The good and the bad of Apple-Google’s privacy-preserving Contact Tracing

John Payette
7 min read · Apr 11, 2020

“Please stay at home” and soon…“Please install the covid app”

In a first-of-its-kind effort, Apple and Google have united forces to specify a Bluetooth-based contact tracing framework that any government agency could use in its covid-19 contact tracing app. Will this become the de facto standard? Quite likely. And instead of “Please stay at home”, we will soon see public billboards and signs on balconies with “Please install the covid app”.

What is this all about?

For those who haven’t followed, contact tracing allows tracing back a potential chain of infections and gives early warnings to potentially infected people. This usually starts with Alice, diagnosed with covid-19, telling a detective all her whereabouts and encounters from recollection of the last 14 days or so. While this is a tedious process prone to human recollection errors, technology can achieve the same automatically with great accuracy.

Simply put, using Bluetooth Low Energy (BLE) Alice’s phone can transmit a signal at all times (up to 50m), which others can scan and log. This works both ways, so Alice’s phone knows it was in proximity to Bob’s phone and Bob knows he was in proximity to Alice. The content carried by the signal needs to relate to the sender in order to know who was around and when, so that a potential infection path can be “traced back” when needed. But instead of sending a personal identifier, here’s the trick to stay anonymous: you just send a random number that you change from time to time, which others save when scanning/seeing you. When Alice is diagnosed positive, she will send a message saying “I’m ill and I transmitted the following random numbers in the past 14 days. Whoever saw me for more than X min is at risk.” This message is sent to all phones, which then individually check if they have those random numbers from Alice in their logs. If there’s a match, this means they’ve been in contact with Alice. With this approach, all the processing is done on the phone and not in the cloud (aka Google and Apple), which knows nothing about the people you encountered! This great infographic provides more details about this privacy-preserving approach.

With lock-down measures being gradually lifted soon, contact tracing could prevent and mitigate the resurgence of the so-called 2nd infection wave. Of course, this is not THE only solution and should be part of an array of tools and measures like serological tests.

Soon your governments or health agencies will recommend you to install their covid tracing app, which could look like this very nice prototype of the Dutch App. In a few weeks, your phone will also notify you about a new OS update with the usual security fix for x,w,z but also a new covid-19 OS contact tracing feature, yeah!

For this to work it is of utmost importance that a majority of the population opts into this feature and/or installs the same contact tracing app. If not, we’ll only get fragmented reports of potential infection chains, which would render the whole system useless. Say we have Alice, Bob and Dave. Alice is diagnosed with covid and infected Bob, who in turn infected Dave. If Bob doesn’t have the app installed, he and Dave will never know they should quarantine, wear a mask and distance even more from others as they are potentially infectious. We need massive adoption.

The best way to make sure contact tracing is adopted and works is for the population to fully understand what is at stake and also trust the technical solution put in place. This is what this blog post is about.

What are the main advantages of the Google-Apple framework?

It provides a universal framework working across all devices and even all apps based on it. This will make apps from different governments or health agencies compatible worldwide! No need to install yet another covid app when going to another country (when travel bans are lifted, obviously). Worst would be boarding a plane with tens of nationalities, all using different apps and different — and incompatible — contact tracing technologies.

Second, most of the technical work has been hashed out by Google and Apple. They solve all the technical hurdles, from Bluetooth peer discovery to contact matching, all in a privacy-preserving way. It will also go unnoticed on your battery. A government is just left with designing the app’s Graphical User Interface (GUI), as most of the hard logic is now on Apple and Google’s side. This is a good task allocation split, no?

And actually, the app doesn’t even know what is being advertised in the Bluetooth signal, so your governments cannot collect any logs. It just tells the OS “please run the contact tracing framework and notify me (and the user) if I’m potentially at risk”. That’s all the app has to handle, simple.

Third, Google-Apple’s new Bluetooth framework will not require the user to grant any permissions. To use the existing Bluetooth Low Energy (BLE) APIs of Android and iOS, Apple and Google require apps to ask the user to grant the location permission, even though BLE doesn’t track your location per se like GPS does. With Google-Apple’s solution, a government app focusing only on tracing contacts will not need to request any permissions and will not be able to track your location (either through GPS or cell location). Even with an open-source app, you don’t want to grant this permission.

