Contact tracing is the process of identifying and monitoring persons who have been in contact with an infected person or persons. It has been used in one form or another for centuries.[1] More recently, it has been used effectively in the control of tuberculosis, Severe Acute Respiratory Syndrome (SARS), and Middle East Respiratory Syndrome (MERS).[2] Manual contact tracing has limitations in the number of persons that can be identified and interviewed in a timely manner. With about 8000 SARS infections and 800 deaths[3] and about 2500 instances of MERS and 858 deaths,[4] manual contact tracing proved sufficient. In the case of COVID-19, with 4.3 million confirmed cases and about 300,000 deaths worldwide at the time of this writing, complete and timely manual contact tracing may not be possible in many local jurisdictions.
Early in the COVID-19 pandemic, a number of countries leveraged smart phones to help automate contact tracing. Various types of relevant information are available on a smart phone. GPS and location services, which can add information about nearby WiFi hotspots, can be used with contact tracing apps but raise privacy concerns. In China, people are sent QR codes on their phones indicating their level of risk for COVID-19, and access to public transportation or public areas such as shopping malls is determined by the QR code granted to an individual.[5] These codes are based on self-reported information as well as possibly location services information (though the Chinese government has not been forthcoming on the data used to produce these codes). South Korea does not use such QR health codes, but publicizes details concerning individuals who have tested positive, including the person’s age range, gender, and places they recently visited. QR codes can also be used to register visitors to businesses and users of public transportation.
Another approach that is believed to be more privacy preserving and more secure in a number of respects involves the use of Bluetooth rather than GPS or location services. Singapore has released an app called TraceTogether.[6] TraceTogether attempts to minimize the amount of personal information it gathers, but it does collect the cell phone numbers of users on a voluntary basis.[7]
The ability to use Bluetooth and maintain a high level of privacy has been greatly assisted by the cooperation of Google and Apple in inserting new capabilities in both iOS and Android at the operating system level.[8] The Apple/Google protocol is based on privacy ideas emerging from the MIT-led PACT project[9] and the European DP-3T[10] project.
The goal of the Apple/Google application programming interface (API) is to provide a set of functions and procedures in the operating system that can be used by state or local authorities and software developers to develop user-level contact tracing apps. The two foundations of this methodology are:
1. Extensions of the Bluetooth protocol to determine “too close for too long”
2. A distributed architecture such that notifications of proximity to a confirmed case of COVID-19 are sent only to the user of a phone and no other parties.
Algorithms to determine “too close for too long,” however, are still under development. They have both a physical and a biological component. The physical aspect involves the inference of distance between infectious and susceptible individuals from the observed information. The new interface provided by Apple/Google will give the app developer information about Received Signal Strength Indication (RSSI) for each transmission from a nearby (typically tens of meters) source.[11] The RSSI falls off with distance, so it can be used to infer distance between phones, but it also falls off with attenuation due to phones being in pockets or handbags and intervening obstacles (e.g. walls or shelving), making the translation from RSSI to distance complex. The biological issue is how much exposure to an infected person at what distance indicates a high risk of infection. Tuning the criterion for “too close for too long” clearly will affect both the false positive and false negative rates.
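To make the attenuation problem concrete, the following added example (not part of the original article, and not the Apple/Google risk calculation) inverts a standard log-distance path loss model and applies a "too close for too long" rule. The reference RSSI at 1 m, the path loss exponent, the 10 dB pocket loss and the 2 m / 15 minute threshold are all assumed values chosen for illustration.

```python
import math

P0_DBM = -60.0      # assumed RSSI measured at 1 m in open air
PATH_LOSS_N = 2.0   # assumed path loss exponent (free space)


def rssi_at(distance_m, extra_loss_db=0.0):
    """RSSI a receiver would see at a true distance, plus any body/bag attenuation."""
    return P0_DBM - 10 * PATH_LOSS_N * math.log10(distance_m) - extra_loss_db


def estimate_distance(rssi_dbm):
    """Invert the model. The receiver cannot tell attenuation from distance."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_N))


def too_close_too_long(samples, max_m, min_minutes):
    """samples: one RSSI reading per minute from the same source."""
    close_minutes = sum(1 for r in samples if estimate_distance(r) <= max_m)
    return close_minutes >= min_minutes


def scenarios(max_m=2.0, min_minutes=15):
    """Constructed 20-minute encounters, classified with the given criterion."""
    cases = {
        "in_hand_1.5m": [rssi_at(1.5)] * 20,          # truly close, clear path
        "in_pocket_1.5m": [rssi_at(1.5, 10.0)] * 20,  # truly close, 10 dB lost
        "in_hand_4.5m": [rssi_at(4.5)] * 20,          # truly distant, clear path
    }
    return {name: too_close_too_long(s, max_m, min_minutes)
            for name, s in cases.items()}


if __name__ == "__main__":
    print("strict 2 m rule:", scenarios())
    print("relaxed 5 m rule:", scenarios(max_m=5.0))
```

With the strict rule the pocketed phone at 1.5 m is estimated at about 4.7 m and missed (a false negative); relaxing the rule to catch it also flags the phone that really is 4.5 m away (a false positive).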
The second foundation of this methodology is that only the user of the app is informed of a possible exposure, and no one else. The goal here is to achieve maximal privacy. The mechanism works as follows. An individual phone creates a seed for each time period, say each hour. That seed is used to generate changing values in each “chirp” emitted by the Bluetooth interface. Neighboring phones detect these chirps and record them along with timestamps. If an individual tests positive and they consent, their phone is accessed and the list of seeds over the infection time period is uploaded to a central database. The central database sends the seeds, with time stamps, of all infected individuals to all users of the app. The user’s phone then uses the seeds of infected persons to regenerate chirp values, which it checks against the user’s list of received chirps to see if the user has been exposed to any COVID-19 confirmed case. Thus, the recipient only knows that they have been potentially exposed to a confirmed case of COVID-19. They do not know the identity of the person they were exposed to, nor does anyone else know that the user might be infected. The exposed app user is encouraged to seek diagnostic testing and to self-quarantine, but this is voluntary.
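The seed-and-chirp mechanism described above, as an added sketch that is not part of the original article and does not reproduce the Apple/Google key schedule: chirps are derived here with HMAC-SHA256 (an assumption), and the names `Phone`, `chirp` and `simulate`, the one-chirp-per-minute rate and the encounter data are constructed for illustration.

```python
import hashlib
import hmac
import os

CHIRPS_PER_SEED = 60  # assumption: one chirp value per minute of an hourly seed


def chirp(seed: bytes, slot: int) -> bytes:
    """One-way derivation: observers of chirps cannot recover the seed or link slots."""
    msg = b"chirp" + slot.to_bytes(2, "big")
    return hmac.new(seed, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.seeds = {}     # hour -> secret seed generated on this phone
        self.heard = set()  # (hour, chirp) pairs recorded from neighbouring phones

    def broadcast(self, hour: int, slot: int) -> bytes:
        seed = self.seeds.setdefault(hour, os.urandom(32))
        return chirp(seed, slot)

    def record(self, hour: int, value: bytes) -> None:
        self.heard.add((hour, value))

    def upload(self, hours):
        """What a consenting positive user hands to the central database."""
        return [(h, self.seeds[h]) for h in hours if h in self.seeds]

    def exposed_hours(self, published):
        """Regenerate chirps from published seeds and match them on the device."""
        hits = set()
        for hour, seed in published:
            for slot in range(CHIRPS_PER_SEED):
                if (hour, chirp(seed, slot)) in self.heard:
                    hits.add(hour)
        return sorted(hits)


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounter: Bob is near Alice during hour 10, minutes 5-19.
    for slot in range(5, 20):
        bob.record(10, alice.broadcast(10, slot))
    alice.broadcast(11, 0)               # Alice is alone during hour 11
    published = alice.upload([10, 11])   # Alice tests positive and consents
    # Every user downloads the same list; only the local match result differs.
    return bob.exposed_hours(published), carol.exposed_hours(published)


if __name__ == "__main__":
    print(simulate())
```

The central database only ever holds the seeds of consenting positive users; the list of chirps each phone heard, and the result of the match, never leave the device.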
An important item to note is that while private information is withheld from unauthorized malicious or just curious agents, it is also withheld from health professionals and public health authorities, including human contact tracers. This information would undoubtedly be useful in determining with whom an infected individual came in contact, many of whom they may have forgotten or not noticed. While individuals who are notified about contact with infected individuals may be encouraged to contact health authorities, it would be voluntary, and because of the anonymity protections, much of the work of tracing back to previous contacts and forward to successive contacts would have to be repeated by the human contact tracers. Following the chain of individuals who are farther and farther removed from the diagnosed individual would be particularly useful for superspreader events, where rapid identification and quarantine of all those exposed in the first several generations is critical. Identifying and isolating individuals with asymptomatic infections is also important. All of this information would have to be re-discovered by the human contact tracer.
A possible solution might be the voluntary submission of information to public health authorities by individuals who have gotten a match on their phone, perhaps through the app itself. The issue then is that more and more potentially private information is entered into the central cloud database.
These are all issues that are under active discussion. Since the Apple/Google interface is at the operating system and API level, however, different countries and regions will be able to choose to make different privacy decisions.
Such issues of privacy versus importance of data collection in emergency situations will apply to future post-COVID situations as well. Depending on the success of automated contact tracing in assisting in opening up commerce and day-to-day life, such apps, and perhaps their extension to wearables, may become more commonplace. Clearly, this is an issue where epidemiologists, infectious disease specialists, privacy and security experts, and medical ethicists must collaborate to identify and address risks and vulnerabilities.