Vipin Bharathan is chair of the Hyperledger Identity Working Group where he researches solutions for privacy in public settings.
As the COVID-19 virus has spread unchecked in the U.S., complete shutdowns have been the adopted solution. Contact tracing and isolation, along with their necessary corollary, testing, are needed to reopen the economy safely and to prevent a second wave, another shutdown and a consequent deepening of economic distress.
In classic public health practice, human contact tracers interview the newly infected, attempting to jog their memory and find all the epidemiologically significant encounters that might have passed on infections. The tracers contact exposed people and persuade them to self-isolate and get tested. The effort has to be local because most of the contacts happen locally. When the infection is in its infancy with hot spots, rapid contact tracing and isolation can be very effective, as proven in many countries. Rapid contact tracing needs technology support. Many countries have used intrusive contact tracing apps.
Contact tracing works by isolating the infected and their epidemiologically significant contacts instead of the whole population. Contact tracing and isolation work by limiting the number of new cases created by a single infected individual. Done well, they can stop an infectious disease in its tracks.
The U.S., the European Union and the U.K. are unique because of their large numbers of active cases. Laws, customs and culture prevent overt subversion of privacy. COVID-19, with its long pre-symptomatic infective period and extreme virulence for a few, presents unique challenges. Tracing and isolation have to be rapid to be effective. A human-based interview process is inherently time consuming and error prone because it relies on memory and can miss anonymous contacts. Phone-based interviews and detective work could also fail in the U.S. due to our resistance to anonymous robocalls.
These realities are acknowledged by contact tracing experts. Public officials are still forging ahead, recruiting thousands. Public health experts are also resistant to exposure tracing apps, skeptical of their privacy guarantees.
A survey conducted in March found that many people worry that, once started, proximity notification will continue well past the coronavirus scare (38%). The next two big concerns are the vulnerability of mobile devices (33%) and the evergreen “do not want to be worried” (26%). This trust deficit can leave adoption short of the ideal of 60%.
This article argues for privacy-preserving proximity notification apps based on Bluetooth. Bluetooth is granular enough to measure proximity effectively. Although there are many competing proposals, the privacy design of proximity notification apps has converged. The current winner for government adoption seems to be the Google/Apple (Gapple) framework. I call this a framework because it requires an overlay from the local public health system to work. The framework will be released as a patch to the operating systems covering the majority of cell phones in the world. Users do not need to explicitly download the framework.
Preserving the privacy of users while remaining useful is a challenge. Privacy is enhanced by decentralization, by the design of the key schedule and by minimal collection of data. The proposed design of the Gapple framework shows how the app can preserve privacy and still be useful.
Installing the app
Users are in control and need to opt in by downloading their local public health authority’s app. Data never leaves the user’s phone if they are never diagnosed positive.
A daily random key is generated on the user’s phone. The daily random key deterministically generates many proximity keys that are broadcast using Bluetooth. Deterministically means that if a daily random key is known, then all of its proximity keys can be regenerated. These proximity keys are captured by the phones of other users running the same app when the proximity parameters are met. The proximity keys are equivalent to random noise, meaning the phones that broadcast them cannot be identified by correlation. Proximity parameters are determined by local health authorities, usually more than 15 minutes continuously at less than six feet. At this point, all data resides on the users’ phones and never leaves them.
On a positive diagnosis
If a user is diagnosed positive, the user can opt to upload his or her list of daily random keys for the pre-symptomatic but infective days before the diagnosis to the local public health server. A testing code is required for this, to prevent malicious uploads. The daily random keys from infected users are fanned out to all the users in the local area. The app on each receiving phone then re-runs the same deterministic algorithm and looks for matches with its previously stored proximity keys. If there is a match, the app warns the owner of the phone to seek testing and to call the local health authorities. If that person tests positive, the process of notification starts over again.
The public health servers only distribute the data and never learn anything about the users. Google and Apple can never learn anything more about the users either. The app will be turned off when the virus subsides.
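To make the key schedule and the matching flow just described concrete, here is an added simulation in Python. It is not the Google/Apple framework’s own code or derivation: the 10-minute interval count, the HMAC-SHA256 derivation, the 16-byte key sizes, the three-day look-back and every name below (Phone, HealthServer, proximity_keys, the sample testing code) are assumptions made for this illustration. It shows three phones broadcasting, two of them meeting once, a positive user uploading daily keys with a testing code, a forged upload being refused, and each phone re-deriving the published keys locally to decide whether it was exposed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

# Added illustration of the key schedule and matching flow described above.
# NOT the Google/Apple framework's own derivation: interval count, HMAC-based
# derivation, key sizes, look-back window and all names are assumptions.

INTERVALS_PER_DAY = 144          # assumption: one proximity key per 10 minutes
INFECTIVE_DAYS_BEFORE_TEST = 3   # assumption: how far back a positive user uploads


def new_daily_key() -> bytes:
    """Fresh random daily key, generated on the user's phone and kept there."""
    return secrets.token_bytes(16)


def proximity_keys(daily_key: bytes, day: int) -> List[bytes]:
    """Deterministically derive the day's proximity keys from the daily key.

    Anyone holding daily_key regenerates exactly this list; without it the
    values look like random noise, so an observer cannot link two broadcasts
    to the same phone.
    """
    return [
        hmac.new(daily_key, f"{day}:{i}".encode(), hashlib.sha256).digest()[:16]
        for i in range(INTERVALS_PER_DAY)
    ]


class HealthServer:
    """Relay that only redistributes the daily keys of diagnosed users."""

    def __init__(self, testing_codes: Set[str]):
        self.testing_codes = set(testing_codes)      # one-time codes issued with a test
        self.published: List[Tuple[int, bytes]] = []  # (day, daily key) of positives

    def accept(self, code: str, daily_keys: List[Tuple[int, bytes]]) -> bool:
        if code not in self.testing_codes:
            return False                     # refuse uploads without a valid code
        self.testing_codes.discard(code)     # each code can be used only once
        self.published.extend(daily_keys)
        return True


class Phone:
    def __init__(self):
        self.daily_keys: Dict[int, bytes] = {}  # day -> daily key; never leaves the phone
        self.observed: Set[bytes] = set()       # proximity keys heard from nearby phones

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, new_daily_key())
        return proximity_keys(key, day)[interval]

    def observe(self, beacon: bytes) -> None:
        self.observed.add(beacon)

    def upload_after_positive_test(self, test_day: int, code: str, server: HealthServer) -> bool:
        """Upload only the infective days' daily keys, only with a testing code."""
        days = range(test_day - INFECTIVE_DAYS_BEFORE_TEST, test_day + 1)
        keys = [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]
        return server.accept(code, keys)

    def check_exposure(self, server: HealthServer) -> bool:
        """Re-run the derivation on every published daily key and match locally."""
        return any(
            pk in self.observed
            for day, dk in server.published
            for pk in proximity_keys(dk, day)
        )


def simulate() -> Dict[str, bool]:
    alice, bob, carol = Phone(), Phone(), Phone()
    server = HealthServer({"CODE-1234"})   # constructed sample testing code

    # Days 1-3: all three phones broadcast; only Alice and Bob meet, on day 2.
    for day in (1, 2, 3):
        for phone in (alice, bob, carol):
            phone.broadcast(day, 0)
    bob.observe(alice.broadcast(2, 7))
    alice.observe(bob.broadcast(2, 7))

    return {
        "forged_upload_rejected": not carol.upload_after_positive_test(3, "WRONG", server),
        "alice_upload_accepted": alice.upload_after_positive_test(3, "CODE-1234", server),
        "bob_notified": bob.check_exposure(server),
        "carol_notified": carol.check_exposure(server),
    }


if __name__ == "__main__":
    print(simulate())
```

Note what the server never sees: Bob’s and Carol’s daily keys stay on their phones, the server holds only Alice’s uploaded keys, and the match is computed by each phone against its own observations, which is the decentralization the article relies on.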
It is natural for the public and for public health officials to be suspicious of proximity notification functions implemented by companies like Google and Apple, which are in the business of harvesting private user data and monetizing it. Apple and Google have to agree to an independent audit or open-source their implementation for review to allay this fear.
Widespread adoption of a proximity notification app is not just a technical challenge. Public health authorities have to welcome it as a useful addition to their contact tracing arsenal. This may not happen in the first reopening; but if subsequent waves of infection hit, and classic contact tracing by itself proves unworkable for the coronavirus, more of the public and the authorities may be open to alternatives.
Here are some suggestions for improving adoption of proximity notification apps to aid classic contact tracing. Public support from trusted influencers is vital to widespread adoption. These influencers need to come from a spectrum of trustworthy sources: scientists, health authorities and privacy advocates.
Incentives are important for adoption. Once proof of proximity can be given through a QR code, faster testing must be made available to the exposed. In addition, if proximity is proven and you have to quarantine, financial or housing support could be provided for lost income, as well as quarantine hotels, food, laundry and mental health support. The installed app should trigger disability and employment laws to guarantee continued employment.
Adoption may not happen after the first wave, but may happen if a second wave shuts down the local economy and communities become more receptive to such an app.