Contact tracing; can’t live with it—can’t live without it. Whether or not there’s something “irresistible-ish about it” remains to be seen, as initial adoption will be up to the volunteers. Us. Will we download the CDC-approved app released by a joint Apple-Google effort, or will we wait until it hits the operating systems? Or will we do something different? No longer a debate, the growing reality of encryption (and all its uses) presents itself at the forefront of our national debate, our public health, and our civil liberties. It’s a good time for the numbers.
Contact tracing: Coming to an OS near you
With Google and Apple’s contact tracing coming in May, let’s look at what we are getting into.
Russia, China and South Korea have all been early adopters of similar practices. Some state-implemented ideas to “stop the spread” have included facial recognition (Russia), a color-coded human tracking symbol that limits your movement (China), and an alert system that sends out the age, gender, workplace and home location of infected individuals (South Korea). Stay safe.
According to their April 10 announcement, the two typically rival companies “will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing.” In other words, it actions as Bluetooth tracking between devices, upon download of the app available next month.
That’s phase one.
Contact Tracing Built into the OS
Phase two rolls out with a more heavy-handed, though technically still voluntary, measure. Quotes the announcement, “in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.”
Or, if you’re using the Android or iPhone OS after a few months, you’ll have contact tracing already built in. While some say it’s necessary to the public safety, others have weighted concerns about safety of a different sort.
"We just don’t have enough data”
“Something that was created to help solve a public health crisis, could instead be used to restrict people’s liberty,” said Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation.
The move flies curiously in the face of rhetoric about “sunsetting pandemic provisions” only intended for the immediate crisis. Something about building permanent contact tracing solutions into two of the most ubiquitous operating systems in the world doesn’t strike me as temporary.
Adding to the concern, the decisive move by the two tech giants might seem iffy for one more reason:
“These technologies have not really been tested whether they really work or not,” said Josephine Wolff, assistant professor of cybersecurity policy at The Fletcher School at Tufts University.
“Potentially they could help alert individuals who are high risk and need to isolate, but we just don’t have enough data to really understand how much of a difference it’s going to make.”
For not having those basic questions vetted out, that’s a big commitment to build into your software going forward. And data sharing can still be risky if you cannot be certain of its encryption status and who can access it. More on that to follow.
- RSA Survey: Should Governments Regulate Social Media Data Collection?
What we know about contact tracing privacy
As I covered above, next month, approved apps run by government health agencies will have the ability to track physical proximity between phones, using Bluetooth capabilities. Let’s look at how Phase I (the voluntary app phase in May) rolls out.
What Do We Know?
- The data can be used to notify you if you’ve been in contact with someone with COVID-19
- The program is opt-in
- The program is Bluetooth only
- No location data is collected
- Only data on those diagnosed positive with COVID-19 will be collected
- The Bluetooth codes are derived from cryptographic keys that change daily for security
- The information (of everyone other than COVID-19 positive users) is anonymous
Along with those facts, are factual rebuttals:
- Bluetooth is a wireless technology that is difficult to secure
- The app doesn’t account for mistaken diagnoses
- A recent study by the Imperial College of London reports that even anonymized data sets are not enough to secure personal information. The sets can be reverse-engineered “easily and accurately” to identify individuals—meaning even those without COVID-19.
As an article in WIRED summed up, “The result is a complicated picture—an unproven system whose imperfections could drive users away from adopting it, or even result in unintended privacy violations.”
How long will it last
In addition to the app, other contact tracing strategies are being used, “including artificial intelligence, thermal imaging, facial recognition, IoT sensors, and more.”
"These companies we're talking to, and many of them are governments... want to be able to, at a moment's notice, separate people,” said Marty Sprinze, CEO of Vantiq, a firm specializing in surveillance technologies.
“At first, when we were being pulled in to build these apps or work with our partners to build these apps, at first we started thinking that, 'Oh, this is something that's going to last for a few months.' That's not the case."