Public health experts agree that a robust contact tracing network that can notify people if they’ve potentially been exposed to the COVID-19 virus will have to be a key part of any effort to contain the pandemic. But the rollout of apps to monitor potential exposures have been dogged by concerns about data privacy and location tracking, leaving most of the country unable to keep up with the virus’ spread.
Now the state of Colorado is set to partner with Google and Apple on a digital tool officials say can keep citizens aware of potential exposures while also keeping their digital data secure. The exposure notification service, which will launch later this month, is entirely voluntary and will be available as part of an operating system update for Apple and an app for Android devices. When two phones with the feature turned on are in close proximity to each other, they will trade anonymized “tokens” that register the interaction. If someone then tests positive for COVID-19, they can register the test with the notification service, which will then use the tokens to alert others of their potential exposure and provide tips on what they should do next. Users could be directed to a public health agency for a more robust investigation of the exposure.
Sarah Tuneberg, the lead of the state’s COVID-19 advisory and innovation response team, said at a press conference Tuesday that the feature becomes more effective the more people download it, and emphasized that it is a “completely anonymized service that contains no personal health information.” Rather than tracking location or personal identities, the exposure notification system only relies on the anonymous tokens that refresh every 15 minutes and look like what Tuneberg described as a “list of gobbledygook letters.”
Experts say the system — designed by Apple and Google and provided to states for free — is a potentially safer alternative to ones that would rely on GPS or identifying information to track people’s movements.
Nolen Scaife, an assistant professor at the University of Colorado Boulder department of computer science and technology, said that any time you install an app on your phone, there’s “some risk” that it will report some information or store data in a way that is not evident. But he added that the exposure notification feature appears to have been designed “from the outset to keep any medical information private.”
“From what I can see, this is not a protocol designed for data harvesting,” Scaife said. “In this pandemic, we’ve seen a lot of technologists in academia and industry explore ways to use technology to help, and this is one aspect of that.”
Whether the public trusts it is another question.
Contact tracing efforts have been dogged from the start by privacy and cybersecurity concerns; a Kaiser Family Foundation poll in April found that only half of people would be willing to download an app that would alert them if they had been in contact with someone who tested positive for the coronavirus (47% said they would be unwilling), and just 68% said they would be willing to share a positive test result through an app.
A number of high-profile failures have also sapped public trust for some contact tracing apps, especially ones developed by tech companies. North Dakota admitted in May that its app, called Care19, had been sharing users’ location data to the marketing company Foursquare, an issue that has since been fixed. Experts found potential security flaws in apps launched in the United Kingdom, India and Qatar.
Denise Maes, public policy director for the ACLU of Colorado, said her group remains concerned about the Apple-Google partnership, even with its reliance on anonymized tokens.
She said there is still the potential for the system to be hacked, and added that it could “over-notify” people, warning them of an exposure where there was little chance of viral spread and prompting them to disclose personal information to a contact tracer unnecessarily. (According to a state website, a positive result can only be uploaded if it comes from a qualified testing site and is verified by a public health authority.)
“In this situation, we’re rushing into this without thinking through the consequences,” Maes said. “The state ought to say we’re not going to jump into this technology without some guardrails and some notification to the public of the consequences, perhaps even pushing Google and Apple to refine the technology.”
We’re rushing into this without thinking through the consequences. -Denise Maes, public policy director for ACLU of Colorado
“I’m sure for some of these people who have reservations, in their mind this will be equated with tracking and violating their privacy,” Michaud said. “Not that the app would do that, but it will require significant education to dispel the misperceptions that are out there.”
A state website about the feature contains answers to questions about privacy and security, and a spokesman said CDPHE “is working with our local public health agencies so they can provide support and information about exposure notifications to their communities — including those who aren’t as accustomed to digital technology.”
Michaud said it will be incumbent on public health agencies to not just assure users of their safety, but to reach minority and low-income populations that may have more barriers to downloading or using a digital tool.
“We know the pandemic itself has played out differently across different populations,” Michaud said. “One of the considerations has to be whether you need targeted or extra communication for those populations to reach the benefits of this app.”