The Privacy of COVID-19 Apps — Reopening Alphaville
A few days ago I was sitting at home when I received an e-mail from the mayor of Alphaville. Searching the web, she had come across the privacy-tech-lab site as she was frantically looking for someone to help her. We set up a Zoom call. The mayor was in the process of reopening Alphaville after the lockdown. She just had seen Anthony Fauci, the rock solid advisor in the White House Coronavirus Task Force, expressing concerns on TV that reopening before establishing preventive measures could lead to little spikes that might turn into outbreaks [1]. “We could lose track again of the virus forcing us back into lockdown,” the mayor said, “but maybe a contact tracing app is the right solution here. That is the reason I wanted to talk with you.” True, using such app may be a good idea to keep the virus in check, I thought. However, it would possibly also require the collection of sensitive data from lots of people. Public health does not come for free; we will need to strike a balance with privacy considerations. “There are different types of apps with different functionalities,” I said, “do you have a few minutes?”
1. Three Privacy Sensitivity Levels of COVID-19 Apps
She nodded. I continued, “one way to evaluate contact tracing apps for their privacy sensitivity is to categorize them by the types of data they collect.” That is a reasonable first proxy, I thought, because what is not collected cannot be lost, misused, or compromised. Though, certainly, there are other criteria, such as whether contact tracing is centralized or decentralized, who is collecting the data, or how long it is retained. “On the sensitive end of the spectrum we have apps that are collecting personal data, such as e-mail addresses or phone numbers. The Healthy Together app, from the small social network company Twenty used in Utah [2], is an example. Once a user shows symptoms, they can be asked directly with whom they interacted previously. This approach is very effective but requires the exchange of personal data. Healthy Together collects data on a voluntary basis and explains their practices in a privacy policy [3].” The mayor nodded again, though, she seemed not quite convinced that this would be the right approach for Alphaville.
I went on, “other apps are only relying on location tracking. GPS can be accurate up to a few centimeters.” I knew that HowWeFeel uses that option with anonymous user identifiers [4]. This app was developed by a team of scientists and Pinterest co-founder and CEO Ben Silbermann. It is recommended by the Governor of Connecticut [5]. Likely people here in Middletown, where I live, are using it. So, maybe that was something of interest. But as the mayor showed no reaction I continued, “at the least sensitive end of the spectrum we have apps that are just using Bluetooth beacons to detect whether two phones are in proximity. Bluetooth will not keep track of locations,” I said. “Imagine two unrelated people, Michael and Ralf, standing side by side at a bus stop. The sensors in Michael’s and Ralf’s phones are just picking up a random string of characters from each other. If Michael shows symptoms of the disease, he can upload his string to a server. All other phones, including Ralf’s, are periodically downloading the strings from there. Once Michael’s string matches the string already on Ralf’s phone, Ralf is notified that he was in contact with a symptomatic person. This form of contact tracing is used in Apple’s and Google’s ExposureNotification [6]. It is the least privacy sensitive approach.” The mayors face lit up. “That’s great,” she said, “but do you think it will actually work?” “That’s a good question,” I replied. As the mayor had other work to do, we agreed that I would research this question and we would touch base again in a few days.
2. Will the Bluetooth-based Approach Work?
I found out that health officials in North Dakota, Canada, and the UK had asked Google and Apple for the ability to collect additional types of data beyond what ExposureNotification provides [7]. I also had heard that instead of relying on contact tracing technologies, health officials in states with the highest infection rates are now moving ahead to hire lots of manual contact tracers [8]. The mayor’s concern about Bluetooth-based solutions are valid. They may not reliably identify situations of potential transmission. Especially, people could be separated by walls in an apartment building, they could be in different floors of a building, or they could be in a park biking past each other. All of these situations may lead to false alarms [9]. Bluetooth can go through walls, albeit, with some loss in strength; it can be effective over distances of many meters [10]. So, working out thresholds for Bluetooth signal strengths that are good indicators for potential COVID-19 transmissions is likely one of the major tasks going forward. Another problem crossed my mind. Surely anyone who has ever tried to pair two devices via Bluetooth has experienced some problems getting it to work. Though, it looks like ExposureNotification would not require pairing but just rely on picking up signals of nearby devices. So, that is good.
