How Digital Contact Tracing Could Work in the US, and Why It May Never Happen
It’s widely agreed that re-opening major portions of our economy relatively safely will require an extensive testing and contact-tracing system. Manual contact tracing — where those who test positive are interviewed about recent travel and person-to-person contacts — is expensive, hard to scale, and error-prone. So it is natural to see if digital technologies can help.
There are almost as many different approaches to how that might work as there are countries. But they fall into a few broad categories in terms of which technologies they use, how much data they store, and how they protect privacy. Here’s a look at some of the current and planned efforts, with a focus on those being piloted for deployment in the US.
All Roads Lead to the Smartphone
While there are some limited efforts using dedicated devices that have proven effective in controlled situations such as nursing homes, for broad deployment among the general public the obvious device of choice is the smartphone. Most people have one, they have a broad array of sensors, and they can be programmed to run custom apps. But “most people” isn’t “all people,” and many older phones don’t have the needed capability to run some of the proposed apps. So even phone-based solutions will need to deal with making their platform ubiquitous.
Stanford, Google, Apple: Protecting Privacy Via BLE
Perhaps the most “private” solution being proposed is one that was first publicized as Covid Watch, led by Stanford researcher Christina White and now embraced by the unlikely alliance of Apple and Google. This solution relies entirely on logging anonymized Bluetooth Low Energy (BLE) contacts between two users. Each phone broadcasts a random ID that changes every 10-20 minutes — meaning it should be impossible to use the IDs to track a specific user or find out more about them. At the same time, nearby phones log all the IDs they receive. So far, no data has left anyone’s phone.
When a user tests positive for infection, they can get a code from a medical professional that allows the app to upload the recent (probably last 14 days worth of) random IDs that their phone has broadcast. At least once a day, phones running the app download a full set of “infected” IDs, and compare them with the list they have logged. If there is a match, then the user gets the day, duration, and signal strength of the contact, so they know that they may have come in contact with someone who was infected.
Limits to Bluetooth-Based Tracking
Unfortunately, Bluetooth is limited when it comes to assessing the nature of a contact, in at least three important ways. First is that by itself, it doesn’t provide much help in ascertaining the nature of the contact. Was I simply walking behind someone on the sidewalk while practicing safe distancing and wearing a mask, or was I near them in a crowded store? The Stanford prototype only notes contacts that last more than 15 minutes. That’s helpful in screening out spurious events, but it might also screen out some important contacts — like the checkout line in a grocery store, or passing through a TSA checkpoint.
The second issue is that Bluetooth-only tracking doesn’t help with object-based infections. For example, when Singapore studied its early cases, they came to the conclusion that one patient got infected simply by using the same church pew that an infected person had earlier. Since the two people weren’t there at the same time, and no location information is recorded, a pure BLE solution wouldn’t have identified that situation as a possible contact. This would also hold true for the possible case where the virus survives in the air after the infected individual has left the area.
Finally, the BLE-only schemes don’t really make life any easier for those with the task of doing contact tracing manually. Because there isn’t any location data, and the contact data is anonymous, they need to start from scratch with the traditional interviews of the infected person and then painstakingly recreate their potential contacts. That’s one reason some government officials, like North Dakota governor and former Microsoft executive Doug Burgum, have urged that the adoption of solutions that include anonymized GPS-based location data, such as the state’s new Care19 app. He used the example of a checkout clerk in a big box store who tested positive. They could opt to share their data, which would allow anyone who had been in that store recently to be alerted.
On a broader level, the Google-Apple plan also isn’t a complete system. It requires public health agencies to implement the servers and the framework. However, many public health agencies have already said they would prefer a system that gave them access to data, including hot spots, rather than simply allowing users to interact essentially peer-to-peer. For these reasons, despite the obvious clout of Apple and Google, other groups are turning to solutions that include location data, typically acquired by logging GPS data.
MIT Private Kit: Safe Paths — A Proposal for “Safe” GPS-Based Tracking
Many people are concerned by the amount of location tracking that already takes place, so MIT researchers led by Ramesh Raskar realized they had taken on a difficult challenge when they set about designing a system to allow digital contact tracing while preserving privacy. Like the Google and Apple solution, their Private Kit mobile app uses Bluetooth to help determine possible contacts.
But it also uses GPS data and combines that with the Bluetooth data to create a location trail. If the user is infected, they can upload a 28-day history of their locations to the complementary web app Safe Places, where their health care provider can anonymize it. The user can specify certain locations such as their home to be removed from the log before it is shared. A redacted and hashed version is then distributed to other app users. By comparing the hashed results, that user can then be notified if they might have come into contact with an infected person.
There are a couple of major practical advantages to this approach. First, you can see where the contact occurred and thereby get a sense of how important it was likely to be (on a bike path or in a store, for example). The system also gains the ability to show locations you visited where an infected person had been there previously, even if they had already left by the time you arrived.
To help protect privacy, location data doesn’t leave your phone unless you are infected and opt to share your location trail with your healthcare provider. That data is then redacted and hashed before being shared. However, the current process for redacting, uploading, and then comparing location trails for matches currently involves a lot of manual steps. That helps with privacy but may not make it ideal for broad adoption.
Will Any Digital Contact Tracing System Work in the US?
There are good reasons to suspect that no contact tracing solution is going to become wildly popular or universally adopted in the US and in many countries in Europe. Getting people to do anything voluntarily is hard, and that’s especially true if it involves opting into a system that has potential for leaking yet more of their personal data — no matter how many promises are made by the organizations involved. Similar efforts fielded for flu or other pandemics have had fairly low take-up rates.
The approach of several Asian countries has been much more aggressive, partially because of new procedures put in place after the SARS epidemic. South Korea publishes the travel history of anyone who is confirmed to have Covid-19 — including what public transit they’ve taken — and broadcasts their location. Singapore’s popular TraceTogether app is similar to the Google/Apple proposal except instead of an automated, private, broadcast, contact tracers can access the information of all the other users that an infected individual was in contact with, and follow up with them directly. Even there, though, the TraceTogether app has only been downloaded by a minority of people. The most extreme is China, where the government has gone full Big Brother with travel and medical histories combined with various kinds of online data and scanned QR codes to control access to locations and even purchases.
It seems unlikely that the US, or most European countries, are willing to come close to the type of strong-arming it would take to mandate universal adherence to a digital contact tracking system. We may, however, get one or more solutions deployed broadly enough to at least make the job of human contact tracers a little easier.
- Apple and Google Team Up to Fight Coronavirus With Bluetooth
- After Bending the Curve: What We Will Need to Unwind the Great Lockdown
- The Future of COVID-19 Testing Could Be in Wearables