Lockdown endgame? There won't be one until the West figures out its approach to contact-tracing apps

What are the options, and who can we learn from?

68 Reg comments Got Tips?

Comment Most health experts agree stopping the coronavirus lockdown requires two things – testing and tracking – and you cannot have one without another. First, you need to know who is infected with COVID-19. Then you need to figure out who they've had contact with so they can be isolated.

This isn't inherently novel. It's a tactic that's long been used by epidemiologists, and was featured in the (eerily prophetic) Matt Damon flick Contagion. But unlike previous pandemics, governments can now rely upon the ubiquity of smartphones to trace the movements of individuals. And they are, bolstered by the support of tech companies and homegrown techies.

Apple and Google: a COVID-fighting tag team

As the makers of the biggest smartphone operating systems in the world, Apple and Google, are ideally placed to set the groundwork for any contact-tracing apps by offering developers in the sphere access to more sophisticated APIs. And indeed, that's exactly what's happening.

Earlier this month the two companies, which are otherwise fierce rivals, announced joint plans on this. The goal is to create a standard that would allow government agencies to build apps that track contact and physical proximity with infected COVID-19 sufferers.

This will be done via the Bluetooth radios found in almost every phone. The app will constantly broadcast beacons. When a phone enters range of another using the app, it'll perform a handshake and exchange beacon identifiers.

The app will also record the proximity between the two devices, as well as the duration of contact. If a person is later found to have COVID-19, the apps will then advise anyone who had contact with them to self-isolate or get tested.

Both companies are working to an incredibly tight deadline, with the initial APIs to be released next month. Of course, that won't be the end of the story. Though Apple is able to exert absolute control over its platform, and can push out updates on a whim, it's a very different story for Android.

For Android, updates are made available by developers and carriers. Android phones tend to have shorter update life cycles, too. Apple continues to serve system updates to the iPhone 6s (first released in 2015), but most Android phones fall by the wayside after a year or so. Even the Android One programme only offers three years of patches, which is comparatively paltry.

The end result is that a majority of Android phones will not be able to take advantage of these APIs. Furthermore, it may take a long time to see this patch make its way to individual users as vendors are famed for dragging their feet when it comes to software updates in normal times.

There's another question worth raising: will Android's contact-tracing APIs rely upon Google Mobile Services in any way? If so, that'll be problematic for China's millions of Android users, as well as those in the West who've bought one of Huawei's latest Google Mobile Services-free phones, like the Mate 30 Pro and the Honor 9X Pro. The Register has asked Google about this, and if we hear back we'll update this post.

privacy

Academics: We hate to ask, but could governments kindly refrain from building giant data-slurping, contact-tracing coronavirus monsters?

READ MORE

Perhaps the most fascinating thing about the Apple-Google partnership is that both companies have a fundamentally different (if not incompatible) ethos. Apple is primarily a hardware company, and makes its money by selling high-margin devices with a user-friendly UI. Google, on the other hand, is a services company, with advertising one of its primary revenue drivers.

With that in mind, how will privacy work within the context of this initiative?

First and foremost, both companies have stressed that the APIs will not hinge upon the collection of location data. Distance between contacts will be recorded by information from the Bluetooth, rather than using GPS.

Furthermore, because contacts will be recorded as anonymous beacon keys, rather than biographical information, there's little concern to individual privacy. If a person is informed that they had contact with someone carrying COVID-19, they won't be able to discern who from the information provided.

Both companies are working on a second iteration that would allow contact tracking to take place within the operating system without an app being installed. This is expected to land in June.

The Singapore solution

One of the few coronavirus "success stories" has been Singapore. Despite its proximity to regional hot spots like South Korea and China, the country managed to flatten its curve early, recording comparatively few deaths to some of its regional neighbours. And this is largely thanks to its enthusiastic adoption of smartphone contact tracking.

In early March, the Singapore government released its first contact-tracking app, called TraceTogether. Developed as a joint venture between the Government Technology Agency (GovTech) and the health ministry, it works on a similar basis to the aforementioned idea, using Bluetooth beacons to identify contacts.

