Original article was published on Communications of the ACM – Artificial Intelligence
May 14, 2020
The global response to the COVID-19 pandemic follows a pattern. This gives governments in the U.S. and Europe a glimpse of the future; they can analyze technologies developed in countries that are emerging from the pandemic as they implement their own.
In China, thermal scanners and vision algorithms measure travelers’ temperatures in transport hubs to detect fevers. Health Code, an app that runs on the Alipay and WeChat platforms, assigns QR codes that permit (or restrict) citizens’ movements depending on their location histories and health. In Singapore, the TraceTogether app notifies users if they have had close contact with an infected person.
These measures are helping to control the spread of COVID-19. However, privacy and health stigma concerns were quickly raised. Privacy International is tracking global responses to COVID-19, while in India, Citizen Matters is reviewing privacy in government-issued apps.
It is against this complex, fast-moving backdrop that technologies are being developed in the U.S. and Europe, and contact tracing apps are dominating the field. A crowdsourced list on GitHub and Google Docs shares information on numerous projects. On April 10, Google and Apple announced they had partnered to launch their own Contact Tracing Framework Documentation (API).
Contact tracing limits the transmission of viruses, such as Ebola or SARS-CoV-2, the novel coronavirus that causes COVID-19, by notifying people who have been close (within one to two meters) to an infected person that they should seek medical attention and/or self-quarantine.
In a study by the University of Oxford, researchers used mathematical modeling and algorithms based on epidemiological principles to investigate COVID-19 infectiousness. They demonstrated that the spread of the virus occurs too fast to be contained by manual tracing, but could be controlled by the rapid opt-in of contact tracing apps by a sufficient percentage of the population (around 60%).
Open-source and privacy first
On April 5, the newly-formed global TCN Coalition announced a privacy protocol for anonymized contact tracing. The open-source, free specification, available on GitHub, is being used by Android and iOS apps to share a 128-bit Temporary Contact Number (TCN) with nearby apps using Bluetooth Low Energy (BLE).
The global coalition includes projects such as Coalition Network and Covid Watch in the U.S. and Cotect in Germany. If tech companies, developers, and governments adopt the shared protocol, says the team, it will ensure interoperability between apps.
“Regardless of which app a user chooses to use, we should be able to see alerts across this ecosystem of apps, regardless of where you are in the world,” explains Dana Lewis, co-founder and developer of Community Epidemiology in Action (CoEpi), a symptom-alerting app based on the TCN protocol.
Unlike Singapore’s TraceTogether, apps based on the TCN protocol do not require personally identifiable data, such as phone numbers, and there is no centralized database. “All the ones [apps] using the TCN protocol are specifically designed around a decentralized model where the data goes to a server, but nobody sees the data in the server,” says Lewis.
The randomized TCNs are generated locally within the app and are temporary. In CoEpi’s case, they change every 15 minutes. The TCNs require a device-based digital key to both generate and decrypt them. “If you hacked into the server and pulled down these random numbers without devices A or B’s key, that are local on those phones, you’re not going to be able to intuit anything about that randomly generated number between the two devices,” says Lewis.
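The rotation and key-dependence described above can be sketched as follows. This is an added example, not code from the TCN Coalition or CoEpi: the HMAC-based derivation, the function names and the sample keys are assumptions chosen for illustration, and only the 128-bit size and 15-minute rotation come from the article.

```python
import hashlib
import hmac

ROTATION_SECONDS = 15 * 60   # CoEpi's rotation period, as stated in the article
TCN_BYTES = 16               # 128-bit Temporary Contact Number


def interval_index(unix_time: int) -> int:
    """Map a timestamp to the 15-minute window it falls in."""
    return unix_time // ROTATION_SECONDS


def derive_tcn(device_key: bytes, interval: int) -> bytes:
    """Assumed derivation (not the TCN spec): HMAC-SHA256 over the interval
    number, keyed with the device-local secret, truncated to 128 bits."""
    msg = interval.to_bytes(8, "big")
    return hmac.new(device_key, msg, hashlib.sha256).digest()[:TCN_BYTES]


def linked_intervals(observed: set, device_key: bytes, intervals: range) -> list:
    """Return the intervals whose TCN appears in `observed`. Only a holder of
    `device_key` can do this; without it the values are unrelated bytes."""
    return [i for i in intervals if derive_tcn(device_key, i) in observed]


# Constructed sample keys; a real app would generate these randomly on the phone.
KEY_A = bytes(range(32))
KEY_B = bytes(32)
KEY_OTHER = b"\xff" * 32

# Constructed view of a server-side store: four windows from A, one from B.
WINDOWS = range(100, 104)
SERVER_STORE = {derive_tcn(KEY_A, i) for i in WINDOWS} | {derive_tcn(KEY_B, 101)}

if __name__ == "__main__":
    for tcn in sorted(SERVER_STORE):
        print(tcn.hex())                       # what someone reading the store sees
    print("A:", linked_intervals(SERVER_STORE, KEY_A, WINDOWS))
    print("B:", linked_intervals(SERVER_STORE, KEY_B, WINDOWS))
    print("no key:", linked_intervals(SERVER_STORE, KEY_OTHER, WINDOWS))
```

The store holds five 16-byte values with nothing tying the four from device A together; grouping them requires the key that stays on the phone.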
When Google and Apple released draft technical documentation for contact tracing “to help governments and health agencies reduce the spread of the virus,” questions were quickly raised about the future of the TCN protocol.
However, Lewis supports the Google/Apple announcement and believes the TCN protocol remains vital as a grassroots, open-source option. “People are going to want to choose what apps and what kind of security protocol they use, and we think that that gives another choice,” she says.
On April 10, the TCN Coalition stated its own commitment to interoperability between protocols and expressed its hope that Google and Apple will finalize their own specification in collaboration with other teams.
A global effort
At the Massachusetts Institute of Technology (MIT) Media Lab, a team led by Ramesh Raskar is developing citizen-centric contact tracing tools, such as the Safe Paths platform, based on PrivateKit. They are also researching Split Learning to train machine learning models without sharing raw data.
The MIT team worked with CoEpi on Bluetooth methodologies and is also partnering with COVID Watch, a non-profit project in collaboration with Stanford University and Canada’s University of Waterloo. COVID Watch has released its own source code and epidemiological model for contact tracing, and published a white paper on the use of crowdsourced data to slow infectious diseases.
In Europe, the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) organization provides contact tracing tools, standards, and technologies to developers, governments, and health authorities. It brings together 130 researchers from eight countries.
The PEPP-PT reference implementation is based on Europe’s General Data Protection Regulation (GDPR) and includes Bluetooth Low Energy (BLE), anonymized mapping, and privacy protocols. The source code will be available under a Mozilla license.
The use of COVID-19 virus transmission-limiting technologies in Asia is already established, while in Europe and the U.S., decisions are being made now. The U.K., France, Germany, and Switzerland have announced they are working on contact tracing projects.
Researchers at Imperial College, London, have published eight privacy questions governments should ask when developing contact tracing apps. Public trust requires more than high-level reassurances; things must be done properly from a technical perspective, says Yves-Alexandre de Montjoye, head of Imperial’s Computational Privacy Group.
Questions include considering how much data a person controlling a server has access to, how the anonymity of users is guaranteed, and ensuring external parties cannot exploit the system to track users or to infer who is infected.
Transparency and reproducibility are key. “It is good practice, especially in cases like this, to have completely open specification and protocol,” says de Montjoye. “We need to make sure that if I install something on my phone, I can verify that what I’m installing is exactly what I see in the source code.”
Technologies designed to limit the spread of COVID-19 inevitably will become part of our daily lives. As with the pandemic itself, if we can see the pattern unfold, we can see what is coming.
Karen Emslie is a location-independent freelance journalist and essayist.