Ryan Calo: Contact-Tracing Applications Pose Significant Risks

By TAP Staff Blogger

Posted on May 1, 2020


Is it possible to contain the coronavirus pandemic and allow businesses, schools, and services to reopen? Many health experts champion contact tracing as a crucial component to stop further outbreaks of COVID-19 while supporting people’s efforts to resume their daily work and activities.


In the United States, the Centers for Disease Control and Prevention (CDC) has contact tracing at the core of its “Multipronged Approach to Fight the COVID-19 Pandemic” and states, “contact tracing, a core disease control measure employed by local and state health department personnel for decades, is a key strategy for preventing further spread of COVID-19.”


In Europe, the Germans, Swiss, Estonians, and Austrians “have agreed to make their contact-tracing apps decentralised.” Britain and France are exploring a centralized approach. (“Some Countries Want Central Databases For Contact-Tracing Apps,” The Economist)


In Asia, China launched several tracing apps that used either direct geo-localization via cellphone networks or data compiled from train, airline travel, and highway checkpoints. South Korea issued mass cellphone alerts about locations visited by infected patients, and demanded that a tracking app be installed on the phone of anyone ordered into isolation. (“Contact Tracing Apps: Which Countries Are Doing What,” Yahoo! News)


Contact tracing is the process of finding and reaching out to the contacts of someone who tests positive for an infectious pathogen. Those contacts are then quarantined or monitored, and if any of them are also positive, the process is repeated with their contacts, and on and on, until the chain of transmission is halted.


According to Robert Redfield, the Director of the CDC, the containment plan for the coronavirus “relies on not only ramped-up testing but ‘very aggressive’ contact tracing of those who do test positive for the coronavirus, and a major scale-up of personnel to do the necessary work.” (“CDC Director: 'Very Aggressive' Contact Tracing Needed For U.S. To Return To Normal,” NPR’s Morning Edition)


Several technology companies are developing smartphone apps to aid in the contact-tracing efforts.


State and national governments worldwide have begun contracting with tech companies to build apps that would use Bluetooth or GPS location data to monitor when people come in contact with someone who's been identified as a COVID-19 carrier. Apple and Google are set to release an ambitious contact tracing technology for iPhone and Android users in the coming weeks. (“Big Tech's Contact Tracing Apps Won't Be a Silver Bullet to Stop COVID-19,” Business Insider)


University of Washington law professor Ryan Calo and his colleagues Ashkan Soltani (independent privacy researcher and technologist) and Carl Bergstrom (University of Washington biology professor) examined whether contact-tracing apps can be effective. They also examined the technology’s potential for privacy and discrimination violations. Drawing from their three disciplines – law, technology, and epidemiology – the scholars detailed the limits of contact-tracing technology in an article for Brookings TechStream: “Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis.”


Below are a few excerpts from “Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis”:


We are concerned by this rising enthusiasm for automated technology as a centerpiece of infection control. Between us, we hold extensive expertise in technology, law and policy, and epidemiology. We have serious doubts that voluntary, anonymous contact tracing through smartphone apps—as Apple, Google, and faculty at a number of academic institutions all propose—can free Americans of the terrible choice between staying home or risking exposure. We worry that contact-tracing apps will serve as vehicles for abuse and disinformation, while providing a false sense of security to justify reopening local and national economies well before it is safe to do so. Our recommendations are aimed at reducing the harm of a technological intervention that seems increasingly inevitable.


How Effective Would a Contact-Tracing App Be?


We and many others have pointed out a host of pitfalls for voluntary, self-reported coronavirus apps of the kind Apple, Google, and others contemplate. First, app notifications of contact with COVID-19 are likely to be simultaneously both over- and under-inclusive. Experts in several disciplines have shown why mobile phones and their sensors make for imperfect proxies for coronavirus exposure. False positives (reports of exposure when none existed) can arise easily. Individuals may be flagged as having contacted one another despite very low possibility of transmission—such as when the individuals are separated by walls porous enough for a Bluetooth signal to penetrate. Nor do the systems account for when individuals take precautions, such as the use of personal protective equipment, in their interactions with others.


