State-Based Contact-Tracing Apps Could Be a Mess

While governments around the world have launched nationwide Covid-19 contact-tracing smartphone apps over the last months, the United States has pointedly not. Instead, it seems like the apps designed to detect coronavirus exposure stateside will launch on a state-by-state basis—and they may be anything but united.

When Google and Apple officially launched their exposure notification API for Android and iOS last week, their announcement included statements from three states—North Dakota, Alabama, and South Carolina—that are already building apps that will integrate the company’s Bluetooth-based system.

But it increasingly seems that neither the Center for Disease Control, nor the Department of Health and Human Services, nor any other US federal agency will release a nationwide Covid-19 contact-tracing app. “There is no effort I know of at the national level to build anything” like a contact-tracing app, says someone familiar with the White House Covid-19 task force deliberations led by President Trump’s son-in-law Jared Kushner, speaking to WIRED under the condition of anonymity. “Just like you’ve seen with the plan on testing and reopening, it’s being pushed to the states.”

Another advisor to that task force, Andy Slavitt, who led medicare and medicaid policy in the Obama administration and reportedly offered recommendations to Kushner, tells WIRED that any contact-tracing smartphone apps are almost certain to be left to the states alone. “I don’t think the federal government wants the responsibility to figure out the best and most efficient way to execute a contact tracing app,” says Slavitt. “If it’s like everything else they’re doing, they’re going to want to make sure the states have the responsibility.” Neither the CDC nor the Department of Health and Human Services answered WIRED’s request for comment about any plans to launch a national Covid-19 tracking or notification app.

“If this is getting done on a state-by-state level or even a confederacy of states, like the Western Pact, the question is then around security and interoperability,” says Ashkan Soltani, the former lead technologist for the Federal Trade Commission, who has been analyzing Covid-19 tracing and notification apps. “If each state is trying to put this together you run the risk of commercial entities building this, the systems’ backends not being secure, and reliability issues.”

The potential for privacy disasters from contact-tracing apps have already been well demonstrated. North Dakota’s app was found to be sharing data with Foursquare and Google’s advertising system. India’s contact-tracing app made it possible to locate some Covid-19-infected users by spoofing GPS locations. And a flaw in Qatar’s contact-tracing system leaked hundreds of thousands of users’ personal data, including health status and locations.

Rather than auditing one national app for security and privacy issues, Soltani says, every state-level contact tracing or exposure notification system will have to be individually vetted for those sorts of issues. And for each one, the devil will be in the details of its implementation.

Google and Apple’s Bluetooth-based system, for instance, offers app-makers a relatively privacy-preserving approach: It doesn’t collect any location information from phones, and doesn’t even collect any information at all from the phones of users who don’t voluntarily mark themselves as having been diagnosed as Covid-19 positive. For the vast majority of users, no information is ever uploaded to the server of the organization running the app.

But when a Covid-19 patient self-reports as positive through the system, their apps upload a set of rotating codes that their phones have transmitted to other users via Bluetooth for the previous two weeks. While those codes aren’t identifying in themselves, every app maker will have to take care not to collect the IP addresses of those Covid-19 patients’ smartphones, which could be used to identify infected individuals. Or if they do collect those IP addresses—say, to prevent distributed denial of service attacks on their servers—they’ll have to be careful not to keep the data for too long or allow it to leak.

Those sorts of implementation issues only become more critical if some states choose to use other systems that, unlike the one designed by Google and Apple, instead collect location information—as the contact-tracing app launched in the state of Utah does. That could potentially leave state agencies responsible for protecting sensitive information about the movements of millions of people. “I definitely don’t trust 50 different state health departments to do this as reliably as one federal agency,” says Matthew Green, a cryptographer at Johns Hopkins who has analyzed the security of contact-tracing and exposure notification apps.

More fundamentally, Green argues, a state-by-state approach raises the potential for states to use different, incompatible systems, so that Covid-19 exposure events might be missed if a user crosses state lines. “If I’m in New York and a lot of people are coming in from New Jersey, it seems like it’s going to be a big problem,” Green says. “It’s the opposite of a network effect.”

Green notes that if two states’ apps are both using Google and Apple’s protocol, that interoperability problem becomes more manageable. The two states simply share the unique codes that have been uploaded by Covid-19 positive users, so that people who have come into Bluetooth proximity with them in either state can be warned. Apple and Google have even suggested that multiple states’ apps could be designed to run on the same backend server infrastructure.

But that interoperability falls apart if one state, like Utah, opts for a location-based system, while others are using a Bluetooth-based one—or even if one state is using a decentralized Bluetooth-based system like the Google and Apple system, while another deploys a centralized model implemented by countries like Australia and Singapore. “It’s very easy to make decentralized apps interoperable,” says Cristina White, a Stanford professor and executive director of the decentralized exposure notification system CovidWatch. “If everyone is doing different things, with some decentralized and some centralized, and everyone’s using different protocols, that’s harder.”

a man walking in the street in boston

Another contact-tracing app project, the MIT spinoff nonprofit Pathcheck, says it’s currently in talks with a dozen states or “jurisdictions”—multi-state regions—about rolling out contact-tracing or exposure notification apps for those areas. But MIT professor Ramesh Rashkar, one of the group’s founders, says that most of the agencies he’s talked to have expressed more interest in location-based contact-tracing apps than in the Bluetooth-based system developed by by Google and Apple. And he concedes that could create interoperability issues until a standard is established. “My expectation is that in the immediate version, there’ll be a mess with the respect to interoperability, but that it will get fixed as we deploy more solutions,” says Rashkar.

Contact-tracing and exposure notification apps, regardless, represent at best one tool in the toolkit that will help Americans return to normal life. Obama-era healthcare czar Andy Slavitt says, for instance, that he sees the apps as “between 10 and 20 percent” of a larger picture that depends far more on manual contact-tracing and widespread testing.

But now, with no nationwide app in the US, fragmentation threatens to become another hurdle to even that relatively modest role for Covid-19 alert and tracking apps. Until states can agree on a standard or build interoperability between their systems, every line on the US map could represent another constraint on a technology that might otherwise help chip away at the global pandemic’s effects.

Additional reporting by Fred Vogelstein.


More Great WIRED Stories

Read More

LEAVE A REPLY

Please enter your comment!
Please enter your name here