Last but not least, this framework will run continuously in the background, even when your phone is in your pocket. Apple and Google have severe background restrictions for most apps. Unless you are a navigation app like Waze, most apps cannot and are not allowed to run in the background, in order to save battery. Android even has doze and standby modes where the device goes completely to sleep after the phone hasn’t been used by the user for a while. With the new framework, BLE will be continuously advertising and scanning in the background since it is managed by the OS (and not an app), so it won’t be missing any — potentially important — contacts. Well, your phone still needs to save battery, and the Google-Apple specs specify that scans will only be performed every 5 min at minimum, so some contacts will be missed. For example, Alice might have hopped on a bus for 1 or 2 stops and infected you without your phone logging she was even there. 5 min is still a good tradeoff given what we know about the covid-19 infection likelihood with co-location time. Actually, we could learn a lot if we could analyse contact traces. More on that later.

What does this mean for existing contact-tracing initiatives?

The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project has taken a stand to preserve privacy. The Google-Apple framework more or less re-uses their privacy-preserving approach. Good job!

Like others, apps based on the PEPP-PT framework, which itself relies on the “older” BLE APIs provided by Apple and Google, will be impacted by the background restrictions mentioned above. This will result in many missed contacts. I challenge the partners of this project to provide a quantitative estimation of the impact of those restrictions. To illustrate this, let’s take the example of the Alice->Bob->Dave infection chain where all are running the PEPP-PT-based app. If all of them have their phones in their pockets while being close by, the phones are “sleeping”, BLE is not running and the infection chain will not be uncovered. Basically the same result as not having the app installed. And also, since I’ve been there before, we shouldn’t underestimate the difficulty of implementing the technology while making sure it is not depleting your phone’s battery. Better leave this to those who implemented the Bluetooth stack in the first place and leave this running where it should be running — at the OS level, not the app level.

The one million life question?

Now the main dilemma our political deciders will be faced with is this: either use the Google-Apple framework, which is universal, battery-efficient and privacy-preserving, where all the technical hurdles have been solved and it just needs to be plugged into a nice GUI, at the expense of losing some sovereignty over how this is implemented since it is closed-source; or use an open-source solution, publicly auditable but less efficient (and prone to battery issues), resulting in more missed contacts.

While the former looks way more appealing, it also comes with its downsides. To take a concrete example, say epidemiologists want to analyse the contact data to better understand how the virus spreads (assuming data can be collected, which is NOT the case with the current frameworks reviewed here). Those epidemiologists will have to go to Google and Apple and beg for access to the data. This is very unlikely to happen, as it would require Google-Apple to collect data, which could ultimately jeopardise the trust we put in our phones and in this new tracing feature. With the PEPP-PT approach, this could be implemented fast under a more transparent governance. A subset of people could be asked if they want to contribute their contact data for research, with PEPP-PT collecting the data and providing it to all research institutes who want to analyse it. Way more likely to happen.

I think the public should be broadly aware of this tradeoff between the two main solutions that many countries might consider using. Neither approach is optimal; it’s just a tradeoff in the hands of our political leaders to decide on. But ask yourself: who do you trust more to get this working at scale and to have any meaningful impact on the current situation? For me the answer is quite clear, and you?

This blog post is the first of a series delving into contact tracing and the different approaches currently being developed. I’d like to thank family and friends who provided feedback on this post.

Disclaimer: I’m not affiliated with any of the projects listed above. I researched mobility models based on contact traces using the same Bluetooth technologies. I co-created p2pkit.io, an iOS/Android peer discovery framework. At Refunite.org, I developed a decentralised peer-to-peer social networking Android app using the same technology.

FAQ — How are we sure Google and Apple will not send your contact logs to their cloud?

We can’t be sure. But clearly they will be under the scrutiny of all the crypto and privacy-preserving communities, be they academic or NGOs.

FAQ — I’ll add most FAQ here.