I continued my research and found studies modeling the use of a Bluetooth app that were looking promising [11].
A mobile app can reduce transmission of COVID-19 at any stage of the epidemic, whether it is just emerging, at its peak, or to support a safe transition out of restricted movement or lockdown. This could help reduce the serious social, psychological and economic impacts caused by widespread lockdowns.
Christophe Fraser, one of the researchers who conducted the study, seems pretty confident [12].
We’ve simulated coronavirus in a model city of 1 million inhabitants with a wide range of realistic epidemiological configurations to explore options for controlling transmission. Our results suggest a digital contact tracing app, if carefully implemented alongside other measures, has the potential to substantially reduce the number of new coronavirus cases, hospitalisations and ICU admissions. Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths.”
I was satisfied with what I had found so far, but I was also wondering what the mayor was up to. As it turned out, she was quite busy as well.
3. How to Create the App? Where to Store the Data?
First, one of her staff members had alerted her of a Washington Post report explaining that a substantial number of people expressed skepticism as to whether Google, Apple, and other tech companies would protect the privacy of their data collected in COVID-19 apps. In a poll of 1,008 adults, 57 percent of smartphone users report having a ‘great deal’ or a ‘good amount’ of trust in public health agencies, but only 43 percent trust tech companies [13]. These numbers were somewhat alarming to the mayor. However, as she learned later, Apple and Google had decided that instead of building the apps or storing the data, they mostly limited themselves to enabling the necessary access to the iOS and Android ecosystems and leave decisions about implementing the COVID-19 apps and storage of data to the authorities. Thus, the mayor figured, the question of trust is really more directed towards her administration.
Google and Apple had programmed their mobile operating systems, Android and iOS, such that apps can use application programming interfaces, or APIs, to request the use of sensors. Once they had decided to support the COVID-19 contact tracing effort, they went to work on a special Bluetooth API — the ExposureNotification API [6]. Now, the mayor faced the decision whether to use the API in the Alphaville COVID-19 app. Maybe, it was also possible to team up with neighboring cities, she thought. In any case, she found out that the app would need an Entitlement as Apple and Google would only allow governments and their contractors to use the API [14]. In addition to making the entitlement request, she also found that she needed developers to program the app and servers to store the data on. Fortunately, Google and Apple published an open source reference implementation of an ExposureNotification server [15]. At this point, the mayor felt that she had all the pieces of the puzzle together.
4. Getting Sufficient Users: the Adoption Problem
We set up another Zoom meeting and exchanged what we had found. But there was one more point I wanted to bring up. “You know,” I said, “getting users is hard. And especially in this situation you will require broad levels of adoption of your app among residents to be effective. A few users here and there are not going to make a big difference. It is true that low adoption rates can already cut the number of cases and deaths, but stopping the spread of COVID-19 needs an adoption rate of about 60 percent [12]. Also, not everyone has a smartphone. So, reaching this level of coverage will be some tough going.” The mayor injected here explaining, “I heard that Apple and Google are implementing ExposureNotification into the iOS and Android operating systems themselves. So, that should help, right?” That was a very good point. Once users update their operating systems and opt in, the tracing will work without requiring an app to be installed [16]. And this increase may in fact result in moving the goalpost towards better public health without decreasing privacy levels. With high numbers of users the Bluetooth approach may be as effective as the more privacy sensitive approaches.
“OK,” the mayor said, “I think I know what to do now. But let us assume for the sake of argument that the Bluetooth-based approach is not working for us, maybe because we cannot get a sufficient number of users, and we want to build our own app, how would we go about that?” “Well,” I said, “in that case, you can just build a normal app and use the generic location APIs to get devices’ GPS locations, for example. Keep in mind, though, that this will lead to fragmentation between users using your app and others using a different one. That is not great, especially, when travel is picking up again and people from different places with different apps are interacting with each other. And here is one other important thing: unfortunately, the problem cannot currently be resolved by using location APIs and the ExposureNotification API in the same app because Apple’s and Google’s developer licenses prohibit such use [17]. I really hope that Apple and Google will reconsider this point. The bottom line is that everything should be done to keep the userbase uniform and making the different approaches interoperable to have the biggest possible improvement of public health.” The mayor nodded and seemed eager to get to work.
