The University of Oxford’s Big Data Institute advised the NHS this week that “a contact-tracing app could help stop the coronavirus pandemic, but 80 percent of current smartphone owners would need to use it.”
Can you imagine trying to get 80 percent of Americans, from the privacy and security aware to coronavirus “truthers,” to download a tracking app? I mean, it would be really good if I got an alert letting me know I was near someone who tested positive -- for myself and the people I care about. My plan is for us to live through this. But I have massive surveillance PTSD from Big Tech’s consent allergies, and yesterday the federal government's team lead used a press briefing to suggest using an "injection" of disinfectant into people infected with COVID-19, NBC News reported, "as a deterrent to the virus."
Plus, I think everyone sucks at security and few things are as bad as app security. I know this can be done right. I understand the security, privacy and cultural constraints of how to make a contact tracing app successful while not trampling our human rights. But does anyone pushing us to the inevitability of contact tracing apps get it?
That said, contact tracing apps are not just unavoidable; we desperately need them. They’re already in use in different countries, yet implementation is slow for Western countries. Basically, we’re next.
Contact tracing is when health workers stem the spread of a disease by locating an infected person, documenting where they went and with whom they came into contact then finding out if those people have symptoms, and determining potential testing and quarantine. It has been used all over the world when fighting contagious infectious diseases like Ebola. Right now, contact tracing with quarantines and widespread, accurate testing are absolutely vital in stopping the COVID-19 pandemic.
The phrase “contact tracing” as we know it online has become a catch-all for digital alternatives, such as apps that reduce risk time, minimize everyone’s exposure and save lives.
It could also save a lot of money; our economy is bleeding out before our eyes. But it’s also not cheap to implement. “Contact tracing on a national level could cost in the billions of dollars and require hiring more than 100,000 people,” NBC News reported.
"Every clinician in the city who cares for someone with COVID-19 and every laboratory that processes a positive test must report the case to the Department of Public Health, which is how San Francisco is building out its database of contacts," NBC further explained. The implementation of contact tracing is labor- and time-consuming:
San Francisco plans to use a workforce of 140 people, including medical students from the University of California, San Francisco, librarians and staff from the city attorney’s office, to go through lists of people who have tested positive for the virus and interview them.
While SF gears up for at least 140 people for its 883,000 citizens, on Wednesday California Governor Gavin Newsom announced that the state is readying to train up to 10,000 contact tracers.
San Francisco’s health department is employing the use of software for its contact tracing, though that software is used by the tracers themselves to track and monitor people’s cases. It’s not being forced on the city’s population. On Monday SF’s public health director, Dr. Grant Colfax, told press that “participation in contact tracing is voluntary and no one will be asked about their immigration status or for their Social Security number or bank details.”
That’s reassuring from a privacy and anti-surveillance perspective, which is the aspect filling so many of us with crushing dread. Make no mistake, we’re talking about an event — the coronavirus pandemic — creating an opportunity for a worldwide digital security and privacy apocalypse. We can be sure that the dictators and data dealers are all salivating over all that Big Brother brand toothpaste that can never be put back in the tube.
That’s probably what brought the DP-3T Project, a group of digital security and privacy professionals, to publish an astonishingly comprehensive report this week: The Privacy and Security Risk Evaluation of Digital Proximity Tracing Systems. In it, they plainly explain that all contact tracing apps use Bluetooth to estimate proximity between two phones, and all the system needs to do is inform the phone’s owner they’ve been near an infected person. “The system does not need to reveal to anyone who the potential contagious contact was with, or when and where it happened.”
The report goes on to list risks everyone will need to know about. That includes the potential for app makers to abuse all the data (including access to people’s social graphs), that in all Bluetooth tracing systems “a powerful antenna can trigger false alerts,” adversaries could track users, and more.
The thing is, in order for contact tracing apps to work, they must be universally adopted by everyone. It would help enormously if makers of these apps addressed the concerns and risks in DP-3T Project’s paper. Because contact tracing apps are working in some places, but not others, and it all comes down to voluntary adoption.
Everyone’s doing it… differently
Contact-tracing smartphone apps are already in use by countries including China, Germany, Hong Kong, India, Israel, Italy, Singapore, South Korea, and Taiwan — all with varying results. Australia and the UK’s NHS plan to, and so do EU member states, which is why the European Commission (EC) just published guidelines for EU app devs.
The US is also interested; different states are pursuing their own solutions, with around 20 different state and local governments interested in using MIT’s open source “Privacy by Design” Private Kit. New York announced his week it will launch its own tri-state virus tracing program (with a huge cash infusion from Michael Bloomberg).
Then there’s Google and Apple’s unholy alliance; the companies are building APIs -— the actual contact tracing phone apps will come from public health orgs. The tech giants are calling it “Privacy-Preserving Contact Tracing,” and they already hit a few snags with the UK’s NHS.
