For international readers: Electronic Frontier Finland – Effi is a Finnish non-governmental organization that works for civil rights in electronic realm meaning mostly Internet. The content on Effi pages is usually in Finnish. Due to the exeptional nature of the coronavirus pandemic it is important to discuss and fight it internationally, thus this translation of my original blogpost. I thank Salu Ylirisku for answering my request on Twitter seeking for a translator for my text. My belief to humanity got a boost: while I was in a teleconference yesterday evening he had replied me asking if I had found a translator. I did not notice his message until this morning. There was also a message including a link to translation. Thank you, Salu! Waiting to meet you face to face one of these days.
This text intends to explain the technology-mediated taming of the epidemic caused by the SARS-CoV-2 via applying the so-called ‘contact tracing’ approach, and addresses the technological and especially privacy concerns it raises. The text is authored by Elias Aarnio, the Vice Chair of the Electronic Frontier Finland – Effi Association, specialised in data security. You may contact Elias at elias.aarnio@effi.org.
Why is it important to trace the infection chains?
One of the key reasons SARS-CoV-2 has caused the epidemic is due its ability to infect others before the virus carrier displays any noticeable symptoms. A symptomless person can easily keep spreading the disease for a relatively long time. The incubation time, i.e. the time from infection to symptoms, is estimated to be at most 14 days. The 14-day duration of the quarantine period is based on this assumption. However, according to Chinese researchers, the incubation may be even as long as 24 days.
It is obvious that, if you are asked – even though being sharp and good at memorising things – where you have been and with whom you have been in closed contact during the last 14 days, the answer may not be very accurate. This greatly reduces the relevancy of mere memorising. Moreover, the enquiry into people’s memories is very laborious. And even though such interviews would be successful, the problem of contacting the potentially infected people still remains. The amount of information related to the epidemic is immense. Thus, information about one’s potential exposure to the virus due to an infected person’s visit to a public location, such as a kiosk or gas station, may be lost in the mass.
A more effective tracing of infection chains may yield two kinds of benefits, as I see it:
- In acute situations the workload of healthcare workers and health officials can be reduced, the tracking of infections becomes quicker, and the infected ones can be set to quarantine quicker.
- it is possible to prepare for the second wave of SARS-CoV-2 virus which, according to the current epidemiological information, most likely will happen before a vaccine will be available.
What does contact tracing mean?
Contact tracing means a method in which computer technology is employed to keep a record (a “contact list”) of all such events where a person has stayed in the close proximity of an infected person over a duration during which an infection may have occurred. As soon as a person becomes identified as infected, their contact list can be reviewed, and every possibly infected contact can be warned about the risk of infection. This information may also be connected to epidemiological modelling. This can provide officials with greater awareness of the situation as well as assist in modelling of the spreading of the disease.
It is worth noting that satellite positioning based solutions, such as GPS, cannot solve the dilemma. There are two reasons for this:
1) The resolution of GPS positioning is too rough for the purpose. The theoretical maximum of 5 meters accuracy of GPS system is way too coarse to serve the aim. If the GPS reception is poor or non-existent, as happens indoors, the GPS information becomes basically useless. The 200 people inside a steel-covered store do not receive any useful information from such a system during the GPS signal outage while they remain indoors.
2) And, even though the tracking was successful, a person within 3 meters might reside beyond a concrete wall, inside a neighbour’s apartment. The amount of false positives is potentially great, if you consider the way GPS signal fluctuates within indoors settings.
Furthermore, the tracing and storing of people’s whereabouts comes with grave privacy and legal concerns, which are beyond the current discussion, as this will not resolve the problem that we are at.
Contact tracing is possible to implement by using a technology that exists in basically all of today’s mobile phones: Bluetooth radio connection. Even though the ‘radio signal distance’ is a different matter than physical distance, the measuring of the strength of the Bluetooth signal gives a good approximation of the distance between people, when the phone is most of the time carried along in a pocket or purse. The distance is roughly the same as people’s distance while they move around. Nevertheless, the issue of false positives remains as Bluetooth is transmitted through the partitions of typical apartments. On the other hand, this source of error keeps repeating the same false positives.
People concerned about their privacy are already familiar with how some malls follow their clients quite accurately with so-called Bluetooth beacons. These enable picturing in great resolution people movements inside a building. For this reason those concerned of their privacy tend to switch off Bluetooth most of the time, and use it only when they truly need it.
All serious implementation and plans of contact tracing has been implemented through the use of Bluetooth technology, including the TraceTogether in Singapore, the Wetrace by a Swiss bank and Google, and the PEPP-PT created in collaboration with numerous European scientists. The D3-PT is currently the only publicly available documentation of the PEPP-PT collaboration. As far as I know the Finnish consortium that comprises pro bono involved software companies Reaktor and Futurice and state owned Business Finland, is working on the basis of the work by the PEPP-PT. This is most likely to be released as the “governmentally approved official” application.
Is contact tracing necessarily mass surveillance?
The short answer: No, if it is properly done.
The long answer: It is tricky, and it is very easy to get the implementation wrong.
