Contact tracing – the privacy vs urgency dilemma for governments in the fight against Covid-19
- China has been quick to experiment with digital contact tracing, enlisting domestic tech giants to build QR-code-based quarantine apps during the pandemic
- The US approach to contact tracing has been fragmented and slow to launch, with no national program in place, although privacy has been top of mind
This story is part of an ongoing series on US-China relations, jointly produced by the South China Morning Post and POLITICO, with reporting from Asia and the United States.
Using an app on your smartphone to track whether you’ve been in close contact with people who have contracted Covid-19 seems – at first glance – like a perfectly plausible way to use new technology to help tackle a global health crisis that has sickened millions and brought the world economy to its knees.
There’s just one problem – data privacy.
Tracing the whereabouts of infected patients has become a central plank in government efforts around the world to contain the spread of the novel coronavirus. In the past, contact tracing was done through in-person interviews with medical professionals. Now smartphones have the power to streamline and automate that process.
China has been quick to experiment with digital contact tracing, enlisting domestic tech giants to build QR-code-based quarantine apps during the early stages of the outbreak. Collecting a vast swathe of user data – including location – China’s quarantine apps have empowered authorities to use big data to locate threats and take preventive action.
But this approach has raised enormous privacy and surveillance concerns in the West. To allay public fears, tech giants and many governments in the West have now trained their efforts on contact-tracing solutions that do not collect location data and analyse only anonymised and decentralised data – such as Bluetooth technology – despite some health authorities’ fears that those restrictions will blunt their effectiveness.
Others, including some US states, are pushing ahead with apps that track locations, though at the risk of spotty adoption by a public skittish about privacy. Indeed, fears over tracking in the West could spill over into public unwillingness to be tested for Covid-19 at all – hampering containment efforts.
“The fears over surveillance could ultimately lead to a decrease in testing at precisely the time that we want people to trust public health authorities and go and get tested when the tests become widely available,” said Jennifer Daskal, faculty director of the tech, law and security programme at American University in Washington.
As such, Daskal says that China’s centralised way of collecting data could be counterproductive in the West.
Last month, more than 300 scholars and researchers published an open letter warning of the huge negative effects that may come with the roll-out of location-data based contact tracing – chief among them being the potential for mass, intrusive surveillance by state and other non-state actors.
“Information might be reliable as a kind of a suggestion or a reminder, potentially for self-quarantine,” Ashkan Soltani, former chief technologist of the Federal Trade Commission, told the South China Morning Post. “But it’s not robust enough for making policy decisions, like who should be able to return to work, or who should be able to use public transport or even enter a grocery store.”
But what has been China’s approach and has it really infringed liberty? After all, many would argue that a cautious approach where a person has to willingly download an app, then consent to sharing their data, may also not be feasible when trying to stem the spread of a killer disease.
In China, the government collects the entire digital footprint of its citizens – their location data as well as their self-reported medical history – before labelling each citizen with a risk score and issuing them a coloured health code. The level of a person’s health code then dictates whether they can access public facilities, public transit or even private businesses.
China’s first health code for contact tracing was rolled out as early as mid-February when tech giant Alibaba’s sister company Ant Financial helped the local government in the eastern city of Hangzhou to introduce the so-called Alipay Health Code.
On Ant Financial’s popular payment app Alipay, users sign up under their real name ID and fill out relevant surveys to get assigned a coloured code – green, yellow, or red – indicating their health status, from low to high risk.
Local governments developed their own contact-tracing services using different approaches. Some required users to give the apps access to phone GPS location data, which many experts believe is more accurate than carrier location data. Others require users to voluntarily input their current location, travel history and body temperature on a daily basis.
However, there has been no consensus on which health code system to adopt on a national level, and when multiple bureaucracies collide, people have sometimes had to divulge their personal data to different versions of health apps developed by different parties for varied situations.
In reality, China’s health code programme is a hodgepodge of disjointed efforts by city and provincial governments, as well as its technology giants. This has created further problems, such as lack of inter-connectivity on data sharing and opaque algorithm development.
Chinese respiratory disease expert Zhong Nanshan praises Hong Kong's Covid-19 response
For example, health codes developed by municipal and district-level governments can assign the same person totally different risk levels and assigned colours. As such, people have complained about their health codes flickering from one colour to another even when they have not moved at all, seemingly without explanation.