“Apple and Google are encouraging health services worldwide to build contact-tracing apps that operate in a decentralised way, allowing individuals to know when they’ve been in contact with an infected person but preventing governments from using that data to build a picture of population movements in aggregate,” reported press.
“But the policies, unveiled last week, apply only to apps that don’t result in the creation of a centralised database of contacts,” Guardian explained. “That means that if the NHS goes ahead with its original plans, its app would face severe limitations on its operation.”
Meanwhile the US federal government chose Peter Thiel and Palantir to create the HHS Protect Now “single source” COVID-19 data tracking platform. Protect Now integrates 187 Palantir data sources, which according to press includes “hospital capacity and inventories, supply chain data from the government and industry, diagnostic and geographic testing data.” A government spokesperson told Daily Beast HHS was also relying on “private sector partner contributions of data.” Yeah, because seamless data sharing between government and private companies always ends well.
“Palantir has already done work for the Trump administration, providing profiling tools to the Immigration and Customs Enforcement as part of the president’s draconian border crackdown,” Vanity Fair reminds us. “And then there’s Thiel’s personal links to Trump. An early Facebook investor and board member, Thiel joined Trump and CEO Mark Zuckerberg for a private dinner last year at the White House and he reportedly influenced the social media giant’s policy on political ads.”
The point is, it’s convenient for companies to argue that all the Hoovering of our data they’ve done over the past 10-15 years could make them uniquely positioned to ride in on a big, white syphilitic unicorn and save us. (We’d just need to surrender to a deeper surveillance state while a seamless data sharing deal is made between the private sector and the government.)
Except it won’t save us, at least according to a white paper from the ACLU Turns out, COVID-19 is a very unique situation.
“We have spoken with engineers and executives at a number of the largest US companies that hold location data on Americans’ movements and locations and generally they have told us that their data is not suitable for determining who was in contact with whom for purposes of Covid-19,” ACLU concluded in its April 8 paper, The Limits of Location Tracking in an Epidemic.
Implementation vs. adoption
But wait: let’s back up to the part where I mentioned all the different countries around the world that are already using contact tracing apps with varying degrees of success. On the one hand we’ve got China and Israel going full police state with invasive citizen surveillance, while countries like South Korea, Singapore, and Taiwan have balanced privacy and virus tracing.
“Top of mind has been whether authoritarian regimes have an edge over democracies, because they can mandate top-down measures like lockdowns and digital tracking of infected people’s movements and contacts,” wrote Harvard Business Review. But “the top and bottom performers in Covid-19 containment span the spectrum from autocratic to democratic. It’s true that China is effectively flattening the curve, but so is South Korea, a vibrant democracy. Other democracies — the U.S., Spain, Italy, and France, are faring less well.”
It’s no coincidence that the locations seeing success with contact tracing smartphone apps have at least two things in common: governments behind the apps are tech-savvy, and the places they’re working are those with more collectivist societies — specifically, those in East Asia. Most of those tech-savvy governments emphasize controls on digital privacy (like South Korea and Singapore), easing issues of trust that might create avoidance.
In the US, states have been fractured by the federal government and the union is splintering. States are forming coalitions and fighting the federal government for citizens’ survival. A contact tracing app from the federal government will never gain universal adoption for more reasons than can be listed here.
That’s okay, they’d just screw it up anyway.
Digital contact tracing for COVID-19 is inevitable. Because this means mass installation of a surveillance app on everyone’s phones in order for it to work, it’s a moment when we can decide that fighting for survival means fighting for our future, too.
I hate this moment in so many ways, and for so many reasons. I hate that this should be the moment that all our privacy and security mistakes with apps, companies, and people’s lives are just staring us in the face, screaming for someone to pay attention. Because this should be the promise of all this stupid technology, that when we are dying and oppressed, that we could use it to find a way and toss everyone who abused apps and tech to harm us.
There should be a contact tracing app that I want to use, and that I can trust. Not another grubby shitshow of vulnerabilities and privacy violations made by people I hate and corporations trying to make sure I have no choice.
That contact tracing app would do exactly what it needs to do, and no more -- just as described in The Privacy and Security Risk Evaluation of Digital Proximity Tracing Systems. And we’d use it as part of the things we incorporate to get through the next part of this game’s nightmare level, another tool for our arsenal of resilience, an acceptable accessory while we shift our perspective from preoccupation with fear and loss to focus on strength and resetting our worlds.
It would not sell us out, but instead help us survive and adapt -- both COVID-19 and the murderous, anti-science, profiteers and grifters trying to deep-six our freedoms and futures. Turns out survival and adaptability are evolutionary traits -- science! A definite advantage when your country’s idiot CEO is literally talking about blowing sunshine up your ass to cure the plague.