The organisation behind the most prestigious annual conference of the security specialists, called Chaos Computer Club, has on the 6th of April 2020 released an excellent list of requirements that a contact tracing application must fulfil in order to become approved.
The requirements in a nutshell (though one should read the CCC blogpost linked above):
- The applications and the data is used only for the tracing of the SARS-CoV-2 contact chains. All other use is forbidden.
- The participation must be based on volunteering and refusals must not be sanctioned.
- Privacy is not compromised.
- The application and background software must be openly available in open source to ensure transparency and to enable verification.
- There must not exist a central organisation to be trusted.
- Only the necessary amount of data is collected.
- Anonymity: the technology must not enable the identification of the persons using it.
- No central data storage of people’s mobility and contacts.
- Unlinkability: the ID that is used to associate a person with the application data must not be derived from other data or be linked to such, for example, to user accounts on other services.
- Data encryption: an outsider must not be able to discern any information from the transmitted data about a person’s health or anything else stored by the application.
D3-PT mostly fulfils these requirements. It also fulfils the requirement 7 in an elegant manner: the application informs a person about a potential infection, and urges them to contact healthcare. This happens without having to involve officials in the whole. This is important to understand. For this reason it is possible to implement the application in a manner that people can refuse to release their information for research. The emphasis is on the users, not on the control by officials. This contributes to the trust for the application.
For those pondering how this is possible, it is necessary to mention that this is about the use of everyday cryptographic methods. There is nothing especially difficult for encryption specialists.
Why does data security and privacy protection have to be so waterproof?
In order for the contact tracing to yield actual benefits, the application should be installed for over half of the population, as far as I have understood it right. In his blog post (text in Finnish) the Finnish minister of transport and communication, Timo Harakka, aims for reaching over 60% coverage. In order to reach this level, the people must not have any doubt about the level of data security and privacy.
People who are very concerned about their privacy, such as myself, who are not using certain social media services for their abuse of personal information, are scarce. I would not even claim that we are thought leaders. I, nevertheless, argue that we have good reasons for our actions, and our voice should be heard especially here, if all want to be involved. We are thinking about these issues that “nobody is interested in” pretty much all of the time. Thus we should be involved in the process to ensure that the collecting of data is done in a manner that even the strictest data-privacy experts can accept it.
This furthermore makes the bigger problem a bit easier: the applied approach and the technological protocol that is used, should be roughly similar across Europe. The reason is simple: once people are free to move again, a system that fails to follow people across borders is rather useless. During the lockdown we need to allow the comings and goings of cargo drivers, and contacts in close proximity are inevitable. It is important that the implementation allows for the tracking of contacts even for the truck driver that travels from one country to another, if they are willing to be tracked.
In order to reach this aim, the application must be approved by our neighbour, Sweden, and also by the strict and thorough Germans as well as the citizens of the UK, as we keep on flying to Britain once the skies are open again. The distance of attitudes towards technology between the Finnish “it is probably going just fine if the officials are doing it” style of trust-based society and the UK culture, where even the introduction of a social security identification is damned as a big-brother scheme and governmental attempt of increased control.
In order for the system to function without official intervention, or without any central controlling body, a common identification protocol used by a phone application appears like a workable solution. The fit-for-all is, however, a great challenge. Although, if someone solved it – the Finns! The slogan of a former Finnish company “Connecting People” was never misplaced. We just need to re-redeem it now.
Tracking – not mapping
While I was writing this, I found out that the term ‘contact tracing’ becomes translated in Finland to ‘contact mapping’. The term to ‘trace’ means to ‘track’. For data security and privacy reasons we must not confuse the mapping of social contacts with the tracking of infection chains.
The need and benefits of technology-based solutions for contact tracing are not at all obvious but they do indeed open up a massive can-of-worms regarding privacy. We are talking about technology which could be adapted for detailed mass-surveillance here. Anyone in sane mind should not promote development of such applications under any excuse.
However, if genuinely necessary and proportionate, even extreme solutions could be deemed acceptable. This is the point where the technological solutions fail. In Finland, the problem is inadequate (read: barely existing) human resources for contact tracing. Hiring some furloughed staff as temporary tracing assistants is a viable alternative to developing tracing technology. Hence, using technology would be a matter of choice rather than of necessity and consequently, unacceptable.
During rampant epidemic, it is essential to concentrate on the most important factors and not waste energy on the microscopic tails of probability distributions. It is important to find the find the main contacts one has had just before and while falling ill, and this is something most are likely able to tell fairly easily. Extensive, detailed contact tracing is merely likely to result in a vast number of false alarms. Pretty soon everybody would get an infection warning – and the symptomless cases, they would not get identified because they still would not get tested. Perfection is the biggest enemy of good enough.
In the eradication phase, it may be more important to be able to trace contacts in a more detailed manner. The “human solution” has the benefit that during the low-intensity, remnant epidemic, a lot more effort can be spent on each case than during the main phase. Hence, the accuracy improves when it is needed, with the added benefit of hands-on learning. Even here, perfection is not necessary.