COVID-19 Contact Tracing: Your Privacy for Your Health?

We continually hear of the need for COVID-19 contact tracing. But what exactly is contact tracing?

The U.S. Centers for Disease Control (CDC) published guidance on contact tracing during the 2006 Ebola epidemic. In that guide, it explained how tracing finds new cases quickly so that they can be isolated to stop further spread.

In 2006, the goal is the same as it is in 2020: Identify everyone who comes in direct contact with an infected individual, monitor that individual for a period of time from the last day of contact. If that individual develops symptoms, immediately isolate, test, provide care and repeat the cycle.

Therein lies the rub: Contact tracing, which worked in 2006, doesn’t scale well, as the process was conducted manually during the Ebola crisis. What is needed for this global pandemic is an automated process that easily identifies the contacts of those who become infected.

Tracking those infected and in isolation, monitoring for symptoms or contact tracing area all monumental tasks, and different locales are using technology to achieve similar goals differently.

Apple and Google recently issued a joint statement on their partnership in developing contact tracing technology, through which they are working to create an application programming interface (API) to assist in contact tracing. The implementation will be accomplished in two steps:

  • APIs that will allow for interoperability between Android and iOS devices using existing apps from public health authorities.
  • The development of the application itself, with privacy, transparency and consent being core elements. The tech specifications for the utilization of Bluetooth and cryptography were also shared.

The application will use the Bluetooth functionality of users’ smartphones to log two individuals in proximity for a given period of time. If either individual identifies themselves as being infected with COVID-19 into the app, all who were in proximity are then notified that they have been exposed.

Contact Tracing Abroad

Global tracing and tracking solutions exist in China, Singapore, South Korea and other Asian countries.

In China, returning expats and foreigners are being isolated and are required to download a health code app. The user is required to register with their state ID and provide their address, travel history and self-reported health status.

The app issues a QR code and color: green, red or yellow, based on the information given. The color code is designed to enable the relaxing of restrictions, as the World Economic Forum explains: “… typically green for good-to-go, yellow for a seven-day or shorter quarantine, and red for a 14-day quarantine. Once the system is in place, shops, mass transit stations, and offices may ask residents to show or scan their codes before granting them entry.”

The New York Times looked into China’s Health Code app a bit deeper and reported that the app shares information such as location, city, name and identification code with the police servers.

In Hong Kong, new arrivals are issued tracking wristbands to ensure compliance with mandatory self-quarantine orders. And in South Korea, smartphone applications are used to map the movements of those infected with the virus.

The city-state of Singapore (population ~5.6 million) has launched an application called “TraceTogether” that tells users and the government whether the user has been in close contact with an individual who has COVID-19. The idea is that TraceTogether allows the community to be protected.

Singapore’s implementation, according to the app’s FAQ on privacy, stores a user’s mobile number and assigns an anonymized user ID. Phones exchange proximity data via Bluetooth, storing the data of phones in proximity on the device and not on a government server. Having the app on one’s phone is a personal choice, and using the app is fully consensual.

Those diagnosed with COVID-19 may share the TraceTogether data with the Ministry of Health to enable notification to those exposed. The app does not provide GPS location data; thus, mapping of users isn’t part of the app’s functionality.

As of April 17, just over 20% of the population had voluntarily put the app on their phones and are part of the contact tracing community.

The government of Australia is racing to create a contact tracing application, which will be opt-in only, and estimates it will be ready in late April or early May for release. It received the application code of TraceTogether from Singapore, to assist in the development of the Australian solution. According to the Australian Broadcasting Company, the government estimates that at least 40% participation will be required for the contact tracing application to be effective on a national scale.

Germany is also developing similar tracing applications for use by its population. It, too, is looking at the Singapore TraceTogether application as model-worthy.

The European Commission is seeking a pan-European tracing solution, with an eye toward ensuring individual privacy.

As the Australian government noted, however, without substantive public participation, the ability to effectively trace on an automated scale may not be possible.

The bottom line is most, not all, governments are asking for voluntary participation. This places the onus on the individual to decide to participate in the tracing and tracking of COVID-19 and potentially quell the COVID-19 pandemic.

What will be your choice?

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 186 posts and counting.See all posts by burgesschristopher