Several countries — and now individual US states — are planning or have rolled out their smartphone-based contact tracing apps. These apps are designed so that local health agencies can figure out who was near someone who was infected, in the hopes of gaining insight into the spread of infections. Let’s talk about what you need to know about these apps, and how to decide your own security strategy.
Several countries are planning or have rolled out smartphone-based contact tracing apps. What does this mean for our privacy?
There are several complicating factors:
First, how is this tracking data collected and who has access to it? How long does the agency keep the location data, for example? Limiting privacy invasions takes real design work: most apps, for example, store the collected data only on the user’s phone. The ACLU is worried that this data isn’t all that accurate, and has raised other privacy issues in this paper. While the apps make use of various encryption protocols and layers, some are better than others. The goal is to anonymize the user data and keep attackers out. Of course, no system is 100% fail-safe, as the recent news of a hack on one of the prospective Dutch tracing apps, which was released prematurely, shows.
Second, all the tracking data in the world is useless without enough actual patient testing and follow-up contact tracing. Many countries, the US among them, haven’t been able to test as many people as needed to find out who is infected and who isn’t. This paper from Harvard goes into the details of how many tests will be needed for tracing to be effective: it turns out we need to be testing millions of people per day to really track down the spread of the disease. And even after clearing this hurdle, a health agency needs the staff to follow up and trace these contacts to determine which communities are at risk.
A third weakness of these apps is accuracy. Apps that rely on GPS location can’t place a user precisely: how many of us have been directed down some odd street by a misbehaving GPS app? The Bluetooth-based designs (the Apple/Google framework, DP-3T and BlueTrace, described below) don’t record location at all and instead log which phones were within radio range, but signal strength is only a rough proxy for distance, and walls, pockets and bags all distort it. Making either kind of app more accurate means cross-checking with other data, such as each user’s common locations or, for location-based apps, Bluetooth scans of nearby users. For example, Taiwan has each user call the health department and cross-check their own location history against a central repository, and request a test if there was an intersection.
Finally, just because there is a smartphone app doesn’t mean that everyone will use it. Some countries, such as China, require everyone entering the country to install the app and link their phone to their passport information. Others have been less successful: in Singapore, only a small fraction of the population is running the app. A lot depends on the culture, the type of government and the trust in what the government is saying about the virus. None of this has anything to do with the underlying technology itself.
This page on Wikipedia lists more than a dozen countries where apps have been deployed. India has multiple app deployments from various state agencies. There are also apps available in China, Israel, Norway, Ghana, the Czech Republic and Australia.
But the situation is rapidly evolving. What helps (or hurts, depending on your point of view) is that there are four different development efforts underway, taking either open- or closed-source approaches:
- The most well-known is a joint project from Google/Alphabet and Apple that is more a framework than an actual app: it lets apps exchange rotating Bluetooth identifiers and match them on the phone rather than on a server. Vaughan-Nichols explains the actual mechanics and The Verge answers some of the questions about this effort. The UK is poised to test an app based on this framework sometime soon. Both vendors have stated that these protocols will be incorporated into releases of Android and iOS later this summer.
- An open-source EU-based effort called DP-3T has developed an Apache/Python reference implementation, available here on Github, along with sample apps for Android and iOS.
- A second EU-based effort, the closed-source PEPP-PT, has gotten support from 130 organizations in eight different countries. No current apps are yet available to my knowledge from either EU effort.
- Finally, there is BlueTrace/OpenTrace, open-source code developed by Singapore as part of its tracing app, TraceTogether. It launched in late March and is the basis of a new Australian app. Singapore takes the information and stores it in a central repository, which is also what the PEPP-PT design does.
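To make the centralized-versus-decentralized distinction in the list above concrete, here is an added, simplified model of the decentralized Bluetooth design that DP-3T and the Apple/Google framework share. It is written for this post and is not code from either project; the key size, the one-identifier-per-epoch schedule, the exposure threshold and the three-phone scenario are all assumptions chosen for illustration, and the real protocols use different key schedules, identifier lengths and Bluetooth details. What it shows is the privacy property the page describes: a phone only ever uploads its own daily keys, and only after a positive test, while matching happens locally, so the server never learns who was near whom.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumption for this toy model, not a value from any real protocol:
EXPOSURE_THRESHOLD = 3      # matches needed before a phone calls it an exposure


def new_daily_key() -> bytes:
    """A random per-day secret; it never leaves the phone unless the user tests positive."""
    return secrets.token_bytes(16)


def ephemeral_id(day_key: bytes, epoch: int) -> bytes:
    """Identifier broadcast over Bluetooth during one epoch (e.g. a 10-minute slot).

    Derived with a keyed hash, so a passive listener who only sees the broadcasts
    cannot tell that two identifiers came from the same phone.
    """
    return hmac.new(day_key, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}                   # day -> daily key (stays local)
        self.seen = defaultdict(set)     # day -> {(identifier, epoch)} heard nearby

    def broadcast(self, day: int, epoch: int) -> bytes:
        key = self.keys.setdefault(day, new_daily_key())
        return ephemeral_id(key, epoch)

    def observe(self, day: int, epoch: int, identifier: bytes) -> None:
        """Record an identifier heard over Bluetooth together with when it was heard."""
        self.seen[day].add((identifier, epoch))

    def report_positive(self, days):
        """What a diagnosed user uploads: daily keys only, no contact list, no location.

        Known trade-off of this design: once a key is published, anyone who logged
        that day's identifiers can re-link them to one (still unnamed) phone.
        """
        return [(day, self.keys[day]) for day in days if day in self.keys]

    def check_exposure(self, published):
        """Match published keys against local observations; the server learns nothing."""
        hits = 0
        for day, key in published:
            for identifier, epoch in self.seen.get(day, ()):
                if hmac.compare_digest(identifier, ephemeral_id(key, epoch)):
                    hits += 1
        return hits >= EXPOSURE_THRESHOLD, hits


def simulate():
    """Constructed scenario: Bob sits near Alice for five epochs, Carol passes her once."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 0
    for epoch in range(5):
        bob.observe(day, epoch, alice.broadcast(day, epoch))
        alice.observe(day, epoch, bob.broadcast(day, epoch))
    carol.observe(day, 20, alice.broadcast(day, 20))

    # Alice tests positive and uploads her daily key; the server merely republishes it.
    published = alice.report_positive([day])

    return {
        "published_keys": len(published),           # 1
        "bob": bob.check_exposure(published),        # (True, 5)
        "carol": carol.check_exposure(published),    # (False, 1)
    }


if __name__ == "__main__":
    print(simulate())
```

The contrast with the centralized BlueTrace and PEPP-PT designs is where the matching runs: there, phones upload the identifiers they heard and the health authority resolves them against its own records, which gives the agency a contact graph but also a single store worth attacking. Note that in this model the only thing an attacker can learn from the published keys is that some unnamed phone was diagnosed; naming that phone still requires having been nearby and logging its broadcasts.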
What should you do? First, if your locale has an app, understand what it does and how it can be compromised. Check the permissions when you install any tracing app and, from those, know what is being collected about your phone’s movements and usage.
Second, is the app really “privacy-enhancing” as its developers claim? One reason South Korea has been successful is that it doesn’t keep any private identity-related data and just posts confirmed patients’ location histories. However, a lot can still be learned from those histories; a better solution would be to publish no location data at all and instead have a way to “jog memories to help people retrace their movements,” as the ACLU suggests.
Finally, for those of us who have a choice and value privacy over the public-health benefit, don’t install any of these apps. When the phone operating systems update over the summer, remember to turn off the “contact tracing” setting.