Automated Coronavirus Contact Tracing: the Apple|Google Plan

The logo of the Apple | Google project.

How do we exit from our COVID-19 lockdown and revive our social and economic lives? Every current proposal involves extensive testing for coronavirus and tracing of the social contacts of infected persons. There are, however, many logistical and ethical challenges to doing the amount of testing that the pandemic will require. In this post, I discuss a proposal from cooperating engineering teams at Google and Apple that has attractive features in terms of efficiency, user autonomy, and privacy. I will offer the case for the Apple|Google (A|G) plan; it’s the most attractive scheme that I have seen so far. But it still scares me, which I’ll discuss in a later post.

What’s the problem we are trying to solve? The problem with epidemics is that if each infected case transmits the infection to more than one other person — in the jargon, if (the transmission rate) R0 > 1 — then the number of cases explodes.* The coronavirus appears to spread primarily through person-to-person contact. The developed world is in a collective partial lockdown as a brute force means of reducing these contacts, thereby lowering R0. This has been partially successful but at a ruinous economic cost. Sooner or later, we will go back to work. However, when we go back to work the rate of interpersonal contacts will rise, and with it R0. So, how do we return to work without reviving the spread of the virus?

The standard public health answer is that instead of isolating everyone in lockdown, we test everyone with symptoms. Then, when we find a positive case, we isolate that person, stopping further transmission from him. Also, we identify everyone he has recently contacted and test all of them. We apply this procedure recursively to each new positive case we discover. If we do this quickly and thoroughly, we can reach and isolate enough infected people to drive R0 below 0. This will, eventually, extinguish the epidemic.

Unfortunately, COVID-19 will be difficult to control this way. First, the virus appears to be highly transmissible. A recent paper from the CDC found that in data from Wuhan, R0 > 5. Second, because many infected people experience few if any symptoms, they do not come to the attention of public health workers, so their contacts can’t be traced. Finally, the virus is already widely diffused in the community. Testing and contact tracing are labour-intensive processes, so you need a lot of public health workers if you want to move fast enough not to be overwhelmed by the transmission of the virus to uninfected people.

This is why Aaron argued recently that we need to do something bigger and more radical than traditional contact tracing. One proposal is from Paul Romer, who argues that we should test everyone every 7 days. If we could test that much, we’d suppress the COVID-19 pandemic. Moreover, if you tested everyone that frequently, you wouldn’t need to do much contact tracing.

But to do that we would need to be able to manufacture and distribute ~40 million tests a day, train many hundreds of thousands of people to administer those tests, and get those testers deployed in every corner of the land. Even then, we’d need to get the people to the test. Would people show up at an office once a week for an invasive and unpleasant procedure? If they didn’t, would we send testers to their houses? And what would we do if they wouldn’t open the door?

A second proposal comes from the Center for American Progress (CAP). One of their ideas is to use technology to automate contact tracing.

[M]anual contact tracing is not nearly fast enough to slow transmission. However, technology can be used to conduct instantaneous contact tracing, eliminating the delay between the confirmation of a case and notification of contacts… [The idea is to] use mobile phone apps or mobile telecommunications infrastructure to notify individuals on their mobile phone through notifications or text messages if they have been in close proximity to an individual who has tested positive for COVID-19. These methods use GPS, Bluetooth, cell tower, and Wi-Fi network data to identify whether the user’s phone pinged the same signals as the phone of a COVID-19-positive individual during the same time period.

Please imagine that you have tested positive. Would you be able to remember everyone you had been in contact with in the past week? Yes, if you have been alone with your partner all week. No, if you have ridden a subway to work each day. The CAP plan would do a better job than an interview at identifying people who are likely unknown to a COVID+ person but may have been in contact with her. It also does this contact tracing far more cheaply and quickly. Hence, if the app works as designed, and if people who are informed that they have been near a COVID+ person proceed to get themselves tested, then this could be more effective than traditional contact tracing.

You will have noticed, however, that in the CAP plan the entity administering this system knows which cell phones belong to COVID-19 positive persons. Moreover, that entity will be tracking the whereabouts of everyone’s phones in real-time. The CAP authors recognize that this raises serious civil liberties concerns, and they describe a series of rules about how the data will be used that are designed to mitigate these threats. This means that the data are safe. That is, until a President decides that the government needs the data and a court accedes to his wishes. Or until the system gets hacked. The CAP authors sense that many people would be reluctant to download this app. To remedy that, they propose that

As a condition of receiving a COVID-19 test in the future, individuals may be required to download the app, which would include their test result.

This means that the CAP proposal would have the additional feature of discouraging people from seeking tests.

Here is where the A|G proposal comes in. Apple and Google engineers are working jointly on a phone app for both Android and iOS phones that automates contact tracing. Compared to the CAP plan, the A|G plan keeps far less information about people’s COVID-19 status and places more control over the use of the information in the hands of the user. There’s little detail about the project available yet. I’m just working from a post on a Google blog. Therefore, read my words with caution. With that in mind, here’s how the app would work.

Suppose Alice and Bob are strangers who happen to sit near each other on a subway. Alice carries an iPhone, Bob carries Android, but each phone has the A|G app. Using Bluetooth, the phones sense each other’s presence. The phones — not Alice and Bob — exchange ID tokens. The tokens are long random numbers that uniquely identify the phones. Alice’s phone sends Bob’s phone her phone’s token, which Bob’s phone stores in a list, call it the ‘tokens that have been near me’ list. This list never leaves Bob’s phone. Moreover, it just stores Alice’s phone’s token and a timestamp. It doesn’t store the location of the contact. At the same time, Bob’s phone sends its token to Alice’s phone, which Alice’s phone stores in its own ‘tokens that have been near me’ list. Alice and Bob don’t have to do anything. They aren’t even aware that the exchange has occurred.

Suppose that a week later, Bob gets tested and turns out to be COVID-19 +. Bob enters this fact in the app. With Bob’s explicit permission, his phone uploads its ID token to a public health agency app. Bob’s phone uploads just Bob’s phone’s ID token, and not anything else about Bob or even the phone. (Or anything about Alice or her phone.) The public health app adds Bob’s phone’s ID token to its list of ID tokens for phones belonging to COVID-19 positive people (call it the ‘COVID+ token list’).

Independently of what Bob’s phone and the public health app does, we should assume that public health workers will interview Bob about the contacts Bob knows about. They will find out that he has a partner named Charlie, a co-worker Denise in the next cubicle, and that he recently visited his nephew Eric. Public health workers will contact and, if possible, test all those folks. But they learn nothing about Alice because, after all, Bob doesn’t know anything about her.

Now, back to Alice’s phone. Once a day, Alice’s phone (and every other phone with the app) downloads an encrypted copy of the COVID+ token list from the public health app. Alice’s phone decrypts the COVID+ list and compares it against its ‘tokens that have been near me’ list. “Hey,” sez Alice’s phone to itself, “There’s a token on both lists!” Alice’s phone sends a notification to Alice, and no one else, “You’ve been near someone who tested positive. Here’s a place you could get tested.” Now it’s up to Alice to decide what to do about that.
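The Alice-and-Bob walkthrough above can be made concrete as a small simulation. The code below is an added example written for this post; it is not code from Apple, Google, or any public health agency, and it models the plan exactly as the post describes it (a static per-phone token, a local ‘tokens that have been near me’ list holding only token and timestamp, an upload of nothing but the phone’s own token with explicit consent, and a match computed on the phone). The `Phone` and `HealthAgency` classes, the 16-byte token length, and the third phone `Carol` are assumptions for the illustration; the encryption of the downloaded list is omitted. The `uploads` log on the agency side exists so the reader can check what the agency actually learns.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16  # assumed length of the "long random number" used as a phone's ID token


@dataclass
class Phone:
    owner: str
    token: str = field(default_factory=lambda: secrets.token_hex(TOKEN_BYTES))
    # 'tokens that have been near me': other phones' token -> timestamp of the encounter.
    # No location, no names. This dictionary never leaves the phone.
    nearby: dict[str, float] = field(default_factory=dict)
    notified: bool = False

    def bluetooth_exchange(self, other: Phone, timestamp: float) -> None:
        """Both phones record the other's token and the time, without user involvement."""
        self.nearby[other.token] = timestamp
        other.nearby[self.token] = timestamp

    def report_positive(self, agency: HealthAgency, consent: bool) -> bool:
        """Upload only this phone's own token, and only with the owner's explicit permission."""
        if not consent:
            return False
        agency.receive_positive_token(self.token)
        return True

    def daily_check(self, agency: HealthAgency) -> list[str]:
        """Download the COVID+ token list and compare it locally against the nearby list.

        The matching happens on the phone; the agency is never told who matched.
        """
        positive = agency.publish_positive_tokens()
        matches = [t for t in self.nearby if t in positive]
        if matches:
            self.notified = True  # stands in for the on-device notification to the owner
        return matches


class HealthAgency:
    def __init__(self) -> None:
        self.positive_tokens: set[str] = set()
        self.uploads: list[dict[str, str]] = []  # everything the agency ever received

    def receive_positive_token(self, token: str) -> None:
        # Record exactly what arrives: a token and nothing else.
        self.uploads.append({"token": token})
        self.positive_tokens.add(token)

    def publish_positive_tokens(self) -> frozenset[str]:
        # The 'COVID+ token list' that every phone downloads once a day.
        return frozenset(self.positive_tokens)


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob share a subway car; Carol meets no one."""
    alice, bob, carol = Phone("Alice"), Phone("Bob"), Phone("Carol")
    agency = HealthAgency()
    subway_time = 1_000_000.0  # constructed timestamp of the encounter

    alice.bluetooth_exchange(bob, subway_time)

    # A week later Bob tests positive and consents to uploading his phone's token.
    uploaded = bob.report_positive(agency, consent=True)

    return {
        "uploaded": uploaded,
        "alice": alice,
        "bob": bob,
        "carol": carol,
        "agency": agency,
        "alice_matches": alice.daily_check(agency),
        "bob_matches": bob.daily_check(agency),
        "carol_matches": carol.daily_check(agency),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("Alice notified:", result["alice"].notified)
    print("Carol notified:", result["carol"].notified)
    print("What the agency received:", result["agency"].uploads)
```

Running the scenario shows the two properties the post emphasises: Alice's phone is the only one that learns about the match, and the agency's upload log contains one record holding one token and nothing about Alice, her phone, or the time and place of the encounter. A consent value of `False` in `report_positive` results in no upload at all.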

Of course, a government could have A|G build the app so that it also notifies the public health agency to send someone to test Alice. Doing that, however, would probably just mean that few people would put the A|G app on their phone. A government could require that every citizen install the app. Then the A|G plan becomes just a more secure version of the CAP plan. These choices are possible, but in my view, they’d radically diminish the acceptance of the app. The option of interest is the one that keeps Alice in control of what to do about her proximity to a COVID+ person.

I see at least three immediate questions about the A|G plan. First, is it as secure as it sounds? Well, how the hell would I know? What I can do is broadcast my “Avengers assemble!” call to all security engineers to start attacking this. Second, would people download the A|G app? Silicon Valley history proves that no one knows the answer to that until they try. All I do know is that I would be more likely to install it than a CAP app.

Third, would people who’ve gotten notified of a possible contact actually go seek testing? Surely, some would not. However, the notifications that successfully prompt people to get tested will often be contacts who would not have been identified using traditional contact tracing. This is the win that the A|G app could deliver: it multiplies the effectiveness of our contact tracing effort at low cost.

My view is that this option deserves consideration, starting right away. But the immediate concerns about security and feasibility aren’t the only things we should discuss. I’ll raise some longer-term worries in the next post.

*Literally, explodes. It’s the same math as nuclear fission.

h/t to Benedict Evans and his superb tech newsletter.

