October 1, 2020

Test and trace with Apple and Google

After the shutdown, the testing and tracing. “Trace, test and treat is the mantra … no lockdowns, no roadblocks and no restriction on movement” in South Korea. “To suppress and control the epidemic, countries must isolate, test, treat and trace,” say WHO.
But what does “tracing” look like exactly? In Singapore, they use a “TraceTogether” app, which uses Bluetooth to track nearby phones (without location tracking), keeps local logs of those contacts, and only uploads them to the Ministry of Health when the user chooses/consents, presumably after a diagnosis, so those contacts can be alerted. Singapore plans to open-source the app.
In South Korea, the government texts people to let them know if they were in the vicinity of a diagnosed individual. The information conveyed can include the person’s age, gender, and detailed location history. Subsequently, even more details may be made available:

The level of detail provided by @Seoul_gov for each and every COVID-19 case in the city is astonishing:
Last name (which I’ve obscured)SexBirth yearDistrict of residenceProfessionTravel historyContact with known casesHospital where they’re being treated pic.twitter.com/GsI0QQPcVH
— Victoria Kim (@vicjkim) March 24, 2020

In China, as you might expect, the surveillance is even more pervasive and draconian. Here, the pervasive apps Alipay and WeChat now include health codes – green, yellow, or red – set by the Chinese government, using opaque criteria. This health status is then used in hundreds of cities (and soon nationwide) to determine whether people are allowed to e.g. ride the subway, take a train, enter a building, or even exit a highway.
What about us, in the rich democratic world? Are we OK with the Chinese model? Of course not. The South Korean model? …Probably not. The Singaporean model? …Maybe. (I suspect it would fly in my homeland of Canada, for instance.) But the need to install a separate app, with TraceTogether or the directionally similar MIT project Safe Paths, is a problem. It works in a city-state like Singapore but will be much more problematic in a huge, politically divided nation like America. This will lead to inferior data blinded by both noncompliance and selection bias.
More generally, at what point does the urgent need for better data collide with the need to protect individual privacy and avoid enabling the tools for an aspiring, or existing, police state? And let’s not kid ourselves; the pandemic increases, rather than diminishes, the authoritarian threat.
Maybe, like the UK’s NHS, creators of new pandemic data infrastructures will promise “Once the public health emergency situation has ended, data will either be destroyed or returned” — but not all organizations instill the required level of trust in their populace. This tension has provoked heated discussion around whether we should create new surveillance systems to help mitigate and control the pandemic.
This surprises me greatly. Wherever you may be on that spectrum, there is no sense whatsoever in creating a new surveillance system — seeing as how multiple options already exist. We don’t like to think about it, much, but the cold fact is that two groups of entities already collectively have essentially unfettered access to all our proximity (and location) data, as and when they choose to do so.
I refer of course to the major cell providers, and to Apple & Google. This was vividly illustrated by data company Tectonix in a viral visualization of the spread of Spring Break partygoers:

Want to see the true potential impact of ignoring social distancing? Through a partnership with @xmodesocial, we analyzed secondary locations of anonymized mobile devices that were active at a single Ft. Lauderdale beach during spring break. This is where they went across the US: pic.twitter.com/3A3ePn9Vin
— Tectonix GEO (@TectonixGEO) March 25, 2020

Needless to say, Apple and Google, purveyors of the OSes on all those phones, have essentially the same capability as and when they choose to exercise it. An open letter from “technologists, epidemiologists & medical professionals” calls on “Apple, Google, and other mobile operating system vendors” (the notion that any other vendors are remotely relevant is adorable) “to provide an opt-in, privacy preserving OS feature to support contact tracing.”
They’re right. Android and iOS could, and should, add and roll out privacy-preserving, interoperable, TraceTogether-like functionality at the OS level (or Google Play Services level, to split fine technical hairs.) Granted, this means relying on corporate surveillance, which makes all of us feel uneasy. But at least it doesn’t mean creating a whole new surveillance infrastructure. Furthermore, Apple and Google, especially compared to cellular providers, have a strong institutional history and focus on protecting privacy and limiting the remit of their surveillance.
(Don’t believe me? Apple’s commitment to privacy has long been a competitive advantage. Google offers a thorough set of tools to let you control your data and privacy settings. I ask you: where is your cell service provider’s equivalent? Ah. Do you expect it to ever create one? I see. Would you also be interested in this fine, very lightly used Brooklyn Bridge I have on sale?)
Apple and Google are also much better suited to the task of preserving privacy by “anonymizing” data sets (I know, I know, but see below), or, better yet, preserving privacy via some form(s) of differential privacy and/or homomorphic encryption — or even some kind of zero-knowledge cryptography, he handwaved wildly. And, on a practical level, they’re more able than a third-party app developer to ensure a background service like that stays active.
Obviously this should all be well and firmly regulated. But at the same time, we should remain cognizant of the fact that not every nation believes in such regulation. Building privacy deep into a contact-tracing system, to the maximum extent consonant with its efficacy, is especially important when we consider its potential usage in authoritarian nations who might demand the raw data. “Anonymized” location datasets admittedly tend to be something of an oxymoron, but authoritarians may still be technically stymied by the difficulty of deanonymization; and if individual privacy can be preserved even more securely than that via some elegant encryption scheme, so much the better.
Compared to the other alternatives — government surveillance; the phone companies; or some new app, with all the concomitant friction and barriers to usage — Apple and Google are by some distance the least objectionable option. What’s more, in the face of this global pandemic they could roll out their part of the test-and-trace solution to three billion users relatively quickly. If we need a pervasive pandemic surveillance system, then let’s use one which (though we don’t like to talk about it) already exists, in the least dangerous, most privacy-preserving way.

Via:: Test and trace with Apple and Google