Is Bluetooth Contact Tracing Too Blue-Sky?

Wednesday 24 June 2020 By Richard Taylor

Topics: Threats, Mobile App Development, API Security, Healthcare

Blue Sky 1

Contact tracing has been in the news a lot in recent months. No wonder. It’s widely seen as playing a key role in opening our societies up again after lockdown, and an important part of the strategy for countries that have already done well in suppressing transmissions. As technologists we, and many like us, immediately jumped onto the possibilities of Bluetooth. A ready made technology available on just about every smartphone designed for ubiquitous short range radio communication. Perfect. We just need to throw an app together and we can map all the contacts people are having day to day, so if anyone gets sick we can automatically alert anyone else that might have been exposed. Cool. Should be ready in a couple of weeks, right?

What was immediately obvious is that there might be some privacy concerns. If everyone’s phone is broadcasting the same identifier all the time then they could be tracked by anyone. So pretty quickly the various teams working on this developed various clever cryptographic techniques to prevent such tracking. Without the right secret keys the broadcasts look just like a sequence of random numbers.

There was an immediate schism in approaches though.

In the centralised model, your phone soaks up and remembers all of the random identifiers its been exposed to. If you get sick, then all those numbers get uploaded to your health authority. It knows how those random numbers relate to real people and what their contact details are. So they can phone them, offer them advice and ask them to get tested and/or self-isolate. But this also means that the health authority also has access to the “social graph” - all the people you’ve met who are also using the app. Do you really trust them with that data? What if they get hacked, could the data get abused and will it ever really be deleted in the future?

The decentralised approach puts privacy first. When somebody gets sick they just upload the random identifiers their phone was transmitting in the past. Everybody else’s phone checks those against what it’s seen. If they match then there has been a contact. The crucial point is that the contacts are never exposed in the cloud. But this does mean that you get an exposure notification in the app, but nobody else knows. There is much more self reliance to then follow advice as a matter of civic duty. You’re not going to get a call from anyone at the health authority. They can’t know you’ve been exposed. Of course it’s a bit more complex than civic duty, we are also asking people to self isolate for a period of time and that can cause loss of earnings in many cases and significant challenges for those that are supporting others. We have to recognise that getting high levels of compliance in the decentralised system is also about the other support mechanisms, financial and otherwise, that are in place.

For Bluetooth contact tracing to work at all though, you need a high percentage of the population adopting it. So unless you plan to force people to use it, you have to convince them that it will actually work and their privacy won’t be completely compromised. In short, it mustn’t appear to be the slippery slope to total Government or Corporate surveillance. Thus most realised that the privacy first decentralised approach was the right way to go with this, buoyed by Apple and Google’s excellent work on building privacy preserving exposure notification directly into the Operating System. As it turns out, Apple had another ace card that would push the world in the direction of its approach. Due to existing privacy constraints, it's very difficult to get an iOS app to broadcast anything on Bluetooth when not running in the foreground.  So this makes centralised contact tracing apps unworkable or kludgy at best. If you use Apple and Google’s decentralised approach background operation works smoothly. So now even the UK, after a series of embarrassing prevarications and delays has finally made a U-turn and is adopting the decentralised model.

Time has marched on and, despite best efforts, the first Apple/Google decentralised apps have only recently been released. Moreover, we can’t escape the fact that this endeavour is a very public experiment with this new technology. “Technology is a word that describes something that doesn’t work yet”, as Douglas Adams famously said. We know that Bluetooth in real life is not good with estimating distances - it’s a really hard problem. The exposure parameters need to be tuned, and there is an unavoidable statistical tradeoff there. Do we set it so people get notifications when their distance exposure might have been too great and generate too many alerts that people will learn to ignore. Or do we tune it down and potentially lose some real exposures. Then there’s also the whole issue of Bluetooth travelling through walls. Are you going to get an alert just because your neighbour, who you rarely see, becomes sick? Since the technology is anonymous by design it's impossible to know what alerts to ignore. As we’ve discussed before, there are also possibilities of cyberattacks against the system.

The bigger issue though is public trust in an automated contact tracing app approach. The issues have played out far too publicly and now 7 in 10 Americans won’t use a contact tracing app. There is insufficient trust. Statements about US Police contact tracing protesters are not helping. Not everyone is going to read the Apple/Google whitepaper or analyze their reference code, or trust anyone that does. It’s difficult to see how the cynicism surrounding this automated technology can be turned around. But with low uptake levels the technology simply isn’t going to work effectively. No amount of technology can fix that.

A further blindspot in the rush to a technological app fix is that smartphones are not actually ubiquitous, and many older smartphones don’t support the required Bluetooth protocols anyway. Older people and those already disadvantaged in our society are less likely to have access to a smartphone. Many are those at higher risk to Covid-19 too - exactly those that we should be striving to help the most. This crisis has already highlighted many of the widening inequities that exist in our society. Our rush as technologists to fix things with technology risks widening those gaps further. That’s simply not good enough.

So where does this leave us exactly? In the UK in particular, in a pretty bad place is the answer, with public confidence in the approach completely undermined and the Government publicly downplaying the importance of the technology after its humiliating failures to deliver. This isn’t going to motivate installations if and when the app does eventually turn up. Even in France, where the deployment hasn’t been quite as publicly embarrassing, things are not going well, with 0.5 million of the only 1.9 million that installed it at all simply uninstalling it again. Perhaps this is no surprise when it has only sent 14 notifications so far. In the US only 3 states have agreed to use the Apple/Google technology. There continues to be widespread confusion, with the BBC pushing out an article explaining that the exposure notification menus now appearing on Apple and Google phones are not the contact tracing app, after widespread confusion on social media. Bluetooth contact tracing is rapidly becoming an example of that overhyped technology that fails to deliver. In short, it doesn’t seem like things are going that well.

In the meantime a renewed focus has been placed on the manual contact tracing approach. Contact tracers attempt to contact anyone who has had a positive test for Covid, to discuss their movements in the immediately preceding period when they may have been infectious to others. Time is of the essence here of course, and in many cases contact tracers are unable to get in touch. In many situations those with the positive test will have already informed those they have been in contact with, and don’t really see what additional value the contact tracers are really providing. When the contact tracing process is started, it requires a laborious process of remembering the names and contact numbers of recent contacts so that the tracers can go on and try to call them to advise them to self isolate, frequently unsuccessfully. It’s all a significant invasion of privacy, with this information being stored in databases with very unclear security policies, extracted from somebody who is ill and probably scared. The disparity between the lofty ambitions of the privacy preserving cryptography of Bluetooth contact tracing apps, and the privacy invasion of the manual alternative, as Bluetooth fails to deliver as yet, is stark.

Maybe we’ve aimed too high, and there is some more achievable alternative that seeks to automate the manual process, and perhaps the technology that we should have perfected first. We’ll explore that in our next blog.

Contact Us