Fear Not the Tracing Apps, Fear How Little They Will Say

Smartphone data, tied to coronavirus testing, will play a critical role in the next phase of government response to the COVID-19 pandemic. Just about everyone in America carries a smartphone in their pocket capable of informing the user about what they’re coming in contact within their environment. Concerns about the privacy implications of various “tracing” apps are well documented, but as developers scramble to build them with the right balance of security and privacy, less clear is whether they will actually work.

Apple and Google are moving forward with guidelines to help developers build apps to alert people when they’ve come in contact with someone that may be infected with COVID-19. 

Countries around the world are experimenting with different solutions, based on a variety of factors, like local privacy laws and the strength of local testing regimes. Cybersecurity company FireEye on Tuesday released a list of security features that developers should keep in mind when coding such apps. 

Most of these apps have been described as “contact tracing apps” a term that refers to the epidemiological practice of tracing the social and real-world contacts of infected people. What’s emerging instead, some technologists argue, would better be described as “exposure notification” apps. 

This will not end up looking like China. Rather than use a centralized database of people’s logged locations, similar to what the Chinese government rolled out during the beginning of that country’s post-lockdown phase, new apps would rely on Bluetooth to alert an individual when they had come in contact with an exposed person. Google and Apple have said that developers using their API won’t be allowed to use location tracking, making proximity alert via Bluetooth the only option.

That requirement may immediately turn away national security professionals who have long known that one basic step to keeping nearby unwanted eyeballs out of your phone is to turn off its Bluetooth (and other location-tracking apps.) But the stipulation means that the apps that emerge at least will adhere to what privacy advocates like ACLU have recommended. 

How well will such apps work?

“I think there are serious questions about the realistic efficacy of any of the various approaches to digital exposure alerting being floated, but from a privacy perspective, that approach [the Apple Google approach] seems about as good as one could hope for: decentralized, anonymous, and voluntary,” said Julian Sanchez, senior fellow at CATO. 

Sanchez says that Bluetooth exposure alerting isn’t going to give governments a good sense of how transmissions are progressing. Moreover, an exposure notification system won’t function well if nationwide, or global, testing remains spotty and inconsistent. More and more individuals are able to access testing via their health insurance, but others only may see a test upon hitting an emergency room, and sometimes not even then. Any government is going to be operating in the dark until that testing reaches the population equally. 

Cell-location data is already feeding into tools that inform governments' counter-virus policies. But in many states, the data are not saying what policymakers want. 

Many governors are relaxing social distancing measures, saying they come at too high a cost to business. But research taken from anonymous location data contradicts that idea. An April 20 paper published by the National Bureau of Economic Research looked at publicly available anonymized, aggregated place visitation data gathered by tech company PlaceIQ and packaged by researchers at Berkeley to understand how people changed their behaviors as a result of the pandemic in March and April. The data allowed researchers to see how people moved around before and after most social distancing guidelines were implemented. They were able to look at a state and county level. But more importantly, it allowed them to watch the movement in realtime, as opposed to waiting on government or market reports, which can lag by as much as 14 days. 

The researchers found that most people began a sort of self-imposed lockdown before local governments made such isolation mandatory. “Although they may well be important from a public health point of view, our estimates so far suggest that government policies have mainly served as a small supplement to the voluntary increases in social distancing that individuals, families, and businesses have adopted on their own.”. 

That aligns with what other researchers have observed looking at data like restaurant reservations. 

A nice chart making the rounds shows that OpenTable reservations fell prior to state lockdowns. @CharlesFLehman 2/n pic.twitter.com/VmYlETzGYq

— Joel Waldfogel (@JWaldfogel) April 17, 2020

Basically, people are more inclined to act in accordance with their own perceptions of relative safety and danger, rather than punitive government measures. But that doesn’t mean that lifting said bans won’t have a public health impact. The paper’s authors say that it could well make matters worse. Whereas people were already primed to stay apart from each other before governments made their official decrees, when some governments begin to lift those restrictions it may prime people to loosen their own self-imposed rules even faster than they would have. 

“In this case, lifting the ban could have large impacts even if applying the ban had minor impacts," they wrote.