
martedì 21 aprile 2020

The dangers of digital contact tracing: ancillary apps, social pressure and security

by Enrico Nardelli and Isabella Corradini

(Italian version here)

We are discussing these days how to manage the return to “normality” while ensuring that the health situation remains under control. For this purpose, so-called digital contact tracing has been proposed. It consists of recording the encounters that have occurred between people so that, when an individual tests positive for coronavirus, those who encountered him or her in the previous days can be quickly retrieved and alerted, to block further infections.

Contact tracing is a WHO standard procedure for infectious diseases, usually carried out by healthcare professionals interviewing the infected person. However, it is argued that with a large number of infected people the manual procedure is insufficient and an "automatic" approach based on digital technology is needed.

Let us debunk the myth that technology can do it all by itself. The team leader of the best-known contact tracing solution, the one used in Singapore, wrote: «No Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing. Not now and not for the foreseeable future». It is therefore necessary to equip national health systems with adequate resources.

It goes without saying that tracing contacts means entering the sphere of personal data, the area of privacy protected by European law. It is claimed that this can be done without violating the law. Is it really possible? Let us first examine the issue from a technical point of view and then consider some social aspects.

Contact tracing can be done in two ways: absolute and relative. The "absolute" way relies on the operator of the mobile phone network, which constantly knows where each device is located: coarsely if GPS is off, precisely if GPS is active. In the absence of GPS it is generally difficult to establish whether an "encounter" is significant in health terms (two people being 1 meter or 10 meters apart is epidemiologically very different); when GPS is active these problems are overcome. The operator could record the contact list for each phone number, with duration and position. The problem with this solution is that anyone who comes into possession of this list gains enormous power in terms of social control, even in the absence of infections. It is no coincidence that digital tracing of people, in all democratic countries, requires judicial authorization on the basis of detailed evidence. Authorizing it for the whole population would likely call into question the foundations of democratic society.

The "relative" approach consists of using one of the communication sensors available on individuals’ smartphone and an appropriate app; in this way each device registers the list of its contacts, with duration and position, only locally. Nobody gets the entire list, overcoming the "Big Brother" problem, and they say the app can be built so as to record every encounter using an anonymous identifier that cannot be traced back to the device’s owner. But if we cannot identify them, how can we alert them that they have been in contact with an infected person? Each telephone would determine it locally, using the anonymous identifiers of the infected, which would be distributed to all by a centralized service that obtains them from those who, after a test, voluntarily disclose they are infected.
tin
As many civil rights organizations have underlined, such an app has to be "open", meaning that the rules of its data exchange with other apps and the source code executed by the smartphone should be open to examination, in order to guarantee full transparency on how it actually operates. However, an open app is able to communicate with any other app that follows the same data-exchange rules.

What can happen then? Imagine that you discover that you were in contact with an infected person for the first time three days ago. If you met that person on each of the following days as well, your local history will contain a report of an infected contact for each of those days. The official app will most probably not give you any detail, just a warning to contact a health facility for a check. However, it is not difficult to imagine the development of a market of "ancillary" apps that offer this extra information about the encounters (see a more detailed technical analysis). An "ancillary" app will tell you, for each day, how many times you met a specific infected person, and whether on that day you met just one infected person or more than one. This "ancillary" app will not be able to tell you who the individuals are, or whether the encounters of different days refer to the same individual, but, considering that in a normal situation each of us has a certain regularity of encounters and there are relatively few infected people around, this information combined with other knowledge (e.g. remembering what you did in the past days) would allow you to make more accurate deductions regarding the identity of the infected people you met.
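To make the "relative" exchange described above concrete, and to show why the local encounter log is the sensitive artifact behind the "ancillary" app problem, here is a small simulation. It is an added example, not code from the authors or from any real tracing app; the phone names, the way identifiers are derived from a per-device seed, the daily rotation and the 15-minute threshold are all assumptions chosen for illustration. The official app exposes only a yes/no answer, while any other app able to read the same local log can count per-day matches.

```python
import hashlib
from collections import Counter
from datetime import date, timedelta

# Added example (not the authors' code). Hypothetical scheme: each phone keeps
# a secret seed and broadcasts a daily identifier derived from it, so the
# identifier cannot be traced back to the owner without the seed.


def daily_identifier(seed: bytes, day: date) -> str:
    """Anonymous identifier broadcast for one day (rotates daily)."""
    return hashlib.sha256(seed + day.isoformat().encode()).hexdigest()[:16]


class Phone:
    def __init__(self, name: str, seed: bytes):
        self.name = name
        self.seed = seed
        # Local-only encounter log: (day, identifier seen, minutes in proximity)
        self.log = []

    def identifier(self, day: date) -> str:
        return daily_identifier(self.seed, day)

    def record(self, day: date, seen: str, minutes: int) -> None:
        self.log.append((day, seen, minutes))

    def published_identifiers(self, days) -> list:
        """What an infected user voluntarily uploads to the central service:
        only their own past identifiers, never the encounter log."""
        return [self.identifier(d) for d in days]

    def official_check(self, infected_ids: set, min_minutes: int = 15) -> bool:
        """The official app's answer: a bare yes/no, computed locally."""
        return any(seen in infected_ids and minutes >= min_minutes
                   for _, seen, minutes in self.log)

    def per_day_matches(self, infected_ids: set) -> dict:
        """What any app that can read the same local log can derive: the
        number of encounters with infected identifiers on each day. This is
        the extra detail the article's "ancillary" apps would offer, and the
        reason the log should stay in app-private storage."""
        counts = Counter(day.isoformat() for day, seen, _ in self.log
                         if seen in infected_ids)
        return dict(counts)


def meet(a: Phone, b: Phone, day: date, minutes: int) -> None:
    """Both devices record the other's identifier for that day."""
    a.record(day, b.identifier(day), minutes)
    b.record(day, a.identifier(day), minutes)


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob every day for four days (a
    regular commute) and Carol once, briefly; Bob then tests positive."""
    start = date(2020, 4, 1)
    days = [start + timedelta(days=i) for i in range(4)]
    alice = Phone("alice", b"alice-seed-0000")
    bob = Phone("bob", b"bob-seed-000000")
    carol = Phone("carol", b"carol-seed-0000")
    for d in days:
        meet(alice, bob, d, 20)
    meet(alice, carol, days[1], 5)

    # Bob voluntarily publishes his identifiers; the central service
    # redistributes them to every phone, and each phone matches locally.
    infected = set(bob.published_identifiers(days))
    return {
        "alice_exposed": alice.official_check(infected),
        "carol_exposed": carol.official_check(infected),
        "alice_per_day": alice.per_day_matches(infected),
        "bob_ids_rotate": len(infected) == len(days),
    }


if __name__ == "__main__":
    print(simulate())
```

Because identifiers rotate daily, Alice's log cannot link Bob's four identifiers to one person; but the per-day counts are exactly the regularity signal the article warns about, which is why the local log, and not just the uploaded identifiers, needs protecting.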

Psychological and social motivations will contribute to the spread of "ancillary" apps. On the one hand, the desire to know (human curiosity) is a very powerful force, and few are immune to it. On the other hand, the combination of the need to preserve one's own health with that of protecting loved ones will be a strong driver. Furthermore, the daily bombardment of news about the rules and behaviours people must follow to avoid spreading the infection is producing strange reactions such as mistrust towards others, bordering on paranoia. For example, notice how, walking along the street, we tend these days to increase our distance from others, even changing sidewalk. A climate of generalized suspicion can easily grow, as we have seen in recent weeks with people reporting neighbours and passers-by to the police for trivial violations of the rules.

Besides the actual problem of a possible violation of privacy, this climate of suspicion raises other considerations. We know, in fact, that the "relative" solution for digital contact tracing mentioned above has to be used by at least 60% of the population to be effective. In this sense, we can imagine how social pressure can push individuals to agree to use the app, and how prejudices can develop towards those who, for whatever reason, decide not to use it.

How to overcome these critical issues?


(Foto di Gerd Altmann - Pixabay)

At this time, the only chance we see (which, however, contradicts the above requirement of openness, hence it is not something we recommend) is to use "official" applications that "speak" only with other official applications. To ensure this, official applications should be implemented directly by the international companies that currently have a monopoly on mobile operating systems (Android and iOS). In a world where people's data is the new oil, deciding to put control of our privacy into the hands of companies - whose economic power is larger than that of many states - is not a wise decision. It is no coincidence that these companies have already moved in this direction. We are the ones who should not give up our digital data, because they are an integral part of our identity.

Finally, some considerations about security are worth discussing. The technologies that can be used for relative contact tracing apps are WiFi and Bluetooth. Unfortunately, both of them, in the mode that would have to be used for contact tracing, have several vulnerabilities that can be exploited to compromise the integrity of our mobile devices.

Requiring that all citizens keep Bluetooth (or another technology) active is equivalent to asking them not to lock their front door because the doctor is going to come for a medical examination. In the real world, this would expose people’s homes to a high risk of physical intrusion. The same would happen in the digital world, with the difference that here people do not perceive what happens, and tools to exploit these vulnerabilities to enter our "digital home" are rather easily accessible and do not require the bad guy to be a professional hacker.

Once inside, the problem would be most serious, given that a hostile intruder would have access to our entire personal and professional existence, including sensitive information. Keeping the smartphone updated is a valid countermeasure, but how many people do it on a regular basis? Could we rely on this for the entire population?

In the ongoing discussions, it is taken for granted that digital solutions are essential, despite the fact that the country that used them most extensively (Singapore) still had to impose a national quarantine. Although the organizations mentioned above have underlined the need to carry out a cost-benefit assessment of digital tracing solutions, such analyses are not available.

Situations where unforeseen circumstances present us with exceptional problems are fertile ground for digital solutionism, since limited resources and the need to "hurry up" push to shorten decision times. The epidemic we are facing now is one of these situations. This is why we have to be highly vigilant. In our opinion, introducing a mass digital tracing solution, which in any case requires other organizational and health measures to be effective, is not a real solution at all, considering the huge privacy and security problems it causes.

As in many other cases, technological solutions (now increasingly digital) cannot solve problems unless they are compatible with the socio-organizational scenario, equipped with adequate financial and material resources, and supported by political will.

If these elements are missing, the consequence is the destruction of social relations and the renunciation of our freedom, hence of democracy.
