed as infected, the authorities will ask them to release their contact info and send them an authorization code to enable transmission. To prevent abuse of the tracking ID, it is rotated every 15 minutes using TempIDs generated in batches on the backend and downloaded to the device. This seems like a good approach from a privacy perspective, however, there will certainly be technical challenges. For example:
How will the app function when the device is locked and in your pocket?
How much power will it consume?
How will it judge when a contact is near enough?
While creating batches of IDs will reduce the number of times a device will have to talk to the backend server, it won’t eliminate that need. What happens when the device is out of coverage for an extended period or is unable to reach the server?
How is the authorization code generated? If this code gets broken, it is possible for a malicious party to upload false information, or worse.
Since the central server responsible for key management will also store identifiable information in the form of telephone numbers, there is a risk that it could be abused to track users.
Australia has launched it’s own app, COVIDSafe. The Australian Government modeled it after the Singaporean app TraceTogether which also uses the BlueTrace framework. As a result, it shares the same concerns as the Singaporean app. These concerns were quickly voiced by privacy experts at the University of Melbourne. Teardown and analysis of the Australian app validated some of these concerns while also showing the underlying framework is sound. I’ll get into more detail on these risks at the end of this article.
Both the Australian and Singaporean apps also use centralized servers for key management. These central platforms represent a risk, not just in terms of the risk of attack and breach, but also due to their role in managing tracking. Ultimately, whoever has access to the server has the ability to track users with extreme granularity.
European states and the UK have proposed a mixture of solutions, Almost all of these are based on BTLE contact tracing, however, the main differences center around whether to use centralized or decentralized implementations and how subscriber IDs should be managed. Most European states are implementing decentralized solutions, including one pan European group called DP3T. However, several prominent states including France and the UK are testing home-grown centralized solutions. Concerns have been raised both in the UK and globally on the risks posed by these centralized approaches. Germany planned on implementing a centralized solution but, after reviewing these concerns and encountering technical challenges, has now switched to a decentralized implementation.
Last, but by no means least, Apple and Google have announced a joint project that offers perhaps the most promising solution yet. This collaboration makes it the first joint mobile project of this nature, something that opens doors to many interesting possibilities. It also means that their solution will have a far wider reach than any single app or provider-based solution.
Like the Singaporean project, the device IDs collected will be stored on the phone using temporary IDs that rotate every 15 minutes. However, unlike the Singaporean solution, the keys are managed on the device. Once a day, the device derives a “daily tracing key”. This key is then used to create new “proximity IDs” every 15 minutes. Keeping the key management on the device is more secure, better for privacy, and more resistant to things like network or coverage issues. It’s a good design but it still raises several concerns that I will get into later.
Phase one of the joint Apple/Google tracing project is releasing an API that allows it to be implemented into other health apps. It’s a smart way to ensure wide adoption. Rather than sticking with one app that may or may not get installed, they are allowing all the health apps out there to add this as a feature. Combined with the interoperability between IOS and Android, this should result in pretty good coverage. The app version will likely have the same issues as the Singaporean app. It’s also not clear how much power a contact tracing app continuously running on your phone will consume. Additionally, under IOS it’s not clear how this will work when the app is in the background or the device is locked and put away.
Phase two sees the technology integrated into the respective OSs. Both Android and IOS will incorporate contact tracing as an OS feature that can then be pushed out with an OS update in the future. This solves the app problems and ensures that every single up to date device will support this feature natively. However, this is not without risks.
It’s not clear yet what path the U.S. will take as there is currently no strong push towards contact tracing from policy leaders. However, several Federal agencies such as the CDC, HHS and NIH have made it clear they see contact tracing as a key aspect to a well-managed environment after the pandemic. As things stand, it is likely that we will see the Apple/Google version of contact tracing appear in the US, even if it is simply through organic use after the feature becomes available.
Conclusion and Some of the Risks Around Mobile Contact Tracing
It’s not clear from the Apple/Google specifications how the release will be triggered. The presentation seems to imply it is a manual process, triggered by the user. While other contact tracing implementations (such as anything based on Bluetrace) are clearly dependent on a manual action taken by the infected subscriber, others such as the centralized solutions being developed in UK and France or the non-BTLE based solutions automatically collect the data. If it is a manual release, while being good for privacy, it will become the weak link in the chain. How do you ensure information is released when it needs to be? How do you prevent it from being released when it shouldn’t? I can see authorities wanting this to become an automatic process. If sufficient users fail to release COVID contact information, then the data will have substantial holes in it. If it happens automatically further down the line, then the privacy risks grow.
When someone does release their information, a lot of the privacy strength gained from these designs is lost. In many ways this is unavoidable; if you are going to trace someone's contacts you need to be able to identify who they have been in contact with. However, this poses some significant challenges which have not yet been fully addressed.
How do you define what is and isn’t a contact? BTLE can travel significant distances and someone who is 100m away from you clearly doesn’t represent an infection risk. This could be solved through power management but that is likely to have its own challenges.
Tracking devices with BTLE is already a well-established thing. BTLE beacons can be found in use in many locations. BTLE is also already being extensively used for things like fleet, asset, and workforce tracking. Shops use BTLE because they can identify what products a shopper stops in-front of and routes they take through their premises. There are even solutions—like trash cans or vehicles with Wifi and BTLE tracking information—that can show where people live, work, and eat. This is why there is a strong focus on ensuring rotating temporary IDs. However, there is nothing stopping existing BTLE tracking systems from using these IDs for short periods of time, or for longer stretches by correlating them with other signals.
The Australian app, COVIDSafe, implemented a two-hour rotation and appears to have a bug that prevents rotation in some devices until they are rebooted. As a result, these tracking risks are magnified, and pre-existing commercial or free Bluetooth tracking tools can easily track COVIDSafe users for two hours or longer.
Both the Australian and Singaporean apps transmit model information about a phone. Ostensibly, this is to help with power decisions—as different devices transmit at different levels of power. Unfortunately, this poses a significant threat; when tracking more unique devices, tracking remains possible even with rotation if you enrich the device type data with other information, such as location.
Centralized tracking solutions pose significant challenges above and beyond those discussed above. Not only do they create a central point of control that holds all the PII (and potentially even medical information), but it also provides a central point of control. A point of control that could potentially be used further down the line to adapt this technology for other uses.
This brings me to the last, and perhaps greatest, concern for me—what about tomorrow? Contact tracing is surveillance technology. While this is a very good use of surveillance technology, and will likely be extremely helpful in maintaining the quarantine, it offers a large number of future possibilities, not all of which are friendly. There are quite a few ways this technology could be adapted to track people, or specific groups, for potentially problematic reasons. While intentions are generally good, and companies like Google and Apple have great track records in fighting for privacy, the problem with genies is that once you let them out of their bottles, they are notoriously difficult to stuff back in.