How to balance privacy while using contact tracing for COVID-19

UChicago computer scientist Blase Ur examines smartphone tracking during pandemic

Scientific experts agree that widespread testing, contact tracing and isolation of infected individuals will be critical for reopening society until a vaccine for coronavirus becomes available. Contact tracing, the determination of who a person diagnosed with COVID-19 encountered while possibly infectious, has attracted the attention of technology companies. Most notably, Apple and Google have partnered to develop a tool that tracks interactions between people with smartphones running their operating systems, so that people who were recently nearby an infected individual will be notified and advised to receive testing.

While potentially a powerful approach to supplement human contact tracers, the technology also raises concerns about sacrificing privacy for public health. We spoke to Neubauer Family Assistant Professor Blase Ur, a University of Chicago expert on human-computer interaction and user-centered security and privacy, about how this contact tracing system works and whether the privacy fears are valid or outweighed by the benefits.

What is contact tracing and why is it needed?

As you open up during a pandemic, or even while things are closed and people are going about essential business, there's the concern that disease might spread through the population. You want to know how the disease spreads and the people that the disease has spread to, so that you know who needs to get tested. The reason this is particularly hard with COVID-19 is, you can get infected, be asymptomatic for a while, and transmit the virus to other people before you even show symptoms.

The whole idea of contact tracing, on a micro level, is that when someone realizes they have COVID-19, they are able to reach out to other people they’ve come in contact with during the period they're likely to have been able to transmit the virus, to let them know that they should go get tested. On a macro level, it also helps policymakers understand the spread of a virus in a population.

The contact tracing system attracting the most attention was co-designed by Apple and Google: How does it work?

You could imagine very privacy-invasive ways of doing contact tracing. Someone sets up a central database and everyone's phone, every couple of minutes, sends their GPS coordinates to that database along with a personal identifier. That's not at all what's happening.

The Google/Apple system uses Bluetooth Low Energy. Bluetooth is what you use to connect to your wireless speaker or connect your phone to your car stereo; your phone is sending out this little beacon. It's designed to transmit on the order of 10 feet, so it's actually a nice proxy for if you are within 10 feet of someone with COVID-19 for an extended amount of time, when there's a decent likelihood of virus transmission.

But it would not preserve privacy if you always broadcast who you are, or even if you just picked a single random name and always broadcast that. So what these schemes do is, every few minutes, they pick a new identifier. Your phone records every identifier that it has used or encountered for the last couple of weeks. And then, if you're brought into a hospital and they realize that you have COVID-19, you work with a health provider and basically publish the list of all the identifiers that you sent out. That list gets broadcast to everyone else with the app, and anyone who recorded encountering any of these identifiers is told that they probably came in contact with someone who was later diagnosed with COVID-19.

Where are the records of these interactions kept?

If you have not been diagnosed with COVID-19, all of the names you've announced and all the names you've seen are only on your phone. It's only when you're diagnosed with COVID-19 that the names you've announced get sent to everyone else. So there's no centralized database. It's a nice scheme, from a privacy point of view.

Privacy aside, would a location-tracking system work better?

Bluetooth transmits a short distance, and you can determine exactly how close I was to somebody from how strong the signal was and also how long I was that close to them. That's actually better than just keeping track of what locations you were in. If you’re keeping track of locations, then you'd have to keep very detailed timestamps, because you want to know who was in this location at the same time. So actually this scheme is not just more privacy-protected, but realistically, at least as effective, under the assumption that everyone is using the scheme.
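The rotating-identifier scheme described in the two answers above (fresh identifiers every few minutes, records kept only on the phone, a diagnosed user publishing only their own identifiers, and exposure judged locally from signal strength and duration) can be illustrated with a small simulation. This is an added example written for this page, not code from Apple, Google or the interviewee; the rotation interval, retention window, signal threshold and 15-minute exposure rule are assumed values chosen for the demonstration, and the proximity schedule is constructed.

```python
import secrets

ROTATION_MINUTES = 10             # assumed rotation interval ("every few minutes")
RETENTION_MINUTES = 14 * 24 * 60  # assumed retention ("the last couple of weeks")
CLOSE_RSSI = -70                  # assumed signal threshold standing in for "within 10 feet"
EXPOSURE_MINUTES = 15             # assumed minimum close contact ("an extended amount of time")


class Phone:
    """One participant's device. Everything it records stays on the device."""

    def __init__(self, owner):
        self.owner = owner            # used only for the simulation's bookkeeping
        self.sent = {}                # identifier -> minute it was first broadcast
        self.seen = {}                # identifier -> minutes it was heard at close range
        self.current = None
        self.current_since = -ROTATION_MINUTES

    def tick(self, minute):
        """Rotate the broadcast identifier when due and expire old records."""
        if minute - self.current_since >= ROTATION_MINUTES:
            self.current = secrets.token_bytes(16)   # fresh random identifier
            self.current_since = minute
            self.sent[self.current] = minute
        cutoff = minute - RETENTION_MINUTES
        self.sent = {i: m for i, m in self.sent.items() if m >= cutoff}
        self.seen = {i: ms for i, ms in self.seen.items() if ms[-1] >= cutoff}
        return self.current

    def hear(self, identifier, minute, rssi):
        """Record a beacon only if it was strong enough to count as close."""
        if rssi >= CLOSE_RSSI:
            self.seen.setdefault(identifier, []).append(minute)

    def publish_for_diagnosis(self):
        """What a diagnosed user releases: only the identifiers they sent out."""
        return set(self.sent)

    def exposure_minutes(self, published):
        """Local matching: minutes spent close to any published identifier."""
        return sum(len(ms) for i, ms in self.seen.items() if i in published)

    def is_exposed(self, published):
        return self.exposure_minutes(published) >= EXPOSURE_MINUTES


def run_scenario():
    """Constructed scenario: four phones, Alice is later diagnosed."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    phones = [alice, bob, carol, dave]
    # constructed proximity schedule: (phone A, phone B, start minute, end minute, rssi)
    encounters = [
        (alice, bob, 100, 130, -60),    # 30 minutes close together: exposure
        (alice, carol, 200, 205, -60),  # 5 minutes close: below the duration threshold
        (alice, dave, 300, 340, -85),   # 40 minutes but weak signal: too far away
    ]
    for minute in range(0, 400):
        beacons = {p.owner: p.tick(minute) for p in phones}
        for a, b, start, end, rssi in encounters:
            if start <= minute < end:
                a.hear(beacons[b.owner], minute, rssi)
                b.hear(beacons[a.owner], minute, rssi)
    published = alice.publish_for_diagnosis()   # the only data that leaves Alice's phone
    return {
        "published_count": len(published),
        "published_has_names": any(isinstance(x, str) for x in published),
        "bob": bob.is_exposed(published),
        "carol": carol.is_exposed(published),
        "dave": dave.is_exposed(published),
        "bob_minutes": bob.exposure_minutes(published),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes concrete is the one from the answers above: nothing identifying a person is ever broadcast or published, the published list is just random identifiers, and the decision about who was exposed is made on each receiving phone from its own record of how strong the signal was and for how long.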

Where location would work better is if you have someone who is not participating in a scheme or doesn't even have a cell phone. Then you could say, someone with COVID-19 was in this store at 2:32 p.m. on Friday in the vegetable aisle. That would be useful, but a lot of designers seem to assume that everyone's going to participate in contact tracing, so this location stuff just doesn't matter.

But these apps will likely be opt-in, so will they still be effective if only a fraction of the population choose, or are able, to participate?

Yes, anyone without a smartphone is being left out. Also anyone without a relatively recent smartphone that actually supports Bluetooth Low Energy; there are lots of smartphones that actually don't even have the technology to participate in these protocols. Who doesn't have a smartphone or doesn't have a new expensive smartphone? It tends to be the poor and the elderly, who are also being disproportionately hit hard by COVID-19. So that's a big problem.

And then the other place where non-participation comes up is people that have the technology and are either unaware of what's going on, or more commonly will probably just choose not to participate. Why would they choose not to participate? If they're worried about their privacy, or if they don't see the benefit. From a computer security nerd point of view, it's actually a very reasonable privacy-protective scheme for getting the data that's needed. I'm often skeptical of anything with tracking capabilities, but here I think it's actually a nicely designed scheme overall.

One of the things for me that's most interesting is the oversight and the end of life aspects of these protocols. Because there's always a danger where, when you build something for one purpose, it'll be repurposed toward some other end. So in these cases, who decides when we no longer need any contact tracing, and we can turn off this app because the pandemic is over? Because you can easily imagine this being misused for advertising or for government surveillance, once it's established that this technology is widely deployed, and can basically be flipped on at the level of a phone. Where is the oversight going to come from? And are we really going to commit ourselves as a society and as technologists to limiting the scope of this technology?

What are some of the research questions you’re interested in around this technology?

A group of us, including my colleagues David Cash, Nick Feamster, Jonathan Ozik, Jamie Saxon and Yang Wang, have started working out how to measure and understand the degree of non-participation and how it impacts epidemiological modeling. We're also interested in how you communicate to people why they should be participating in contact tracing, and understanding why people are not opting in. If we understand what people's concerns are, and if they're actually misconceptions rather than the actual privacy losses provided by these technologies, then we want to help crack people's misconceptions and hopefully encourage participation.

I'm normally one of the first people to say any technology with data privacy implications is a bad thing. But I'm also a privacy pragmatist, and there's a clear benefit to contact tracing. There are some risks, but I think the benefit of actually tracking COVID-19 as it passes through the population, tracking potential exposures, and maybe being able to go to the Lake again—in this case that might actually outweigh the privacy losses with responsible use of this technology. Whether it will be used responsibly is still a little bit up in the air, but I think there are reasons to believe that despite some privacy concerns, this is a net positive.

So you would opt in?

I would. And then if, at some point, people try to repurpose this for advertising or surveillance, I will have a very loud voice complaining about it.