14 May 2020

Would You Let The Government Track Your Smartphone If It Meant We Could Reopen Sooner?

BY DAVID H. FREEDMAN 

Before the pandemic, the plan would have seemed like something ripped from a distant dystopian future in which the human race fully surrenders to Big Tech. On the April 10 online document, the logos of Google and Apple sat atop a description of the companies' joint plan to enable America's cellphones to keep track of everyone with whom their owners come into contact.

Who would sign on to such extensive surveillance? Much of the world already has. In South Korea, health officials use apps and video cameras to track down people who came into contact with COVID-19 patients before symptoms appeared. China, Singapore and Australia already have phone-based contact-tracing in place, and much of Europe is following suit. The UK's National Health Service, for instance, has endorsed a scheme that's undergoing a pilot test, and Germany's government is close behind.

As U.S. governors consider how to open up and allow people to go back to work, experts warn that the coronavirus, which is still in circulation, is almost certain to flare up again. To avoid more emergency-room disasters like the one that overwhelmed New York City in April, public-health officials must act aggressively to stop small outbreaks before they develop into big ones. The key, experts say, is contact tracing. For each new COVID-19 case, health care workers would develop a list of people the patient might have interacted with before symptoms developed. Then they would contact each one and recommend self-quarantine.


Contact tracing was used effectively during previous outbreaks, notably HIV/AIDS. With COVID-19, inquiries wouldn't be as intrusive as questions about sexual partners, of course, but they would reach many more people—in a country where citizens take to the streets over such assaults against their liberty as the closing of hair salons and gyms. With the coronavirus infecting tens of thousands of people each day, tracking down all those contacts would take an army of health care workers: about 100,000, says the Johns Hopkins Center for Health Security.

Technology, the thinking goes, might help automate the process. It's worked in South Korea, which achieved COVID-19 numbers that are the envy of much of the world: as of early May, it logged fewer than 11,000 cases, in a population of 50 million, and just over 250 deaths—or 1/16th the U.S. per capita case rate, and 1/300th the death rate. More than 20 countries, including most of Asia, have already been enlisting cellphones to help identify those who might have been exposed to the infection, so those people can self-isolate or get cleared by a test. America, with its vaunted technology industry, is a laggard.

It sounds like great news for the U.S., then, that contact-tracing capabilities are coming soon to a phone near you. As many states consider allowing people to go back to work, health experts say that identifying individuals who come into contact with people who have tested positive for the virus, so they can follow up with voluntary self-quarantines, is essential for keeping the outbreak from getting out of control. But such contact-tracing efforts are time-consuming and labor intensive. The hope is that all the information our phones can pull in about us, including where we are and who or what's nearby, can provide a much-needed assist, as they have in South Korea and elsewhere.

But Americans are not quite like the rest of the world. Perhaps more than the population of any other country in the world, Americans tend to resist letting the government keep a close eye on them, even under life-and-death circumstances. In the case of contact tracing, that reluctance looks like an immovable obstacle. "In a fast-moving pandemic, protecting individuals' rights to privacy limits the ability of the government to protect the health of the population," says Eric Campbell, a researcher with the University of Colorado's medical campus specializing in health policy and bioethics.
A man wears a face mask as he check his phone in Times Square on March 22, 2020 in New York City.KENA BETANCUR/AFP/GETTY

The challenge is not technological. The Google-Apple plan and other proposed automated contact-tracing schemes check off all the boxes that privacy advocates have drawn. The challenge, rather, is that the privacy requirements themselves block data that health care officials need to keep people safe. None of the plans proposed so far gives officials and individuals enough reliable, detailed information to make a big difference.

The value Americans place on privacy virtually guarantees that automated contact tracing isn't going to make a big difference any time in the next several months and may never achieve the impact in the U.S. it's having elsewhere in the world.

Just saying no

Any U.S. contact-tracking scheme for cell phones, no matter how well crafted, is likely to run into a buzzsaw of noncompliance. No one expects the Trump administration to require participation. No state has floated a mandatory plan, either. States and localities that have mandated masks have seen angry protests in response. The town of Stillwater, Oklahoma, lifted its mask-wearing proclamation after businesses reported receiving serious threats from customers. On May 1, a store security guard in Flint, Mich. who demanded that a customer comply with the state's mask-wearing requirement was shot dead.

It's no wonder there's little appetite for requiring people to submit to electronic tracking. Any smartphone-based contact-tracing apps would have to be optional—optional to download, optional to activate, optional to self-isolate or get tested if notified of exposure, optional to report being infected, and optional to share related data with public-health officials or anyone else.

In Europe, optional participation is not expected to be a big impediment. An Oxford University survey found acceptance of contact-tracing apps in Germany, Italy and France would run between 68 and 86 percent. In the U.S., by contrast, only 45 percent of people find contact tracing with smartphones acceptable, according to a survey by the Pew Research Center in April. "To prove really useful, at least 60 percent of the population would have to participate," says Jennifer Daskal, director of the Tech, Law, Security Program at American University Washington College of Law. "With all the skepticism here, it's not clear how we'd get to that level of compliance." It doesn't help that individual users get no direct benefit from using an app, only the possible privilege of being notified of the need to go back into quarantine. The benefit accrues to everyone else.

