This article is part of Privacy in the Pandemic, a Future Tense series.
As we move past the initial stages of the COVID-19 pandemic, governments have started to make plans for what the next phase of containment will look like. A crucial element of these plans is likely to be the ability to automatically track down contacts of those found to be infected, using the radio technology built into smartphones. Unfortunately, plans to deploy these systems hit an unexpected snag this week, as the major European contact-tracing technical coalition found itself at odds with both smartphone manufacturers and privacy advocates. In the words of one scientist: “This has gone beyond a joke and descended into farce.” How did we get here?
Contact tracing is a process that’s designed to notify close contacts of patients who have been diagnosed with an infectious disease like COVID-19. Historically this was done by health care professionals who interviewed patients about each person they had had contact with. The problem with this approach is that it consumes precious time and resources, and worse, it may not capture every stranger the patient was in proximity to.
To streamline the process, governments have begun experimenting with automated tracing systems based on smartphone apps. These apps use Bluetooth, a short-range radio transmitter built into most phones. Once the appropriate software is installed, your phone can repeatedly transmit an identifying signal that will be picked up by any other phone that happens to be nearby. By transmitting a unique identifying number, phones can make a list of each person they came within several feet of. This data is more efficient than a pencil-and-paper contact log because it’s built automatically. If any user later receives a positive diagnosis, they can use this list to notify everyone—even strangers.
The power of this solution is also its risk. Privacy advocates worry that advertising corporations and hackers might use our Bluetooth signals to track us. And this isn’t theoretical: Several advertising companies already use existing Bluetooth data to track shoppers as they walk around stores. If a contact-tracing app uploads its data to a centralized server, that would create an even greater risk: The government—or any hacker who gets access to that server—could work out the movements and personal interactions of an entire population.
Fortunately there are ways to reduce these risks. A number of scientists along with Apple and Google have proposed a “decentralized” approach to contact tracing that protects users’ privacy. This technique relies on replacing your phone’s fixed identifier with a series of “pseudonyms”: random identifiers that change every 10 minutes. Your phone then becomes like someone at a costume party who changes his costume as he walks from room to room. Each pseudonym is just a long, random serial number and should reveal nothing about your identity.
Your own phone will make a list of every pseudonym it sees as you go about your day and store them locally in its memory. These numbers are normally meaningless. Only when participants are actually diagnosed with COVID-19 will they “unmask” themselves. This requires the infected patient to voluntarily publish a list of the pseudonyms they used on the specific days they were infectious. This list of infected pseudonyms will be distributed automatically to the public; your app can periodically download it and compare with the list of pseudonyms that it encountered as you walked around. If there’s a match, you’ve potentially been exposed.
Thus, the fundamental privacy guarantee of these “decentralized” systems hangs on two simple facts: Unless you’re positively diagnosed, your own pseudonyms will never leave the phone. Moreover, the pseudonyms of people you encounter in your daily business will also always stay on your own phone.
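The two facts above can be checked in a small simulation of the decentralized scheme. This is an added example, not code from the article or from the Apple/Google or PEPP-PT projects; the `Phone` class, the 10-minute slot arithmetic and the users Alice, Bob and Carol are all constructed here for illustration.

```python
import os
from datetime import datetime

SLOT_SECONDS = 600  # pseudonyms rotate every 10 minutes

class Phone:
    """One user's handset in the decentralised scheme (constructed example)."""
    def __init__(self, owner):
        self.owner = owner       # never transmitted; only labels the demo
        self._by_slot = {}       # slot -> (pseudonym, calendar day it was used)
        self.seen = set()        # pseudonyms picked up over Bluetooth

    def broadcast(self, now: datetime) -> str:
        """Pseudonym for the current 10-minute slot; a fresh random one per slot."""
        slot = int(now.timestamp() // SLOT_SECONDS)
        if slot not in self._by_slot:
            self._by_slot[slot] = (os.urandom(16).hex(), now.date())
        return self._by_slot[slot][0]

    def receive(self, pseudonym: str) -> None:
        """Record a pseudonym heard from a nearby phone; it stays on this device."""
        self.seen.add(pseudonym)

    def publish(self, infectious_days: set) -> list:
        """After a diagnosis, upload only this phone's own pseudonyms for those days."""
        return [p for p, day in self._by_slot.values() if day in infectious_days]

    def check_exposure(self, published: list) -> set:
        """Local comparison of the downloaded list with stored encounters."""
        return self.seen & set(published)

def encounter(a: Phone, b: Phone, when: datetime) -> None:
    """Two phones within Bluetooth range exchange their current pseudonyms."""
    a.receive(b.broadcast(when))
    b.receive(a.broadcast(when))

def simulate() -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day1, day2 = datetime(2020, 4, 20, 9, 0), datetime(2020, 4, 21, 9, 0)
    encounter(alice, bob, day1)      # Alice meets Bob on day 1
    encounter(bob, carol, day2)      # Bob meets Carol on day 2; Carol never meets Alice
    published = alice.publish({day1.date()})   # Alice is diagnosed, declares day 1
    return {
        "published": published,
        "bob_exposed": bool(bob.check_exposure(published)),
        "carol_exposed": bool(carol.check_exposure(published)),
        # the upload contains none of Bob's pseudonyms: contacts are not revealed
        "leaks_bob": bool(set(published) & {p for p, _ in bob._by_slot.values()}),
    }
```

Bob's phone finds a match and Carol's does not, while the published list carries no names and nothing from Bob's phone; in the centralized variant described later, the server would instead hold the pseudonym-to-identity map and receive Bob's identifiers directly.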
This design might seem complicated, but by the standards of modern privacy software, it’s very straightforward. Because of this, Apple and Google are on schedule to deliver the necessary software updates straight into their operating systems by the middle of May. This won’t activate every phone for contact tracing—you’ll still need to download an app—but it ensures all the infrastructure for privacy will be in place. Given the speed of this response, you might ask what remains to be done. And that brings us to the new controversy in Europe.
There are several European projects underway to develop contact-tracing apps. One of these, called the Pan-European Privacy-Preserving Proximity Tracing system, or PEPP-PT, is supported by German authorities and French institutions. At first glance, the PEPP-PT plan seems similar to the decentralized approach favored by Apple and Google. However, on closer examination, the concrete proposals for PEPP-PT so far differ fundamentally from the decentralized approach. For one thing, where the decentralized approaches propose to generate pseudonyms on your phone, the PEPP-PT protocols generate your pseudonyms on a centralized server. This server will be able to link each pseudonym back to your real identity. Worse: If you’re diagnosed positive, your phone will not simply upload the list of its own pseudonyms; it will also upload the identifiers of every person you’ve come into contact with so the authorities can track them down and notify them directly.
These changes might seem small, but the privacy impact is huge. If adopted, a single government-run server will store a list that maps every pseudonym to its real user’s identity. If anyone were to get hold of this list—perhaps a spy agency or a hacker—they could use it to track you out in the real world. And for anyone unfortunate enough to be diagnosed with COVID-19, the hacker will also gain a complete list of all their social contacts.
As if this isn’t concerning enough, PEPP-PT’s approach puts Europe in conflict with preexisting software rules for Apple iOS apps, rules that prevent third-party apps from running in the background and broadcasting Bluetooth signals. Those rules were developed for a very specific reason: to prevent abuse by advertising companies, which have tried to embed tracking code into various apps in order to track users in the real world. Apple’s own contact-tracing code is granted an exception to these rules because it’s designed to prevent this sort of tracking. Had PEPP-PT simply used Apple and Google’s system, it would be able to take advantage of this. By going it alone, and using a riskier centralized approach, the European authorities must now demand a special exception from Apple, something that could introduce further delays.
This might seem like an academic debate about privacy, but it’s more than that. Epidemiologists tell us that in order for contact-tracing apps to stop COVID-19, they may need to be installed by as much as 60 percent of the population. In a world where many already distrust technology, there is no room for doubt. Users must be absolutely assured that their privacy will be protected. The fact that even experts are skeptical of the PEPP-PT proposal bodes poorly for this trust. It also seems remarkable that European countries, long known for their embrace of privacy regulation, would propose a system with so many privacy risks.
At the end of the day, contact-tracing apps are a stopgap measure to be implemented alongside testing, social distancing, and (hopefully) a vaccine. But the risks are still the same: If we’re not careful, government agencies, operating through malice or carelessness, could easily build systems that massively undermine our privacy. And we might even cheer them on.
Disclosure: From 2014 to 2015, Matthew Green received a grant from Google’s Advanced Technology & Projects division. Green is also a signer on a joint letter signed by more than 300 scientists laying out principles for a privacy-preserving contact-tracing system.