The COVID-19 pandemic has seared contact tracing into our collective consciousness, but it doesn't mean the concept is anywhere near new.
Noted Deputy U.S. Chief Technology Officer Nicole Wong recently during an online event: Contact tracing was used to identify the original Typhoid Mary in 1907, as well as helping to quell outbreaks of smallpox, SARS and Ebola.
As COVID-19 continues to spread, entities around the world hope to use technological advancements to take contact tracing to the next level, including the possibility of using cellphones to monitor individuals and track who they have recently contacted. Such ideas are noble on paper. They also come with plenty of privacy concerns.
One of the most notable contact tracing plans has come from Apple and Google. The two tech companies have developed the "Exposure Notification System" to help public health authorities develop contact tracing applications to monitor the spread of COVID-19.
During an online IAPP Keynote Event recently, Apple Senior Director, Global Privacy Law and Policy Jane Horvath CIPP/G, CIPP/US and Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, said their companies were approached early in the days of the pandemic to determine whether existing technologies could be used for contact tracing. Apple and Google both had doctors on staff to help develop the system. Horvath said the companies reached out to the U.S. Centers for Disease Control and Prevention as well as data protection authorities in the European and Asian-Pacific to fully form the system.
As the companies prepared for their eventual collaboration, Apple and Google discovered cellphone location data would not suffice for this endeavor.
"Initially, we received a lot of inbound questions around location data, like maybe you would be able to use location data to support contact tracing," said Enright. "It turned out that wasn’t the right data step for a whole bunch of reasons. It’s not complete enough, it’s not accurate enough and obviously there are privacy concerns associated with location information that can be derived from someone’s device."
Those concerns were why Apple and Google turned to Bluetooth to power its Exposure Notification System, which allows for phones to exchange beacons with other devices that have downloaded an app developed by a public health authority. Should an individual come in contact with a person who entered their positive diagnosis into the app, they will be notified on their phone with a message from the public health authority about what to do next.
A major element of the system's development was an emphasis on user control. Anyone who downloads the app must give their explicit consent to send beacons between phones and enter a possible positive diagnosis. Enright said Google and Apple do not know the identities of anyone who may have COVID-19.
He added the companies prohibit any secondary use of the information, nor will Apple and Google use the information for revenue purposes. Any data gathered by an app must strictly be used for contact tracing.
"User control was essential to this. We did not want to create a system that was not completely transparent," said Enright. "We also wanted to make sure from the beginning that this doesn’t collect or use device location information, including for users that have tested positive."
As Apple and Google fleshed out the system, the companies had to make a decision other contact tracing developers have had to answer: Will the Exposure Notification System be centralized or decentralized?
The companies ultimately chose a decentralized approach. All information will be stored on a user's device rather than on a centralized server. Horvath said this approach fits in with the companies' commitments to user control, and it avoids any possibility of the creation of a social graph using an individual's contacts.
Enright said there were some proposals that included a centralized approach, but they were turned down early in the process.
"There were alternative designs that were proposed and were very actively discussed where you had central servers that were doing more of that processing and more of that association of diagnosis keys with individual users," said Enright. "We pushed back hard on that and we felt strongly that all of this exposure notification information being done on device and that processing being done under the strict controls of the user was an essential design feature to optimize the privacy of the system."
The Exposure Notification Aystem will grant one API per health authority and or jurisdiction to avoid fragmentation and to promote high user adoption, according to Enright.
While it may not seem like it now, the COVID-19 pandemic will eventually come to an end. The Exposure Notification System may be used anywhere from a couple of months to several years. When that day comes, Apple and Google do not plan to keep the information around for very long.
"We intend to disable this Exposure Notification System on a regional basis when it is no longer needed," said Enright. "We will remain in close partnership with the national health authorities and when present crisis has passed and we do not feel this technology is necessary anymore to contain COVID-19, we intend to shut it down."
Both Enright and Horvath acknowledge there will be some challenges with user adoption. Contact tracing apps may come with good intentions, but individuals will likely be skeptical of a system that will monitor them in any capacity.
Their hope is the Exposure Notification System is simple and clear enough to drive user toward the app, and while some may be concerned the tech companies' pivot to privacy may be to the system's detriment, Apple and Google don't see it that way.
"There have been a number of different press reports that are challenging whether we are too private, which is an interesting place to be," said Horvath. "The other thing that to be considered if you are less private, less people will download the app. You have to reach the right balance between privacy and effectiveness so hopefully we will get a big uptake in people using it."