Another striking similarity is that it does not use location data, although this is largely by design. GPS is ineffective indoors and in built-up areas, and Singapore is one of the most densely populated nations in the world, with towering skyscrapers that play havoc with GPS signals.

Although downloading the app isn't mandatory, the health ministry can request access to TraceTogether data at any point. The government also says that the app will be retired, and cease to function, after the COVID-19 panic has subsided. It has also since open-sourced the project, as we've previously noted.

TraceTogether represents the milder side of Singapore's anti-COVID efforts. The project cites over 1.1 million users. It already has more than 500,000 downloads on the Google Play Store. This is an impressive feat, given the population of Singapore is around 5.6 million.

Of course, the government of Singapore hasn't hesitated to use stronger measures, with potential fines of SGD$10,000 (around £5,700) for those who lie to the authorities about their movements. Offenders can also face up to six months in prison.

The app has also used the criminal justice system to enforce its lockdown, with one 71-year-old man arrested for refusing to go home after being caught eating in public.

Israeli intelligence

Israel was quick to implement a lockdown. Beyond that, it's also taken measures above and beyond perhaps any other nation. On 17 March, the Cabinet approved emergency measures that would allow it to track infected individuals by their phone to inform those they may have had contact with.

What's noteworthy about this is how it leans on anti-terrorism technology previously designed to help with its nearly 70-year-old struggle with Palestinian and Arab Nationalists. It was never intended to be used against its own people.

It's also a rare example of a government using a top-down approach to contact tracing. Even Singapore, a country known for its authoritarian tendencies, hasn't made use of TraceTogether mandatory. Singapore banned chewing gum and once caned an American teenager's derrière over a spot of petty vandalism.

Israel is well positioned to take advantage of surveillance technology in its battle against COVID-19. The country, surrounded by unfriendly neighbours like Syria and Lebanon, has long used intelligence to work against its enemies.

Early days in Europe

The UK is currently in week five of its national lockdown. For some countries, it's been longer. Others, shorter. But no matter where you go, the shattered sense of normality remains the same. Streets are quiet. The schools and bars are closed. The dole lines are swelling.

And with a vaccine still far away, the pressure is on these governments to find solutions that will allow a return to normal – or as normal as the situation can possibly allow.

Enter the Pan-European Privacy-Preserving Proximity Tracing: or PEPP-PT. This snappily named initiative, which is incorporated as a nonprofit in Switzerland, aims to create a standardised method of tracking the interactions and movements of COVID-19 infected, which would form the basis of future apps.

privacy

Academics: We hate to ask, but could governments kindly refrain from building giant data-slurping, contact-tracing coronavirus monsters?

READ MORE

PEPP-PT is an independent initiative, although it claims to have won the support of seven national governments. The project, however, has been fraught with turmoil, with many participants – including ETH Zurich, the CISPA Helmholtz Center for Information Security, and the Italian ISI foundation – withdrawing from the consortium over privacy concerns.

An analysis of preliminary protocol design [PDF] by rival initiative DP-3T (Decentralized Privacy-Preserving Proximity-Tracing) highlighted several problems, both technical and operational.

The proposed implementation by PEPP-PT, called NTK, effectively creates a permanent identifier for each user, which can be linked to individual encounters. DP-3T argues this could allow for feature-creep, with the project potentially metamorphosing into "an instrument of surveillance with considerable human rights implications".

DP-3T also argues that this data could be used to track the daily activities and movements of individual users.

"In the extreme, the backend could assign special keys to certain users (note that a user has no way to know whether their key changes over time or not) and leak them selectively, enabling long-term tracking by third parties," it says. "We note that this also works for communities, as one could assign specific identifiers to a target group of people."

Ultimately, this dispute is reflective of the overall failure of Western governments to get ahead of COVID-19. Other countries, like Israel and Singapore, took decisive action, but many European nations hesitated when it came to instituting lockdowns. Though Singapore has had TraceTogether for over a month, there's no clear consensus on the continent when it comes to a contract-tracing system.

While Europe dithers, the exit from lockdown looks even more elusive. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020