Apple and Google partnered in early April to create a new smartphone app that uses Bluetooth to track coronavirus cases.
Using a technology called contact tracing, the app alerts a user when they come in contact with someone who has been positively diagnosed with COVID-19.
Apple and Google focus on a promise of privacy and data security, however, there are still concerns as contact tracing is new in the way of mobile technology.
Gokarna Sharma, Ph.D., assistant professor in Computer Science and the director of Scalable Computer Architecture & Emerging Technologies Laboratory (SCALE) in the Department of Computer Science at Kent State University, is experienced in algorithms, blockchain and smart technologies. Sharma recently answered some questions for Kent State Today about the new app based on his professional opinion.
Can you explain, in simple terms, what the app is and how it will work?
The contact tracing app hasn’t been deployed yet. The first step was to make the operating systems support such an app. In mid-April, Apple and Google released an update on iOS and Android OS that supports contact tracing. In the second step, a contact tracing app needs to be written and deployed on those phones to track the coronavirus cases.
Who would write such an app?
For example, the public health agencies, such as the Ohio Department of Health in the context of the State of Ohio, or even Apple, Google, and some other companies can come up with an app and make the app available in Apple and Google Play stores.
How would the app work?
Consider the case of two smartphone users Alice and Bob. Alice and Bob both download and install the app from their respective app stores. Alice and Bob then carry their phones with Bluetooth on, which is required for the app to perform contact tracing. Suppose at some point in time Alice comes closer than, say six feet (this distance is set by the user) to Bob. Their phones exchange random codes via Bluetooth and store the codes received. The random codes are generated by each app using some cryptographic method. Suppose Alice has a confirmed diagnosis of COVID-19 in the next 14 days (14 days is a typical duration of COVID-19 diagnosis after a possible contact). If Alice inputs her positive COVID-19 diagnosis information into the app, Bob will be notified with the information that he had been in contact with someone who was positively diagnosed with COVID-19 in the last 14 days. The notification to Bob does not reveal that Alice was the one who Bob was in contact with, keeping Alice’s diagnosis information confidential.
How would the app find a match and notify Bob?
The app on Alice’s phone sends the positive diagnosis information inputted by Alice to a cloud database, which is a collection of random codes and the cryptographic method representing those positively diagnosed with COVID-19. Bob’s phone stores random codes of people who came within that six-foot range over the last 14 days. For the matching, Bob’s phone downloads the cloud database and performs a matching with the random codes stored in his phone. If there is a match then Bob will get a notification that he has been in contact with someone infected by the virus. The download and matching are done every day so that Bob can delete the codes from his phone that are older than 14 days. It’s possible it could be done automatically, we’ll have to see what options the app offers.
What are your thoughts on the collaboration between Apple and Google on an app like this?
I think it is a very strong and effective partnership. For example, about 81% of people in the United States use smartphones. There is an estimate that among those users, 52% of the market use Android and 47% use Apple. So, if Apple and Google create this app and smartphone users are persuaded to use it, the app will be effective in tracing the coronavirus spread.
What are the risks of this app? How do you think these risks will play out once the app is open to the public?
There are definitely risks. When we talk about apps, we always worry about privacy and security of the collected data. The whole idea here is to not collect any information that compromises users’ private information such as name, identity, address, or anything like that. The use of random code is to do precisely that. The random codes are generated through a cryptographic method, which has no relation with users’ private information. To deter someone from interfering with a user’s private information through previously-used random codes, a different random code is used every 15 minutes or so. This makes it extremely difficult to map a random code to a particular user.
What is the specific privacy concern?
There are certain situations where the app (or phone) might collect user information that may reveal their identity. For example, suppose the phone has location information on. If the location information is combined with random codes, then it may reveal that the user is from some particular area, say Kent, Ohio. Nevertheless, there are benefits of using location data. For example, if Bob is from Ohio (Portage County) and has not travelled outside of Ohio (Portage County) in the last 14 days, then only the random code cloud database of last 14 days collected from Ohio (Portage County) can be matched to see whether Bob came in contact with someone positively diagnosed with COVID-19. This requires less time and memory compared to downloading, storing, and matching the random code cloud database of the users in the whole United States. The disadvantage is that the continuous collection of location information for a certain period of time may eventually provide a pattern that reveals where the user lives.
Apple and Google are promising that they will not collect any information beyond Bluetooth random code data. Furthermore, they are promising that the collected data will be stored securely and will not be used for advertising or any other purpose, except possibly disclosing to the public health agencies, such as the Ohio Department of Health, after thoroughly reviewing the disclosure requests they receive.
Another important point is that the positive COVID-19 diagnosis information for Alice must be verified before putting it in the cloud database. This is crucial in removing the false positive random codes from the cloud database. This can be done as follows: After Alice inputs the information in the app, it will be sent to the responsible public health agencies, such as the Ohio Department of Health, to verify the information. After verification, the information is put to the random code cloud database.
Will this software have a significant impact on combating the COVID-19 pandemic?
I think it will have an impact. The problem is that public health agencies and the creators of the app will have to convince the users to adopt it. For example, most of us are really worried about our privacy. Apple and Google should not just promise but go ahead and do whatever is needed to convince the smartphone users that there is no compromise on their privacy using this app and the collected data will be stored securely. I think a strong partnership between the government health agencies and Apple and Google is needed to achieve all this.
There have been reports of spam text messages claiming this exact thing. How will developers have to address that?
Yes. The app itself should provide the notification message to the user. The developers will have to make that clear. The user should only rely on the notifications received from the app, not the text messages received from cell phones.
What is the most important piece of this idea?
The effectiveness of the technology depends on the volume of users. Let’s suppose 5% of the population in the United States use it. The app might not be effective meaning that it wouldn't have the same impact we would want it to have. If you look at the United Kingdom, a recent study shows that for Bluetooth contact tracing to be effective, almost 56% of the population have to use it. In the United States we have a huge population, how do we manage that and make it work? Some other issues include: how do we make sure the users will have their Bluetooth on all the time? How do we ensure they will carry their phones, especially in public places?
While there are many issues concerning this new software, there are great benefits that may come of it. Ensuring significant user participation, accuracy of the diagnosis data, and privacy are all ways to prove a successful software.
Banner Image: Photo by Startup Stock Photos from Pexels