Experts also point out that China’s health code system runs the risk of missing asymptomatic infections, acknowledging there are loopholes and blind spots for screening.
“The health code can only tell you that they have done some preliminary screening. In fact, there is no way to screen for asymptomatic infections,” said Zhang Wenhong, a pre-eminent doctor who oversees the treatment of Covid-19 in Shanghai, in an interview with China Central Television in April.
But Zhang clarified that China’s existing health code system is robust enough to detect most infected cases and their close contacts. For asymptomatic cases, Zhang said the gap will have to be filled by actual nucleic acid tests.
And China is not the only country whose government has taken an interventionist approach to contact tracing. Israel, Kenya, and Turkey seized some mobile data to monitor the interactions of potential carriers while South Korea’s government added powers to probe the data of suspected virus carriers.
However, Israel’s Supreme Court later banned its intelligence agency from tracing the phone location of those infected with Covid-19, until new laws are passed.
In contrast, the approach to contact tracing inside the US has been fragmented and slow to launch, with no national programme in place and every state left to decide whether, or how, to pursue the technology.
That means that by default, the closest thing to a unified US approach has been the initiative that Apple Inc and Alphabet Inc’s Google announced in April and launched last month, which provides technical tools that health authorities can use to design apps that detect when people have been in close proximity to others who have tested positive with the virus.
The two companies, whose operating systems power most of the world’s smart phones, also imposed a series of privacy restrictions on apps that work with their tools – for example, banning the use of location tracking, requiring users’ consent to share data, and mandating that information about suspected contacts be stored only in the person's phone, not in a central database.
Instead of GPS, their system relies on the Bluetooth feature on phones, which can tell only when two devices have been near each other.
Rather than depend on the two giants, at least a half-dozen states are building their own apps to pinpoint the spread of Covid-19. But those efforts have hit technical hurdles, such as spotty cellphone signals, and the problem of getting people to self-report their test results rather than collect the data automatically.
And with no way to require Americans to install the apps at all, it is an open question whether enough people will adopt them to help health officials keep tabs on the virus before new hotspots explode.
Almost 60 per cent of Americans said they could not or would not use the system Apple and Google are developing, according to a recent Washington Post-University of Maryland poll.
Some health experts say the effort may be stuck between two unattractive alternatives.
“Either you have a system unlikely to help people navigate their world, to leave their house and feel safe, or you have privacy trade-offs,” University of Washington Law School professor Ryan Calo told POLITICO. Calo recently co-authored a study that found widespread public discomfort with contact tracing technology.
Other states have decided to throw in their lot with Apple and Google, despite acknowledging that that also raises worries among some residents.
“While there’s no question we’ve gotten people who have voiced concerns, and there's always conspiracy theories out there, in the end it’s about risk and reward,” Vern Dosch, who heads North Dakota’s contact tracing efforts, said in a recent POLITICO story. “We want to fall on the side of giving our citizens every protection we can give them, and if that involves aligning with Apple and Google, then that’s what we’re going to do.”
And, truth be told, even less intrusive contact tracing tech has its opponents as some experts warn that there are still many ways in which hackers can reconstruct anonymised and decentralised data.
WHO members including China back investigation of UN body’s response to the Covid-19 pandemic
“Even though [Apple and Google’s contact tracing app] has a privacy preserving protocol, you can use it to identify who might be infected by recording, for example, additional information like video or audio signals from them,” Soltani said, “So I think initially people will be reluctant to use it.”
Privacy concerns aside, experts argue that there are also far too many ways in which such Bluetooth-powered contact tracing apps may simply fail to serve their purpose.
Soltani said one of his chief concerns is the potential for false positives.
“For example, if you live in a densely-populated flat, you are going to signal that you and your neighbour have been in contact, even if you haven’t been. So that’s going to generate a number of false positives, right?”
And you can never rule out pranksters, who could bring an extra element of farce to what is already a thorny public policy issue.
For example, as University of Cambridge security expert Ross Anderson warned in a recent blog post, “performance art people could tie a phone to a dog and let it run around the park.”
Josh Ye, Coco Feng, and Yujie Yu reported from Hong Kong, Shenzhen and Beijing for the South China Morning Post. POLITICO contributed from Washington.