I thought I’d write down my thoughts on contact tracing apps, especially since a recent BFM suggested 53% of Malaysians wouldn’t download a contact tracing app due to privacy concerns. It’s important for us to address this, as I firmly believe that contact tracing is an important weapon in our arsenal against COVID-19, and having 54% of Malaysians dismiss it outright is concerning.
But first, let’s understand what Privacy is.
Privacy is Contextual
Privacy isn’t secrecy. Secrecy is not telling anyone, but privacy is about having control over who you tell and in what context.
For example, if you met someone for the first time at a friend’s birthday party, it would be completely rude and unacceptable to ask questions like:
- What’s your weight?
- What’s your last drawn salary?
- What’s your age?
In that context you’re unlikely to find someone who will answer these questions truthfully.
Age and weight are perfectly acceptable questions for a doctor to ask you at a medical appointment, and your last drawn salary is something any company looking to hire you will ask. We’ve come to accept these questions as OK — under these contexts.
You might still not want to answer them, which might mean you don’t get the job, or the best healthcare — but you can hardly object to being asked. Far more people will answer these same questions truthfully if you change the context from random stranger at a party to doctor’s appointment.
So privacy is contextual: to justify concerns we have to evaluate both the context and the question before coming to a conclusion.
So let’s look at both, starting with the context:
What’s the Context
The context is, we have a highly contagious virus spreading through society that threatens to overload our health care system and kill millions of people.
These extraordinary times allow for extraordinary measures. I’d like the Government to stay out of my social interactions, but I’d also like our Hospitals to continue working.
Contextually, it’s reasonable (and even expected) of the government to ask questions of us, especially if the sole reason is to assist in contact tracing. So what are the questions they’re asking?
What’s the question
The question is slightly different depending on which Contact Tracing protocol you’ll be using, but let’s look at BlueTrace and Google+Apple’s contact tracing.
Singapore’s BlueTrace protocol doesn’t really ask its users anything. Instead only those found to be infected have their contact data uploaded to central servers — and only after a manual process of interviewing the patient do authorities contact “individuals assessed to have a high likelihood of exposure to the disease”.
So infected individuals upload their anonymized contact data to a central server — that central server will de-anonymize those contacts down to actual phone numbers — that can be contacted by health authorities. Healthy individuals never upload their data to central servers (at least according to protocol specifications), and will only ever be called if they have been in close contact with an infected person (as you’d expect).
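To make the centralized flow concrete, here is an added simulation (my own constructed example, not BlueTrace code) of the property described above: phones only ever log each other’s short-lived TempIDs, and only the health authority’s server can map a TempID back to a phone number. It assumes a lookup table on the server in place of the real protocol’s encrypted TempIDs, and the phone numbers are placeholders.

```python
import secrets


class HealthAuthorityServer:
    """The central server: the only party able to turn a TempID back into a phone number.
    Assumption: a lookup table stands in for the real protocol's encrypted TempIDs."""

    def __init__(self):
        self._tempid_to_phone = {}

    def register(self, phone):
        # Hand the phone a batch of random, short-lived identifiers to broadcast.
        batch = [secrets.token_hex(8) for _ in range(3)]
        for tempid in batch:
            self._tempid_to_phone[tempid] = phone
        return batch

    def resolve_contacts(self, uploaded_tempids):
        """Run only for a confirmed case, after the patient uploads their encounter log."""
        return sorted({self._tempid_to_phone[t] for t in uploaded_tempids
                       if t in self._tempid_to_phone})


class Phone:
    def __init__(self, phone_number, server):
        self.phone_number = phone_number
        self.tempids = server.register(phone_number)
        self.encounters = []  # TempIDs heard over Bluetooth; stays on the device

    def current_tempid(self):
        return self.tempids[0]

    def hear(self, other):
        # Each side logs the other's current TempID, which reveals nothing on its own.
        self.encounters.append(other.current_tempid())


def simulate():
    """Constructed scenario: Alice meets Bob, Carol meets nobody, Alice is diagnosed."""
    server = HealthAuthorityServer()
    alice = Phone("+60-PLACEHOLDER-ALICE", server)
    bob = Phone("+60-PLACEHOLDER-BOB", server)
    carol = Phone("+60-PLACEHOLDER-CAROL", server)
    alice.hear(bob)
    bob.hear(alice)
    # Only the infected user's log is uploaded; Bob's and Carol's never leave their phones.
    contacts = server.resolve_contacts(alice.encounters)
    return contacts, bob.encounters, carol.encounters
```

Bob’s phone holds Alice’s TempID but cannot learn who she is; the server resolves it to Bob’s number only because Alice, the confirmed case, uploaded her log.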
Google and Apple (GApple)
Google and Apple’s (GApple’s) soon-to-be-released contact tracing protocol, on the other hand, does ask a question of all its users:
Can you check if you’ve come into contact with this device, as it belongs to an infected person.
In their design, all users constantly download a list of “Diagnosis Keys”, which contain the unique identifiers of devices belonging to infected users. Each user can then match up against a list of devices they’ve come in close contact with to determine if they’re at risk. This matching occurs on the device, and never leaves it.
The key difference between GApple and BlueTrace is that GApple shifts the onus for determining contact to the user’s device and discretion. In contrast, BlueTrace requires a central server that will perform this action, and can de-anonymize the data (to a phone number), from where health authorities can reach out.
There are other differences as well — such as how the unique keys are generated (and by whom), but these are minor differences and can be ignored here.
In both scenarios, the contact data of healthy users is never uploaded to a central repository directly — data on your device remains on your device until (and unless) you are found to be infected.
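The decentralized side of that comparison, as an added simulation of my own (not Google’s or Apple’s code): each phone derives its broadcast identifiers from a random daily key, logs what it hears, and, when an infected user’s daily key is published as a Diagnosis Key, re-derives that key’s identifiers locally and intersects them with its own log. The HMAC-SHA256 derivation and four intervals per day are assumptions standing in for the real protocol’s key schedule.

```python
import hashlib
import hmac
import secrets


def rolling_ids(daily_key, intervals=4):
    """Derive the short-lived identifiers a phone broadcasts from one daily key.
    Assumption: HMAC-SHA256 truncated to 16 bytes; the real protocol has its own KDF."""
    return [hmac.new(daily_key, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for i in range(intervals)]


class Device:
    def __init__(self):
        self.daily_key = secrets.token_bytes(16)      # random, generated on the phone
        self.broadcast = rolling_ids(self.daily_key)
        self.seen = set()                             # heard identifiers; never uploaded

    def hear(self, other, interval):
        self.seen.add(other.broadcast[interval])

    def diagnosis_key(self):
        """Published only if this user is infected; a bare key names no person or phone."""
        return self.daily_key

    def exposure_count(self, diagnosis_keys):
        """On-device matching: re-derive each published key's identifiers and intersect
        them with what this phone heard. Nothing is sent anywhere."""
        return sum(len(self.seen & set(rolling_ids(k))) for k in diagnosis_keys)


def simulate():
    """Constructed scenario: Alice meets Bob in interval 1, Carol meets nobody,
    Alice is diagnosed and her daily key joins the downloaded Diagnosis Keys list."""
    alice, bob, carol = Device(), Device(), Device()
    alice.hear(bob, 1)
    bob.hear(alice, 1)
    published = [alice.diagnosis_key()]
    return bob.exposure_count(published), carol.exposure_count(published)
```

No server ever sees Bob’s or Carol’s logs; the only thing that leaves a phone is the infected user’s daily key, which on its own identifies no one.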
Obviously as a techie whose political views border on libertarianism, I’d prefer GApple, but to be honest BlueTrace works for a country like Singapore, where trust in Government competence is extremely high, and generally they’re both pretty OK.
Having a central authority that knows who has been close to an infected person has some pros, namely:
- It circumvents the problem of rogue patients: people who are now feeling sick and know they’ve been in contact with an infected person, yet refuse to get tested and continue to roam in public. Like that one lady in Korea.
- It can live across multiple devices, as you can re-register yourself. GApple’s approach would be null and void if you’d lost your device.
But at the same time, centralization has cons as well:
- Raises privacy concerns for individuals that don’t trust government
- Centralized repositories can sometimes end up leaking very private data on thousands of citizens — it’s happened before
If you’re looking for a conclusion on which one is ‘better’, the answer is nothing is perfect, but they’re both OK. But both have significant drawbacks — although that’s not protocol specific.
The real drawbacks
TraceTogether, the app that implements the protocol in Singapore, asks iOS users to keep the app in the foreground, something that’s quite a big ask for most folks. We can at least confirm with Australia’s COVIDSafe app that “two iOS devices running COVIDSafe in the background do not exchange identifiers.”
To be clear, this is a limitation of iOS, rather than a design choice of BlueTrace. The downside of GApple is that it doesn’t exist yet, and while its arrival is imminent — it is as yet unavailable.
Hopefully when GApple release their protocol, both issues will be resolved in one go.
So the context is, we’re under siege by an invisible enemy, and having contact tracing apps allows us one extra weapon in our combat against it.
The question is only ever asked of infected individuals, and personal data of healthy individuals never leaves their device. Whether it’s BlueTrace or GApple, they both seem to have taken privacy concerns seriously.
If this were 5 years ago, I guarantee you none of these privacy enhancing designs would even be considered. These designs, while not perfect, are entirely reasonable and appropriate — provided they’re executed well!
And that is the crux, only if the Government executes this well, choosing either BlueTrace or GApple (don’t roll your own!), and then ensuring that government agencies and not private (politically connected) organizations are running these systems, will the necessary trust be earned.
Importantly, Government will also have to open-source their apps, and subject them to 3rd-party scrutiny — I know this is not common for Governments, but if citizens are asked to do extraordinary things, so too must governments.
The Government (especially in Malaysia) needs to earn the trust of the people, at the moment it has none! In order for this to be useful, that trust must be earned through transparency and honesty!
Now … let me speak from my heart …
I was one of the first to detail out the Government’s purchase of spyware, and I created sayakenahack which was later blocked by MCMC. I’m no government shill.
Having privacy concerns is a good thing — but we cannot dismiss outright the benefit of contact tracing apps just because we’re “concerned”. We owe it to ourselves (and to those around us), to at least investigate further the veracity of these concerns, and change course if the facts point us in another direction.
After digging in on these protocols, I see no reason to be overly concerned. It is irresponsible (and immature) to dismiss a contact tracing app even before execution. We at least owe ourselves that!