5. A Path Forward to Reopening
“Here is my recommendation,” I said. “As with many things in life, moderation is key. Try to strike a balance between public healthcare needs and individual privacy:
- As you know, app contact tracing has the potential to supplement manual contact tracing. Thus, I think you should make the call and adopt it.
- In terms of which type of app to use, consider using Apple’s and Google’s ExposureNotification before moving to any other solution. Several countries in Europe are already committed and we need a uniform approach. So, if possible at all, Alphaville should follow the same approach. If that does not quite meet your needs, consider additional options starting with the least privacy-sensitive that we discussed in our first call. If you do decide to go that route, though, do not drop ExposureNotification. That should really be the baseline. Once Android and iOS updates are there, it would be prudent to ask all residents to turn the setting on.
- Whether you are using ExposureNotification or your own homebrew solution, it is a good idea to use privacy by design and implement policies to mitigate against overreach and abuse as laid out by the ACLU, for example. (a) Voluntariness, (b) limitation of use to public health, (c) minimizing the types, amounts, and time periods of data stored, (d) erasing data once their purpose is served, (e) being transparent about your practices, and (f) avoiding mission creep will make a good foundation for your app [18].”
With that, the mayor seemed happy, logged out of Zoom, and went ahead to reopen Alphaville. I took a sip of green tea and glanced out of the window thinking about what life would be like again.
The story is fictional, the technologies are real. If you liked this post, learn more about our work on web and mobile app privacy at the privacy-tech-lab. You can also reach me at szimmeck@wesleyan.edu.
[1] NBC News, Fauci warns of ‘little spikes’ becoming outbreaks, May 13, 2020.
[2] CORONAVIRUS UTAH.GOV, Healthy Together Beta App, accessed May 16, 2020.
[3] Healthy Together, Privacy Policy, April 21, 2020 (“We may receive information from you when you register to use Healthy Together. That information may include, among other things, your full name, phone numbers, and device identifiers.”)
[4] HowWeFeel, Data Sharing and Privacy Notice, March 27, 2020 (“We also ask that you share your location via device settings or in response to a question. We are not asking your name and will use a token or other unique identifiers to recognize your data relates to one person so we can avoid duplicate reporting.”)
[5] The Office of Governor Ned Lamont, Governor Lamont Encourages Connecticut Residents to Use the ‘How We Feel’ App to Improve COVID-19 Response, April 20, 2020.
[6] Apple, Exposure Notification, accessed May 16, 2020.
[7] Reed Albergotti and Drew Harwell, Washington Post, Apple and Google are building a virus-tracking system. Health officials say it will be practically useless., May 15, 2020.
[8] Fred Vogelstein and Will Knight, Wired, Health Officials Say ‘No Thanks’ to Contact-Tracing Tech, May 8, 2020.
[9] Casey Newton, The Verge, Why Bluetooth apps are bad at discovering new cases of COVID-19, April 10, 2020.
[10] Jason Marcel, Bluetooth Blog, 3 Common Myths About Bluetooth, October 9, 2019.
[11] Oxford University, Nuffield Department of Medicine, Big Data Institute, Using a Mobile App for Contact Tracing Can Stop the Epidemic, accessed May 17, 2020
[12] Fraser Group, Oxford University, Big Data Institute, Digital contact tracing can slow or even stop coronavirus transmission and ease us out of lockdown, April 16, 2020.
[13] Craig Timberg, Drew Harwell, and Alauna Safarpour, Washington Post, Most Americans are not willing or able to use an app tracking coronavirus infections. That’s a problem for Big Tech’s plan to slow the pandemic, April 29, 2020.
[14] Apple, Exposure Notification APIs Addendum (to the Apple Developer Program License Agreement), May 4, 2020.
[15] Google, Exposure Notification Reference Server, accessed May 17, 2020.
[16] Google, Exposure Notification Frequently Asked Questions, v1.1, May 2020.
[17] Apple, Exposure Notification APIs Addendum (to the Apple Developer Program License Agreement), May 4, 2020 (“3.3. A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality (excluding Bluetooth functionality included in the Exposure Notification APIs) and may not collect any device information to identify the precise location of users.”)
[18] Jennifer Stisa Granick, ACLU, Apple and Google Announced a Coronavirus Tracking System. How Worried Should We Be?, May 16, 2020.
