As you may have heard lately, contact tracing is one of the latest topics in vogue due to the COVID-19 pandemic. I’m not going to explain contact tracing, it’s superbly explained here. That said, here’s the gist of it.
In the health world, the way to track and shut down an outbreak is by following the traces of sick people. This is a tedious and investigative work, that requires following the steps of infected people in order to identify who they may be in contact with, and if that contact was significant for them to transmit/acquire the sickness. Normally this is done by calling each one involved.
Because COVID-19 is so potent in its propagation, contact tracing becomes critical and also a challenge, due to the magnitude of people transmitting the sickness unknowingly.
Singapore has been a pioneer country in many ways, this pandemic is no exception. As one of the countries being hit first with the outbreak, they hit this wall of contact tracing fast.
Bluetooth Low Energy (BLE), is the latest iteration of Bluetooth, a protocol designed to interchange information between devices only when they’re close to each other, a situation that happened to behave exactly as a virus does: Interchanges happens only when two people are close to each other. For this reason, BLE fitted perfectly in trying to use and model who might become infected with COVID-19. After all, most of the world is carrying smartphones, yes that includes poor countries.
So, Singapore made a mobile platform to accelerate contact tracing, then they open sourced it. Followed by Apple & Google taking the idea and incorporating into their operating systems (iOS & Android, respectively).
First and foremost, iOS and Android will provide an API (connection) for contact tracing, however the operating system will not do it by themselves, an app has to invoke this functionality, and this app must be blessed/authorized by a governmental entity. The reasons for this are privacy, operations and some legal protection.
Let’s take the fictitious example John, Mary and Peter. John has an iPhone, Mary and Peter have Androids. They all installed the app from their local government called 91DIVOC (example name). They voluntarily allowed the app to start registering information. They don’t know each other, however they’re making the line/queue to enter the grocery store. Inadvertently, the three of them became too close, so close that their social distancing no longer was in place. So COVID-19 can jump among them, also BLE! Thanks to 91DIVOC their phones start to interchange random keys (serials, like alkjsdlkasjwe1231231l). The three phones store each of the key of one another (so, three keys) for 14 days. DIVOC91 is always checking with its central server for COVID-19 positive keys.
Some days later, John learns he’s COVID19 positive. Among the many things he does to prepare, he opens the app and notifies the app he is positive (voluntarily of course). The app uploads John’s key (alkjsdlkasjwe1231231l) to its central server. Mary and Peter 91DIVOC installation make -also- their daily request to its central server and noticed a key they have in storage (alkjsdlkasjwe1231231l) is COVID19 positive. The app notifies them (Mary & Peter) they’re potentially contaminated, proceed to further exams. Notice the apps are just interchanging keys not names, so it’s not possible to identify which one of the persons they were in contact with are positive. This method achieves contact tracing while maintaining privacy and being decentralized.
The big downside of the decentralized method is that anyone can declare themselves positive (without further examination) and the app could start to give false positive to many people. Therefore, many health organizations are opting for not using Apple-Google proposal. Those institutions apps might still use BLE, but they might store all the keys in a central server, some include location and other extra information. Needless to say, under these circumstances, privacy is lesser and more vulnerable. At the same time, the centralized method does allow granularity in whom to contact during the tracing. For example, even though the phones might have interchange keys (i.e. people were close to each other), their interaction wasn’t significant enough to warrant a cover-19 exam.
|Privacy is not that good||Better privacy protection|
|Granular control for positive notifications||False positive notifications easier|
|Allows geographical status tracking||No geographical information available|
Some countries/states/provinces will prefer one over the other. The UK is going centralized, while Ireland is going decentralized. Australia has a mix. As we have lived during this pandemic, there is no a black or white solution. We’ll need to chose the least bad (yeah, the least bad!), that allows us to solve the outbreak in order to prevent people dying from it.