Primer on Decentralized Contact Tracing

Background information for the discussion at the MyData vs COVID-19 Wednesday call on 2020-04-15

Manu Eder (TCN, COVID Watch)

Why Contact Tracing?

What are our options with respect to COVID-19?

  1. Get it over with fast.
    Consequences: 2/3 of the population get COVID-19. Lots of people are sick at the same time.
    Lots of people die because the health care system is overwhelmed and no one can take care of them. Hopefully 2/3 of the population are now immune, which will stop the spread. (Currently it is unclear thoug how long immunity will last.)

  2. Get it over with, but slowly enough so as to not overwhelm the health care system.
    Consequences: 2/3 of the population get COVID-19, but not everyone at the same time.
    Fewer people die, but lockdown measures will have to be in place for over a year (depending on healthcare capacities). Again, what if immunity doesn’t last longer than a few months? Maybe there’ll be a vaccine at some point?

  3. Do not get it over with, that is, do not aim to infect 2/3 of the population, instead trying to contain the spread. The goal is that as few people as possible get sick. But how is this possible? There will always be new cases somewhere. Even if we manage to get numbers down at some point, how do we stop everything from starting anew?

Contact tracing is one tool that tries to help solve this problem. Other measures will be necessary as well if we try to aim for the last option, option 2.

Marcel Salathé (DP3T) on Twitter:

The idea behind contact tracing: find the contacts of an infected person - they may have been exposed, and should go into quarantine. I'm reposting the illustration that @ncasenmare made 2/12

— Marcel Salathé (@marcelsalathe) April 4, 2020

Contact tracing is most attractive if we are able to bring down the number of infections in some region to a small number once through other measures. Then we can realistically expect to be able to follow up with every single infection that shows up and break transmission chains before there are lots of infected people again. Some infections will go undetected intially, but through following up with all infections that are noticed and testing people we can hope to also eventually discover asymptomatic spreaders.

If we are in a situation where tens of thousands of infections go completely undetected and there are thousands of infections that we cannot follow up on because we lack resources, then contact tracing has much less of an impact.

Here we will focus on the optimistic scenario that we are first able to bring down infection numbers through a combination of measures (most likely including tight lockdown for a month or two). This will influence some choices in the discussion later on. If you do not believe that this scenario is realistic, then not all of those choices will make sense.

Why decentralized contact tracing? What does that mean?

By decentralized contact tracing we mean a solution to the contact tracing problem which does not require a single central authority to know where everyone is all the time. Such a solution is possible, and we think it’s easiest to build it around the Bluetooth technology built into almost all modern smartphones.

Why contact tracing based on Bluetooth?

GPS is relatively coarse-grained, doesn’t work in the Metro, in Buildings, etc. GPS data is also hard to anonymize / process in a privacy-preserving way. Uses quite a bit of battery.

Bluetooth has relatively short range (about 10m, depending on conditions) and allows devices to broadcast messages to nearby devices. With some calibration it’s probably possible to detect only devices which are approximately in the 2m range. Ideal building block for an app-based contact tracing solution.

(Ultrasound would be another option. This would allow quite precise distance measurements based on time-of-flight. This option hasn’t been explored so much. I suspect it wouldn’t work because of technical restrictions in current smartphone operating systems.)

How will such a system work?

On a very high level:

  1. Everyone installs an app on their smartphone that constantly communicates with all the surrounding smartphones with the same app installed.

  2. The app records some kind of information about the surrounding phones that will make it possible to notify these people later on.

  3. If a user gets sick, inform all the users whose smartphones were close to this user’s smartphone. Ask/instruct them to self-quarantine and contact health authorities so that they can get tested.

How should we fill out the details in such a way as to create a privacy-preserving system?

What are the main dangers of a Bluetooth-based contact tracing solution?

I think most people who are in favour of decentralized solutions are most worried about two scenarios that might arise if Bluetooth-based contact tracing is implemented without thought to privacy. (In the description we will call the person who tries to do something that we think is bad and they shouldn’t do the “adversary”.)

  1. Worry #1: An adversary will be able to track the movements of all the users of the app.
    Using Bluetooth instead of GPS already makes this harder for them, because Bluetooth doesn’t inherently contain location information. Still, someone who places Bluetooth devices in many spots around a city may be able to record communication between devices and recognize the same the device in multiple places.
    Even if it is not know “who” a device belongs to; where that device went to and when will tell the adversary a lot about its owner, and with other contextual information will easily reveal identities.

  2. Worry #2: An adversary will be able to record big parts of the “contact graph” of app users.
    (Below is the best picture I could find on Google for “contact graph” (from here).)
    Imagine that the dots represent devices and edges represent contacts between devices. Shorter edges represent repeated and longer contacts, longer edges represent brief or one-time contacts. Initially you might not know “who” a certain dot is. But imagine that you can find out through some other source of information that two of the green dots in the cluster in the middle are employees of the same company. Now you can guess that all of the green dots in that cluster are employees of that company. Now, from their connections, you find the families of those employees, and the companies that they work for. And by building on information that you already have, you can learn more and more about who the dots in your graph are and who they are in contact with.

 

Proponents of decentralized solutions believe that it is very important to prevent these two scenarios, because they give a single entity a lot of information about a lot of people - and therefore also a lot of power.
We are aware that we live in a world where big companies and governments are already collecting this kind of data in big quantities. We don’t want to help them even more.

There are a lot of other things that you should also think about. We just think that as a society these are the two things to be most wary about.

How?

This is again a comic by Nicky Case who has created these illustrations for DP3T: