Caution and Criticism: Contact Tracing through Mobile Apps
Jul 9, 2020 by BBB National Programs
Across the world, new apps are being created to facilitate contact tracing through mobile devices. The hope is that through these technologies, governments across the globe avoid future lockdowns and moderate social distancing orders. Though governments and corporations have marshalled impressive resources to develop these strategies, contact tracing powered by smartphones comes with inevitable challenges, regardless of the technologies used and the categories of contact data generated.
Availability of testing.
The goal of a contact tracing app is to inform individuals that they have had a close interaction with someone who has tested positive for coronavirus. Because coronavirus may be spread by individuals with mild or no symptoms of infection, widespread testing must be available for contact tracing to work. That way, even asymptomatic carriers can know whether they have the virus and log this information with the appropriate app.
“One of the most important assumptions, really important assumptions, is that if you’re the source case you’ve bothered to go and get tested,” said Mary-Louise McLaws, Professor of Epidemiology, Hospital Infections and Infectious Diseases control at the University of New South Wales, Sydney. “This app must be paired with a community responsibility and a bit of guilt.”
At this time, testing capacity in the United States remains somewhat limited and many of the existing tests are known for false positives and false negatives.
A sufficient user base.
Even if testing is available, a critical mass of users must be willing to download, install, and use a contact tracing app for the technology to be successful. Many individuals might be unwilling or unable to use this technology, especially individuals who are less tech-literate. Elderly individuals who are both more vulnerable to the virus and less likely to own smartphones might refrain from downloading or using a contact tracing app.
Technology adoption and use.
A system that relies on voluntary adoption of the tech, as opposed to a government-mandated adoption, might prevent a enough individuals from using the technology. In contrast, a system that is government-mandated and strictly enforced could generate a backlash from the public, in the same manner the promotion of masks and lockdown orders in the United States has created a backlash.
In the same way that users ignore notices for software updates, emails about suspicious banking behavior, and banners and icons about privacy choices, users might ignore advice from a contact tracing app to self-quarantine or change their behavior. Further, individuals using a contact tracing app may feel a false sense of security and fail to take necessary steps to sanitize and self-quarantine.
“Most Australians understand about sunscreen – we’re obsessed with sunscreen – we were told if you put this app on your phone it’ll be like sunscreen. And it’ll protect you,” said Ms. McLaws. “[The app] will only work if you get tested, and early. It won’t work if you don’t bother getting testing. So that’s another assumption that you’ll work it out that you need testing.”
Fragmented contact tracing efforts.
If state or local public health authorities do not coordinate with one another effectively about the spread of the virus, the contact tracing efforts might be frustrated. This issue is compounded with decentralized apps, which by design share little to no data with third-party public health authorities. On an international scale, a fragmented approach to contact tracing might prevent neighboring countries from effectively coordinating to stop the virus. A successful approach to contact tracing where there are multiple apps may therefore require some level of cross-border interoperability.
Compatibility issues regarding Bluetooth.
As discussed in our last article, the Google and Apple exposure notification API and many other contact tracing apps depend on use of Bluetooth LE. Many older handsets do not have the Bluetooth LE chip that would be necessary for such a contact tracing app to function.
Bluetooth challenges with the iPhone.
On Apple’s mobile operating system, iOS, Bluetooth does not run in the background while the device is locked. While the Google and Apple exposure notification API can alter this default for iOS, health authorities that decline to adopt the Google and Apple decentralized approach are faced with this problem on the iPhone versions of their apps.
Currently, contact tracing apps for iPhones in Australia, France, and Britain are not sending the necessary Bluetooth signals when a user’s iPhone is locked. To date Apple refuses to make any changes to its operating system absent adoption of the exposure notification API, which has put pressure on many governments to adopt Google and Apple’s model.
Bluetooth’s relative accuracy.
Due to Bluetooth’s inherent limitations, solutions relying on it may yield false positives or negatives. For instance, if John and Jane are on opposites sides of a thin apartment wall, and John has logged that he is positive for coronavirus, Jane could receive a false notification of contact. Similarly, if a user accidentally toggles their Bluetooth radio off or leaves their phone at home during a sundries run, correlation of Bluetooth IDs will be impossible even where viral exposure may have occurred.
Signals in a high-density locality.
In high-density locations, such as New York City, where a person might encounter many other individuals throughout their day, contact tracing may be less effective. Constant Bluetooth encounters could render such a notification system pointless. For example, if Jane lives in New York City and receives dozens of notifications each day that she has had contact with a coronavirus patient, she might be disinclined to change her behavior.
Bluetooth vs. location data.
Google, Apple, and many governments have opted to develop Bluetooth-based contact tracing technology, declining to utilize more precise location technologies such as GPS for their apps. Although this choice may increase personal privacy, it might also lead to less effective outcomes for tracing the spread of the virus. In the alternative, sharing users’ precise location data with a centralized public health authority has clear risks to user privacy. Public health authorities and corporations seeking to help during this pandemic must analyze and carefully consider the tradeoffs involved.
With contact tracing apps that rely on the use of location data, there is some risk of reidentification if location data is paired with other data points. For example, a security researcher recently found flaws in India’s Aarogya Setu contact tracing app that allowed him to identify individuals suffering from coronavirus within a certain geographic radius. These risks also exist with apps and operating systems that only use Bluetooth for contact tracing. Even if security measures are put in place to stop reidentification of users as a technical matter, a savvy user might be able to use a combination of her memory and an app’s notification to identify which person in her social network is positive for the virus, raising privacy concerns.
Setting precedent for future challenges.
The use of contact tracing apps, the storage of contact data with third-party corporations and health authorities, and the deployment of other means of data collection alongside these apps raise questions about the future of user privacy once coronavirus has subsided.
A Question of Success
At the end of May 2020, Google and Apple launched their joint exposure notification API, and across the world many contact tracing apps are becoming available for download. While these technologies are promising, whether these apps will be successful at slowing the spread of coronavirus remains to be seen.