There is an astounding amount of misinformation about how contact tracing works in the digital space, partly because the technology is so new and partly because journalists are overworked and don’t have time to dig into it. I’m hoping to provide a layman’s guide to how this technology works now, how it’s going to work in the future, and my personal concerns.
The Australian government announced today that it will release its own contact tracing app in the next few weeks. Contact tracing, in the epidemiological sense, means working out who an infected person has been in contact with, and when, so that those contacts can be found, tested and isolated before the infection spreads further through the population.
Traditionally it is done through interviews, eyewitnesses, reviewing surveillance footage, analysis and things of that nature. These days the vast majority of people carry computers in their pockets that are constantly communicating with each other and with the internet. The Australian Government is going to release an app that passively uses your mobile phone to keep a log of the other phones that have been near yours for a prolonged period of time.
BlueTrace — The Basics
BlueTrace is quite elegant and designed from the ground up to preserve privacy. You install the app. It fetches a batch of short-lived temporary identifiers (TempIDs) from the health authority’s server, none of which contain readable personal information, and broadcasts the current one over Bluetooth Low Energy, rotating to the next one every 15 minutes or so. To other devices you look much like an Apple Watch or a Fitbit. Because a BLE receiver reports the received signal strength (RSSI) of each packet it hears, a phone can make a rough estimate of how far away another device is. Rough is the operative word: RSSI changes with the orientation of the phone, whether it is in a pocket or a bag, and the bodies between the two devices, so it only separates “near” from “far”, not metres from centimetres. The same idea is how an Apple Watch can unlock a Mac: if the watch is near enough, the Mac unlocks based on proximity.
Keep in mind your phone and the devices you own are doing this constantly. Ever used handoff to send a thing from your iPhone to your Mac? That’s BLE. Ever used AirDrop? That’s BLE. Every time you flip open your AirPods case to check the battery levels it’s broadcasting a bluetooth LE signal that your iPhone detects to show you the cool animation with the battery levels. This technology is mature and well understood.
Your app records the identifiers it comes into contact with, along with a timestamp and the signal strength, and keeps that log for a rolling 21 days. A sighting only counts as a contact if the same identifier is seen for more than a certain period of time (at the moment this seems to be 15 minutes, but that appears to be bound to Background App Refresh frequency windows; please email me if I’m wrong about this).
If 21 days sounds familiar, it is: it’s a reasonable statistical bound on the period within which, were you infected, you would exhibit symptoms.
Say you have the app installed and you’ve been using it for a few weeks. You come down with a fever and a cough. You go to your doctor and get a test. If you test positive, the health authority gives you a one-time code, and entering that code into the app authorises it to hand over what it has recorded.
That step uploads your encounter log (the TempIDs your phone saw, with timestamps and signal strengths) to the health authority’s server. Because the server issued every TempID in the first place, it is the only party that can turn them back into the phone numbers they were issued to. It works out who was close enough for long enough, and contacts those people directly to tell them they have been near a confirmed COVID-19 case and need to get tested or self-isolate. The other phones never learn who you are, and your phone never learns who was behind the identifiers it recorded.
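To make the flow above concrete, here is an added toy model in Python, written for this article rather than taken from TraceTogether, COVIDSafe or the BlueTrace reference code. It exchanges rotating identifiers between phones, keeps a 21-day log with RSSI and duration, estimates distance from RSSI with a log-distance path-loss formula, and has the health authority resolve an uploaded log into the people it would call. The thresholds, the path-loss calibration constants, the user names and the scenario are all assumptions; real BlueTrace encrypts the user identity into the TempID, whereas this toy uses random tokens and a server-side lookup table, which keeps the trust model (only the server can resolve an identifier) but is simpler to read.

```python
"""Toy model of a BlueTrace-style encounter log and the health authority's
contact-resolution step.  Constructed example for this article, not the
TraceTogether or COVIDSafe source.  Assumed parameters: TempIDs rotate every
15 minutes, the log is pruned to 21 days, a contact needs 15 cumulative minutes
within an estimated 2 m, and distance comes from a log-distance path-loss
model whose calibration constants are made up."""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

DAY = 86400
RETENTION = 21 * DAY          # rolling window the phone keeps encounters for
TEMPID_LIFETIME = 15 * 60     # seconds a broadcast identifier stays valid
CONTACT_THRESHOLD = 15 * 60   # cumulative seconds near one person that counts
MAX_DISTANCE_M = 2.0          # estimated-distance cut-off for a valid encounter


def estimate_distance(rssi, rssi_at_1m=-60, path_loss_exp=2.5):
    """Log-distance path-loss estimate: d = 10 ** ((P_1m - RSSI) / (10 n)).
    Both constants are per-device calibration guesses; real RSSI is noisy."""
    return 10 ** ((rssi_at_1m - rssi) / (10 * path_loss_exp))


@dataclass
class Encounter:
    ts: int        # unix time the identifier was observed
    tempid: str    # the other phone's TempID at that moment
    rssi: int      # received signal strength, dBm
    duration: int  # seconds the identifier stayed in range


class HealthAuthority:
    """Issues TempIDs and is the only party able to map them back to a user.
    Assumption: a lookup table stands in for BlueTrace's encrypted TempIDs."""

    def __init__(self):
        self._owner = {}

    def issue_tempids(self, user_id, start, count):
        """Return [(valid_from, tempid), ...] for `count` consecutive slots."""
        batch = []
        for i in range(count):
            tid = secrets.token_hex(16)       # opaque to every other phone
            self._owner[tid] = user_id
            batch.append((start + i * TEMPID_LIFETIME, tid))
        return batch

    def resolve_contacts(self, uploaded_log, now):
        """Turn a diagnosed user's uploaded log into the users to be called."""
        seconds = defaultdict(int)
        for enc in uploaded_log:
            if now - enc.ts > RETENTION:                       # stale entry
                continue
            if estimate_distance(enc.rssi) > MAX_DISTANCE_M:   # too far away
                continue
            owner = self._owner.get(enc.tempid)
            if owner is not None:
                seconds[owner] += enc.duration
        return sorted(u for u, s in seconds.items() if s >= CONTACT_THRESHOLD)


@dataclass
class Phone:
    user_id: str
    tempids: list                      # batch fetched from the authority
    log: list = field(default_factory=list)

    def current_tempid(self, now):
        """The identifier this phone is broadcasting at `now`."""
        live = [t for start, t in self.tempids if start <= now]
        return live[-1]

    def observe(self, other, rssi, now, duration):
        """Record the other phone's current TempID (never a user name)."""
        self.log.append(Encounter(now, other.current_tempid(now), rssi, duration))

    def upload(self, now):
        """Prune to the retention window, then hand the log over."""
        self.log = [e for e in self.log if now - e.ts <= RETENTION]
        return list(self.log)


def simulate(now=1_600_000_000):
    """Constructed scenario; returns who the authority would call about alice."""
    ha = HealthAuthority()
    slots = 31 * (DAY // TEMPID_LIFETIME)      # a month of identifiers each
    phones = {n: Phone(n, ha.issue_tempids(n, now - 30 * DAY, slots))
              for n in ("alice", "bob", "carol", "dave", "eve")}
    alice = phones["alice"]
    for i in range(4):   # bob: 20 min at ~1.6 m yesterday -> counts
        alice.observe(phones["bob"], -65, now - DAY + i * 300, 300)
    for i in range(6):   # carol: 30 min but ~10 m away -> dropped on distance
        alice.observe(phones["carol"], -85, now - DAY + i * 300, 300)
    alice.observe(phones["dave"], -62, now - 2 * DAY, 300)     # only 5 min
    alice.observe(phones["eve"], -60, now - 22 * DAY, 3600)    # 22 days ago
    # alice tests positive, enters her code and uploads; the server resolves
    return ha.resolve_contacts(alice.upload(now), now)
```

Running `simulate()` returns `['bob']`: Carol is filtered on estimated distance, Dave on cumulative duration, and Eve because the sighting fell outside the 21-day window. Note where the sensitive step lives: nothing in Alice’s log names anyone, but the server can resolve every TempID in it, which is exactly why the upload is gated behind a code the health authority issues.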
Thus far this all sounds pretty benign. Until you test positive, everything your phone records stays on your phone, and the only thing that ever leaves it is the encounter log you choose to upload. Being identified as COVID-19 positive never tells the people you’ve been in contact with who you are or any personal information about you. It’s an impersonal but effective way to tell people that they may have been exposed.
This system is still incomplete.
Why doesn’t this work?
Given a set population, effective contact tracing of this kind needs substantial take-up. In the developed world mobile phone ownership is close to universal: almost every Australian resident has a cellular phone plan, and the vast majority of consumer plans (98%+) are attached to a phone running some variant of iOS or Android.
The BlueTrace model, compelling as it is, falls apart in practice because it needs something like 60% or more of the population (based on these numbers from The Economist) to have the app installed before it traces contacts effectively. In the Australian market the apps with that degree of penetration are things like Instagram, Facebook and Messenger: apps that, if your parents or neighbours or friends couldn’t work out how to install them, they would ask someone else to help, because the app connects them to a social network or service they want.
There is no similar pull for a contact tracing app. There are no photos on it, there are no grandchildren, you can’t win any gems on it, you can’t watch your shows on it. There are for the most part only exhortations that you’re doing your part to install this black box.
Setting aside how, particularly on iOS, the Singaporean app has to work around the platform’s very strict limits on third-party apps broadcasting and scanning for Bluetooth Low Energy packets in the background, the system also doesn’t work particularly well in day-to-day use: users are told to keep the app open on screen, or to leave the phone face down with the app running. That isn’t a good long-term solution.
Given the install base, the BlueTrace deployment in Singapore looks like a well-intentioned and well-built failure. The mobile platform vendors don’t give a third-party app enough room to build something like this effectively. The protocol itself is well designed, though, and seems to have inspired the next stage.
The next Stage
On the 11th of April both Apple and Google announced they were going to bring the contact tracing system in-house.
They are going to provide an API (basically tools for app developers) that hooks into their own low-level systems for doing contact tracing. This is promising for a few reasons:
- Apple and Google can do things inside the operating system that they don’t allow third-party apps to do, such as continuously broadcasting and scanning for Bluetooth Low Energy identifiers in the background, without the app having to stay on screen.
- Apple and Google have committed to a standard that works cross-platform. With all the good will in the world, if there is a gap between what the two operating systems can do, the system is effectively useless, because contacts between an iPhone and an Android phone are exactly the ones you need to catch.
- Apple and Google have released a cryptography spec and a Bluetooth spec that both look extremely promising. The design differs from BlueTrace in one important way: the identifiers a phone broadcasts are derived on the phone from a daily key and rotate every 10 to 20 minutes, and when someone tests positive it is their recent daily keys that get published, so every other phone downloads those keys and does the matching locally rather than uploading its encounter log to a server.
Singapore’s BlueTrace is a great idea but it’s just one country working very hard to provide a framework to solve this in a technical way. We cannot guarantee apart from promises from government figures that the Australian app works in this way.
We could obviously have a third party audit it, or even (God forbid) release the source code for the app. Given copyright, procurement and so on, that isn’t likely to happen before everybody in the country has been harangued into installing it. And even then, realistically, it still won’t work.
Closing the Gap
Getting someone to install a mobile app is extremely hard. As someone who has made their living for years selling apps or getting people to install them, it’s a complete nightmare. People don’t know their passwords, or don’t have credit cards (yes, this can still block downloading a free app), or don’t even know how to download an app from their app store of choice. App installation has been trending down for years; getting people to install an app to solve this problem is never going to work.
That’s why the two big mobile vendors, Apple and Google, have a second phase: they are going to build contact tracing into their operating systems. This gets you opt-in basically at the ground level. Google does not have a great track record of getting full operating system updates onto devices, so it is shipping this through Google Play Services instead; iOS users are used to receiving updates and tend to apply them, so that’s a different story.
Assuming uptake of over 60% within two to three months once this baked-in system ships at the end of May (an aggressively early estimate), we could have a fairly effective and aggressive contact tracing system ready to go by the end of August or the beginning of September. That’s frankly incredible. This is the equivalent of a Manhattan Project-style solution to a truly evil problem.
Contact tracing exists for one reason and one reason only, this virus is a demon, and we cannot let it hide. Contact tracing will help us bring to light who is infected and stop it from spreading.
Say we deploy this technology and it works: we have solved the core problem and can track and trace those who are infected. There are still questions.
Concerns and next steps
Despite all of the good intentions in the world this system does have downsides:
- Your phone now holds a list of every device it has been near for the past 14 days (21 under BlueTrace). The identifiers are anonymised to other phones, but each one still ties back to a device: under BlueTrace the issuing server can map every identifier to a registered phone number, and under the Apple/Google design the daily keys of anyone who tests positive are published, so anyone who logged that person can derive the identifiers they broadcast.
- In Australia, at least, it’s a crime to refuse to unlock your phone for Police when ordered to by a magistrate (thanks to Rob Candelori for this, and to Bede Kelleher for clarifying). Since unlocking the phone also decrypts it, unlocking gives law enforcement access to this database of other people’s identifiers as well as your own. If Police want to prove you were in proximity to another user, matching the identifiers across two seized phones is a trivial exercise.
- Other stores of information have routinely been targets for hackers and state actors. If every device carries a well-known database of all the identifiers it has seen, that’s a very juicy target. If state or other actors find an exploit that exfiltrates it (as happened with WhatsApp), it becomes an incredibly valuable trove once collected en masse. Collecting this data creates the incentive to steal it.
- Both Apple and Google say they can turn off the OS-level tracing once all of this is done, but there is no indication yet of the mechanism they’ll use to do so.
- We don’t know societally how this is all going to shake out long term. We live in very weird and uncertain times. We’re trying to save lives but we don’t know how this will impact our cultural psyche, values or how we work as a society long term.
Cryptographically and technically the contact tracing solution is extremely well thought through but we should still be wary.
We need to be very clear in terms of what these systems collect and how. Any murkiness or lack of clarity will defeat the project before we start. If people are sceptical because of a poor communication from the government or tech vendors the entire project will fail.
This is not a panacea; it’s a temporary stopgap that helps us corral and crush this demon. We are running on adrenaline now, hyper-focused on this one problem. Valuable as the tool is today, the second it has served its purpose it must be destroyed.
Don’t give anybody too stupid to understand how dangerous this can be any ideas.