State of Digital Contact Tracing in the United States
Live free or die. I don’t get it. I say, “Regulate me gently. I’d rather live.”
In the last two months, I read Pale Rider by Laura Spinney to better understand how people reacted to the Spanish Flu. The book did a great job of using many local stories to capture a full global picture of the pandemic. I learned how much hasn't changed, and how most of the behavior we are seeing today is nothing new. Since then, I've spent a good part of the past month thinking about the relationship Americans have with the virus. We know that we should socially distance ourselves to curb the spread of the virus, but we're not doing so. Regulation is now a major topic as anti-mask & anti-lockdown protesters continue to fight against mandatory mask and social distancing rules set by the government and corporations. According to an NBC / WSJ poll, fifty-eight percent of registered voters didn't want lockdown restrictions lifted while thirty-two percent were more concerned about the economy. Yet, states slowly reopened. The rate at which the virus was spreading stagnated in May before spiking again in early June. States are now going under lockdown again. This ordeal reminded me of a passage I read in The Undoing Project by Michael Lewis.
Redelmeier was newly struck by the inability of human beings to judge risks, even when their misjudgment might kill them. When making judgments, people obviously could use help—say, by requiring all motorcyclists to wear helmets. Later Redelmeier said as much to one of his fellow students, an American. What is it with you freedom-loving Americans? he asked. Live free or die. I don’t get it. I say, “Regulate me gently. I’d rather live.”
Yes, some Americans have chosen to risk death over regulation. Choosing to risk death is a choice they have made not only for themselves, but also for the people around them.
Regulate me not
When people choose not to stay apart or wear masks, the least they can do is to let people they have interacted with know if they are feeling symptoms or if they have tested positive for the virus. This way, communities can curb the spread of the virus by self-quarantining. This is one of the first steps in contact tracing, and it is much more difficult in practice. When a person is feeling symptoms, they can get tested for the virus. If the test is positive, they get a call from a health official who asks a series of health-related questions. The questions are meant to trace who and where they might have spread the disease to. People can expect to divulge sensitive information such as the names and contact information of those individuals so the health official can notify them as well. As it stands, the process is taxing on both parties. There are sample scripts and guidelines online that show how the patient is placed in a very vulnerable position. The health official, on the other hand, has to deal with varying emotions over many of these conversations. This process is extremely inefficient. This is where technology, in the form of contact tracing apps, comes into play. Oxford research showed that contact tracing apps can slow or even stop transmission depending on adoption. Unlike humans, the technology required is infinitely scalable and can work around the clock to notify people of exposure before they infect others. The researchers estimate that the app could lower the notification delay from 72 hours down to 4 hours. Good thing the U.S. is a tech powerhouse, right?
So far, attempts at using technology to make contact tracing more efficient in the U.S. have been slow. It's kind of disappointing, really. Privacy seems to be the reason behind the lack of adoption. These apps need to track where users go, and who they came in contact with. On top of that, the data may be linked to sensitive health records like diagnoses and visits. States are the main entities, if any, pushing these apps to support health officials. But not enough users trust them to keep their data safe. This doubt is warranted because healthcare institutions aren't known for their data security. According to Protenus, over forty-one million patient records were exposed in hundreds of breaches in 2019 alone, a forty-eight percent increase in the number of incidents. This is not a good sign because health-tech solutions are needed now more than ever in the history of the field.
Digital Contact Tracing in the United States
Choosing to give existing contact tracing apps the benefit of the doubt, I decided to see what the options were. "After all", I thought, "government-backed efforts have to be above average". To do this, I searched for "Contact Tracing" on July 11, 2020, in both major app stores. In total, I found 6 apps that claim to be affiliated with U.S. state or local governments.
The first issue I noticed was around discoverability. Of the six apps, four were available on Android, and all six were available on iOS. But when I searched for "Contact Tracing," only two of the four were returned in the Play Store, and five of the six in the App Store.
From the app descriptions, it seemed like five states had official apps with some backing multiple states. But like anyone unwilling to trust app store descriptions, I reversed the search to see if state governments were promoting these apps on their .gov pages. Contact Tracing (the app) claims Daly City, but I couldn't find any mention of it on official government pages even though WSJ claimed they were working together. Citizen SafeTrace, from the same company behind the social safety app, claims San Joaquin County, CA, but not the other way around. Utah claims Healthy Together; they paid $2.75M for it. North and South Dakota along with Wyoming claim Care19 Diary, and Teton County, Wyoming claims PathCheck SafePlaces. Finally, Rhode Island claims CRUSH COVID RI. Google and Apple can prevent bad actors from releasing malicious apps, but it is ultimately up to local governments to prove the credibility of their apps.
Location tracking is not popular
Though almost all six of the apps made privacy and security promises, Healthy Together caught my eye because actual government effort went into it in the form of taxpayer dollars. Here's a quote from their website:
We will retain personally identifiable health-related information that you share with us no longer than 30 days after you provide it, except when applicable legal requirements mandate a longer retention period. After 30 days, we will retain, use and share limited, de-identified health-related information only for COVID-19 response efforts or other public health or research purposes.
While most apps are struggling to gain adoption with solutions that anonymize data by default, Healthy Together doesn't try. In the event of a data breach, personal data can be traced back to a user within the first thirty days after that data was collected. We can assume that the data will live with them forever after those thirty days as long as the account remains active. It's important to note that thirty days is more than enough time for hackers to breach and potentially decrypt that data. Furthermore, keeping the data linked to users is not a good way to signal trust, especially when that data is health-related. This particular solution is not great. It led me to wonder why Utah paid over $2.7 million to a 7-day-old company. The app failed to gain adoption, and no longer traces contacts because they learned that "location tracking isn’t popular". This scenario captures the current state of contact tracing tech solutions in the U.S.
With privacy in mind, Google and Apple created a solution that doesn't use GPS. Similar to some of the solutions above, Exposure Notification (EN) uses Bluetooth to approximate the distance between your phone and other broadcasting phones. But unlike most of the other apps, they've disconnected themselves from the data. EN is not an actual app. It is a framework that other developers can leverage in their apps. The API will work to generate unique keys and keep them anonymous as they bounce between phones. If an individual tests positive, they can choose to upload the keys they generated in the past two weeks. People will get alerted if their phone downloads a key belonging to someone that has tested positive.
Privacy-wise, the solution works. First, people have to opt in to enable the feature even though most devices should already be capable of EN. The unique keys are stored locally on each device ensuring control over the anonymous keys. People that test positive have to consent, again, to upload the last 14 days of their unique keys. At this stage, those keys are still useless as they should not be linked to any individual phone. Potential exposures are only surfaced after phones download and match the new list of keys that belong to anonymous users that have tested positive. An app based on this solution will check the privacy box. It is anonymous, private by design, and can only be used by apps created by health officials. The only issue would be if servers unintentionally log IP addresses or device information. But by limiting who can use EN, Google and Apple should be auditing the servers that end up with the list of keys. Their cryptography specification notes that:
The server must not retain metadata from clients uploading Diagnosis Keys after including those keys in the aggregated list of Diagnosis Keys per day.
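The flow described above (daily keys stay on the phone, rotating identifiers are broadcast, and matching happens on the device after positive users upload their keys) can be sketched as follows; this is an added example, not code from Google, Apple, or any of the apps discussed. The `EN-RPIK` and `EN-RPI` labels and the 10-minute interval follow the Google/Apple cryptography specification, truncated HMAC-SHA256 stands in for the specification's AES-128 step so the sketch needs only the standard library, and the users and key values are constructed.

```python
import hashlib
import hmac
import struct

INTERVALS_PER_DAY = 144  # identifiers roll every 10 minutes


def hkdf_sha256(key: bytes, info: bytes, length: int = 16) -> bytes:
    """Single-block HKDF (RFC 5869) with the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_ids(daily_key: bytes, day_start: int) -> list:
    """Every identifier one phone broadcasts in a day, derived from its daily key."""
    rpik = hkdf_sha256(daily_key, b"EN-RPIK")
    ids = []
    for i in range(INTERVALS_PER_DAY):
        padded = b"EN-RPI" + b"\x00" * 6 + struct.pack("<I", day_start + i)
        # Substitution: the specification encrypts `padded` with AES-128 here;
        # truncated HMAC-SHA256 keeps this sketch standard-library only.
        ids.append(hmac.new(rpik, padded, hashlib.sha256).digest()[:16])
    return ids


def find_exposures(heard: set, diagnosis_keys: list) -> list:
    """On-device matching: day_start of each published key this phone was near."""
    return [day for key, day in diagnosis_keys if heard & set(rolling_ids(key, day))]


def demo() -> dict:
    # Constructed sample data; real daily keys are 16 random bytes per day.
    day1, day2 = 2657376, 2657376 + INTERVALS_PER_DAY
    alice = [(hashlib.sha256(b"alice-1").digest()[:16], day1),
             (hashlib.sha256(b"alice-2").digest()[:16], day2)]
    carol = [(hashlib.sha256(b"carol-1").digest()[:16], day1)]
    # Bob's phone stores only the identifiers it heard: three from Alice on day 1.
    bob_heard = set(rolling_ids(*alice[0])[60:63])
    # Alice and Carol test positive and consent to upload their daily keys.
    published = alice + carol
    return {
        "bob_matches": find_exposures(bob_heard, published),
        "ids_all_distinct": len(set(rolling_ids(*alice[0]))) == INTERVALS_PER_DAY,
        "dave_matches": find_exposures(set(), published),
    }


if __name__ == "__main__":
    print(demo())
```

The server only ever sees the published daily keys; which phones heard which identifiers never leaves the devices, which is why retained upload metadata such as IP addresses is the remaining way to link a key to a person.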
An app would check the privacy box, but there aren't many apps using the API. As of writing, none of the six apps mentioned used EN. Also, U.S. states aren't willing to back efforts that leverage this framework. According to Business Insider, three states signed up, nineteen were still weighing options, and seventeen were not considering CT apps. None of the three states that signed up have started using apps that support Exposure Notification.
Location tracking is necessary
When a person tests positive, a Bluetooth-based solution can help health officials quickly react to the virus by identifying individual cases and contacts. This is not enough. The virus will remain widespread if we continue to react instead of getting ahead of it. Only location tracking can help us anticipate potential hotspots before they become hotspots. Google and Apple's approach is great for ensuring the privacy of the individual, but it is only a partial solution to the problem. Imagine EN, but with the following modifications:
- Encrypted location is saved locally along with those anonymous keys
- The encrypted location data can be uploaded when users (after testing positive) upload their keys to the server
- The server can then decrypt and detach it from the keys before marking the keys safe to download
All this can be accomplished without ever linking the data to individual users. A bad actor at a hospital would and should never be able to link data to any patient. However, given the circumstances, their approach is still essential in covering the part of the population that will never install a location tracker.
Before ending this, I wanted to highlight Teton County's backing. PathCheck SafePlaces is the only open-source option on the list, meaning people with understanding can figure out how things work under the hood. Their current GPS+ solution does a version of what I explained above. The data is encrypted but identifiable by health officials when a user chooses to upload it. They also developed another open-source solution that leverages Google and Apple's Exposure Notification. States won't even have to pay for it other than the cost to audit, secure, and host the server. The PathCheck Foundation seems to have the most complete and transparent digital contact tracing solution in the U.S. But, as of writing, only a single county in the U.S. is leveraging that technology.
Thanks for reading. Like most people, I'm trying to make sense of the new normal. I'm not a medical professional. My little stint in biology ended when I dropped my Bioinformatics minor in my senior year of college.
If this is your first time reading one of my newsletters, consider subscribing for free. I mostly write about personal finance and investing, but the virus has been top of mind for me.
📚 Books I read since the last newsletter
Good To Great - I'm always curious about what separates two completely identical companies. What gives one an edge over the other?
Thinking in Bets (re-read) - most of this blog/newsletter is dedicated to taking calculated risks. This is one of my favorite books on the topic
Becoming - I really wanted to see the Obamas from Michelle's point of view
The Checklist Manifesto - before this book, I ran my life on checklists. Drawn and checked off on physical notepads. After the book, I decided to start using Notion to turn most of my workflows into repeatable checklists with templates.
Superforecasting - the fact that some people can be more informed about the future is intriguing.
Pale Rider, Talking to Strangers, Option B, The Undoing Project
📖 Currently reading
Options as a Strategic Investment