Public health officials have long relied on tracking infectious diseases as common as tuberculosis and as lethal as Ebola as a way to stop their spread. But manual contact tracing requires boots on the ground – people who track down patients, interview them about where they've been and who they've met with, and then find those people and let them know they've been in contact with someone who has tested positive. If any of them test positive, their "contacts" must also be interviewed.
Technology-enhanced contact tracing – using smartphone apps and geolocation data, for example – could help cut down on delays in tracking contacts and potentially provide more accurate information to public health officials. After all, it can be hard for the very ill to remember who they met weeks ago at a dark nightclub or which bus driver they might have coughed on.
So it's easy to see why tech-enhanced COVID-19 contact tracing holds such great promise for public health officials, politicians, and app developers. But with great data collection comes great responsibility, and experts worry that without proper planning, today's decisions about developing contact-tracing apps could have unforeseen consequences in the years to come.
Variety of Plans
Contact-tracing methods and technologies vary widely. While Taiwan's contact-tracing program has been hailed as a possible model for the United States, China's program would be considered invasive by the West's standards. Meanwhile, Israel is involuntarily collecting geolocation data, Singapore has built an open source contact-tracing system based on Bluetooth beacons, and the United Kingdom is struggling to find its own way.
In April, Apple and Google announced their plan to jointly develop a decentralized COVID-19 contact-tracing system for Android and iOS. It will use automatic Bluetooth interactions between phones to pseudonymously identify when a person has come in proximity to an infected patient. As of now, Apple and Google are not making their own apps but building the cross-platform architecture that contact-tracing app developers can use.
Adding to the complexity is a lack of clear standards for what the apps should look like and how consumers will need to interact with them. Johannes Ullrich, head of the SANS Internet Storm Center, said he's concerned that hard-to-use app interfaces will open the door for developers to sneak features into the apps long after they've served their purpose.
"These applications and their APIs could encourage feature-creep to set in. [They] could be used for other types of tracing and reduce privacy," Ullrich said. "The consumer has no real idea how these work, and they could keep running even if the [COVID-19] conditions change later."
Privacy advocates and technologists are alerting developers to the risks.
The data that contact-tracing apps could collect goes beyond where the device owner has been, warns Richard Weaver, data protection officer at cybersecurity provider FireEye. It could include healthcare information, government identification numbers, and infection status — all of which could be abused by hackers.
"These apps could create a pool of data that resides on the phone," Weaver says. "As an app developer, you have to ask yourself at what point you even need the data anymore."
Developers should resist the temptation to retain data collected by their COVID-19 contact-tracing apps for longer than is necessary, he adds.
"App developers as a rule should follow data minimization" and not collect more than what's required to successfully aid contact tracers, Weaver says. Data minimization "is required in the European Union, but it's also best practices."
The American Civil Liberties Union established a series of privacy-protective protocols for organizations to adhere to when developing their contact-tracing systems. Microsoft vice presidents Julie Brill and Peter Lee have advocated for consumers to have control over how their data is shared, where the data is stored, that the data be used solely for public health purposes, that the minimum amount of data necessary for contact tracing be collected, and that the data should be deleted after the pandemic has receded.
A study on creating a privacy-sensitive protocol for mobile-device contact tracing (PACT) – co-authored by researchers from Microsoft, the University of Washington, the University of Pennsylvania, and the Boston Public Health Commission – recommended keeping location data locally on the device and using it only to identify who else was near the infected patient, suggesting that data handled this way might be safe from exploitation.
The system created by Apple and Google does anticipate some of these issues and institutes security and privacy precautions: For one, the system will use Bluetooth beacon key exchanges and not geolocation data. It also will likely require patients who test positive for COVID-19 to only update the app with approval from a healthcare professional. In addition, the system recommends that app developers not store IP address information. Also of note: Apple and Google say they won't allow advertisers access to the system.
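To make the decentralized design concrete, here is an added Python sketch (not code from the article, Apple or Google) of how pseudonymous Bluetooth identifiers, a clinician-gated key upload and on-device matching fit together without any location data or central contact log. The HMAC-based derivation, 10-minute intervals and the boolean approval gate are simplifying assumptions; the real framework uses different primitives and parameters.

```python
"""Simplified model of decentralized exposure matching. Illustrative only:
the real Apple/Google framework uses different key derivation and
parameters; this keeps just the privacy-relevant shape."""
import hashlib
import hmac
import secrets

INTERVAL_MINUTES = 10                                # assumption
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES      # 144 broadcast slots


def new_daily_key() -> bytes:
    """A phone draws a fresh random key each day. It stays on the device
    unless the owner is diagnosed and chooses to publish it."""
    return secrets.token_bytes(16)


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Pseudonymous identifier broadcast over Bluetooth in one interval.
    Without the daily key, two identifiers cannot be linked to one phone,
    and no identifier carries location, identity or health status."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def publish_diagnosis_key(daily_key: bytes, clinician_approved: bool):
    """Models the healthcare-professional approval step: an unverified
    self-report publishes nothing, so the shared list cannot be polluted."""
    return daily_key if clinician_approved else None


def exposure_minutes(heard_ids: set, diagnosis_keys: list) -> int:
    """Runs on the *receiving* phone: expand each published key into the
    identifiers it would have produced that day and count matches against
    the locally stored log of identifiers heard. The server never sees the
    log, so it learns neither who was exposed nor where."""
    matched = 0
    for key in diagnosis_keys:
        candidates = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
        matched += len(heard_ids & candidates)
    return matched * INTERVAL_MINUTES


if __name__ == "__main__":
    # Constructed scenario: Bob's phone hears Alice for six intervals and
    # Carol for three; only Alice is later diagnosed and approved.
    alice, carol, bob_log = new_daily_key(), new_daily_key(), set()
    bob_log |= {rolling_id(alice, i) for i in range(40, 46)}
    bob_log |= {rolling_id(carol, i) for i in range(100, 103)}
    published = [k for k in [publish_diagnosis_key(alice, True)] if k]
    print("Bob's exposure to diagnosed contacts:",
          exposure_minutes(bob_log, published), "minutes")
```

Carol's identifiers stay in Bob's log but remain unlinkable because her key is never published, which is the property that limits the "pool of data" Weaver warns about.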
Not an Either/Or
Contact-tracing apps will not be effective unless they are paired with traditional, manual contact tracing, says Stefano Tessaro, an associate professor at the University of Washington College of Engineering, and co-author of the "PACT" study.
"All of this only makes sense on top of traditional contact tracing," Tessaro says. "I think there's a little bit of a misconception at this point. Somehow digital contact-tracing solutions are compared to manual contact-tracing solutions."
But it's not about replacing or cutting back on manual contact-tracing efforts, he says: "That would be the wrong approach."