Technology Advantages and Limitations
Contact-tracing apps were developed using two widely available technologies: Bluetooth and GPS. Bluetooth works by sending radio messages to announce the availability of a device to pair with applications running on another Bluetooth-enabled device. Bluetooth apps will keep track of when the user’s phone sends out a Bluetooth announcement. If that individual tests positive, determining whose phone connected with those messages will provide the baseline for the contact tracing. Bluetooth-based apps have been likened to a virtual “handshake” because their markers are designed to determine with whom you came into contact. In contrast, GPS-based systems can track where the potentially infected user has been, and at what time, and can then match up other users whose devices were at the same location during the same time period. This location data allows tracking of potential outbreaks or hotspots.
Both technologies are limited in their ability to properly assess risk, such as whether there was actual contact rather than just proximity (radio waves can travel through walls, but the virus cannot). GPS tends to be less precise, and Bluetooth signals can strengthen with distance due to reflection off metal surfaces. These limitations may reduce the effectiveness of this technology, and may create a false sense of security if individuals never receive an alert about potential exposures, or desensitize people who receive too many. Perhaps most importantly for purposes of this article, the Bluetooth markers likely do a better job protecting privacy than does the GPS technology, since Bluetooth, by itself, does not transmit location data to any central clearinghouse, and therefore does not involve location surveillance. Ultimately, governments and individuals will have to decide whether the compromise in reliability of the Bluetooth approach is worth the enhanced privacy protection.
How the data will be maintained presents additional concerns. As cell phone apps collect data, it is stored either on remote centralized servers or on the users’ phones. Apps that use a centralized server will typically be able to access the phone IDs of an infected person’s contacts to verify that the correct people are receiving notifications of potential exposure once the user reports symptoms or tests positive. In the decentralized app approach, however, health departments only learn about people who actually respond to an alert from their app, and have no way of determining if other individuals were exposed who did not install and activate the app, or how many notified people failed to respond to the notification, and therefore might not be known to health authorities. Use of a centralized server therefore raises concerns about the potential to misuse the data, whereas the decentralized model likely will be less effective for public health officials since it relies on users’ voluntary installation and use.
International Approaches: The Experience in Asia, Australia, and Israel
Contact tracing has been instrumental in slowing the spread of COVID-19 in certain countries in East Asia. South Korea was among the first to institute a mobile contact-tracing app to monitor the movements of confirmed COVID-19 patients, building upon its government’s existing comprehensive surveillance efforts, which already gather mobile GPS stamps, camera records, and credit card transactions. The app, Corona 100m, collects government surveillance data and shows the date of a diagnosis, nationality, age, gender and where the person visited. Users are alerted when an individual comes into close proximity to a location visited by an infected person. Contact tracing has been credited as an important component of the country’s success in quickly flattening the curve of cases, although it is worth noting that South Korea may be facing an unexpected spike in the spread. Many other countries, however, have been hesitant to follow South Korea’s example over concerns that it is too intrusive.
China also embraced a very aggressive approach to contact tracing. For individuals wishing to travel outside of their home, local governments across the country deployed an app that determines how much freedom of movement any individual should have throughout society at large. Local governments created a database and health codes that were integrated into two widely popular apps for their technology, WeChat and Alipay. The Alipay Health Code app was launched in the city of Hangzhou as a project by the local government and Ant Financial. When individuals initiate the app, they are required to enter certain personal information, which generates a color-coded QR code to determine how restricted the individual’s movements should be. The QR-codes essentially act as an ever-present passport to enter and move about the city.
There is little transparency into what underlying factors determine how an individual is classified, causing confusion and some resentment of the program. Data is sent to a central server that constantly tracks an individual’s whereabouts. Since the application was developed in conjunction with law enforcement, user location, city name, and identifying codes are presumably shared with authorities, effectively providing constant surveillance of all users. China’s approach to contact tracing presents the most aggressive government control relative to individual liberties of any contact tracing program. While the invasive nature of this app has deterred widespread adoption elsewhere, some of its features are now emerging in apps that are being deployed in other countries.
For example, Singapore’s TraceTogether app technically is voluntary, and does not gather exact user location data, but it nevertheless represents one of the more comprehensive monitoring systems adopted. The app uses a cell phone’s Bluetooth function to detect and log instances of close contact between persons, stores it on the phone, and then shares that information with the Ministry of Health if a user tests positive. Public health authorities are able to use that data to trace the disease’s route of infection and to notify individuals who have come into close contact with a COVID-19 positive person for a period of 30 minutes or longer.
Singapore’s app became the model for Australia’s COVIDSafe. The app is voluntary, although it appears to have been widely adopted with over 4 million downloads in its first week, and allows the government to warn individuals that they have been exposed to someone who has tested positive. The Australian model will not provide the exposed individual with information on who may have infected them. Despite its widespread acceptance, several limitations were discovered soon after launching, specifically that the app failed to properly log all encounters on “locked” phones where the app was not running in the background.
Israel, similar to South Korea, deployed what is essentially a mandatory tracking program. The Health Ministry supplies the name, ID Number, and cell phone number of those infected with COVID-19 to Shin Bet, Israel’s Security Agency, which is then cross-referenced with the Tool, a classified security database that collects cellular data from anyone using telecom in Israel. Those individuals coming into close contact with the infected person receive a text message informing them to quarantine and register with the Health Ministry’s database.
The mandatory nature of the tracking, as well as disclosure of the Tool (which pre-dated the pandemic), has produced highly vocal disagreement over the perceived invasion of the privacy rights of Israelis. Criticism resulted in the temporary halt of the surveillance program and development of a voluntary app that initially relied on decentralized GPS for contact tracing, but was recently updated to use Bluetooth to address some of the errors discovered in the first iteration. Despite concerns regarding the sweeping Shin Bet program, it has been reintroduced as the government insisted it is the only way to stay on top of the virus.
The EU Experience
European countries have uniformly rejected mandatory technological tracing. The European Commission has recommended a common EU approach toward contact-tracing apps, but in the absence of an EU-wide mandate, significant differences in approach have emerged. Countries such as Ireland, Germany, Italy, Austria, and Switzerland have opted to use an application programming interface (API) developed jointly by Apple and Google. The Apple-Google API puts a high premium on privacy. The software allows public health authorities to develop mobile contact-tracing apps that utilize their technology. The API uses Bluetooth, there is no centralized storage of data, and the governments are not able to perform basic statistical analysis into a person’s contacts or characteristics, which obviously limits the efficacy of tracing in favor of the interests of greater privacy protections.
Other EU-member states, notably France, decided to strike a different balance by forgoing the off-the-shelf convenience of the Apple-Google API, instead investing in their own contact-tracing app that allows for centralized data control. The French junior minister for digital affairs has taken the position that the country’s health care crisis response should not be constrained by the privacy policies of Silicon Valley tech giants. By allowing health care professionals to access more precise but intrusive data, in theory France should be able to tackle the virus more effectively, thereby arguably justifying the potential compromise of individual privacy in favor of public health benefits. Supporters of this approach suggest that it will provide researchers with additional data to analyze the spread of COVID-19.
As France forged ahead with its own unique COVID-19 tracking app, however, initial reports suggested that it was not performing as hoped. Despite nearly 2 million downloads, the process had only alerted 14 individuals of possible exposure, even though 68 people informed the app of their infection.
The UK, which had planned to roll out a similar centralized data tracing app, has scrapped that plan for now. Instead, England recently announced trials of its new app, which uses Apple-Google API-based technology. The app uses Bluetooth to identify potential high-risk exposures to infection and will alert people when they have had contact with a person diagnosed with COVID-19. Additionally, it will ask users to scan QR codes at particular locations, so that they can receive alerts if they visited a site with multiple infections. Using the QR codes in addition to the Bluetooth function may address some of the accuracy concerns of Bluetooth effectiveness in highly trafficked locations, like a concert or bar.
The U.S. Experience: State-by-State Experiments
Because the perception and response to COVID-19 has been highly politicized in the United States, and perhaps cautioned by the challenges experienced by other countries, the United States has not adopted a unified approach to contact tracing, and the individual states have been slow to adopt contact-tracing apps. A small number of states have launched voluntary contact-tracing apps that rely on GPS stamps to record the location of COVID-19 positive persons, without, in theory, actually tracking a specifically identified individual.
In April 2020, the state of North Dakota launched an app known as CARE 19 Diary that works with the user to log locations. The app was developed through a partnership with North Dakota and ProudCrowd, a local tech company. Users receive random ID numbers, and locations they visit for longer than 10 minutes are automatically saved throughout the day. If users test positive, they may grant the app permission to share the data with the Health Department for contact tracing and to track the progression of the disease in communities. Neighboring South Dakota will also use the CARE 19 Diary application.
Wyoming has also collaborated with ProudCrowd to bring the application to that state, noting that the more individuals who voluntarily participate, the more effective it will be for contact tracing. The efficacy of these apps has not been validated, and anecdotal evidence based on app reviews suggests that the tracking is inaccurate.
Rhode Island’s response app combines the location diary application found in North Dakota’s app with a symptom diary. The location diary application tracks the places visited over the last 20 days. The symptom tracker also allows the user to log potential symptoms. The users provide their zip code, which allows the health department to track the spread. Ideally, the individual uses the survey on a daily basis, providing the health department with the most useful data. All individual data from the location diary and the symptom tracker is stored locally on the user’s phone and is only shared on a voluntary basis. Rhode Island’s app, Crush COVID-19 RI, had a greater number of downloads than any of the other states, though the rate of downloads is still sufficiently modest to call into question its efficacy as a public health protection.
Utah’s Healthy Together App allows users to assess their symptoms, find nearby test sites, get instructions for care, and find the hot spots in their state. At its launch, the app used both Bluetooth and GPS to track the location and movement of individuals with COVID-19 in an effort to help public health officials with contact tracing. Because the location tracking function was found to be unpopular, it was turned off (although users may opt-in), which essentially limits the app’s effectiveness to that of a personal health tool.
Texas launched a similar program, Texas Health Trace, which allows for a person who tested positive, has symptoms, or thinks he or she has been exposed, to register and receive information and support. Using this system, the Health Department is also able to call the individual to initiate traditional contact tracing. In August, a group of Texan citizens filed a lawsuit claiming that contact tracing is unconstitutional. While the complaint alleges that the government is tracking Texans involuntarily using their cell phones, the government website indicates that contact tracing is voluntary and provides no indication that movement is tracked or recorded. How this lawsuit develops may significantly inform other states in whether, and if so how, they introduce contact tracing technologies.
Several states have now developed new or supplemental apps based on the Apple-Google API, including Alabama, Nevada, Virginia, Wyoming, North Dakota, New York, New Jersey, Pennsylvania, Delaware, and the territory of Guam. Several others plan to develop an app, including Colorado, Connecticut, Maryland, Oregon, Washington, and the District of Columbia. As discussed above, this technology uses a decentralized identifier system that assigns keys on the user’s device. The public health agencies that utilize the app can determine which factors require notification of potential exposure to COVID-19.
On August 5, 2020, Virginia became the first state to launch an app using the API technology. Virginia’s app, Covidwise, is voluntary, free, and does not collect personal information or track its users’ locations. The app is too new to determine how widely used it will be or its overall efficacy, but the health department has already noted that the app will not work effectively outside the state since there is no federal or interstate coordination.
Conversely, many states have not developed any type of contact-tracing app. South Carolina, for instance, originally intended to utilize the Google-Apple API, but lawmakers banned the use of digital contact-tracing apps in a spending bill. Lawmakers cited privacy concerns that the technology could track users as one of the reasons for the ban. These states continue to use traditional contact tracing, which has been known to present numerous challenges, including duplication of efforts by local and state agencies, privacy concerns, and lack of sufficient resources.
Other Examples of Contact Tracing: Higher Education
The challenges associated with contact tracing are not limited to public health agencies, and, in many situations, forgoing digital contact tracing is not an option. For example, as society struggles to return to something closer to normal, workplaces and schools in particular will be pressured to track infected individuals and their movement in more controlled and concentrated environments. Both the University of Arizona and the University of Alabama have stated they intend to implement contact-tracing apps. The University of Alabama’s return-to-school plan would require employees and students to log their symptoms. The University has implemented GuideSafe, which incorporates a health check, exposure notification, and an event passport. The exposure notification uses the Apple-Google API to log close contacts and report potential exposure to the user. The app protects user information by using encrypted identification numbers and it does not access GPS location or other data from the user’s phone.
Interestingly, COVID-19 is not the first occasion on which schools have embraced technology to monitor students on campus. In 2019, the University of Missouri rolled out an optional app to track student attendance. The app uses the school’s Wi-Fi and phone sensors to check students into class and ensure that they are present. However, since it does not use GPS, it will not track the students outside of class. The app is also being used by Syracuse and Virginia Commonwealth University.
The potentially “slippery slope” of digitally monitoring university students’ class attendance, however, could also become an uncontrolled social experiment, as schools continue to expand the use of these technologies, their functionality becomes more comprehensive, and the assessment of their efficacy continues to be ad hoc. For example, the University of California-Irvine has developed a Wi-Fi-based system that it will use to track an infected person’s movements across campus. One tool will be able to monitor how well students are social distancing using anonymized Wi-Fi connectivity datasets that can determine whether spaces are at or over occupancy. It will also employ a tool to monitor traffic flow that enables users to avoid crowded spaces and aid in sanitization efforts. The hot spot function will actually notify people when they have encountered an individual who has tested positive for COVID-19. UC-Irvine represents that each of these applications has built-in privacy controls and suggests that they could be easily adaptable for other institutions of higher learning.
Other institutions are applying technology that uses facial recognition to identify students. Molloy College has stated its intention to use infrared kiosks in the lobby of its buildings to measure whether students have a temperature greater than 100.4 degrees. This technology will be matched with a catalogue of photographs taken for student IDs.
The use of technological apps to safely return to school is not limited to higher education. Primary and secondary schools in Ohio, Pennsylvania, Massachusetts, and Tennessee have investigated the use of Bluetooth and Wi-Fi based systems to track movement, congregation, and social distancing. The Kiski School, a boarding school in Pennsylvania, is considering another unique solution: implementing a system that would track movement using smart ID cards and Bluetooth technology. While relying on cross-referencing data sets presents a greater risk of generating data that can be used to identify the individual, such systems unmistakably focus on addressing the COVID threat, with potentially unintended consequences to privacy interests.
Challenges Posed by Well-Intentioned Experiments
While the use of contact tracing technology in higher education will provide an interesting series of data sets by which to judge what are essentially one-off social experiments, a word of caution may be appropriate. Questions remain as to whether the data being gathered is commensurate with the interest being served, as well as the degree to which student participation is in fact “voluntary.” Questions as to how that data might be used for other purposes, or the risks posed by unauthorized access to or release of the data, will likely be addressed ad hoc as these apps are used more extensively. Likewise, in the rush to restart, the balance between data collection to combat the spread of COVID on the one hand, and meaningful and informed consent on the other, has not been carefully considered. While downloading an app may be voluntary, it is difficult to get to class without passing through infrared terminals or Bluetooth badges.
The concerns become even more challenging when the data includes sensitive health information. Overlaying temperature checks with student IDs and Bluetooth trackers could easily compromise the anonymity of a “decentralized” app. Given the relatively confined nature of the educational setting, its theoretical privacy protections may be compromised as individuals can likely trace an infection back to a particular class, building, or dormitory. A phone app with a pop-up alert may mean that you were exposed on a bus, elevator, or any random public space, whereas in higher education it will be more difficult to protect identities.
COVID, Privacy, and Antitrust: An Unprecedented Opportunity for Collaboration or a Dangerous Precedent?
Health experts agree that combating COVID-19 will require a great deal of cooperation between the private and public sectors to track and contain the spread of the virus. Some of the tech giants, notably Google and Apple, have leapt into the breach with impressive capabilities and resources that public sector resources simply cannot match, and which hold the promise of making a real difference in combatting the spread of this disease.
The Apple-Google partnership on the API presents an unprecedented breakthrough for the previously siloed technology of Android and iOS devices. The interoperability now available between the two operating systems allows nearly all smartphone users to exchange the Bluetooth “handshakes” necessary for contact tracing. The apps that use this technology will need to adhere to specific privacy controls, which effectively precludes any centralized apps from accessing the extraordinary collective reach of these combined technologies. The Apple-Google partnership, otherwise unimaginable from an antitrust perspective, makes it possible to change the trajectory of the war against COVID by combining their market penetrations with easily normalized applications on their devices.
Organizations with unprecedented market power can collaborate to offer solutions well beyond the reach of public health organizations, but that can present other challenges. It may be unrealistic to expect these collaborating tech giants to subjugate completely their business interests and stop short of using the access and information obtained by their combined monopoly power for other, less public-minded purposes.
The combined reach and technological savvy of the two operating systems opens up other new technological approaches to contact tracing. For example, several European nations initially sought to create a mobile app operable across borders. One approach, the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) would offer technology and services that integrate European privacy standards into a centralized approach. Similar to the API technology, it could be adopted by different apps. Like the Apple-Google function, the PEPP-PT approach would use cell phone data to assess whether an individual had come into close proximity with an infected person.
Germany initially planned to utilize the PEPP-PT, but eventually abandoned this approach when Apple, citing privacy concerns, refused to unlock its operating system to allow for central processing of Bluetooth data. Given Apple’s long-standing position on protecting the privacy interests of its users, its decision not to cooperate with Germany does not seem to have been motivated by a desire to force Germany to adopt Apple’s API rather than develop one of its own. However, without Apple’s cooperation, Germany was unable to proceed with the technology. The centralized approach in theory could move forward, but it would be inaccessible to half the mobile market share.
A collaborative effort between two major competitors itself does not raise antitrust concerns per se, but it does invite greater scrutiny. In this case, the two largest market players are allowing interoperability to aid in the efficacy of public health apps during a global pandemic. While pragmatic and even laudatory under the circumstances, the use of their technology is not without its benefits to these dominant players. Whether intended or not, it may have the effect of incentivizing the use of apps compatible with their systems over apps that are incompatible, thus making their current market dominance all the more entrenched. Germany’s decision to abandon their own PEPP-PT is a case in point.
There is also the undeniable concern that Apple or Google may find ways to use the information that conceivably could be obtained for their own commercial purposes, even if the privacy of the individuals is not compromised. This data presents a once-in-a-lifetime peek into consumer behaviors and patterns. Google’s history of covertly finding ways to mine and use data is well known, and hardly inspires public confidence. For its part, Apple historically has been clear to disavow any such uses, and given the linkage of its brand with privacy protection, Apple may have sufficient consumer credibility for the public to buy into an effective digital contact tracking program.
Those theoretical concerns aside, however, it bears repeating that on its face, the Apple-Google API Exposure technology incorporates privacy preservation features that make it a much superior option from the perspective of protecting individual liberties as compared to some of the centralized options that store individual data (the full extent of which remains uncertain) on central servers readily accessible to the government. The Apple and Google technology requires the user to opt-in to its use, assigns random identifiers that are not tied to an individual, and uses random Bluetooth trackers to limit tracking. The devices will send out a beacon via Bluetooth to other phones, and once a day they will be cross-referenced against beacons for confirmed COVID-19 cases. Those users with possible COVID-19 exposure would be notified by the app with information on next steps from the public health agency managing the regional COVID-19 response. All data will be stored on the device, and the technology is designed so that, at least in theory, none of it is shared with either Google or Apple. This should alleviate the concerns that Google or Apple will make any other use of the data: an entity cannot misuse data it does not have. Given the lack of transparency “behind the curtain” for both Apple and Google, however, privacy advocates are likely to remain skeptical.
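The decentralized matching described above, as an added Python example that is not code from Apple, Google, or any app named in this article. The 10-minute rotation interval, the HMAC-SHA256 derivation (a stand-in for the real specification's key derivation), and every class and function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier rotates every 10 minutes


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval of a day.

    Without the daily key, two identifiers from the same phone cannot be linked.
    """
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str                                       # display only; never broadcast or uploaded
    daily_keys: dict = field(default_factory=dict)  # day -> random secret, kept on the device
    heard: dict = field(default_factory=dict)       # rolling id -> (day, interval), kept on the device

    def key_for(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(16)
        return self.daily_keys[day]

    def beacon(self, day: int, interval: int) -> bytes:
        return rolling_id(self.key_for(day), interval)

    def hear(self, beacon: bytes, day: int, interval: int) -> None:
        self.heard[beacon] = (day, interval)

    def diagnosis_keys(self, days):
        """The only data a user who tests positive chooses to upload."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def check_exposure(self, published):
        """Daily on-device check: re-derive identifiers from published keys."""
        hits = []
        for day, key in published:
            for interval in range(INTERVALS_PER_DAY):
                seen = self.heard.get(rolling_id(key, interval))
                if seen is not None and seen[0] == day:
                    hits.append(seen)
        return sorted(hits)


class KeyServer:
    """Holds only keys volunteered by positive users: no names, locations or contact logs."""

    def __init__(self):
        self.published = []

    def upload(self, keys):
        self.published.extend(keys)


def encounter(a: Phone, b: Phone, day: int, interval: int) -> None:
    """Two phones in Bluetooth range exchange their current identifiers."""
    b.hear(a.beacon(day, interval), day, interval)
    a.hear(b.beacon(day, interval), day, interval)


def run_demo():
    # Constructed scenario: Alice meets Bob twice on day 1; Bob meets Carol on day 2.
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = KeyServer()
    encounter(alice, bob, day=1, interval=50)
    encounter(alice, bob, day=1, interval=51)
    encounter(bob, carol, day=2, interval=10)
    # Alice tests positive and opts in to sharing her keys.
    server.upload(alice.diagnosis_keys(days=[1, 2]))
    return {
        "bob": bob.check_exposure(server.published),
        "carol": carol.check_exposure(server.published),
        "server_records": len(server.published),
    }


if __name__ == "__main__":
    print(run_demo())
```

In this model the server learns one daily key from Alice and nothing about Bob or Carol; Bob discovers the match on his own phone, which is the property behind the statement that an entity cannot misuse data it does not have.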
Further, the proposed second phase of the technology, which will build the Bluetooth-based contact tracing platform into the underlying platform, has the potential to exacerbate privacy concerns. Apple notes that this stage will require special attention to “privacy, transparency, and consent,” as it is unclear how that data will be shared amongst apps and public health authorities, or even within the device’s operating ecosystem itself.
In theory, with the API Bluetooth app the only time information is transmitted from the user’s phone is when there is a hit on potential exposure or when an individual voluntarily enters their COVID-19 status. But the technological limitations require constant vigilance. By way of example, certain health and fitness apps previously available to iPhone users sent users’ personal information to Facebook regardless of the privacy settings selected by the users. While Apple indicated that these apps would need to be modified to remain available to its users, the potential for data collection creep, unintended or otherwise, can never be completely eliminated, even with the Apple-Google partnership. Although the technology is limited only to health authority apps, those are designed by third-party private app developers who may not be completely transparent in the functionality they install. And in contrast to more benign tracking of exercise data, or even consumer activity, the data now potentially at risk represents sensitive health information, and the collateral information that might be generated in connection with this core data may have untold value, and corresponding risk of compromise.
The fact that there have been other instances where the app developers shared data but failed to notify the users does not inspire confidence. For example, ProudCrowd indicated in its privacy settings that the location data would be private and stored only on their servers. Nevertheless, it was later discovered that, depending on certain user settings, the app was sending location and other data to third parties in violation of its own privacy policy. Instead of stopping this practice, ProudCrowd simply updated its privacy policy to disclose the sharing. Because public confidence in the integrity of any digital tracking system is crucial for voluntary participation, app developers will have to more clearly state their privacy policies and adhere to them.
What’s Next?
These contact tracing solutions unquestionably are well-intentioned, but they all have limitations that could compromise privacy or individual liberties. In addition, once these technologies are adopted, when is it appropriate to stop using them? It seems unlikely that COVID-19 will one day just disappear. Will the threat of recurrence sometime in the future of a virus that has thus far largely confounded science justify the use of contact tracing for an extended period of time? As these undeniably intrusive technologies become more commonplace, will we find ourselves less sensitive to the use of surveillance technologies in the future? The longer and more broadly we use these applications, the more likely it will be for an extraordinary event to justify mining the data for purposes we cannot anticipate at present.
To ensure that individual liberties are protected, each contact-tracing app should conspicuously disclose how it is being used, the data it collects, the voluntary (or not) nature of its functionalities, and a very clear subset of clauses identifying when it will stop being used and what happens to the data collected once it is shut down. The use of vague language or imprecise concepts, a practice now ubiquitous in virtually all privacy policies, must be avoided. Privacy watchdogs have an equally important role to play, along with the app developer and healthcare authorities, to make these disclosures and protections meaningful. Beyond ensuring that contact-tracing apps are in fact deployed and functioning to protect public health, perhaps the single biggest challenge of achieving that protection will be developing a process that will appropriately protect privacy and personal liberties.