Several thousand Swiss citizens – mostly members of academia, the Swiss Army, and hospital staff – just began what may be the most important trial of a mobile app in human history.
On Monday, May 25, SwissCovid became the first official application built on Apple and Google's exposure notification APIs to be deployed in a large pilot project. Like the other mobile contact tracing apps released around the world so far, its purpose is to notify a user who has been in significant contact with at least one other person who has since tested positive for COVID-19, so that the notified person can take precautions to limit onward transmission of the virus.
But there is one important distinction between SwissCovid and all other contact tracing apps released to date: it uses a decentralized architecture known as Decentralized Privacy-Preserving Proximity Tracing (DP3T), in which each phone matches the identifiers it has heard against the published keys of confirmed cases locally, rather than reporting its contacts to a central server. The record of who met whom never leaves the device.
“We reached out to Apple and Google early and initiated discussions regarding a joint API and are, even now, heavily involved in shaping the discussions around the API based on our experiments and measurements,” said Mathias Payer, a professor at the EPFL School of Computer and Communication Sciences. “DP3T focuses on a single aspect: decentralized privacy preserving proximity tracing. Any additional functionality, if desired by a country, could be offered through other apps or measurements. DP3T is a privacy-preserving approach towards a single goal and we avoid feature creep by design.”
This process diagram highlights the key differences between a centralized and a decentralized approach to contact tracing with mobile apps. (Info-Tech)
So far, contact tracing apps released in different jurisdictions have been mostly ineffective, and their centralized design has been a major factor. In the centralized approach, every contact made between users is logged on a central server, where newly infected cases can be cross-referenced. That opens the door to a new government surveillance mechanism with the potential to reveal an individual's movements and associations. It also doesn't work well for iPhone users: because iOS restricts Bluetooth advertising and scanning by apps running in the background, an app that doesn't use Apple's released API can only log contacts reliably while it is open in the foreground.
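To make the distinction concrete, here is a small Python model of the decentralized flow described above. It was written for this article as an added illustration and is not code from the SwissCovid project or the DP3T reference implementation. The key schedule (a SHA-256 hash chain of daily keys, an HMAC-based expansion into 16-byte identifiers, 96 epochs per day, a 14-day retention window) is a simplification chosen for the example, not the published specification. What it shows is the property the paragraphs above turn on: the only thing a confirmed case uploads is its own keys, and matching against those keys happens on each phone, so the server holds no record of who met whom.

```python
"""Decentralized exposure matching, simplified after the DP3T / Apple-Google design.

Each phone keeps a chain of daily keys, derives short-lived broadcast identifiers
from them, and remembers the identifiers it hears. A confirmed case publishes only
its own daily keys; every other phone re-derives the corresponding identifiers and
matches locally. The server never sees who met whom.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

EPHID_LEN = 16        # bytes per ephemeral ID (assumed; not taken from the DP3T spec)
EPOCHS_PER_DAY = 96   # one identifier per 15-minute epoch
DAYS_KEPT = 14        # on-device retention window for keys and observations


def next_day_key(key: bytes) -> bytes:
    """Hash chain: publishing day d's key exposes days d, d+1, ... but nothing earlier."""
    return hashlib.sha256(key).digest()


def derive_ephids(day_key: bytes, day: int) -> List[bytes]:
    """Expand one daily key into that day's ephemeral IDs with an HMAC-based PRF."""
    prk = hmac.new(day_key, b"broadcast-key", hashlib.sha256).digest()
    return [
        hmac.new(prk, day.to_bytes(4, "big") + epoch.to_bytes(2, "big"),
                 hashlib.sha256).digest()[:EPHID_LEN]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.day_keys: Dict[int, bytes] = {0: secrets.token_bytes(32)}
        self.observed: Dict[bytes, int] = {}   # heard ephemeral ID -> day it was heard

    def key_for(self, day: int) -> bytes:
        while max(self.day_keys) < day:       # extend the chain forward as days pass
            last = max(self.day_keys)
            self.day_keys[last + 1] = next_day_key(self.day_keys[last])
        return self.day_keys[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return derive_ephids(self.key_for(day), day)[epoch]

    def hear(self, ephid: bytes, day: int) -> None:
        self.observed[ephid] = day

    def forget_old(self, today: int) -> None:
        """Data older than the retention window is deleted on the phone itself."""
        self.observed = {e: d for e, d in self.observed.items() if today - d < DAYS_KEPT}
        self.day_keys = {d: k for d, k in self.day_keys.items() if today - d < DAYS_KEPT}

    def upload_after_positive_test(self, first_infectious_day: int) -> Tuple[int, bytes]:
        """The only thing that leaves the phone: the patient's own key for the first
        infectious day. No list of contacts is ever transmitted."""
        return first_infectious_day, self.key_for(first_infectious_day)

    def check_exposure(self, bulletin: List[Tuple[int, bytes]], today: int) -> Set[int]:
        """Re-derive every published case's IDs and intersect with what this phone heard."""
        exposed_days: Set[int] = set()
        for start_day, key in bulletin:
            for day in range(start_day, today + 1):
                if any(e in self.observed for e in derive_ephids(key, day)):
                    exposed_days.add(day)
                key = next_day_key(key)
        return exposed_days


def simulate() -> Dict[str, Set[int]]:
    """Constructed scenario: Alice and Bob meet on day 3; Carol never meets either."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(alice.broadcast(3, 40), 3)
    alice.hear(bob.broadcast(3, 40), 3)
    # Day 5: Alice tests positive and publishes her key from day 2 onward.
    bulletin = [alice.upload_after_positive_test(2)]
    for phone in (bob, carol):
        phone.forget_old(5)
    return {p.name: p.check_exposure(bulletin, today=5) for p in (bob, carol)}


if __name__ == "__main__":
    print(simulate())   # Bob is told about day 3; Carol matches nothing
```

Note what the bulletin server in this model can and cannot do: it can regenerate Alice's identifiers from her published key, but it has no way of knowing that Bob's phone heard one of them, because Bob's observations and the match result stay on Bob's phone. A centralized design inverts this by having phones upload the identifiers they heard, which is exactly the contact graph the paragraph above warns about.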
The next phase of contact tracing mobile apps, also referred to as exposure notification apps, has the potential to achieve a goal that most developers would never think possible. The app could save lives by limiting COVID-19's spread and help reopen economies that have been throttled by strict lockdown measures. Researchers at Oxford University estimate that the epidemic could be stopped if 60% of the population adopts such an app, but even if adoption falls short of that, every two users of the app could prevent one additional infection.
Bridging the trust deficit
Achieving an adoption level of 60% would be a stunning achievement. Consider that even the Facebook app, the most popular mobile app in the US that must be downloaded to a smartphone, has reached only 68.6% adoption after years of availability. But a decentralized approach should help encourage adoption, since it doesn't ask users to put their trust in any single institution.
In our Tech Trend 2020 report at Info-Tech Research Group, we examined the idea of distributed trust. The modern era was defined by a trust system that is no longer working. Large institutions, namely governments and banks, acted as trusted third parties that could facilitate transactions between strangers. But in 2020, trust in those institutions is diminished. Whether that decline is justified can be debated; its effects cannot. Requiring people to put too much trust in a third party now causes friction in transactional systems. In the report released earlier this year, we examined blockchain as the first example of a commercial-grade solution for distributed trust. Now a peer-to-peer system that facilitates contact tracing stands to become another example.
“No stone has been left unturned in protecting privacy,” said Ann Cavoukian, executive director of the Global Privacy & Security by Design Centre at Ryerson University. Cavoukian is also in discussion with Apple in regard to its contact tracing framework. “There is no way to identify the user.”
Cavoukian takes issue with discussion about trading off privacy rights for improved methods to prevent the spread of COVID-19. That’s a zero-sum mindset that assumes there is a trade-off between privacy and public health, she says. “It’s nonsense, it’s so yesterday. We can have both privacy and public health. We can do this.”
At least one survey indicates that the design of a contact tracing mobile app will make a difference in how many people adopt it. A Henry J. Kaiser Family Foundation survey found that 50% of Americans are willing to download a decentralized app that only alerts them directly if they have come into contact with someone who has COVID-19. Slightly fewer, 45%, would be willing to do so if the app also provided that information to public health officials.
Based on other survey data, it appears Americans would also be most likely to trust an app:
- That is issued by their local jurisdiction health authority (rather than a tech company).
- Does not use location data as a factor.
- Enables a return to more normal activities.
- Has high security.
Why the centralized versions haven’t been a success
Australia was early to launch a COVID-19 contact tracing app in the western world, and at first it looked like its centralized design would be well adopted. On April 28, just 24 hours after its launch, two million Australians had downloaded the app, COVIDSafe. By May 6, it passed five million downloads and registrations – halfway to its goal of 40% of its population. But the progress has stalled there and by May 23, was hovering around six million registered users.
Built by the Digital Transformation Agency with a centralized design, the iPhone version wasn't effective. It wouldn't log “Bluetooth handshakes” with other devices unless the app was open in the foreground with the screen on, making it impractical for most users. A recent update was intended to address this issue, but fully resolving it would require redesigning the app around the Apple and Google APIs. Only one case has been reported of a contact being identified through data generated by the app, The Guardian reports.
A centralized design also hindered success for Singapore’s TraceTogether app, which was one of the first of such apps to grab headlines about contact tracing. The app saw about 1.4 million users as of May 18, about one-quarter of the population, according to the South China Morning Post, far short of the goal of 75%. A survey reveals the main motivation for those that were aware of the app but didn’t download it is they did not want the government to trace their movements.
In Canada, Alberta released AB Trace Together, another centralized scheme. The province has seen 11% of residents adopt the app after news headlines about its release focused on the fact it did not work well with iPhones and the fact it was under review by the Alberta Office of the Information and Privacy Commissioner.
Another centralized app is being trialed on the UK’s Isle of Wight, but the government has already committed to produce another decentralized app that will focus on augmenting manual contact tracing efforts. The series of poor performances has groups like the Electronic Frontier Foundation calling for governments to only approve decentralized versions of the app going forward.
That being said, the decentralized apps also have their own weaknesses.
What could go wrong?
A previously known attack method, Bluetooth sniffing, could track users of a contact tracing app. A GitHub project by Otto Seiskari, chief technology officer of Helsinki-based IndoorAtlas, demonstrates how such an attack would work. In his simulation, 400 Bluetooth sniffing devices are deployed over an area of 1,500 square meters and the movement of 300 people is simulated. Movement paths and hot spots are revealed, showing that a network of passive listeners could reconstruct an individual's movements. In some cases an individual can be followed persistently even though the broadcast identifiers rotate every 15 minutes, because device-specific quirks in how the Bluetooth address is generated act as a fingerprint that links one identifier to the next. This problem is particularly acute on older Android phones.
A hypothetical Bluetooth sniffing network demonstrates how Bluetooth ID broadcasting could be turned into a location tracking mechanism. (Source: Seiskari, GitHub)
Setting up a network of Bluetooth sniffing devices might seem far-fetched, but Seiskari points out that it could most easily be accomplished by compromising ordinary mobile phones so that they listen for the broadcasts and upload the captured IDs to a server. The demonstration is meant to show that broadcasting Bluetooth IDs isn't automatically better for privacy than relying on GPS. The risk is reduced if apps rotate the broadcast identifier and the underlying Bluetooth address together, so that no stable value survives a rotation to link the old identifier with the new one.
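The linking problem described above, as an added Python simulation written for this article (it is not Seiskari's GitHub project): one person walks for an hour through a sniffer network dense enough to hear every advertisement, and the attacker joins any two captures that share either a Bluetooth address or a payload identifier. The rotation schedules are assumptions for the example; no particular phone model is being described.

```python
"""Linking rotating proximity identifiers through an out-of-step Bluetooth address.

A passive sniffer network records (minute, Bluetooth address, ephemeral ID) for every
advertisement it hears. If the address and the ID do not rotate at the same instant,
whichever value stays constant across a rotation links the old ID to the new one, and
the attacker stitches the whole walk back into one track.
"""
import secrets
from typing import Dict, List, NamedTuple, Tuple


class Advertisement(NamedTuple):
    minute: int
    mac: str     # Bluetooth advertising address as seen on the air
    ephid: str   # rotating contact-tracing identifier in the payload


class Device:
    """Assumed phone behaviour for the example: the ID and the address each rotate on
    their own fixed schedule; nothing here is taken from a specific phone model."""

    def __init__(self, ephid_period: int, mac_period: int) -> None:
        self.ephid_period = ephid_period
        self.mac_period = mac_period
        self._ephids: Dict[int, str] = {}
        self._macs: Dict[int, str] = {}

    @staticmethod
    def _slot_value(table: Dict[int, str], period: int, minute: int) -> str:
        slot = minute // period
        if slot not in table:
            table[slot] = secrets.token_hex(6)   # fresh random value per rotation slot
        return table[slot]

    def advertise(self, minute: int) -> Advertisement:
        return Advertisement(
            minute,
            self._slot_value(self._macs, self.mac_period, minute),
            self._slot_value(self._ephids, self.ephid_period, minute),
        )


def link_tracks(captures: List[Advertisement]) -> List[List[int]]:
    """Attacker side: union-find over captures, joining any two that share a MAC
    or an ephemeral ID. Returns the minutes covered by each recovered track."""
    parent = list(range(len(captures)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen: Dict[Tuple[str, str], int] = {}
    for idx, adv in enumerate(captures):
        for key in (("mac", adv.mac), ("ephid", adv.ephid)):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    tracks: Dict[int, List[int]] = {}
    for idx, adv in enumerate(captures):
        tracks.setdefault(find(idx), []).append(adv.minute)
    return sorted(tracks.values())


def track_lengths(ephid_period: int, mac_period: int, minutes: int = 60) -> List[int]:
    """Constructed capture: one person walks for `minutes` minutes through a sniffer
    network dense enough to hear every advertisement once per minute."""
    dev = Device(ephid_period, mac_period)
    captures = [dev.advertise(m) for m in range(minutes)]
    return [len(t) for t in link_tracks(captures)]


if __name__ == "__main__":
    print("rotate together  :", track_lengths(15, 15))   # four unlinkable 15-minute pieces
    print("MAC held for 1 h :", track_lengths(15, 60))   # one 60-minute track
    print("MAC every 20 min :", track_lengths(15, 20))   # still one track: schedules overlap
```

The third case is the one worth remembering: an address that does rotate, just not on the identifier's schedule, is as good as a permanent one, because every rotation boundary is bridged by whichever value did not change. Only simultaneous rotation breaks every link, and even then a real sniffer network with timestamps and positions can still try to rejoin pieces by spatial continuity, which this example deliberately does not model.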
Another downside of the Bluetooth-based method of contact tracing is that it is prone to false positives. Since your device won’t know when physical walls separate you from others, users of such apps that live in high-density areas will likely receive contact warnings when their neighbors get sick. But it’s entirely possible that you’d never really be in a risky scenario with that neighbor. This factor is making some public health officials hesitant to recommend contact tracing apps.
Another reason they aren’t rushing to advocate for such apps is that it won’t help them collect more data to understand and combat COVID-19. The decentralized nature of apps based on Apple & Google’s APIs is designed to prevent health authorities from harvesting data. But that also means that jurisdictions that want more information about infection hot spots, or to see how well their population is following physical distancing measures, will require another solution.
Other technologists believe that the best of both worlds is possible and that new privacy-enhancing technologies could enable a decentralized contact tracing system that also provides health authorities with effective ways to collaborate on the data.
The best of both worlds
Homomorphic encryption is one possibility. The technique allows computation to be carried out on encrypted data, so a service provider can process the data without ever decrypting it and the data owner never has to reveal its contents. It has been hailed by privacy experts in the past, and researchers who pioneered the technique went on to co-found a startup called Duality. In a webinar presented by the International Telecommunication Union, Duality's SecurePlus Query capability is suggested as a way contact tracing solutions could share sensitive information without compromising the privacy of unexposed individuals.
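As an added illustration of the homomorphic property the paragraph relies on (this is not Duality's product or a real deployment), the Python below uses textbook Paillier encryption, which supports addition of encrypted values and multiplication by a public constant. The toy primes, the district names and the exposure flags are constructed for the example. The caveat a practitioner would note: whoever holds the private key can decrypt individual reports too, so the key holder must only ever see the aggregated ciphertext, which is why the aggregator and the health authority are separate parties here; a production design would typically split the decryption key (threshold decryption) for the same reason.

```python
"""Aggregate exposure counts over encrypted reports with textbook Paillier encryption.

Users encrypt a 0/1 exposure flag under the health authority's public key. An
untrusted aggregator adds the ciphertexts per district without being able to read
any of them; the authority decrypts only the per-district totals.
"""
import secrets
from math import gcd
from typing import Dict, List, Tuple

# Toy primes so the example runs instantly. Real deployments use primes of
# 1024 bits or more; the arithmetic below is otherwise the standard scheme.
P, Q = 1_000_003, 1_000_033

PublicKey = Tuple[int, int]    # (n, n^2)
PrivateKey = Tuple[int, int]   # (lambda, mu)


def keygen(p: int = P, q: int = Q) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # valid for generator g = n + 1
    return (n, n * n), (lam, mu)


def encrypt(pub: PublicKey, m: int) -> int:
    n, n2 = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:                 # astronomically rare for real key sizes
        r = secrets.randbelow(n - 1) + 1
    # g^m with g = n + 1 equals (1 + m*n) mod n^2, so no big exponentiation is needed
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(pub: PublicKey, priv: PrivateKey, c: int) -> int:
    n, n2 = pub
    lam, mu = priv
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add(pub: PublicKey, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 is an encryption of a + b."""
    return c1 * c2 % pub[1]


def scale(pub: PublicKey, c: int, k: int) -> int:
    """E(a)^k mod n^2 is an encryption of k * a (weighting by a public constant)."""
    return pow(c, k, pub[1])


def aggregate_by_district(pub: PublicKey, reports: List[Tuple[str, int]]) -> Dict[str, int]:
    """Aggregator: sums ciphertexts per district. It holds no key and learns nothing
    about any individual report."""
    totals: Dict[str, int] = {}
    for district, ct in reports:
        totals[district] = add(pub, totals[district], ct) if district in totals else ct
    return totals


def demo() -> Dict[str, int]:
    pub, priv = keygen()
    # Constructed input: (district, exposure flag) as each user's app would report it.
    users = [("north", 1), ("north", 0), ("north", 1),
             ("south", 0), ("south", 0), ("south", 1), ("south", 1), ("south", 1)]
    reports = [(d, encrypt(pub, flag)) for d, flag in users]   # encrypted on the phone
    totals = aggregate_by_district(pub, reports)                # untrusted aggregator
    return {d: decrypt(pub, priv, ct) for d, ct in totals.items()}   # authority


if __name__ == "__main__":
    print(demo())   # {'north': 2, 'south': 3}
```

Paillier is additively homomorphic only: the aggregator can sum and weight reports but cannot, for instance, multiply two encrypted values together. That is enough for the hot-spot counts the article mentions, while richer analytics would need a fully homomorphic scheme or a different protocol.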
Another option could be to use a data fabric as an intermediary. Cinchy is a Toronto-based startup that’s held discussions with the Ontario government about using its platform to facilitate collaboration between a contact tracing app and healthcare authorities. In an interview, Cinchy CEO Dan Demers explains that the platform allows for collaboration on data without the need to create copies of it. This ensures the owner of the data is in control of how it’s used and can choose to retract it. The data fabric could provide healthcare teams with a command center dashboard based on data shared by mobile app users that opt in.
Apple and Google pushed out updates to their mobile operating systems on May 20 to make their contact tracing APIs available. Now it’s up to public health agencies to organize the mobile apps that will integrate with those APIs and make them available on Google Play and the App Store. The tech giants are clear that the tool isn’t intended to replace other methods of fighting COVID-19. Physical distancing, effective hand washing, and conducting as many tests as possible remain paramount to preventing its spread. The mobile app option is just one more tool for public health officials that are looking for help with contact tracing.
In the upcoming weeks, Apple and Google will enter phase two of their collaboration and release another update that bakes “exposure notification” into the operating system, meaning that users won’t have to install a third-party app first before opting in.
Whether mobile phones become an effective tool against the spread of COVID-19 in the meantime rests with governments, which must release an app and promote its use, and with individuals, who must choose to install it.