The real problem with contact tracing

TL;DR

Most tech solutions to contact tracing have failed because of a lack of trust in big tech companies, and we’ve been left with a set of poor and insecure alternatives (e.g. random Google forms to fill in).

I’d argue this is caused by two things: the lack of self-awareness of big tech and a lack of consideration for where the real responsibility for contact tracing should lie: with the individual rather than businesses. This is indicative of many tech projects which fail to start from a design which fits the circumstances.

Introduction

2020 has been a strange year; we’ve all learned new things like R nought and contact tracing. Now that Victoria (my home) is reopening, there are QR codes and ‘low-fi’ contact tracing solutions filling cafes and restaurants. This has got me thinking about why so many tech-based contact tracing efforts have failed and what the real root cause is.

It has been a condition of businesses reopening that they must keep records (names, phone numbers) of the people who visit them, so that if they are made aware of a potential infection at their premises, they can quickly tell the authorities who was there at the same time.

There is some irony that the public rejected a series of tech-based contact tracing efforts only to have them replaced by simpler and much less secure efforts.

The tech solutions

As a quick refresher, most contact tracing applications made use of the privacy-preserving contact tracing approach, which is detailed here. Examples include Australia’s COVIDSafe and the UK’s NHS COVID-19.

Applications implementing this framework did not require any data to be shared with a central authority. Instead, the information is all stored locally on a user’s device, and non-identifying information is only shared with a central server if a user is diagnosed with COVID-19 and needs to alert others they were in contact with of a potential risk of infection. This is all achieved with random numbers, Bluetooth and public-key cryptography, and at no point is any GPS or identifying information used or shared.

The issue is that this approach is very complicated to understand, and in a world of stories like Cambridge Analytica, people were not willing to believe big tech companies asking them to ‘just trust them’.

So, what did we end up with?

In most instances we have a QR code which points to a Google form or, even more low-tech, a notepad where you write your name and phone number.

These solutions have several serious problems:

  • Privacy and security: who owns the Google form? What security settings does it have? Who is purging the data? And… if it’s a notebook, what’s to stop people taking photos of it?
  • Accuracy: are people going to give accurate information? Given the points above, I imagine some folks are going to purposefully give incorrect information.

I think it’s fair to say that these are serious deficiencies.

Why?

Arguably we ended up here because big tech’s efforts fell flat because of their own reputations for being less than honest with respect to people’s data.

Honesty might be the wrong word, but certainly big tech does not have a good reputation for being straightforward with respect to how your data is used. Google’s T&Cs are more than 3,400 words long and Apple’s are more than 7,000 words long (there's more information about this here). On top of that the reading complexity scores for the text put Google’s at 10th-12th grade level and Apple’s at college level. When the average American can only read at 7th to 8th grade level that means that most people using these services have no idea what their rights vs the tech giant’s rights are.

But further, we’ve ended up here because the responsibility for contact tracing has been given to businesses who host people, rather than to the people themselves.

Who should be responsible for this?

In a world where COVID-19 and other similar diseases are a reality, knowing where you’ve been and who you’ve been with is a personal responsibility. It is not your government, school, employer, or café’s job.

Once you look at it this way, it means that each person needs a solution to record where they’ve been and for how long. This however is not the whole story; you also need a method to tell them if they might have been exposed to a communicable disease. But that is easy – especially if you remove all the technical bells and whistles (which nobody understands anyway).

My solution

My approach borrows from the Apple and Google solution, but replaces difficult-to-understand concepts like keys, ephemeral IDs and Bluetooth with taking a photo.

Basic elements:

  • QR codes: printed and displayed in locations where people can gather, each one uniquely identifying the location
  • Phone app: which people use to capture photos of the QR codes, and which stores 14 days of history locally on the device. This app also receives push notifications containing location IDs and time windows for compromised locations
  • Backend server: which provides a service to push notifications to user devices containing location IDs and time windows for compromised locations. This backend service would also be responsible for issuing QR codes and maintaining the link between those IDs and the details for each location.

In this model no information about the user or where they have been ever leaves their device. Nothing is exchanged with any nearby devices or any backend server.

Under normal circumstances users would be capturing the codes and these would reside on their devices for 14 days, along with the time of capture.

If a user had a case of COVID-19, they could be asked to provide all the IDs from their phone along with the times. This could be directly submitted to the backend server, excluding any identifying information about them. This would then allow the backend server to trigger notifications to all the other devices on the network, which would then check against their local data and trigger an alert to their user if a match was found.

If the user with COVID did not want to share this information directly, then through the normal course of contact tracing they would be telling the authorities all the places they have been. This information can be manually entered into the backend server (via a UI), which could then also trigger alerts to users who had been in those locations at the times a COVID-positive person was present.
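
The device-side half of this design, as an added sketch that is not code from the original post: the phone keeps scans locally, purges them after 14 days, and checks broadcast notices without reporting the result to anyone. The class names, the sample location IDs and the one-hour assumed stay are assumptions; the post stores only the time of capture, so some stay length has to be assumed to test overlap with a time window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)      # from the post: 14 days of local history
ASSUMED_DWELL = timedelta(hours=1)  # assumption: only the capture time is stored

@dataclass(frozen=True)
class Visit:
    location_id: str      # opaque ID decoded from the venue's QR code
    scanned_at: datetime  # time of capture

@dataclass(frozen=True)
class ExposureNotice:     # what the backend broadcasts to every device
    location_id: str
    start: datetime
    end: datetime

class LocalVisitLog:
    """On-device store; nothing in it is sent to the backend or other devices."""
    def __init__(self):
        self.visits = []

    def record_scan(self, location_id, scanned_at):
        self.visits.append(Visit(location_id, scanned_at))

    def purge(self, now):
        """Drop scans older than the retention period."""
        self.visits = [v for v in self.visits if now - v.scanned_at <= RETENTION]

    def check(self, notices, now):
        """Return local visits whose assumed stay overlaps a broadcast window."""
        self.purge(now)
        return [v for v in self.visits
                if any(n.location_id == v.location_id
                       and v.scanned_at <= n.end
                       and v.scanned_at + ASSUMED_DWELL >= n.start
                       for n in notices)]

def demo():
    """Constructed sample data: three scans, two broadcast notices."""
    now = datetime(2020, 12, 15, 12, 0)
    log = LocalVisitLog()
    log.record_scan("LOC-CAFE-01", datetime(2020, 12, 10, 9, 30))  # overlaps the window
    log.record_scan("LOC-CAFE-01", datetime(2020, 12, 10, 15, 0))  # same venue, hours later
    log.record_scan("LOC-GYM-07", datetime(2020, 11, 25, 18, 0))   # past 14 days, purged
    notices = [
        ExposureNotice("LOC-CAFE-01", datetime(2020, 12, 10, 10, 0), datetime(2020, 12, 10, 11, 0)),
        ExposureNotice("LOC-GYM-07", datetime(2020, 11, 25, 17, 0), datetime(2020, 11, 25, 19, 0)),
    ]
    return log.check(notices, now), len(log.visits)
```

Because every device receives every notice and the comparison happens locally, the backend learns which locations were flagged but not which devices matched.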

Conclusion

It is possible to design a viable and safe contact tracing approach which is easy for people to understand, however it requires reframing the problem and considering different requirements.

I’ve been involved in lots of tech projects which have had difficulties because of similar situations – they don’t challenge their circumstances and reframe the problems they’ve been asked to solve – and if they had, they might not have gone ahead – but sometimes that’s a better outcome.

-- Richard, Dec 2020