Some of the biggest names in encryption are developing a smartphone app they hope will tamp down the coronavirus pandemic without trampling privacy.
Private Automated Contact Tracing, or PACT, is designed to let people figure out if they’ve been near others who’ve caught COVID-19, the respiratory disease caused by the novel coronavirus. If you’ve tested positive, you can use the app to voluntarily upload information to a server that then lets others find out they’ve been near someone infected. It will also let you find out if you’ve been near others who have the disease.
PACT does this without sharing your identity or phone number with anyone, including the government. The app also doesn’t record your location. All it needs to know is that you were near somebody else running the app, not where you both were.
Among those participating in the effort are Ron Rivest of MIT and Adi Shamir of the Weizmann Institute of Science in Israel. The two scientists are the “R” and “S” in RSA encryption technology, the pioneering process that secures communication on the internet. It also includes researchers at the Massachusetts General Hospital Center for Global Health, Boston University, Brown University, Carnegie Mellon University, SRI International and different divisions of MIT.
“The way to flatten the curve is to get people to be sequestered who have been exposed as quickly as you can,” said Rivest, one of the leaders of the project. “That means identifying people as quickly as you can.”
PACT, which hasn’t got a release date yet, is an example of a burst in innovation to address the coronavirus pandemic. Companies that make cars or gaming computers are now making ventilators. Ordinary citizens are mobilizing to sew masks and 3D-print face shields for physicians, nurses, and first responders.
Other contact-tracing apps, including COVID Watch and Pan-European Privacy-Preserving Proximity Tracing, have also been developed to deal with the pandemic. Rivest hopes that some of the projects can unite. “We’d like to see a common approach,” he said.
Contact tracing has historically been a manual process in which a health care professional painstakingly goes through a patient’s history to figure out who they were near. It can be used to track down the origins of a disease or predict where it might spread next. But it’s a laborious process. And even when patients have strong memories, they often can’t identify strangers like fellow passengers on a bus. That’s why apps are attractive to researchers.
Privacy-first contact tracing
Using smartphone apps to trace contacts isn’t a new idea. South Korea has used smartphone apps to track citizens’ whereabouts during the coronavirus lockdown. Access to cell phone location data could let governments track people even without an app, something the US government has reportedly done. Phone-based tracking has also been used in Israel and Singapore, though the American Civil Liberties Union points out that phone-based data can have flaws that hobble its medical usefulness.
That kind of access raises concerns among privacy advocates, who worry governments will end up knowing too much about you. Tracking you could reveal political activity, private medical conditions, and religious affiliations, and it can feel oppressive. “Privacy is a basic human need,” says security researcher Bruce Schneier.
Building a privacy-respecting alternative is important, says Kurt Opsahl, deputy executive director and lead lawyer at the Electronic Frontier Foundation, an online privacy group.
“Once you create things, they tend to stick around and get repurposed for other things,” Opsahl said. “We need to make sure we’re building something that’s for a future we would want to live in, not enabling a technology that may seem like a good idea now but that would last longer than the crisis.”
Opsahl cited the Patriot Act, which was signed into law shortly after the 2001 terrorist attacks, as an example. The law is still the center of an EFF legal fight about government surveillance.
The big challenge: Getting people to use the app
A barrier to PACT’s success, however, is getting enough people to use it. Without a critical mass of users, PACT won’t provide enough information about the spread of the disease to be useful. People might be leery about sharing that they’ve caught COVID-19 even with an app that’s designed to protect their privacy.
The app could also “cause a false fear” in people if it tells them they might have been in contact with an infected person, said Andrew Noymer, an associate professor of public health at the University of California at Irvine. That worry could be compounded by the difficulty of actually getting tested afterward.
“This is a well-intentioned scheme that’s going to have zero public health impact,” Noymer said.
Another potential pitfall is security. The idea of helping fight the coronavirus without harming civil liberties is good, but the app has to have robust security to thwart hackers or abuse from trolls, like the ones who are “Zoombombing” videoconferences, Opsahl said. “Someone could try to attack it by putting in false information to try to put somebody they didn’t like into quarantine,” he said.
Still, people can change, particularly if encouraged by authorities or otherwise prompted. A week ago, few people in the US were wearing masks, and a month ago, few people were staying at home.
How the PACT app works
The app works by broadcasting a random, frequently changing ID number over Bluetooth and listening to others’ IDs. If you test positive for COVID-19, the disease caused by the coronavirus, you can upload your history of ID numbers to a central server. Or if you want to check whether you might have been exposed, the app can check if your contact history includes any ID numbers from infected people.
“You want to allow something to sense if you’re within 6 feet of someone for more than 10 minutes. Bluetooth can do that,” Rivest said.
To prevent abuse, the app would only be able to upload your information after a medical authority presents you with a QR code the app can scan, Rivest said. The ID number changes frequently, perhaps as often as once a minute, so individuals don’t have any persistent identifier.
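The flow described above can be sketched as a small simulation. This is an added example, not code from the PACT project: the class names, the 16-byte ID size, the one-time code standing in for the QR code, and the one-ID-per-minute counting are all assumptions made for illustration, and Bluetooth range is modelled only as a list of nearby phones.

```python
import secrets

EXPOSURE_MINUTES = 10   # article: near someone "for more than 10 minutes"

class Phone:
    """Hypothetical app state: random IDs only, no identity or location."""
    def __init__(self):
        self.sent = []       # IDs this phone has broadcast
        self.heard = set()   # IDs received from nearby phones

    def tick(self, nearby=()):
        """One minute passes: broadcast a fresh ID to the phones in range."""
        rid = secrets.token_bytes(16)   # unlinkable to any earlier ID
        self.sent.append(rid)
        for other in nearby:
            other.heard.add(rid)

    def exposed(self, published):
        """Local check: one matching ID counts as one minute of contact."""
        return len(self.heard & published) > EXPOSURE_MINUTES

class Server:
    """Hypothetical central server holding IDs uploaded by positive users."""
    def __init__(self):
        self.published = set()
        self._valid_codes = set()

    def issue_code(self):
        """Stand-in for the QR code a medical authority gives a patient."""
        code = secrets.token_urlsafe(16)
        self._valid_codes.add(code)
        return code

    def upload(self, code, ids):
        """Accept an ID history only with an unused authority-issued code."""
        if code not in self._valid_codes:
            return False
        self._valid_codes.remove(code)   # one-time use
        self.published.update(ids)
        return True

def simulate():
    """Constructed scenario: Alice is near Bob 12 minutes, Carol 3."""
    alice, bob, carol, server = Phone(), Phone(), Phone(), Server()
    for minute in range(15):
        alice.tick(nearby=[bob] if minute < 12 else [carol])
    forged = server.upload("made-up-code", [secrets.token_bytes(16)])
    accepted = server.upload(server.issue_code(), alice.sent)
    return forged, accepted, bob.exposed(server.published), carol.exposed(server.published)
```

The server never learns who Bob or Carol are: each phone compares the published IDs against its own log, and an upload without a code from the authority is rejected.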
PACT team members hope the app will get a boost from health officials and, perhaps, from Apple and Google, which offer coronavirus information pages and operate the two biggest app stores. Promotional placement in those stores would make a big difference. “We hope to have strong cooperation,” Rivest said. Apple and Google didn’t comment for this story.
Apple, which has a strong privacy protection agenda today, has tackled a similar idea with its Find My technology in which other people’s iPhones can help locate yours if it’s lost. Indeed, Rivest has discussed the technology in his classes, and it helped inspire PACT.
The increase in new COVID-19 cases appears to be flattening in the US, a good sign in the fight against the coronavirus pandemic. But even if the crisis abates, PACT could help prevent a rebound, said Robert Cunningham, an adjunct professor of cybersecurity at Carnegie Mellon University and member of the team.
“We can use this in a way to keep from flaring up again,” Cunningham said. “The trick is to get this in place.”