Privacy advocates say there are legitimate fears about a contact-tracing policy that would allow organizations to identify individuals by name, along with personal information such as their locations, the names of people they're with and, especially, health information such as whether or not they've been diagnosed with COVID-19 or exposed to it and what symptoms they might have. The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, limits the sharing of information about underlying health conditions among health care organizations but doesn't prevent most companies from sharing information they happen to get their hands on.

The Google-Apple scheme, like other proposals from MIT, Stanford and elsewhere, is designed to head off those concerns. For instance, it doesn't record locations or names. Instead, it assigns each phone a unique number, which changes every 15 minutes or so to make it nearly impossible to associate the number to a name. The only information the software grabs for each phone are the unique numbers of other phones lingering nearby—close enough to flag possible coronavirus transmission, should the holder of any of those phones turn out to be infected.

To accommodate privacy concerns, the Google-Apple software stops short of providing full contact-tracing capabilities. Users have to download contact-tracing apps that can make use of the unique identifiers the phone gathers. If a user is infected, they voluntarily report that fact to the app, which then, with permission, sends out a list of unique numbers representing the phones of the people who might have been infected too in recent days. Those numbers would go to a computer run by whatever organization is managing the contact-tracing effort—most likely a government health department—which would send out some sort of "you might have been exposed" notification, along with instructions for quarantine and testing.
Protesters rally, to demand an end to the state wide 'stay at home advisory' and the new law enforcing everyone to wear a mask in public, outside the Massachusetts State House in Boston, Massachusetts on May 4, 2020.JOSEPH PREZIOSO/AFP/GETTY

Where would the apps come from, and who would oversee them? In all non-U.S. countries with automated contact tracing, government health agencies at the national level, such as the UK's National Health Service, select the app and determine key details: how users report infections, who is notified when, what information is stored where. But the U.S. has no such organization. The closest thing is the Centers for Disease Control and Prevention (CDC), which does not have the authority to dictate detailed policies. "We've never had a national public-health infrastructure capable of handling this sort of task," says John Christiansen, an Olympia, Wash., attorney specializing in public and private health information technology. "We don't even have many state public health agencies that are strong enough. Most public health infrastructure happens at the local level, if it happens anywhere at all."

The thought of a patchwork of city- or county-level programs across the nation all specifying their own apps and policies doesn't inspire much confidence. But neither do the alternatives. Let Google, Apple or other tech giants run a national contact-tracing program and take control of the information? Unlikely. A study by the Kaiser Family Foundation found that half as many people would download a contact-tracing app from a tech company as from a public-health agency.

The best bet for a quasi-trusted authority capable of managing a large contact-tracing-app program might be a coalition of state-level health care players including hospitals, insurers and state health agencies, says Christiansen. Some states, including Washington, have coalitions in place to manage health-record sharing and uniform billing. But whether enough of these coalitions could be formed in time, and whether they'd be able to effectively manage such a massive public-health effort and reach a large-enough share of the population, are shaky propositions, he adds.

Is it secure?

Most of the world's automated contact-tracing schemes take measures to hide individual identities, typically through some form of "information blurring"—stripping out identifiable information such as names, randomly altering just enough of the data to prevent personal identification or replacing detailed data with aggregated summaries.

The Google-Apple plan goes further: it never records identifiable information in the first place, and it stores what information it does record on each user's phone and nowhere else.

The trouble is, phones are easily hacked. Companies, for instance, routinely harvest data from the phones of people who wander into stores, via open Bluetooth and wifi channels. That data includes mobile tracking numbers assigned to each device. The data is often sold to third-party data brokers where it becomes part of the information economy, exploited for targeting ads and other purposes. The Google-Apple system relies on an always-on Bluetooth connection on each user's phone in order to detect nearby phones and to swap the special contact-tracing numbers unique to each phone. "That significantly increases the privacy risks of any contact-tracing system that uses Bluetooth," says Alan Butler, interim executive director and general counsel at the Electronic Privacy Information Center, a privacy advocacy group in Washington, D.C. And it's one big reason the UK chose to go with a scheme that stores information on centralized servers rather than on individuals' phones.
A customer takes a selfie in front of a sign recommending social distancing while waiting to enter the Industry City Costco store on April 28, 2020 in the Brooklyn borough of New York City.MIKE LAWRIE/GETTY

Anonymity is another soft spot for contact-tracing schemes. Google-Apple's system of using ever-changing identifiers is meant to ensure that information can't be used to identify the individuals to whom the phones belong. But no such scheme has ever proven unbreakable—all kinds of supposedly "de-identified" information has later been "re-identified." One easy way to do it is to glean health-related comments from social media along with the names of the posters and correlate the comments with de-identified medical information. In 2018, Facebook worked with Stanford University's health care system and the American College of Cardiology to explore exactly that sort of approach. And last year Facebook for a time allowed outside companies to pore over supposedly private group posts to extract health information that could in theory be used for that purpose as well.

