Building a better contact tracing app

Contact tracing apps are critical to mitigate the spread of the virus, but user privacy must be built right into the technology.


In mid-May, the first truly warm weekend of our strange pandemic era arrived. Starved for fresh air and human contact, people spilled out into streets and parks. But images quickly spread on social media of people packed together in dense crowds at Toronto’s Trinity Bellwoods park ignoring social distancing, and outrage soon followed.

Beyond the obvious reactions — “what were these people thinking?” — the situation felt symbolic. As we face COVID-19 being a part of our lives for months if not years, people will inevitably want to return to something approaching normalcy. Yes, it’s about letting people return to parks or shopping, but it’s also about how everything from retail stores to office towers can open safely once more. How then do we ease into the new normal, without either remaining locked down in perpetuity or descending into the sort of recklessness on display in Toronto’s west end?

“There’s no rulebook right now, and it isn’t going to be enough to put hand sanitizer on every entrance,” says Cerys Goodall, chief operating officer at InnerSpace, an indoor location tracking company. “We’re dealing with something that is unprecedented for our times and the only thing that is going to inform better policy is information.”

When it comes to disease, that information comes in the form of contact tracing, which involves tracking people who have been infected, informing others who may have been exposed to them, and helping quarantine people who do end up with the disease.

Historically, contact tracing has been a manual, analogue activity that involved armies of nurses doing the tricky and time-consuming work of tracking down people who might have been exposed to a disease. But this being the 21st century, contact tracing is now far more likely to have a digital element. Earlier this year, Apple and Google made the unusual move to partner to work on an update for smartphones that will allow users to be informed if they have come into contact with someone who is infected, and contact tracing apps are currently both being developed and deployed around the world.

But the idea of a contact tracing app is inherently fraught. Users are already tracked by various apps, and the concept of a tracing app connected to the state raises immediate privacy concerns. Personal data gathered about health may potentially be used (or misused) to constrain movement or employment, affect insurance or, as often happens, used to sell advertising. What’s more, in countries like China and India, governments are inching toward making the apps mandatory, which raises its own civil liberties questions. How then do we mitigate the spread of the virus while protecting user privacy?

David Fraser is a privacy lawyer with McInnes Cooper who lives in Halifax, Nova Scotia. He suggests that, as a start, any contact tracing app must follow certain general principles.

“You have to ask ‘what are good privacy practices?’” says Fraser. “You minimize the collection of data, minimize who might have access to that information, and limit it to specified purposes.”

Those principles generally guide how both commercial and government bodies can collect information in Canada. For their part, Apple and Google’s system, which was released on May 20th, relies on a phone’s Bluetooth connection. Once the new update is installed, a phone will send out a randomized signal a few times an hour that other nearby devices record as having received. If someone has marked themselves as having the virus, others they have come into contact with will be notified that they’ve been exposed to someone with the virus.

The system is opt-in and can be turned off by a user. The idea is that countries can then build their own apps on top of the Apple-Google base, and indeed that is now starting to happen. Switzerland has done just that, and the U.K. and Germany among others will soon follow. In Canada, where health systems differ from province to province, Prime Minister Trudeau has stated his preference for one unified app.

However, in order to be effective, public health organizations have to be able to collect that data, and it’s the aggregation of data itself that can often be the problem when it comes to privacy.

According to Scott Rankine, CEO of security company NXMLabs, it’s finding the balance in how that data is collected and stored that is key. “You want to be able to anonymize the data that’s useful, but you don’t want to have your personal information commingled with it, because that’s what hackers are looking for,” he says. “With a centralized database, once you get in, it’s like a fox in a henhouse.”

NXMLabs specializes in security for Internet of Things devices like smart home tech, and its solution is to eschew the idea of a central database of user information, instead keeping personal data on users’ devices, and also separating it from the kind of information that can be helpful for a company to know. Rankine gives the example of a smart thermostat: you’d want a company to know that the device was working well and receiving updates, but you wouldn’t want personal data such as your address spread.

That same model may not exactly work for public health, because some personally identifiable information might be useful in, say, tracking the spread of the virus. But the logic still applies, namely, that the lack of a single point of failure suggests that keeping personal data on people’s phones rather than a centralized database is the ideal scenario. And in fact, the Apple and Google API does not forward a user’s identity on to public health. Instead, it only acts as the framework through which people can be contacted and informed if they should self-isolate or seek testing.
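The two paragraphs above describe the decentralized design in prose: phones broadcast random tokens, record the tokens they hear, and an infected user publishes only their own keys so that matching happens on each handset rather than in a central database. The following is an added illustration written for this article, not Apple or Google’s code; it is a simplified model in which a random per-day key and an HMAC stand in for the real system’s key derivation, and the phone names, interval count and encounters are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Illustrative parameters (constructed for this example): a device rotates its
# broadcast token every interval, and a day is divided into this many intervals.
INTERVALS_PER_DAY = 144  # roughly one rotation every 10 minutes


def rolling_token(day_key: bytes, interval: int) -> bytes:
    """Derive the pseudonymous 16-byte token broadcast during one interval.

    Without the day key, tokens from different intervals cannot be linked to
    each other or to a device, so a passive listener learns nothing stable."""
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    """One handset. Everything here stays on the device unless the user opts
    to upload diagnosis keys after a positive test."""
    day_keys: dict = field(default_factory=dict)  # day number -> random secret
    observed: set = field(default_factory=set)    # tokens heard from nearby phones

    def key_for(self, day: int) -> bytes:
        return self.day_keys.setdefault(day, secrets.token_bytes(16))

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_token(self.key_for(day), interval)

    def hear(self, token: bytes) -> None:
        self.observed.add(token)

    def diagnosis_keys(self, days):
        """What an infected user uploads: only their own day keys. No name,
        no location, and none of the tokens heard from other people."""
        return [(day, self.key_for(day)) for day in days]

    def check_exposure(self, bulletin) -> set:
        """Run on the device: re-derive every token the infected user could
        have broadcast and intersect with what this phone actually heard."""
        matches = set()
        for day, key in bulletin:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_token(key, interval) in self.observed:
                    matches.add((day, interval))
        return matches


def encounter(a: Phone, b: Phone, day: int, interval: int) -> None:
    """Two phones in Bluetooth range record each other's current token."""
    a.hear(b.broadcast(day, interval))
    b.hear(a.broadcast(day, interval))


def simulate() -> dict:
    alice, bob, carol = Phone(), Phone(), Phone()
    encounter(alice, bob, day=3, interval=50)   # constructed encounters
    encounter(alice, bob, day=3, interval=51)
    encounter(bob, carol, day=4, interval=10)   # Carol never meets Alice
    # Alice tests positive and publishes her day keys for the infectious window.
    bulletin = alice.diagnosis_keys(days=[2, 3, 4])
    return {
        "bob": bob.check_exposure(bulletin),      # {(3, 50), (3, 51)}
        "carol": carol.check_exposure(bulletin),  # set(): no exposure
        "bulletin_bytes_per_day": len(bulletin[0][1]),  # 16: a key, not an identity
    }


if __name__ == "__main__":
    print(simulate())
```

The point the model makes concrete is what the server sees: a list of (day, key) pairs and nothing else. Bob’s phone finds the two overlapping intervals by recomputation on the handset; Carol’s finds none; and because no phone ever records where an encounter happened, the bulletin cannot be turned into the hotspot map the article goes on to discuss.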

A potential wrinkle, however, is that broad epidemiological data — say, where virus hotspots are, or key sites of transmission — cannot be gathered because the system doesn’t let location data be gathered. The upside is that it’s more private; the downside is that valuable information that may help contain the virus leaves states at a potential disadvantage in tackling a genuine health crisis.

The Apple-Google system is designed explicitly to be used by government-run health departments. But the private sector may also fill in gaps left by the more privacy-focused nature of public systems.

InnerSpace is a Toronto company that specializes in indoor location tracking using Wi-Fi. It has adapted its technology to help track COVID-19 indoors, so that a company can monitor potential exposure in an office tower. Shared meeting spaces, for example, could still pose a risk when people use them at different times, since a Bluetooth-based contact tracing app only registers people who are in the same place at the same time.

President and COO Cerys Goodall believes that the key is helping people feel safe. “For us, it’s really about how do we get people back to work,” she says. “How do we help people rethink their office space? How do we give people confidence?”

For InnerSpace, that may involve solutions in which companies have their own in-house apps for contact tracing, in no small part because it avoids outsourcing sensitive employee data to a third party. Their solution works by tracing the MAC address that identifies a particular device but then immediately anonymizing it and never storing it.
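The article says the device’s MAC address is anonymized immediately and never stored, without saying how. One way a defender would implement that step, added here as an illustration and not InnerSpace’s own code, is a keyed pseudonym (HMAC) under a secret that rotates per period and is then discarded; the period length, MAC values and timestamps below are constructed for the example.

```python
import hashlib
import hmac
import secrets


def normalize_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' into 6 raw bytes."""
    parts = mac.strip().replace("-", ":").lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


class MacPseudonymizer:
    """Turn a MAC address into a keyed pseudonym that is stable only within
    one key period. The raw MAC is used once, in memory, and never written."""

    def __init__(self, period_seconds: int = 86400):
        self.period_seconds = period_seconds
        self._keys = {}  # period number -> random secret, generated on demand

    def _key(self, ts: int) -> bytes:
        period = ts // self.period_seconds
        return self._keys.setdefault(period, secrets.token_bytes(32))

    def pseudonym(self, mac: str, ts: int) -> str:
        # HMAC rather than a bare hash: a 48-bit MAC with a well-known vendor
        # prefix has far too little entropy for an unkeyed hash to protect it.
        raw = normalize_mac(mac)
        return hmac.new(self._key(ts), raw, hashlib.sha256).hexdigest()[:24]

    def forget_before(self, ts: int) -> int:
        """Discard keys for earlier periods, so old pseudonyms can never be
        re-linked to a device, even by whoever holds the current keys.
        Returns how many keys were dropped."""
        cutoff = ts // self.period_seconds
        stale = [p for p in self._keys if p < cutoff]
        for p in stale:
            del self._keys[p]
        return len(stale)


if __name__ == "__main__":
    ps = MacPseudonymizer(period_seconds=3600)
    same_hour = ps.pseudonym("AA:BB:CC:DD:EE:FF", 1000) == ps.pseudonym("aa-bb-cc-dd-ee-ff", 2000)
    next_hour = ps.pseudonym("AA:BB:CC:DD:EE:FF", 7200)
    print("stable within a period:", same_hour)
    print("dropped keys:", ps.forget_before(7200))
```

Within a period the same device maps to the same pseudonym, which is enough to tell that one device was in a meeting room twice; across periods the pseudonyms are unrelated, and once `forget_before` has run, even the operator cannot reconnect earlier records to a device. The design choice worth noting is the key, not the hash: hashing a MAC without a secret would let anyone holding the output recover the address by trying the small space of plausible values.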

When it comes to COVID-19, however, it’s important to get public buy-in for any potential app.

Privacy lawyer David Fraser believes what is vital in all this is trust in government institutions.

“Public health authorities have had access to sensitive health information and have done contact tracing long before this pandemic,” he says, “and polling suggests they’re very highly trusted, and I have more trust in public health than just about any other aspect of government.”

The challenge then lies in governments giving clear, accessible answers to some straightforward questions: who gets access to the data collected? How long is it kept for? And is it to be used for any purpose other than COVID-19?

Only if public institutions can give the right answers to those questions will technology-based contact tracing work as a system to mitigate the spread of a frightening pandemic, and not one more point of confusion in already uncertain times.