Apple and Google Announce Partnership to Implement Contact Tracing to Track Novel Coronavirus Exposure
Derek Thompson, writing in the Atlantic earlier this week:
Our cellphones and smartphones have several means of logging our activity. GPS tracks our location, and Bluetooth exchanges signals with nearby devices. In its most basic form, cellphone tracing might go like this: If someone tests positive for COVID-19, health officials could obtain a record of that person’s cellphone activity and compare it with the data emitted by other phone owners. If officials saw any GPS overlaps (e.g., data showing that I went to a McDonald’s hot spot) or Bluetooth hits (e.g., data showing that I came within several feet of a new patient), they could contact me and urge me to self-isolate, or seek a test.
Casey Newton, the Verge:
All of these efforts seem to skip over the question of whether a Bluetooth-reported “contact event” is an effective method of contact tracing to begin with. On Thursday I spoke with Dr. Farzad Mostashari, the former national coordinator for health information technology at the Department of Health and Human Services. (Today he’s the the CEO of Aledade, which makes management software for physicians.) Mostashari had recently posted a Twitter thread expressing skepticism over Bluetooth-based contact tracing, and I asked him to elaborate.
The first problem he described is getting a meaningful number of people to install the app and make sure it’s active as everyone makes their way through the world. Most countries have made app installation voluntary, and adoption has been low. In Singapore, Mostashari told me, adoption has been about 12 percent of the population. If the United States had similar adoption, you’ve now made your big contact-tracing bet on the likelihood that two people passing one another have both installed this app on your phone. The statistical likelihood of this is about 1.44 percent. (It could be higher in areas with greater population density or where the app was more widely installed.)
A low adoption rate of contact tracing is something that could be resolved if, say, one or both of the world’s mobile operating system vendors hopped on this problem.
First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.
Second, in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities. Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze.
The short version, from Ina Fried at Axios:
In mid-May, the companies will update their operating system to support the contact-sharing technique and allow for contact-tracing apps.
In the coming months, a further operating system update will allow the system to work without needing a specific app.
As reported in the New York Times, this partnership formed about two weeks ago, so it is not fully realized yet. However, to supplement this announcement, both companies have released draft technical documentation explaining how the system will be implemented. From the Bluetooth document:
The Contact Tracing Bluetooth Specification does not require the user’s location; any use of location is completely optional to the schema. In any case, the user must provide their explicit consent in order for their location to be optionally used.
Rolling Proximity Identifiers change on average every 15 minutes, making it unlikely that user location can be tracked via bluetooth over time.
Proximity identifiers obtained from other devices are processed exclusively on device.
What’s most interesting about this is that it seems to not actually be about location data—it’s about proximity data […]
This is a more privacy-sensitive version of some of the makeshift ideas documented by Thompson, above, and it address the problem of scale even though it’s still, rightly, opt-in.
Here’s another question that Newton raised in his piece:
The second problem is that when these Bluetooth chips do pass in the night, you should expect a large number of false positives.
“If I am in the wide open, my Bluetooth and your Bluetooth might ping each other even if you’re much more than six feet away,” Mostashari said. “You could be through the wall from me in an apartment, and it could ping that we’re having a proximity event. You could be on a different floor of the building and it could ping. You could be biking by me in the open air and it could ping.”
The snarky side of my brain wonders if this is a real problem given how unreliable Bluetooth connections often are in typical use. For what it’s worth, the Washington Post also pointed this out — so it is problematic that Bluetooth is apparently too sensitive and not sensitive enough.
It is understandable why this is being raised as a concern, but it beggars belief that it is something that would not be considered by either Apple or Google. They know Bluetooth signals pass through walls and floors, and that walls and floors often separate apartments and offices. I do not see a clear explanation of how this will be resolved in any of their documentation, so it is an open question, but it is surely not one that either company is unfamiliar with.
Another concern is an overwhelming amount of data creating patterns where none exist. In a Twitter thread, Ashkan Soltani points out the importance of avoiding noise that could interfere with other efforts. There are plenty of likely scenarios in Sultana’s thread where false negatives and false positives are plausible. But nobody is proposing that this technology should be used as a substitute for widespread testing and other policy initiatives. It is a complementary option, not a replacement.
There are reasonable concerns we should keep in mind about this initiative; however, on balance, I think we must see this as a contribution that has the possibility to more accurately direct resources and testing. It should not be trusted without verification, but it also should not be dismissed. There is no substitute for testing but, in the absence of good governance in critical countries, it becomes necessary to create supplements wherever possible.
Update: Maciej Cegłowski:
What this does highlight is the problem of governance. Deploying a new, nationwide contact-tracing technology should be something decided by a functioning Congress in consultation with a functioning CDC, not a fun crypto project for Chad and Brad in Cupertino and Mountain View.
It speaks to some deep-seated cynicism that many people would, apparently, prefer tech giants creating a contact tracing system than the CDC. I don’t think it’s wrong that Apple and Google are creating this system, but I do think it’s upsetting that they seemingly must.