Even Google-Apple's extensive protections can't guarantee the privacy of contact-tracing participants, says Butler. "There are lots of ways hackers and others could reverse-engineer the system to re-identify people who have been infected," he says. (Google did not respond to a request for comment. An Apple spokesperson referred Newsweek to previously published material from the two companies.)

The downside risk for users of contact-tracing apps is high. Information about who is infected or who was in proximity to whom, if hacked, could have an impact on individuals' employment, personal relationships and public reputations. "It's not hard to understand why law enforcement, intelligence agencies or foreign malicious actors might want to make use of proximity-tracking data," says Daskal.

Proponents argue that the risk of misuse of data could be contained by ensuring data is regularly deleted as it becomes irrelevant to managing infection—after about two weeks, according to the Google-Apple scheme—and that the entire system is dismantled when the pandemic crisis has passed. But privacy advocates note that most of the "temporary" investigatory mechanisms put in place in the U.S. in the immediate aftermath of 9/11 remain in effect today.

Questioning the benefits

All of these risks might prove acceptable to a big swath of the American public if a proposed contact-tracing system could be counted on to play a big role in taming the pandemic. But even if enough people opted in to the system and chose to faithfully report their own infections and comply with self-isolation, plans like Google-Apple's would likely have so many false alarms and missed exposures that people would lose faith in them, says Ryan Calo, a law professor at the University of Washington Law School and co-director of the school's Tech Policy Lab. "They just wouldn't be effective, and in fact could do more harm than good."

Calo, who recently testified to the Senate on privacy issues in the coronavirus response, notes that Bluetooth signals can easily penetrate walls, car windows and other barriers that the coronavirus can't. That means many of the "you need to self-isolate" notifications sent out by Bluetooth-based systems like Google-Apple's would go to people who couldn't have been exposed. By the same token, the system would completely miss serious exposures caused by contacting, say, particles on surfaces or in the air freshly coughed-out by an infected person who has just walked away or left their phone in the other room or back in their car, out of reach of proximity detection. "You'd get false reassurances that you haven't been exposed, and there'd be a whole range of situations where you wouldn't get notified when you need to be," says Calo.

The system itself is vulnerable to misdirection as well, Calo says. Political operatives hoping to discourage voter participation or malicious agents eager to disrupt a neighborhood or an entire city could arrange for dozens or even hundreds of people to falsely report infections, triggering a slew of phony notifications. South Korea and many other countries limit these sorts of problems simply by allowing their contact-tracing systems to gather and store more data, including GPS location data, personal health records and video-camera images. This extra data can validate or eliminate proximity alerts, as well as improve the accuracy of infection reporting. But it exacts a high cost in privacy that most Americans wouldn't be willing to pay.
Government Technology Agency (GovTech) staff demonstrate Singapore's new contact-tracing smartphone app called TraceTogether, as a preventive measure against the COVID-19 coronavirus in Singapore on March 20, 2020.CATHERINE LAI/AFP/GETTY

If these obstacles were overcome, another problem would remain: the vast inequities such a system might inject into the coronavirus battle. About 20 percent of Americans don't have smartphones, locking them out of the system. Most live in vulnerable and predominantly minority communities, which frequently harbor an especially deep distrust of sharing information with public officials, particularly out of fear it may be shared with law enforcement agencies. And many people in those same communities will simply choose to ignore any notification to self-isolate because they need to keep working to meet their families' most basic necessities, undermining the essential function of the app. "People in these communities would be invisible to the whole automated contact-tracing model," says Kirsten Ostherr, director of Rice University's Medical Futures Lab.

Lowering expectations

Still, to say that cellphone contact tracing is going to return incomplete and flawed information, fall far short of needed adoption rates, and may carry privacy risks, is not to say we should skip it altogether. Even the most ineffective versions of the proposed schemes could still get hundreds of thousands of people to self-isolate or get tested when exposed, slicing off at least a small chunk of the new-infection rate. Tens of millions of Americans will decide any extra risks to their privacy will be a small price to pay for a chance to help contain the disease.

The biggest danger to automated contact-tracing schemes is that authorities and the public misplace their faith in how much those schemes can contribute and shortchange the tactics that likely will do a much better job. That includes conventional contact-training carried out by trained workers, making rapid testing widely available, and continuing to encourage and when necessary enforce social-distancing and self-isolation policies.

If we take all those steps, says Daskal, we have a real chance of reducing the infection rate to manageable levels—and that's when automated contact-tracing might actually become a more workable scheme. "If we can get closer to normal, then phone contact-tracing can be useful in protecting against small flare-ups becoming massive ones," she says.

In the dystopia we now seem to inhabit, though, "normal" seems so far away.

No comments: