In the fight against the novel coronavirus, there are two main strategies being deployed in the digital arena – location tracking and contact tracing.
The former is being used in a number of countries to find out if quarantined or infected people have moved out of their designated areas, such as containment zones and disease hotspots. Typically, a smartphone app relays this location data to a monitoring authority (India), or this data may be obtained by the authority directly from the mobile phone operators (Israel, Belgium).
The location tracking of persons is done by following their mobile phone trail. A phone’s connection to multiple cellular towers or WiFi hotspots is used to compute its location. Alternatively, a mobile phone, equipped with a suitable receiver, can directly communicate with a network of satellites (GPS i.e. Global Positioning System).
The precision of these technologies in pinpointing location varies from a few metres for GPS to a few hundred metres for a cellular/WiFi-based system (depending strongly upon the density of cell towers and WiFi hotspots). Often these technologies work in tandem to provide the location of a device to within a couple of metres, but not always.
The second strategy, of contact tracing, focuses on determining who all were in the proximity of a person over a given period. It does not need information about absolute location (latitude, longitude). Proximity, in the context of the COVID-19 disease, is defined as being within two metres of each other. If a person tests positive for the infection, this information can be used to find all the people who had come in contact with her during the prior asymptomatic (but still infectious) period.
In principle, location data can be used to “trace contacts” by finding the intersections between mobile location trails of people. This will show who crossed whom, where and when.
However, this will not work in practice because the pinpointing accuracy of cellular/WiFi triangulation varies from a few metres to hundreds of metres, and GPS does not work well inside buildings. So these location tracking technologies will not be able to estimate the distance between two phones with the necessary precision if each phone itself cannot be pinpointed accurately.
To the rescue
Bluetooth Low Energy (BLE) technology – when used to create wireless connections with other smartphones – offers a way to address this problem. A smartphone discovers other smartphones in its neighbourhood by detecting their Bluetooth signals, much like the phone would discover a headphone or speaker.
Post discovery, the smartphones need to exchange at least three pieces of information with each other: a device id (that is tied to each smartphone, like a unique name), signal strength, and a timestamp of when the phones encountered each other. Phones have to be in proximity for at least a few minutes because the Bluetooth beacon emits signals periodically. This data is stored for all encounters that occur over a given period, typically 30 days, like a list inside the mobile phone (this list cannot be viewed by the user and the entries are encrypted).
If the owner of a given smartphone gets the infection then this list is sent to a central server, which then informs all the phones found in the list that they have had a “contact” with an infected person, and so should take whatever action is mandated by the rules (go for a test, impose self-quarantine or report current state of wellness). All the data exchange between phones is mediated through the (same) app on both smartphones, as is the interaction of the phone with the server. This is how a minimal system works, and nothing more is really required for contact tracing.
This kind of contact tracing is effective only if lots of people have the app installed. Only then is there the possibility of data exchange; otherwise a few smartphones will keep encountering a majority of other phones which do not have the app. The most obvious limitation of this technology is the fraction of the population that has smartphones. Then, not everyone is willing to install and use the app due to “trust” issues (e.g. people fear that their data uploaded to a central server is not secure, or that they will be locked up if their phone shows up in a list).
In India, the Central government-promoted Aarogya Setu app has been downloaded by 75 million users (April 25, 2020), but the number of actual (active) users will be less – it is hard to estimate by how much. India has around 400 million smartphones out of a total mobile subscriber base of about 1,000 million. Even if we take the numbers literally, 75 million out of 1,000 million is 7.5%, i.e. the percentage of mobile users who have the app downloaded. Singapore has about 17% of people who installed the app. An Oxford University study suggests that even in a country like the UK – with much higher smartphone density – around 56 to 70% of people need to have the app installed for it to be effective. So will it really work in a country like India?
Next are the issues with the Bluetooth signal itself. Apps try to estimate the distance between two phones by using the received signal strength (RSSI). This is not as easy as it seems because the phone placement (pocket or hand), orientation, Bluetooth version and phone operating system (Apple iOS, Google Android) can affect the signal quality. Plus, objects in the signal path (whether these absorb or reflect) and WiFi interference can modify the signal strength. It requires sophisticated signal processing to “clean” the signal, but the distance measure may still not be accurate, giving rise to false positives and negatives. In any case, false positives will be generated by people in proximity but in rooms separated by a wall or a ceiling. There will be a huge number of unreliable entries in crowded places like metro stations! Consequently, many healthy people may be sent to hospital or quarantined for no good reason.
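To show why RSSI-based distance is so fragile, here is an added example (constructed for this article, not code from any tracing app) that inverts the common log-distance path-loss model over a constructed burst of readings; the path-loss exponent, the calibration value and the readings are all assumptions. The same burst lands on either side of the two-metre threshold depending only on how the samples are smoothed and which environment is assumed.

```python
# Log-distance path-loss model, an assumed textbook model (not from the article):
#   rssi = tx_power - 10 * n * log10(d)   =>   d = 10 ** ((tx_power - rssi) / (10 * n))
# tx_power is the RSSI expected at 1 metre; n is the path-loss exponent, roughly 2 in
# free space and 3-4 indoors, where bodies, walls and pockets attenuate the signal.

PROXIMITY_METRES = 2.0        # the COVID-19 proximity threshold named in the article
TX_POWER_DBM = -59.0          # constructed calibration value for the 1 m reference

def estimate_distance(rssi_dbm, tx_power_dbm=TX_POWER_DBM, n=2.0):
    """Invert the path-loss model to turn one RSSI value into a distance in metres."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * n))

def is_proximity_event(rssi_dbm, n=2.0):
    """The decision a tracing app would make from this single reading."""
    return estimate_distance(rssi_dbm, n=n) <= PROXIMITY_METRES

def median(values):
    s = sorted(values)
    m = len(s) // 2
    return s[m] if len(s) % 2 else (s[m - 1] + s[m]) / 2

def mean(values):
    return sum(values) / len(values)

# Constructed burst of readings from one encounter: three stable samples plus two
# momentary fades (e.g. the phone turned away or a person stepped into the path).
CONSTRUCTED_RSSI_BURST = [-64.0, -65.0, -66.0, -78.0, -83.0]

def classify(samples, smoother):
    """Return {path-loss exponent: (estimated metres, flagged as proximity?)}."""
    rssi = smoother(samples)
    return {n: (round(estimate_distance(rssi, n=n), 2), is_proximity_event(rssi, n=n))
            for n in (2.0, 3.0, 4.0)}

if __name__ == "__main__":
    # The same burst yields a 'contact' or 'no contact' verdict depending only on the
    # cleaning step and the assumed environment, which is the ambiguity the text describes.
    print("median:", classify(CONSTRUCTED_RSSI_BURST, median))
    print("mean:  ", classify(CONSTRUCTED_RSSI_BURST, mean))
```

With the median the burst reads as 2.24 m in free space but 1.71 m or 1.50 m indoors; with the mean the two fades pull the estimate out to 4.07 m under every model.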
The problem with apps
Many nations and entities have released apps which do contact tracing, using Bluetooth, in the manner described above.
First, apps may, by intent or by carelessness, be very intrusive. So they will ask for permission to access all kinds of “irrelevant” material on the phone, such as, contacts, images, multimedia, microphone, camera, and much more.
Second, there are encryption choices that can be made and some are more secure than others.
The Aarogya Setu app ensures privacy by encrypting all personal information (name, age, gender, mobile number) at the time of registration, and links it to a unique Digital ID (DID). When a proximity event occurs, phones exchange only DIDs. This is a static ID and is more easily amenable to de-anonymisation, i.e. identifying the owner, in case someone else gets hold of the DID, because there is only a single layer of encryption. The TraceTogether app from Singapore uses dynamic (temporary) IDs, which adds an additional layer of security; however, in this app the dynamic IDs are generated by the central server, which has to remain in touch with the app on the phone. A more secure way would be to generate the dynamic IDs in the phone itself – thus no frequent interactions with the server are needed – but this complicates the algorithms.
Third, a related issue is that of creating social graphs from the proximity data versus simply building a list of proximity encounters. Social graphs are made up of data from multiple users collated together and then represented in the form of networks of connections. Such graphs show who is meeting whom, at what frequency, and can be an effective surveillance tool. They are used routinely for workplace surveillance. If all user data is stored on a central server this possibility becomes real, but it is avoided if data stays on phones locally.
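To make phone-generated dynamic IDs concrete, here is an added example (a constructed scheme for this article, not the actual design of Aarogya Setu, TraceTogether or the Google/Apple framework) that also covers the minimal exchange of id, signal strength and timestamp described earlier: each phone derives its broadcast ID from a local daily key with HMAC, so no server contact is needed to rotate IDs, a diagnosed user publishes only that key, and matching happens on each phone against its own list. The key size, rotation period and encounter timestamps are assumptions.

```python
import hmac, hashlib, secrets

# Assumed scheme, constructed for this example (not the real Aarogya Setu, TraceTogether
# or Google/Apple design): each phone draws a random daily key; the ID it broadcasts in
# each 15-minute interval is HMAC(day_key, interval) cut to 16 bytes, so IDs rotate and
# are unlinkable without the key. The server only relays the keys of diagnosed users.

ROTATION_SECONDS = 15 * 60
INTERVALS_PER_DAY = 86400 // ROTATION_SECONDS

def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Derive the broadcast ID for one interval from the day key, entirely on the phone."""
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def interval_of(ts: int) -> int:
    return (ts % 86400) // ROTATION_SECONDS

class Phone:
    def __init__(self, name: str):
        self.name = name
        self.day_key = secrets.token_bytes(32)  # never leaves the phone unless diagnosed
        self.encounters = []                    # (remote_id, rssi_dbm, timestamp)

    def advertise(self, ts: int) -> bytes:
        return rolling_id(self.day_key, interval_of(ts))

    def record(self, remote_id: bytes, rssi_dbm: int, ts: int) -> None:
        self.encounters.append((remote_id, rssi_dbm, ts))

    def check_exposure(self, published_keys) -> list:
        """Regenerate each published key's IDs and match against the local log only."""
        hits = []
        for key in published_keys:
            ids = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
            hits.extend(e for e in self.encounters if e[0] in ids)
        return hits

def run_scenario() -> dict:
    """Constructed encounter: Alice meets Bob twice; Carol is never near Alice."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for ts in (1000, 2000):  # two different 15-minute intervals, so two different IDs
        bob.record(alice.advertise(ts), -65, ts)
        alice.record(bob.advertise(ts), -65, ts)
    carol.record(bob.advertise(3000), -70, 3000)
    published = [alice.day_key]  # Alice tests positive and uploads only her daily key
    return {"ids_rotate": alice.advertise(1000) != alice.advertise(2000),
            "bob_hits": len(bob.check_exposure(published)),
            "carol_hits": len(carol.check_exposure(published))}
```

Because Bob's phone does the matching, neither his encounter list nor Carol's ever reaches the server, which is the property a static DID sent to a central list cannot offer.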
Fourth, the most significant problem with apps is that of “scope creep”. This refers to adding features to an app beyond its originally stated objective. Aarogya Setu, from its inception, went beyond Bluetooth based contact tracing and incorporated location tracking as well – it also records GPS latitude and longitude. This information is not needed for contact tracing. If these location logs are accessed and decrypted by a hacker, or even a state agency, they can reveal not just the identity but also the absolute movements of people. In contrast, decrypted proximity event lists, stored centrally, will reveal identity but not movements. Even anonymised location data is quite vulnerable to deanonymisation.
Further, it has already been proposed that the app be used as an e-pass to allow free movement during lockdowns, which was never its stated purpose. CISF has proposed that access to the Delhi metro be through this app. Some government organisations have already made this mandatory for employees. And now even a section for donating to the PM-CARES fund is built into the app! It has been argued that the Aarogya Setu app should be implemented only through a new law with clear limitations and legislative oversight but that is unlikely to happen.
More worrisome is the proposal to acquire, particularly intrusive, wrist-bands which will have Aarogya Setu app embedded inside so that location tracking and contact tracing can be done more conveniently. It is not clear whether a mobile phone app will be needed to make the band work. But the scope of the wrist-band sounds ominous. It will “detect, prevent and investigate threats to national security using CDR, IPDR, Tower, Mobile Phone Forensics Data, and Open Street Maps, Google Maps and Offline Maps without internet”, and also monitor “everyday behaviour of the person, including where s/he orders food from and the places s/he regularly visits, the multiple routes s/he could take”. All of it in the name of COVID-19!
Big tech jumps in
It is interesting that Google and Apple are in the process of collaboratively developing a framework for contact tracing using Bluetooth technology. The plan is to incorporate this, first at the level of apps and then at the operating system level to make it a part of the system settings. These initiatives will be coordinated with nodal health authorities. The adoption of this framework will lead to a lot more people using the contact tracing features because it is baked into the operating system and will therefore not require the installation of an app, rather just a toggle to activate it.
Importantly, the European Union is driving new “privacy protecting” standards that contact tracing apps, including the framework being developed by Google and Apple, should follow. Some argue that incorporating contact tracing features into the phone software actually provides a permanent mechanism for surveillance. Hoepman’s technical blog says, “… the technology is pushed down the stack into the operating system layer creating a Bluetooth-based contact tracing platform. This means the technology is available all the time, for all kinds of applications. Contact tracing is therefore no longer limited in time, or limited in use purely to trace and contain the spread of the COVID-19 virus”.
A more optimistic view is represented by a public letter written by 300 academics who say that Bluetooth contact tracing, as described by Google and Apple, is far more “privacy preserving than apps that collect location data in a central store”. Yet Hoepman, like many privacy advocates, insists that what is stored on a phone can very easily be sent to a central server, and that malicious apps can track infected and uninfected people. More perilous is of course the fact that this system will be controlled by Big Tech, with their propensity to use data for revenue seeking. Also, nothing prevents authoritarian governments or spying agencies from deploying this technology at specific locations for monitoring movements and meetings.
“China could consider it to further monitor Uyghurs. Israel could use it to further monitor Palestinians. You could monitor the visitors of abortion clinics, coffee shops, gay bars,…”.
Someone comments on the blog, “Just give up on the apps and spend the money in face masks and hospital workers”. Perhaps this is sane advice.
In response to public feedback and privacy concerns, Google and Apple have decided to rename this system by a more positive sounding “exposure notification” instead of the original, somewhat dreaded, “contact tracing”. They have also promised that they will remove this feature from phones wherever the pandemic ends.
So, what now
Bluetooth contact tracing technology may be useful in some contexts and countries but in most cases it will remain a “something is better than nothing” initiative. We need to wait for the data to come in to see how far the Bluetooth system has “spread” and how many cases of COVID-19 were actually found because of it.
Given that the digital universe is being flooded with more and more “innovation” to extract more and more data of every sort under the pretext of fighting COVID-19, this is a good time to push for comprehensive data protection laws everywhere. There is a rising demand for data laws in countries where they do not exist. In the US there is no federal law yet on data privacy and security, and California has set an example. In India we have a draft law – which needs much improvement, especially in terms of amendments that will provide protection from state agencies – pending in parliament.
Anurag Mehra teaches engineering and policy at IIT Bombay. His policy focus is the interface between technology, culture and politics.