Last weekend, Google and Apple announced a partnership to enable Bluetooth contact tracing to fight coronavirus. Contact tracing is the process of identifying carriers of coronavirus, and whom they’ve come into contact with, so they can quarantine as needed.
The proposal forgoes a system based on location tracking for Bluetooth proximity tracking. The idea is that rather than tracking your location, the system will use the Bluetooth on your phone, which will briefly register what other Bluetooth devices come within six feet of it.
“At a high level I would say that Bluetooth-based contact tracing is the best technology, because compared to other methods like GPS or cell-tower location it’s more difficult to repurpose for surveillance, and it has the potential to be a user-respecting system,” said Henry de Valence, a cryptographer at the Zcash Foundation working on fast, safe zero-knowledge cryptography for privacy-preserving systems. “So it’s great that Apple and Google are working on it, and while the Zcash Foundation has some small reservations about technical details, this is a huge step forward.”
But blockchain-based privacy advocates, computer scientists and others would rather wait for the systems to be rolled out before making any final judgments.
How the system works
Apple and Google won plaudits for eschewing more invasive measures such as location tracking and facial recognition, methods employed in Israel, China and South Korea.
The system will be rolled out in two phases. The first involves Apple and Google making software updates in May to support contact tracing APIs, which public health authorities can incorporate into apps they are building. These apps could then be downloaded from the Apple and Google stores and users can start reporting if they’re infected.
The second phase involves building Bluetooth-based contact tracing capabilities into the iOS and Android operating systems over the course of the next few months. This is a more robust solution than an API and will enable these operating systems to notify people about potential exposure to coronavirus even if they have not downloaded any app (assuming they opt to receive such alerts). It will then encourage them to download the relevant app. This is seemingly a workaround for notifying people who don’t want to download a government app. These apps will only be effective if people opt into them, and it’s unclear what percentage of the population needs to sign up.
The system will work to ensure users privacy through a few different mechanisms. While an app would broadcast your Bluetooth signal, logging other Bluetooth signals it came across, the signal is an anonymized key that regularly changes, making identification difficult. And if a person shares that they’ve been infected, the app will only share their keys from the period in which they were contagious.
“Privacy, transparency and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” said Apple and Google in a statement. “We will openly publish information about our work for others to analyze.”
With the approval of health agencies, people could upload the digital IDs their phone broadcasts to a database of shared keys. Your individual phone would then do the cryptographic actions that cross-check whether you came into contact with one of these shared keys. This action would be performed locally, so you would not be uploading your own keys to any database.
Google provided infographics that help illustrate how the system functions.
In a conference call with journalists on Monday, the companies said the system would be dismantled when appropriate (something that is incredibly hard to predict at this point), that only authorized public health authorities would have access to the API and that the data systems will not be used for targeted advertising.
Still, a large part of the opt-in these companies and governments are asking for requires you to trust these companies, and that’s something critics aren’t necessarily ready to do.
“Moving forward, I’d like to see a bit of iteration on the protocol to make it more extensible and decentralized with respect to who collects and authenticates test results,” said de Valence.
“Right now, it assumes that there’s a single entity that can decide which test results are valid, but there’s not much discussion of who that entity is or what infrastructure they have to run.”
Others in the privacy-tech and blockchain space question the companies’ commitment to privacy and wondered about the potential for false positives and negatives that may result because of the use of Bluetooth.
“When one hears ‘Google and Apple’ together, privacy and security are not the first things that come to mind,” said ZP Hou, the CEO of Suterusu, which is working to develop privacy protection over smart contracts, transactions and data for blockchain networks. “Their intentions are in the right place, in trying to use tech for good and help reduce the transmission of COVID-19. But in reality, these are two of the largest tech mega-corporations in existence, and their historical commitment to privacy is lackluster at best.”
Keith Robinson, the head of Product Management at Scentrics, a data privacy and security company, sees the benefits of the system not gathering location data or sharing information widely, but says it doesn’t go into enough detail.
“There is no mention of how data shared with the server will be used or how long it will be retained for,” he said. “Nor is there mention of how the application should dispose of its own data, or the matches it has found.”
He also points out there wasn’t working code available to test or to scrutinize for potential information leakage or abuse and questioned why Google and Apple weren’t collaborating with the open source community, which has proposed similar systems.
Akshan Soltani, former Federal Trade Commission CTO and an Obama White House senior adviser, worries about the potential for false positives and negatives that might occur as a result of Bluetooth.
“Bluetooth signals traverse walls, linking you to your neighbor even if you’ve never actually been in actual physical contact (for example, in an apartment building),” he tweeted.
The system also doesn’t account for those who might not have smartphones, such as children or the elderly, Soltani added. And, believe it or not, we don’t carry our smartphones all the time.
Not only will these issues limit the effectiveness of an app, they might have tangible consequences for people’s movement.
“While I suspect these tools will be framed as ‘voluntary/opt-in’ – they will eventually become compulsory once policymakers begin to rely on them in order to decide, for example, who can leave the house or who can return to work – setting an incredibly dangerous precedent,” Soltani wrote, likening it to the health pass required to travel around China.
The Verge’s Casey Newton wrote that Apple recognizes there are environmental factors that can limit Bluetooth’s accuracy, such as how your device is arranged in your pocket, whether it’s in a backpack or if it’s covered by something.
Finally, contact tracing is only as good as the ability of health authorities to test people quickly and accurately, something the U.S. has struggled to do. Many cities are demanding more tests while others have problems processing the backlog of tests they have. Experts say the U.S. will need millions of tests a day and the supply so far has not come close to that.
“There is nothing to input without testing,” said Elizabeth Renieris, a fellow at the Berkman Klein Center for Internet and Society at Harvard University. “And there is no public health value without testing. The whole thing breaks down without testing.”