As countries around the world struggle to track the spread of coronavirus infections using cellphone data, a debate has developed over a technical issue related to privacy: Should governments or health care regulators collect anonymized data and store it in one central database, or take a more decentralized approach, allowing computations to occur on people’s individual devices?
While some countries with more expansive surveillance systems are taking more aggressive steps to actively monitor citizens’ locations and movements, European governments and a global group of security experts have been engaged in a heated debate in recent weeks over how to create a contact tracing system in a way that protects individual privacy and can’t later be abused.
Most engineers agree that using GPS data or other cellphone location information is not only more invasive but less effective, because it isn’t precise enough to determine exact location or whether or not someone has been within 6 feet of another person who is infected. The favored means of digitally tracking social interactions is through Bluetooth technology, the same technology that allows people to connect wearable fitness trackers and wireless headphones to their cellphones.
Put simply, individuals’ phones with low-energy Bluetooth switched on would send out wireless beacons searching for other nearby devices. The two devices would exchange anonymous identifiers and keep a record of the contact. If someone is diagnosed with the virus, that information would be sent out anonymously, alerting anyone they recently came into contact with and providing them with relevant health guidelines and instructions on how to self-quarantine to prevent further spread.
Where cryptographers and security experts diverge is on where those anonymous bits of information, linked to individual cellphones, should be stored. Some argue the information should be pushed out to a central server managed by a trustworthy government or health care entity, while others insist that data remain on individual devices.
James Larus, a computer scientist and dean of the School of Computer and Communication Science at École Polytechnique Fédérale de Lausanne in Switzerland, is one of a group of technologists who strongly believe the data should live on individual cellphones to prevent compromise or misuse of a central database.
“When the debate got started in Europe about five or six weeks ago, everybody insisted that it be privacy preserving,” he told Yahoo News during a phone interview.
The key difference between approaches, he explained, is that a central database of even anonymous information about cellphone users’ Bluetooth signals would have complete information about that phone’s network and contacts. While having that information might be useful for graphing social networks, perhaps even predicting the next hot spot, it may be less privacy friendly, he said.
The group sent an open letter on April 19 urging countries to adopt a Bluetooth-enabled model without a central database to prevent “mission creep,” or what they describe as “a form of government or private sector surveillance that would catastrophically hamper trust in and acceptance of such an application” because it could be used to reconstruct movements of groups of individuals over time. “Solutions which allow reconstructing invasive information about the population should be rejected without further discussion,” wrote the authors, who are scientists and cryptographers from 27 countries, not just in Europe or the United States.
The Pan-European Privacy-Preserving Proximity Tracing team, which is working on a framework for individual governments and companies to adopt, is developing technology that would allow either a central database or a decentralized model, depending on which system is preferable for a given country. The group’s system is also designed to comply with European privacy laws, particularly the General Data Protection Regulation, or GDPR.
Finally, researchers on the Pan-European team aim to ensure that the different systems it offers will be able to communicate with each other, so that travelers between European countries will be able to take advantage of the tracking app when they cross borders.
Hans-Christian Boos, a member of the PEPP-PT project, told TechCrunch that the group wants to offer both options because of some potential disadvantages of the decentralized model. In order to function, this kind of app would have to continuously broadcast anonymous IDs of infected people to all individuals using the app rather than one central repository, giving more people access to the information. Users could match the anonymous identifiers of new infections with those they’ve recently come into contact with. “Some countries’ health legislation will absolutely forbid that,” Boos explained, arguing that health care workers want fewer people to have access to sensitive information, not more.
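The decentralized matching Boos describes above, as an added toy model that is not code from the article or from any of the projects it names: a diagnosed user publishes only the secret seeds behind their own identifiers, and every phone recomputes those identifiers locally and compares them with what it heard. Deriving rotating identifiers from a per-day seed with SHA-256, and the phone names and slot counts, are assumptions of this example, not details the article gives.

```python
import hashlib
import secrets

SLOTS_PER_DAY = 4  # constructed: how many times a day a phone rotates its identifier


def ephemeral_ids(seed: bytes, day: int) -> list[bytes]:
    """Derive one day's rotating identifiers from a secret daily seed (assumed scheme)."""
    return [
        hashlib.sha256(seed + day.to_bytes(2, "big") + slot.to_bytes(1, "big")).digest()[:16]
        for slot in range(SLOTS_PER_DAY)
    ]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.seeds: dict[int, bytes] = {}   # day -> seed; stays on the device unless diagnosed
        self.observed: set[bytes] = set()  # identifiers heard from nearby phones

    def beacon(self, day: int, slot: int) -> bytes:
        """Identifier this phone broadcasts in the given slot; seed is created on first use."""
        seed = self.seeds.setdefault(day, secrets.token_bytes(16))
        return ephemeral_ids(seed, day)[slot]

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)

    def report_diagnosis(self) -> list[tuple[int, bytes]]:
        # Only the daily seeds are published; the server never learns who met whom.
        return sorted(self.seeds.items())

    def exposure_count(self, published: list[tuple[int, bytes]]) -> int:
        # Each phone expands the published seeds and matches against its own local log.
        return sum(len(set(ephemeral_ids(seed, day)) & self.observed) for day, seed in published)


def simulate() -> dict[str, int]:
    """Constructed scenario: Alice meets Bob twice on day 1, Carol meets nobody, Bob is diagnosed."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for slot in (0, 2):  # two contacts on day 1, in different identifier slots
        alice.hear(bob.beacon(1, slot))
        bob.hear(alice.beacon(1, slot))
    carol.beacon(1, 0)  # Carol broadcasts but is out of range of everyone
    published = bob.report_diagnosis()
    return {p.name: p.exposure_count(published) for p in (alice, bob, carol)}
```

Note what the published list contains: seeds, not contact records, which is the property the decentralized camp is arguing for; the cost Boos points to is that every app instance receives that list.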
For example, the French government is interested in pursuing the centralized model. Its app, called “Stop COVID,” would ideally push contact tracing information continuously to a central repository managed by the country’s health organizations. However, Apple’s technology, which prevents Bluetooth information from leaving the device while it’s locked, is creating a hurdle.
Singapore’s version of the Bluetooth contact tracing application, called TraceTogether, did not function on iPhones unless the devices were perpetually unlocked, allowing the app to send information about the specific user to a central location. That may have been one reason that the application was not downloaded at the rate necessary to be more effective, according to most researchers.
No model is necessarily perfect for privacy.
The DP-3T Project, the group of scientists behind the decentralized model, acknowledged that any contact tracing app is vulnerable to certain kinds of attacks. On Tuesday, it published an updated paper with extensive details on potential technical attacks on its style of tracing technology.
“These are the games cryptographers play, thinking about this malicious adversary with all sorts of powers, what would they do,” Larus told Yahoo News. “These attacks are inherent in the system but they’re not a reason not to do this.”
Larus argued that the decentralized model is one of the best options governments have for protecting privacy while enacting a surveillance regime to stop the spread of the disease.
Additionally, researchers are pushing governments and developers from all sides to create transparent, open-source solutions that can be analyzed by the broader community. In Norway, the government at first refused to provide the code for its contact tracing app, arguing that releasing it would be a “security risk,” according to a developer named Glenn Henriksen, who posted on Twitter. However, once the app was released, it took researchers less than a week to reverse engineer it and find security flaws.
Ultimately, the debate in Europe over which model of Bluetooth tracing app will win out might be settled by the companies in charge of the world’s most heavily used mobile operating systems: Google and Apple. France has so far been unable to convince Apple to allow Bluetooth to send information about the phone while it’s locked, and, given the company’s history of fighting governments to protect its users’ privacy, that is unlikely to change.
In early April, Google and Apple announced a joint effort using “Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.” The API, or application programming interface, as well as the Bluetooth technology updates required to conduct the tracing, will be released in May, according to the companies.
Based upon documentation released by the companies, the decentralized model appears to be the favored route for Silicon Valley.
If governments and app developers want their solutions to work for the largest number of users, explained Larus, they may need to follow Google and Apple’s lead, though he said it’s likely every country will have its own solution. “I think that in the end if Apple holds to this line, which I think they will, that pretty well settles the debate,” said Larus.
In Europe, being forced to toe the line of big American companies might not be the favored outcome. “Here we have two powerful global corporations laying down the law to territorial sovereigns,” wrote John Naughton, an Irish academic in an op-ed published in the Guardian.
Depending on how long the crisis continues, there may be additional technical options to reach a portion of the world’s population that might be less dependent on cellphones.
In Italy, a tech startup called Bending Spoons is considering developing a Bluetooth-enabled bracelet that could send the same beacons a cellphone uses in order to determine contact with infected people. For the elderly or people without Bluetooth-enabled phones, currently tens of millions of people, these types of small devices might help increase participation and help slow down additional outbreaks.
But for now, utilizing a preexisting network of people with cellphones is probably the best option to get the highest number of people back to work. Once the architecture is in place, the hard work of convincing people to download whichever app their country favors begins — a daunting task, as Singapore has already seen.
Johannes Abeler, an economist and associate professor at Oxford University, told Yahoo News that from a behavioral perspective, “the most important thing is that the app works from an epidemiological standpoint” and that enough people are convinced to participate.
Abeler and several colleagues conducted a survey of support for the application in the U.S., the U.K., Germany, Italy and France, and found that respondents, regardless of age and race, were likeliest to say they would install the app based on their trust in government.
Abeler said that anything that increases trust — whether increased privacy measures, easy installation, government control or leadership from the technology companies — would be important in stopping the spread of the disease. “Privacy is important but it’s not the only thing,” he said.