April 12, 2020

Testing, not tracing, is the privacy-preserving response to COVID-19.

Technology-enabled contact tracing seems like a rational response to the current pandemic. However, both the characteristics of SARS-CoV-2 and the unintended consequences of implementing some of the suggested technologies suggest that a coordinated social response is a better road forward.

This was originally posted on Medium on 2020-04-12.

Google and Apple have announced a partnership on a privacy-preserving COVID-19 contact tracing technology. The Pan-European Privacy-Preserving Proximity Tracing project (PEPP-PT) claims to enable tracing of infection chains across national borders. Both efforts present themselves as privacy-preserving approaches to contact tracing. Why are technologists choosing to respond to COVID-19 with contact tracing solutions? And are they actually protecting privacy?


Some things we know about COVID-19:

  • It is a zoonotic disease (one that crossed into humans from animals) against which humans have no natural immunity.
  • Indications so far are that the number of people who actually fall ill is a small percentage of those infected. Perhaps as many as 80% of those infected show no or only slight symptoms, yet they are still contagious.
  • The symptoms of COVID-19 are unspecific and similar to those of other common and minor illnesses.
  • There is no effective vaccine or specific treatment (as with most viral diseases). Treatment consists of treating the symptoms.
  • Only a reliable test procedure will identify infected persons.

We know it will take more than a year to develop a vaccine or treatment. The rational policy response is to limit the spread of the disease so that treating the seriously ill does not overwhelm the health system, that is, to ‘bend the curve’. The primary way to accomplish this is for people to modify their own behaviour. What each person chooses to do can save lives. To avoid becoming infected, people should practise physical (social) distancing and good hygiene, and clean regularly. Governments globally have issued various forms of stay-at-home orders to implement this policy, with varying levels of enforcement severity. And many governments are looking at contact tracing as a way to enforce or reinforce these policies. But will contact tracing give better and more useful data? Will it substantially change people’s behaviour? And what risks come with this kind of contact tracing?

Contact Tracing

Sound policy depends on good epidemiological models, and that modelling depends on understanding people’s actual behaviour combined with accurate data. On the face of it, therefore, developing and implementing contact tracing technologies would seem to provide better data and therefore be a worthwhile endeavour.

Contact tracing involves three steps:

  • Contact identification — identify the people likely to have been in contact with someone with a confirmed infection.
  • Contact listing — list and contact all the identified persons with information about the disease and the recommended responses.
  • Contact follow-up — monitor the contacts for symptoms and test them for the disease.

Note that both the first and third steps require testing for the disease.

According to their press release, “Google and Apple are announcing a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.” They are proceeding in two steps. The first is to release an Application Programming Interface (API) that lets mobile developers build contact tracing apps. Phones running such an app broadcast short-lived Bluetooth identifiers and record the identifiers of nearby phones. When a user self-reports a positive COVID-19 test, the keys from which that user’s identifiers were derived are published through a server; other phones download those keys and check locally whether any identifier they recorded matches, and their users are then notified that they have been in contact with a COVID-19-positive person. The second step is to build this functionality into the respective operating systems so that any Android or iOS phone can take part.
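To make the exchange just described concrete, here is a small Python model of a decentralized key-publication design. It is an added example for this page, not the Apple/Google or PEPP-PT code; the labels, key lengths, the 10-minute rotation and the scenario (Alice, Bob, Carol, and a shop logging Bluetooth) are constructed assumptions. Each phone derives a daily key from a secret that never leaves the device, broadcasts identifiers derived from that key, and records what it hears; the server only ever receives the daily keys of a user who reports a positive test, and matching happens on each phone. The model also demonstrates the caveat that comes with publishing those keys: a third party who logged identifiers can, after publication, link every identifier of that day to one person.

```python
"""Simplified model of a decentralized proximity-tracing exchange (added example,
not Apple/Google or PEPP-PT code). Labels, key lengths and the 10-minute
rotation are assumptions of this model, not the published specifications."""
import hashlib
import hmac
import secrets

DAY_SECONDS = 86_400
INTERVAL_SECONDS = 600            # assumed: identifiers rotate every 10 minutes
KEY_LEN = 16                      # assumed: 16-byte day keys and identifiers


def hkdf_expand(key: bytes, info: bytes, length: int) -> bytes:
    """Single-block HKDF-Expand (RFC 5869 T(1)); sufficient for length <= 32."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()[:length]


def daily_key(tracing_key: bytes, day: int) -> bytes:
    """Per-day key derived from the phone's long-term secret and the day number."""
    return hkdf_expand(tracing_key, b"MODEL-DTK" + day.to_bytes(4, "little"), KEY_LEN)


def interval_of(ts: int) -> int:
    """Index (0..143) of the 10-minute interval within the day."""
    return (ts % DAY_SECONDS) // INTERVAL_SECONDS


def proximity_id(dkey: bytes, interval: int) -> bytes:
    """Rotating identifier broadcast over Bluetooth during one interval."""
    mac = hmac.new(dkey, b"MODEL-RPI" + bytes([interval]), hashlib.sha256).digest()
    return mac[:KEY_LEN]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.tracing_key = secrets.token_bytes(32)   # never leaves the device
        self.heard = []                              # (day, identifier) pairs observed

    def broadcast(self, ts: int) -> bytes:
        return proximity_id(daily_key(self.tracing_key, ts // DAY_SECONDS), interval_of(ts))

    def hear(self, ts: int, rpi: bytes) -> None:
        self.heard.append((ts // DAY_SECONDS, rpi))

    def diagnosis_keys(self, days):
        """Uploaded only after a positive test: day keys, not identifiers or contacts."""
        return [(d, daily_key(self.tracing_key, d)) for d in days]

    def matches(self, published):
        """Local matching: re-derive all 144 identifiers of each published day key."""
        hits = []
        for day, dkey in published:
            ids = {proximity_id(dkey, i) for i in range(DAY_SECONDS // INTERVAL_SECONDS)}
            hits += [(d, r) for d, r in self.heard if d == day and r in ids]
        return hits


def link_sightings(published, sightings) -> bool:
    """Caveat: once a day key is public, anyone who logged identifiers (a shop, an
    advertising beacon) can tie every identifier of that day to one person and
    learn where and when that person was seen. True if all sightings link to one key."""
    owners = []
    for ts, rpi in sightings:
        for d, dkey in published:
            if d == ts // DAY_SECONDS and proximity_id(dkey, interval_of(ts)) == rpi:
                owners.append(dkey)
    return len(owners) == len(sightings) and len(set(owners)) == 1


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob meet for two intervals; Alice tests positive."""
    day = 18364                                   # 2020-04-12 UTC as a day number
    t_cafe = day * DAY_SECONDS + 9 * 3600         # 09:00
    t_shop = t_cafe + 8 * 3600                    # 17:00, Alice alone elsewhere
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")

    for ts in (t_cafe, t_cafe + INTERVAL_SECONDS):   # Bluetooth exchange in the cafe
        bob.hear(ts, alice.broadcast(ts))
        alice.hear(ts, bob.broadcast(ts))

    # A third party logging Bluetooth sees Alice at two places on the same day.
    observer_log = [(t_cafe, alice.broadcast(t_cafe)), (t_shop, alice.broadcast(t_shop))]
    linkable_before = len({r for _, r in observer_log}) == 1   # distinct ids: no link

    server = alice.diagnosis_keys([day - 1, day])   # all the server ever receives
    return {
        "bob_exposures": len(bob.matches(server)),
        "carol_exposures": len(carol.matches(server)),
        "linkable_before_upload": linkable_before,
        "linkable_after_upload": link_sightings(server, observer_log),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running run_scenario() reports two exposures for Bob, none for Carol, and the observer’s two sightings of Alice changing from unlinkable to linkable once her keys are published. That last result is the design’s trade-off: the server learns nothing about who met whom, but a positive user’s movements on the published days become reconstructible by anyone who logged identifiers, and any assessment of the privacy claims has to weigh that.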

The Pan-European effort is similar. By using anonymous identifiers and storing the proximity history (the identifiers of nearby devices, not locations) on each person’s device, the system endeavours to reduce or eliminate the disclosure of information without the person’s consent or knowledge. Like the Apple/Google effort, a central and trusted service is still required to mediate the system. As far as this system is concerned there are three kinds of people:

  1. People who are not infected yet.
  2. People who are infected and contagious but who have no symptoms.
  3. People who are infected and contagious and who are showing symptoms.

Other firms are jumping in, but with motives that are less apparently altruistic. Coronavirus tracing, after all, creates a new market opportunity.

If these technologies are implemented, how many people will be contacted who will then need to be tested? As of April 11, 2020, the Government of Canada reported 404,651 tests resulting in 23,301 confirmed cases of COVID-19. If I assume that each of those people had an average of 3 contacts per day and that contact tracing needs to go back two weeks, then 23,301 × 3 × 14 = 978,642 Canadians need to be contacted and tested. And if each of those contacts in turn generates another list of 3 people, the number explodes to 2,935,926, roughly 8% of a Canadian population of about 38 million. The number is much larger if you consider that the consensus is that the reported cases are a much smaller number than the actual cases in the population. When the number of people needing to be contacted and tested is such a significant portion of the population, the question becomes whether the effort necessary to do contact tracing is the best use of resources. Should we skip the contact tracing and go right to mass testing and random testing to obtain the necessary data as quickly as possible? In either case, the clear necessity is a very large number of tests in a short period of time.

It should also be noted that implementing contact tracing through smartphone APIs and operating system updates raises the possibility that only people with reasonably current or expensive phones will be able to ‘take advantage’ of the new systems. In other words, this approach risks, yet again, exacerbating digital divides and putting the poor and marginalized at greater risk.

If the benefits of contact tracing are less than they first appear, what about the risks? The technology proposals, notwithstanding their claims to be privacy protective, increase the speed of the transition to a surveillance society. It is already the case that everyone with a smartphone is carrying a self-identifying surveillance device. These proposals create the surveillance infrastructure to accompany the surveillance device. The projects’ claims to be privacy protective are therefore open to challenge. Both apply privacy by design and build their own conception of privacy into their proposals. But does the current technological conceptualization of privacy align with people’s lived experience?

Privacy shouldn’t be thought of as secrecy, or as based on the notion of people seeking solitude. Privacy is sometimes characterized as “the right to be left alone”, but that fails to capture the essence of privacy. The formulation of privacy as the claim of individuals to determine what information about them is communicated to others [Westin, Privacy and Freedom] is better. But privacy is not just an individual right. To think that is to miss the fundamentally social and relational nature of privacy. Whether I choose to share intimate details of my life with a close friend, or I choose to share an interesting life experience with a group of colleagues at a social event, I am choosing what I disclose and to whom using a set of social rules and conventions that I (usually) share with the person or people to whom I disclose the information. Information disclosed this way becomes co-managed and jointly owned. Systems based on ‘notice and consent’ or ‘terms of use’ do not work this way. Rather, they involve transferring management of the information to another party and losing control. This understanding of privacy works for ‘surveillance capitalism’ but tends to be disempowering for individuals, even in the context of contact tracing based on centralized services and systems. These proposals have a potentially dystopian end-state.

I’m pretty sure that someone, somewhere, has already worked out that the per-person cost of a wrist-worn device with GPS, Bluetooth and a QR code display would be low enough to allow population-wide mandatory contact tracing, and any other population surveillance the state deems appropriate. What could possibly go wrong?

Notwithstanding the contact tracing technologies described above, accurate and reliable epidemiological models of the current pandemic will likely not be available until after the pandemic has receded and full data sets are available. Those models can then be used to improve preparations for future outbreaks and to provide lessons for the next ‘new’ virus. In the meantime, a better use of our limited resources is to expand testing. This will provide better data now, enabling more people to self-isolate and informing governments and others where to provide the supports that individuals and health service providers need.

We need a social solution, not a technical solution, to limiting the spread of this type of pandemic (as opposed to the clear and present necessity for contact tracing for a viral infection like Ebola). Governments that proactively and transparently engage and inform their citizens have the best chance of dealing with this pandemic without risking the creation of an authoritarian toolkit available for any future government to pick up.

Addendum: See Ross Anderson’s post “Contact Tracing in the Real World” for a leading security expert’s view on this.