There is an international effort underway to use apps and mobile technology to curtail the spread of COVID-19. Many are enthusiastic about the prospect of being able to go out again. Yet such an app depends on numerous types of sensitive personal data to function. Many governments and organizations creating these apps indicate that guarantees on privacy are essential, but is this even possible?
As designers with an engineering background, BMD Studio has vast experience in the technologies that are at the core of these apps. We find that technology is too often used to obscure and discount privacy arguments. Therefore, we have analyzed how popular proposals for corona apps (including the one from Apple and Google) can impact privacy directly.
We conclude that no corona app can give guarantees on the protection of privacy, especially when it comes to anonymity. Therefore, we should have a discussion on how much privacy we are willing to give up for such apps, under which requirements, and what we’ll receive in return. This is something we should discuss now, while the consequences for most countries remain hypothetical.
Why corona apps?
Corona apps are proposed as a means of making contact tracing more efficient. Normally, when a person is infected with a contagious disease, a health agency is tasked with investigating whom this person has been in contact with. When infections reach a pandemic scale, this process is too labour-intensive for health agencies. If a person can share their points of contact via an app, this work could be automated and in turn help curtail the spread of infections.
This is at the core of proposed corona-apps: logging when you have been in contact with whom. This is commonly done by having a smartphone monitor its environment in the background. When someone is infected, their points of contact are used to determine infection risk for those the person has been in contact with. By preemptively quarantining these persons, the spread of infection can be limited. This does require that a large part of the population installs this corona app.
In media reporting, and through app proposals, there is often the impression that this process can be made more resilient in terms of privacy through the use of technology. Some even claim that this type of contact tracing can be done completely anonymously. This is inconsistent with the technology that underpins the app proposals we have analysed. This is why it is necessary to explain this technology in plain terms. Additionally, we’ll show how the infrastructure for these technologies could be abused, and how this impacts your privacy.
Contact Tracing Technologies
There are two types of technologies for doing contact tracing: either the app logs your proximity to others (Bluetooth tracking), or the app logs your location (GPS-tracking). These are based on the widely published app proposals by European researchers: PEPP-PT and DP-3T, the latter of which was adopted into the proposal by Google and Apple. There are other ways of doing this type of investigation, but they are either more complicated, less applicable or not focused on individuals. Therefore, we’ll discuss these two technologies briefly.
When tracking proximity, your phone will constantly emit a Bluetooth signal for other app users. You could compare it to handing out individual puzzle pieces to passers-by. The puzzle pieces are based on a blueprint (the puzzle), which consists of an immeasurable amount of pieces. The blueprint is a secret key and unique for each user. We can identify puzzle pieces from the blueprint, but not the other way around.
For every interaction, both parties save their received puzzle pieces to their phone. When someone is infected, they can choose to release the blueprint key for their puzzle pieces. You can then check whether some of the puzzle pieces you have collected match this blueprint. If so, you have been in the proximity of this person. Depending on the time of contact and distance to the person, a risk score is calculated. When it is high, you are recommended to self-quarantine for fourteen days.
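The puzzle-piece scheme described above, as an added Python example (our own sketch, loosely modelled on DP-3T's low-cost design; it is not code from any app or proposal): a per-day secret key is the blueprint, a one-way function derives the broadcast pieces from it, so stored pieces stay unlinkable until the key is released, after which any phone holding them can match them and score the contact. The epoch count, piece length and risk thresholds are assumptions.

```python
import hashlib
import hmac

EPHID_LEN = 16        # bytes per "puzzle piece" (16-byte identifiers, as in DP-3T)
EPOCHS_PER_DAY = 96   # one fresh piece every 15 minutes (assumed)

def next_day_key(sk: bytes) -> bytes:
    """Ratchet the blueprint forward: SK(t+1) = H(SK(t)). The hash is one-way, so
    releasing today's key never exposes keys from earlier days."""
    return hashlib.sha256(sk).digest()

def pieces_for_day(sk: bytes) -> list:
    """Derive the day's puzzle pieces from the blueprint with a keyed PRF (HMAC).
    A piece cannot be turned back into the key, but anyone holding the key can
    regenerate every piece it ever produced."""
    return [hmac.new(sk, b"broadcast:%d" % i, hashlib.sha256).digest()[:EPHID_LEN]
            for i in range(EPOCHS_PER_DAY)]

def matching_contacts(stored, released_sk: bytes, days: int) -> list:
    """Phone-side check after a key is published: regenerate all pieces the key
    explains and return the (duration_min, distance_dm) of stored pieces that hit."""
    known, sk = set(), released_sk
    for _ in range(days):
        known.update(pieces_for_day(sk))
        sk = next_day_key(sk)
    return [(dur, dist) for piece, dur, dist in stored if piece in known]

def risk_score(contacts, min_minutes: int = 15, max_dm: int = 20) -> int:
    """Toy score: minutes of contact lasting >= 15 min within 2 m (assumed thresholds)."""
    return sum(dur for dur, dist in contacts if dur >= min_minutes and dist <= max_dm)

def demo():
    """Alice and Bob exchange pieces; Alice tests positive and releases her key."""
    alice_day1 = hashlib.sha256(b"alice-initial-secret").digest()   # constructed key
    alice_day2 = next_day_key(alice_day1)
    alice_pieces = pieces_for_day(alice_day1) + pieces_for_day(alice_day2)
    # Bob's phone stored received pieces with duration (min) and distance (decimetres)
    bob_store = [
        (alice_pieces[40], 30, 15),    # day 1, 30 min at 1.5 m: counts
        (alice_pieces[110], 5, 15),    # day 2, 5 min: too short
        (alice_pieces[20], 60, 80),    # day 1, 8 m away: too far
        (bytes(EPHID_LEN), 45, 5),     # a stranger's piece: never matches
    ]
    # Before release, Bob cannot tell which stored pieces belong to the same person;
    # after release, any holder of the pieces (not only Bob) can perform this match.
    hits = matching_contacts(bob_store, alice_day1, days=2)
    return hits, risk_score(hits)
```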
When tracking location, everyone keeps a detailed log of the places they visit. When someone is infected, they share their log with all app users. Your phone then checks if you have been in the same areas in the same periods, and calculates a risk score accordingly. Again, when it is high, you are asked to self-quarantine.
Storing data locally or centrally?
Both technologies could be set up differently in terms of how their data is stored. For the two examples above, we have assumed that most of the data is stored on individual phones. This means that there is no single database storing all interactions or locations. Everyone has their own database. However, when you’re infected, you should share your database. This counteracts worries of mass surveillance but does result in a certain loss of privacy for those who are infected. This is known as decentralised or local storage.
Contrastingly, apps could also store their data in a shared database, which would contain interactions or locations for all users. When someone is infected, health authorities could determine who is at risk from all those data points. They can then notify those at risk directly. This does require that this database is managed by someone we all trust, as the database contains sensitive data for millions of people. This is known as centralised storage.
The debate between these two forms of storage is central to the question of which privacy, and whose, we are trying to protect. The centralised Chinese corona app shares all data with the police and is actively used to monitor its citizens’ obedience. Despite some people having more trust in their respective countries, mass surveillance worries remain, and at least European politicians are unwilling to budge on this.
Decentralised storage seems far more appealing in this respect, but is not without its flaws. As those infected need to share their location or secret key, they effectively publicise all of their interactions for the given amount of time.
The most considered options (including DP-3T, on which the Apple and Google proposal is based) work by using Bluetooth-tracking with local storage, as it is perceived to be more privacy-friendly for the aforementioned reasons. Correspondingly, we will cover this variant in this article.
Risks and Exploits
When working with local storage, individuals share their blueprint key when infected. As this key is just a set of numbers, there is no direct link to this person. This is why these solutions are usually presented as being fully anonymous. Linking an individual to a puzzle piece is easy to do, however. When someone collecting puzzle pieces takes a photo at the same time, we can link a face to a puzzle piece. This could be extended to a blueprint key, when the key is marked as infected. This process of linking persons could even happen at a later time.
If we also register the location of each puzzle piece, we can effectively make a heat map of where infections are spreading. With about an hour of work, we were able to create a web application that automatically takes a picture when a Bluetooth device comes within range. Such a solution is thus very feasible to build.
These risks are also mentioned by the researchers. However, they are characterised as attacks that require technical skill and lots of time. We find this to be reductive, as a small risk can impact an individual severely. These individuals may be outliers at an app scale, but this risk might reveal an infected individual’s identity, which is often described as a definitive no-go in corona apps.
While this risk does require access to the app infrastructure, this is often a matter of time, especially with open source being an oft-mentioned requirement for these apps. To give you an idea of how this could impact society, we have created an online service for this risk: https://domyneighbourshavecorona.com. It is a service that allows individuals and the public to link the puzzle pieces, blueprint keys, locations and pictures themselves.
Do my neighbours have corona?
When using this service, you are required to install another app, in addition to the regular corona-app. When a puzzle piece is detected, it takes a picture and logs the location. You could either put a camera in front of your living room window or hide it in your front pocket when going out. After some time of use, we have collected dozens of photos and puzzle pieces.
As new infections are made public, we can see if any of the puzzle pieces match the published blueprint key. When it does, we can show a picture of the person you interacted with, where it happened and when. This allows an individual to monitor their environment for infected persons. Additionally, multiple app users can collaborate and create a database of these interactions. This effectively becomes a public database for those who are infected, containing their pictures, locations and movements.
What happens when this data is shared?
As it stands, it is comparatively easy to undo the anonymity that was initially promised by the puzzle pieces and the blueprint key. Spreading the now public information has social, societal and economic consequences. Individuals could be avoided, ostracised or could retain lingering feelings of distrust. There are already examples of how infections are attributed to minorities or foreigners. Additionally, there’s the possibility of vigilantes creating Facebook groups to keep their neighbourhood ‘free’ from infections. Victims could face long-lasting consequences, far beyond the time they are infectious.
Not managing these effects of technology carefully could have disastrous consequences.
Limitations of technology
Apart from these concerns, there’s the question of whether this technology can be effective. For instance, the technologies do not account for walls, fences or other partitions. When your neighbour does get infected, does this mean you will have to be quarantined as well, even though you did not have any contact? Active misuse is also feasible, with individuals creating fake infections in public places or at competing businesses.
Furthermore, the app only gives a risk score for infection, but how is this score calculated? Workers at public places such as supermarkets are bound to have a high-risk score, but how does this impact someone shopping for groceries? Humans can easily make these difficult, individual distinctions. Yet, computers only offer a one-size-fits-all approach to evaluating individual risk.
These limitations can undermine public trust in a corona-app. This might lead to a spiralling drop in use and thus reduced effectiveness. As we are not health or public policy experts, we cannot speculate on the answers. However, answering these questions is of the utmost importance if the implementation of a corona-app is to be a success.
How much privacy are we willing to lose?
Privacy is most often mentioned as a basic requirement for a corona tracking app. Decentralisation is often mentioned as the best way to guarantee privacy. While we consider the Bluetooth-tracking proposal to be less invasive, it is a far cry from being anonymous. At most, we can mask the individuals behind the data, not anonymise them. This means an infected individual is at risk of losing their anonymity when sharing their data.
We expect that it is only a question of time before the masks are dissolved, and individuals are revealed. Sharing data is at the core of a corona application. Thus, absolute privacy is unquestionably impossible. We would love to see new variants taking a crack at this problem. But given this friction between privacy and sharing data, we remain highly sceptical of new technologies that claim to be privacy-friendly, scalable and applicable.
Contrastingly, we do believe that a minimal violation of our privacies could be acceptable, given enough social interest. We do think that if we are to renounce some of our usual comforts, we should have a clear picture of what we lose, what we gain and what risks we are accepting. Hiding these risks behind vague terms like ‘privacy-friendly’ and ‘encrypted’ or even claims of anonymity is reprehensible and dangerous.
If it does come to the use of such an app, we hope that this decision is deliberately considered. We should account for the societal impact, the consequences for our individual and communal privacy and consideration of the shortcomings of technology. It is straightforward to limit ourselves to our individual consequences, but we should realise that our choices impact the privacy of others as well. Being honest about these choices is required if we are to opt for a corona tracking app. If this means we see anonymity as a prerequisite, using a corona tracking app is impossible.
This article was based on an earlier version in Dutch.
BMD Studio is a design studio, based in Eindhoven, the Netherlands. It is concerned with the interaction between humans and technology. The studio is specifically focused on the Internet of Things and Artificial Intelligence. BMD Studio consists of Joep Elderman, Pepijn Verburg, Paul van Beek, Jort Band, Tijs Duel and Marijn van der Steen.
Lei Nelissen is a graduate student in Industrial Design at Eindhoven University of Technology. His graduation project is concerned with making GDPR and CCA data rights tangible for citizens. He is partnered with BMD Studio for this project.
We thank Floor Elderman and Ylja Band for their input. For further questions or information, please get in touch with Lei Nelissen or Joep Elderman.