As the global fight against the COVID-19 pandemic continues, much of the world is pinning its hopes of easing lockdowns on being able to quickly identify people who might have been exposed to the virus. But such ‘contact tracing’ is generally a laborious, slow process that relies on in-person interviews and detective work. Enter the smartphone: a new breed of app aims to automate the process of retracing a person’s movements to find people they might have infected — and possibly notify those people at the earliest possible stage.
The efficacy of such apps has yet to be proved. Modelling suggests they can help to slow the spread of the virus — but only if enough of the population uses them. A preprint from a group at the University of Oxford, UK, suggests that a take-up threshold of 60% of the population can bring an outbreak under control [1]. The apps have also raised privacy concerns, because some need to store user data on central servers if people are to be identified and tracked. And even proponents of the apps say that, to be most effective, they still require human contact tracers in the loop to conduct follow-up interviews.
Over the past two months, researchers and developers around the world have been racing to design protocols that can win public trust and gain wide adoption. They’ve received a boost from the tech giants Apple and Google, which are implementing a common platform through an operating-system update that is widely praised by cryptographers.
Still, there is no guarantee that any app will work as intended to help curb the pandemic. And without widespread testing for the virus and high levels of uptake, their efficacy will be muted. “The fundamental thing is, this could all turn out to be garbage. None of it could work,” says Matthew Green, a cryptographer at Johns Hopkins University in Baltimore, Maryland. “We have to try. We just don’t know.”
Contact tracing’s new era
Many regions that have made contact tracing a key part of their COVID-19 playbook — including China, South Korea, Taiwan and Israel — have empowered contact tracers with sensitive details of infected people, including CCTV footage, credit-card transactions and location data from mobile-phone carriers. But in places where such solutions are likely to be incompatible with privacy expectations, Bluetooth tracing has proved alluring.
During the past two months, several research groups have developed privacy-minded protocols, including the TraceTogether team in Singapore, the Private Automated Contact Tracing (PACT) group led by researchers at the Massachusetts Institute of Technology (MIT) in Cambridge, and the largely European consortium Decentralized Privacy-Preserving Proximity Tracing (DP-3T).
These three teams have embraced a basic common concept (see ‘App-based contact tracing’). A smartphone regularly broadcasts a random string of characters that serves as a pseudonym to other phones using Bluetooth’s low-energy specification for sending short bursts of data. The phone adopts a new string every 15 minutes or so to further anonymize the pseudonyms. At the same time, it logs every ‘chirp’ it hears from other phones, as well as information about the signal strength to estimate how close they are.
If a person is found to be infected, they can consent to uploading their phone’s list of encounters with other phones to a database maintained by the app’s operator. No identifying or location information is retained. Other phones can download that database, compare it with their encounter history, and alert the users if they have been exposed to the infected person for long enough to have put them at risk of infection. Or, as in Singapore, human contact tracers review the data and notify contacts manually.
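The exchange described in the two paragraphs above can be sketched in a few lines of Python. This is an added illustration, not code from TraceTogether, PACT, DP-3T or Apple and Google. It assumes that the infected phone publishes the pseudonyms it broadcast itself and that matching happens on each receiving phone; the signal-strength cut-off, the exposure duration and the one-chirp-per-minute rate are assumed values, not figures from the article.

```python
import secrets

ROTATION_SECONDS = 15 * 60      # article: a new pseudonym "every 15 minutes or so"
RSSI_NEAR_DBM = -65             # assumed cut-off for "close"; not from the article
MIN_EXPOSURE_SECONDS = 15 * 60  # assumed "long enough"; not from the article
SCAN_SECONDS = 60               # assumed: one chirp logged per minute

class Phone:
    def __init__(self):
        self.sent = {}   # rotation slot -> random pseudonym this phone broadcast
        self.heard = []  # (pseudonym, rssi_dbm) for every chirp received

    def chirp(self, now):
        slot = now // ROTATION_SECONDS
        if slot not in self.sent:
            self.sent[slot] = secrets.token_bytes(16)  # no identity, no location
        return self.sent[slot]

    def listen(self, pseudonym, rssi_dbm):
        self.heard.append((pseudonym, rssi_dbm))

    def upload(self):
        # What a user who tests positive consents to publish (assumed design).
        return set(self.sent.values())

    def exposure_seconds(self, published):
        # Matching runs on the phone: count only strong-signal chirps that
        # carry a published pseudonym.
        near = [p for p, rssi in self.heard
                if p in published and rssi >= RSSI_NEAR_DBM]
        return len(near) * SCAN_SECONDS

    def at_risk(self, published):
        return self.exposure_seconds(published) >= MIN_EXPOSURE_SECONDS

def simulate():
    # Constructed scenario: alice later tests positive. bob stands next to her
    # for 20 minutes, dave for 5 minutes, carol stays across the room for 40.
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    for minute in range(40):
        a = alice.chirp(minute * 60)
        carol.listen(a, -88)
        if minute < 20:
            bob.listen(a, -58)
        if minute < 5:
            dave.listen(a, -55)
    published = alice.upload()
    phones = {"bob": bob, "carol": carol, "dave": dave}
    return len(published), {n: p.at_risk(published) for n, p in phones.items()}

if __name__ == "__main__":
    print(simulate())
```

Only bob is alerted: carol heard every chirp but at a weak signal, and dave was close for too short a time, which is why the distance-estimation problem raised later in the article matters so much.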
Singapore’s TraceTogether app was developed by the country’s health ministry and technology agency, and was released on 20 March. Although groundbreaking, it exposed one glaring technical limitation to this general approach: because of the privacy measures imposed on Bluetooth function by Apple’s operating system, for the app to be useful, iPhones must remain unlocked all the time with the app open, a major inconvenience and a drain on the battery.
‘Gappling’ with solutions
On 10 April, Apple and Google announced that they would collaborate on a common contact-tracing platform. The two tech giants are implementing cryptographic functions to generate and process the pseudonyms directly into the operating systems. That would resolve the iPhone battery issue by allowing apps to collect contact data in the background. This also adds an extra layer of security — even the apps cannot see the raw chirps. Instead, the protocol will be accessible to public-health agencies wishing to use it for their own apps through an application-programming interface (API) called the ‘Exposure Notification API’, which will allow these apps to log and receive data. The API is expected to be released publicly by the end of May.
Security experts have hailed Google and Apple’s collaboration, dubbed ‘Gapple’. “It’s incredible that they were able to come up with this as quickly as they have, and also in partnership with each other,” says Sarah Kreps, a political scientist at Cornell University in Ithaca, New York, who studies surveillance systems and cybersecurity.
Although countries will still need to develop their own apps to take advantage of the new protocol, the handling of the pseudonyms takes place entirely on users’ phones.
Advocates of this ‘decentralized’ approach include TraceTogether, PACT and DP-3T, all of which say they have provided feedback to Apple and Google. “We’re very happy because their protocol is basically our protocol,” says James Larus, a computer scientist at the Swiss Federal Institute of Technology in Lausanne and a member of the DP-3T group.
The approach is not without risk, researchers acknowledge, but exploiting that risk would require significant effort by hackers for seemingly little reward. For example, they would have to turn on a different phone every time they came near a different person and wait several days to see if it reported a positive test result. “There’s this little tiny window for abuse, but it’s so small,” says Green.
But not all proposed protocols and apps follow these decentralized principles.
Some store all users’ interaction data on government servers that analyse the data and perform the contact matching. Proponents say that this ‘centralized’ model allows health authorities to use the database to piece together a view of the network of contacts, enabling further epidemiological insights such as revealing clusters and superspreaders.
But if the database is hacked, the anonymity provided by rotating pseudonyms is nullified, and individuals can be more easily tracked. Plus, says Kreps, “there’s a risk of function creep and state surveillance”. “I have little faith in government’s ability to keep data like this secure,” says Green.
A German-led effort sought to create a European consortium built around a centralized approach called Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). But that attempt has faded as support has grown for the decentralized approach pushed by DP-3T. Germany itself switched to the Gapple approach on 26 April.
The United Kingdom and France are still pursuing centralized options, and the United Kingdom began testing its National Health Service app on the Isle of Wight on 4 May. But because this app eschews Apple and Google’s protocol, it will not be able to run in the background on iPhones. “That’s a nail in the coffin,” says Green. (A Gapple app for the United Kingdom is in parallel development, according to an 8 May report in the Financial Times.)
Some apps go even further and collect GPS location data, sending it to a central server. Examples include India’s Aarogya Setu app, which has been downloaded by 100 million users, as well as apps developed by several US states, including Utah and North and South Dakota. Apple and Google will not let apps that record location data use their APIs.
Beyond concerns over privacy, one key practical challenge to phone-based contact tracing is making accurate measurements of how close two devices are. Signal strength can vary on the basis of the orientation of the phone and whether it is in your hand or in your pocket, says Daniel Weitzner, a leader of the PACT group at MIT. “We’re going to need information besides just the Bluetooth signal strength to make those measurements work right,” he says.
Another challenge is ensuring that enough people download the app to make it effective. The TraceTogether team said that 1.1 million people had downloaded its (non-Gapple protocol) app as of 20 April — roughly one-fifth of Singapore’s population. But that means there’s just a 4% chance that any two given people will have the app, limiting its efficacy. One recent study [2] of 2,612 Americans, by a team including Kreps, reports “widespread reluctance” to embrace smartphone-based contact tracing. Only about one in four respondents (27%) “expressed willingness to download a hypothetical app with GPS location tracking, while 32% were willing when the app was described as using non-location-tracking Bluetooth technology”, the team reported. According to a report in The New York Times, only about 3% of the population of North Dakota had downloaded that state’s Care19 app as of late April.
Apps also obviously exclude anyone who doesn’t own a smartphone — who are often among those most vulnerable to COVID-19, such as older people and migrant workers.
In Singapore, for instance, foreign workers have borne the brunt of the country’s roughly 24,000 cases. Many of those 1.4 million individuals cannot afford smartphones and live in crowded dormitories, with up to 20 people in a room. In such a scenario, contact tracing is less important, because almost everyone is exposed to the virus, says Hsu Li Yang, an infectious-diseases physician at the National University of Singapore.
But widespread access to Bluetooth-based tracing could alleviate another problem that the migrant-worker population faces in Singapore’s manual contact-tracing process, Hsu says — they are often not well served by in-person interviews because of language barriers. Another option would be to produce and distribute a cheap wearable device devoted to contact tracing. The authorities in Singapore have said they are exploring this possibility.
Still, in a white paper [3], the developers of Singapore’s app caution against “an over-reliance on technology” and argue that contact tracing “should remain a human-fronted process”.
Indeed, distrust of governments and wariness of big tech could provide the biggest challenges to mobile-phone-based contact tracing. “We’re living in the era of the ‘techlash’,” says Kreps.
In the aftermath of the 2015 outbreak of Middle East respiratory syndrome (MERS) in South Korea — which resulted in 186 cases and 38 deaths — the country’s national assembly authorized the government to access records such as mobile-phone location data and release the reconstructed movements of infected cases to the public. Combined with a rapid ramp-up of virus testing and social distancing, this strategy worked well when COVID-19 struck. By the end of April, reported cases of community transmission had fallen to nearly zero. In mid-May, a new cluster of more than 160 cases emerged, traced to nightclubs in Seoul. But as of 17 May, the number of daily cases of local transmission had fallen again to single digits. Surveys show that the South Korean public broadly supports the interventions.
There’s no reason that other countries couldn’t do the same, except for a lack of trust in government, says Green. In the United States, he says, the infrastructure is already in place for widespread tracking. “Unfortunately, the idea of letting a government use that information is going to run into a lot of red flags from people, probably rightly. At the same time, this information is used every day — it’s just used in service of targeted advertising, which is something that we sort of put up with.”