Smartphone penetration in the United States remains at about 81 percent—meaning that even if we had 100 percent installation of these apps (which is extremely unlikely without mandatory policies in place), we would still only see a fraction of the total exposure events (65 percent according to Metcalfe’s Law). Furthermore, people don’t always have their phones on them. Imagine the delivery person who leaves her phone in the car. Or consider that the coronavirus can be transmitted via the surfaces on which it lingers long after a person and their phone have left the area. The people in the highest risk groups—the aging or under-resourced—are perhaps least likely to download the app while needing safety most. Others may download the app but fail to report a positive status—out of fear, because they are never tested, or because they are among the significant percentage of carriers who are asymptomatic.


Contact-tracing apps therefore cannot offer assurance that going out is safe, just because no disease has been reported in the vicinity. Ultimately, contact tracing is a public health intervention, not an individual health one. It can reduce the spread of disease through the population, but does not confer direct protection on any individual. This creates incentive problems that need careful thought: What is in it for the user who will sometimes be instructed to miss work and avoid socializing, but does not derive immediate benefits from the system?


Privacy Vulnerabilities and Malicious Uses


Some of the contact-tracing frameworks have been designed with security and privacy in mind, to some degree. The Apple-Google proposal, for example, stores the information about what “contacts” the device has made on each user’s device, rather than reporting that information to a central server as is the case with some of the other approaches. This “decentralized” architecture isn’t completely free of privacy and security concerns, however, and actually opens apps based on these APIs to new and different classes of privacy and security vulnerabilities. For example, because these contact-tracing systems reveal health status in connection with a unique (if rotating) identifier, it is possible to correlate infected people with their pictures using a stationary camera connected to a Bluetooth device in a public place.


And finally, the issue of malicious use is paramount—particularly given this current climate of disinformation, astroturfing, and political manipulation. Imagine an unscrupulous political operative who wanted to dampen voting participation in a given district, or a desperate business owner who wanted to stifle competition. Either could falsely report incidences of coronavirus without much fear of repercussion. Trolls could sow chaos for the malicious pleasure of it. Protesters could trigger panic as a form of civil disobedience. A foreign intelligence operation could shut down an entire city by falsely reporting COVID-19 infections in every neighborhood. There are a great many vulnerabilities underlying this platform that have still yet to be explored.




Therefore, we urge developers of contact-tracing apps, as well as the companies enabling their development, to be candid about the limitations and implications of the technology. To be ethical stewards of these new public health tools, they must also provide explicit guidelines and “best practice” recommendations for the development of the apps. These should include recommendations for how back-end systems should be secured and how long data should be retained, criteria for what public health entities can qualify to use these technologies, and explicit app store policies for what additional information, such as GPS or government ID numbers, can be collected. They should adopt commonly accepted practices such as security auditing, bug bounties, and abusability testing to identify vulnerabilities and unintended consequences of a potentially global new technology. Finally, app creators—as well as the platforms that enable these applications—should make explicit commitments for when these apps and their underlying APIs will be sunsetted.


Lawmakers, for their part, must be proactive and rapidly impose safeguards with respect to the privacy of data, while protecting those communities who can be—and historically have been—harmed by the collection and exploitation of personal data. Protections need to be put in place to expressly prohibit economic and social discrimination on the basis of information and technology designed to address the pandemic. For example, academics in the United Kingdom have proposed model legislation to prevent compulsory or coerced use of these untested systems to prevent people from going back to work, school, or accessing public resources. The prospect of surveillance during this crisis only serves to reveal how few safeguards exist to consumer privacy, especially at the federal level.


Read the full article: “Contact-Tracing Apps Are Not a Solution to the COVID-19 Crisis” (Brookings TechStream)