Tracking COVID, Discreetly

By Neil Savage

Communications of the ACM, Vol. 63 No. 12, Pages 9-11

As the world continues to grapple with the Coronavirus pandemic, health officials are relying on a tried-and-true method of limiting the spread of the potentially deadly disease: contact tracing. Figuring out who has been close enough to an infected person long enough to catch the disease, then taking steps to prevent those people from passing it to others, is a method that dates back to the 1920s, when health authorities used it to rein in the spread of syphilis. In the era of smartphones, it seems only natural to add a technological dimension to contact tracing.

Using smartphone apps for contact tracing raises questions, though. For one thing, it is not entirely clear how effective that is; the answer depends on both how well a smartphone can measure contacts and on how many people actually decide to use the apps. Perhaps the chief concern, though, is privacy. How do you design a system that identifies who has been in contact with whom without giving all sorts of personal information to governments or data thieves that might abuse it?

Civil libertarians have raised alarms about potential invasions of privacy. A report in June from Amnesty International warned governments' collection and storage of too much information about individuals posed a significant threat, especially in some countries. "Bahrain, Kuwait, and Norway have run roughshod over people's privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle COVID-19," said Claudio Guarnieri, head of Amnesty International's Security Lab, in a statement that accompanied those findings. The Norwegian government, also facing pressure from the European Data Protection Authority, suspended use of its app, called Smittestopp.

Problems with these apps included identifiers that could be tied to people. Smittestopp made users register with their telephone number, for instance, while Bahrain, Kuwait, and Qatar required use of a national identification number. Early apps often had location-based tracking, which can make it possible to re-identify anonymized users and keep tabs on potentially sensitive information such as who someone was visiting or whether they were taking part in protests. Several countries, including France, Iceland, and Singapore, had centralized storage of the data, where access to it would be out of an individual's control.

The Tech Giants

Over the summer, however, governments adopting apps moved to a different model, and many now rely on the Exposure Notification System specification jointly developed by Apple and Google. In that system, individual phones generate random numbers, which change every few minutes, and share them with nearby phones over Bluetooth. The Bluetooth signal can be used to estimate the distance between phones and the length of the contact—being within six feet of someone for 15 minutes is generally defined as a contact. The data is stored on the user's phone and automatically deleted after a specified period of time.

If someone using the app tests positive for COVID-19, they enter that into the app, which then uploads all stored contacts to a master list on cloud storage platforms. Another user's app periodically checks that master list, and if it finds its own key, it notifies the user that she should get tested or self-quarantine. Once the incubation period has passed, keys are deleted from the master list. The system specifically bars apps from collecting GPS data.
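
The flow described above, as a simplified model added here (not code from the article or from the Apple-Google specification). Identifiers are plain random bytes; the 5-minute rotation, the 14-day retention and all class and function names are assumptions.

```python
import secrets

ROTATION_MIN = 5               # assumed; the article says "every few minutes"
CONTACT_MIN = 15               # from the article: 15 minutes ...
CONTACT_FEET = 6               # ... within six feet
RETENTION_MIN = 14 * 24 * 60   # assumed; the article says "a specified period"

class Phone:
    def __init__(self):
        self.sent = {}    # rotation slot -> identifier this phone broadcast
        self.heard = {}   # identifier heard nearby -> minute last heard

    def beacon(self, minute):
        """Identifier for the current slot; a fresh random one per slot."""
        slot = minute - minute % ROTATION_MIN
        if slot not in self.sent:
            self.sent[slot] = secrets.token_bytes(16)
        return self.sent[slot]

    def hear(self, ident, minute, feet):
        """Record a Bluetooth sighting only if the estimate is close enough."""
        if feet <= CONTACT_FEET:
            self.heard[ident] = minute

    def expire(self, now):
        """Automatic deletion: drop anything older than the retention period."""
        cutoff = now - RETENTION_MIN
        self.sent = {s: i for s, i in self.sent.items() if s >= cutoff}
        self.heard = {i: m for i, m in self.heard.items() if m >= cutoff}

    def report_positive(self, master_list):
        """Upload stored contacts: random identifiers only, no names or places."""
        master_list.update(self.heard)

    def exposed_minutes(self, master_list):
        """Each of our own identifiers on the list is one slot spent nearby."""
        return ROTATION_MIN * sum(i in master_list for i in self.sent.values())

    def should_alert(self, master_list):
        return self.exposed_minutes(master_list) >= CONTACT_MIN

def meet(a, b, start, minutes, feet):
    """Constructed scenario helper: two phones in range for some minutes."""
    for m in range(start, start + minutes):
        a.hear(b.beacon(m), m, feet)
        b.hear(a.beacon(m), m, feet)
```

Because identifiers rotate, the duration estimate is counted in whole rotation slots, so a contact that straddles a slot boundary is rounded up.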

An app avoids the risk of someone, whether the government or a hacker, getting their hands on personal data by not collecting such data in the first place. "A solution should not be about confidentiality or anonymity. It should be about privacy, in which even the company doesn't know who you are," says Ramesh Raskar, professor in the Massachusetts Institute of Technology's Media Lab who launched the PathCheck Foundation. The non-profit has developed an app based on the Apple-Google framework to track COVID-19 cases using "privacy by computation." Data can only be seen by someone with physical access to the phone handset, and even then the amount of useful information that could be obtained would be limited, Raskar says.

Location, Location, Location

Last March, Robert Kleinman, a psychiatrist then at Stanford University and now at Massachusetts General Hospital, decided to combine his interests in geospatial data and access to healthcare. He and software engineer Colin Merkel designed a prototype tracking app that used GPS location data to identify where exposures took place. They eventually scrapped it, as did most other developers who focused on GPS early on.

The problem, aside from possible public discomfort with having one's location tracked, is that GPS location is not precise enough for contact tracing. "It's quite remarkable for a consumer technology to get within three meters or five meters, but there is a lot of variability in that, and it's different in indoor settings and outdoor locations," Kleinman says. "It would just have a lot of limitations for identifying contacts in a reliable way, and you would end up getting a lot of false positive and false negative identifications."

Either is a problem. False negatives could mean missing actual cases of disease transmission, but false positives would result in people being told to isolate themselves unnecessarily, which can be disruptive to work, personal life, and mental health.

There are also problems with Bluetooth, which is not designed to measure distance. The space between phones can be inferred by the strength of the signal, but the orientation of the phone, a wall, or even the user's own body can alter apparent signal strength.

Keeping Score

One way to deal with that weakness in Bluetooth is to use scoring algorithms to help decide whether a phone contact is enough of an in-person contact to trigger an alert, says Stefano Tessaro, a cryptographer and computer security expert at the University of Washington (UW). Tessaro and a loose coalition of researchers from UW, Microsoft Research, the University of Pennsylvania, and the Boston Public Health Commission developed what they dubbed PACT, privacy-sensitive protocols and mechanisms for mobile contact tracing.

It would be useful to come up with formulas that use factors such as signal strength and length of contact to score whether something counts as actual exposure, rather than triggering an alert for, say, every student who walks by a professor's window and later tests positive. The difficulty, Tessaro says, is that despite a large number of cases, the disease is still rare enough that real-world data is lacking. "There's not enough positive cases, fortunately, to be in a situation where you can really see a lot of such false positives," Tessaro says. Additionally, the same restrictions that protect users' privacy also make it more difficult for researchers to collect data that can tell them how good a job an app is doing at correctly identifying contacts.

While Tessaro understands why people might be uncomfortable having their location tracked, he also recognizes public health experts would love to have GPS data help them trace the spread of the disease and identify hotspots. He and his colleagues have proposed what they call narrowcasting, in which a user's phone collects its own location data but does not send it to anyone. Then, if a health department finds an infected person was in a particular park or grocery store at a given time, it could broadcast that information through an app, and if the health department information matches data stored on the phone, the user gets an alert.
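
A sketch of the on-device matching that narrowcasting implies, added here as an example (not code from the PACT authors). The notice fields, the per-fix accuracy padding and the coordinates are constructed assumptions; the point is that the location history is only read locally and nothing is sent back.

```python
from math import asin, cos, radians, sin, sqrt

def meters_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in meters."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * asin(sqrt(a))

def local_matches(history, notices):
    """history: (unix_time, lat, lon, accuracy_m) fixes kept only on the phone.
    notices: place/time windows the health department broadcasts to everyone.
    Returns the places where a stored fix falls inside a notice."""
    hits = []
    for n in notices:
        for t, lat, lon, accuracy_m in history:
            in_window = n["start"] <= t <= n["end"]
            # Pad the radius by the fix's own error estimate (assumption).
            dist = meters_between(lat, lon, n["lat"], n["lon"])
            if in_window and dist <= n["radius_m"] + accuracy_m:
                hits.append(n["place"])
                break
    return hits

# Constructed sample data, not real locations of any case.
NOTICES = [
    {"place": "grocery store", "lat": 47.6500, "lon": -122.3000,
     "radius_m": 50, "start": 1000, "end": 4600},
    {"place": "park", "lat": 47.6600, "lon": -122.3100,
     "radius_m": 100, "start": 1000, "end": 4600},
]
HISTORY = [
    (2000, 47.6502, -122.3001, 5),   # near the store, inside the window
    (9000, 47.6600, -122.3100, 5),   # at the park, but after the window
]
```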

Of course, old-fashioned manual contact tracing does not strictly protect people's privacy, either. Health workers talk with infected people and ask where they have been and who has been near them. "It's considered a fairly essential public health approach to addressing infectious disease. The question of where the appropriate line is, that's really a question for society," Kleinman says. One major difference is that traditional contact tracing starts with a known infected person and builds outward, ignoring those who have not been in contact with a patient, whereas apps collect some amount of information from everyone who uses them, he says.

One outstanding question is how many people must adopt the contact tracing apps for them to be effective in slowing the pandemic, and uptake depends in part on how comfortable people are that the apps are safe to use. Models made in April by the Big Data Group at Oxford University in the U.K. suggested if 60% of the population would use them, it could stop the disease in its tracks. More recent pilot studies Oxford ran on England's Isle of Wight indicated the spread could be slowed if just 15% to 20% of people used the app as recommended. That includes scanning QR codes to check into stores and restaurants, so health authorities can keep tabs on those businesses.

Tessaro says a lot is still unknown about what impact contact tracing apps could have, but they are unlikely to provide a quick fix. He thinks they may work best as a supplement to human-run contact tracing, with the apps filling in information that would be difficult for people to find, such as who shared a subway car with an infected person. "The metric that people apply to these tools is that of a silver bullet, that there's one thing that is going to fix everything," he says. "But it's really not true."

Further Reading

Kleinman, R. and Merkel, C. Digital Contact Tracing for COVID-19, CMAJ, 192 (24) 2020. www.cmaj.ca/content/192/24/E653

Chan, J., Foster, D., Gollakota, S., Horvitz, E., Jaeger, J., Kakade, S., Kohno, T., Langford, J., Larson, J., Sharma, P., Singanamalla, S., Sunshine, J., and Tessaro, S. PACT: Privacy-Sensitive Protocols and Mechanisms for Mobile Contact Tracing, ArXiv, 2020. arxiv.org/abs/2004.03544

Singh, P., Singh, A., Cojocaru, G., Vepakomma, P., and Raskar, R. PPContactTracing: A Privacy-Preserving Contact Tracing Protocol for COVID-19 Pandemic, ArXiv, 2020. arxiv.org/abs/2008.06648

Ferretti, L., Wymant, C., Kendall, M., Zhao, L., Nurtay, A., Abeler-Dörner, L., Parker, M., Bonsall, D., and Fraser, C. Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing, Science, Vol. 368, Issue 6491, 2020. science.sciencemag.org/content/368/6491/eabb6936

Exposure Notifications System: Helping Health Authorities fight COVID-19 https://www.youtube.com/watch?v=1Cz2Xzm6knM&feature=emb_logo


Neil Savage is a science and technology writer based in Lowell, MA, USA.

©2020 ACM  0001-0782/20/12

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2020 ACM, Inc.
