September 14, 2020
Privacy and Security While Responding to COVID-19
Prof. Alex Pentland
MIT Connection Science, Cambridge, MA, USA
C o-founder, AIWS Innovation Network (AIWS.net)
Governments and researchers around the world are implementing digital contact tracing solutions to stem the spread of infectious disease, namely COVID-19. Many of these solutions threaten individual rights and privacy. We need to break past the false dichotomy of eﬀective versus privacy-preserving contact tracing. We are encouraged by recent proposals for privacy- preserving contact tracing that could eliminate the need for a semi-trusted central authority, but add enormous complexity.
It is common practice for healthcare workers to interview individuals diagnosed with a communicable disease about their recent movements in order to identify and alert others who they may have come in contact with. This process is referred to as contact tracing and is crucial as health entities, communities and governments attempt to contain viral outbreaks. Manually performing contact tracing is highly resource-intensive, intrusive and time-consuming. Yet the ubiquitous use of personal digital devices provides access to detailed location histories collected automatically, providing the opportunity for a system to conduct this process at scale.
1.1. Privacy-preserving contact tracing
There currently are digital approaches to contact tracing that use location histories1 but they operate on a skewed trade-oﬀ between privacy and eﬀectiveness. Some rely on general public broadcasting of information that introduces uncertainty in the information disseminated. Other alternatives resort to the usage of technologies that risk violating individual rights against stigmatization and surveillance.
Even when systems do attempt to use location data while respecting individual privacy, their methods are often insuﬃcient: simply anonymizing user location histories by replacing users’ identiﬁers with random new ones fails to achieve privacy in a meaningful way. Secondary data that is not anonymized can be used to re-identify users by matching data points across the datasets. For example, our study using credit cards records has shown that only four data points from a user’s location history are enough to uniquely re-identify 90% of individuals.
The privacy and trust principles central to building a better approach are summarized below:
- Keep location data private. Locations visited are kept private for all users including those who are diagnosed disease
- Avoid surveillance. The system can detect points of contact between users without precise location histories being exposed
- Only allow one-way private data publication. Only diagnosed carriers ever publish data, but this data remains encrypted and private, and their identities remain. Other users can check if they came in contact with carriers without sharing their location histories.
- Transparently monitor the use of any centralized database. These data are useful to many actors that threaten democratic principles, the public should be able to monitor the use of the data.
Any privacy-preserving contact tracing framework should be considered a “best eﬀort” and avoid promising to be perfectly private. Our primary contribution to the space of existing frameworks and digital tools is the degree to which our cryptographic approach can preserve user privacy while providing highly useful and accurate information through individuals GPS location histories.
We are encouraged by recent privacy-sensitive proposals for contact tracing. Some of these even extend our notions of privacy by removing the need for trust in authorities who might abuse their access to diagnosed patients’ encrypted data and violate their privacy. However, these systems are more complex and require more infrastructure and coordination, making them more diﬃcult to implement. Our goal should be to propose a system that is more privacy and security preserving than the contact tracing technologies that we see governments around the world adopting, but that can also be practically implemented with the immediacy needed to both stem the spread of disease and stem the adoption of privacy-violating technologies.
A diﬃculty with public use of contact tracing apps is that it that a very large percentage of infected people appear to be asymptomatic, and thus will not appear in any scan. Further, current infection tests have a large percentage of false readings. Even the best tests currently being developed have a signiﬁcant number of false readings. Consequently, consumer contact checking will likely give rise to false conﬁdence in some situations, and erroneous avoidance in others. The social eﬀects of unreliable testing may be compounded by use of peer-to-peer Bluetooth contact sensing systems. Such systems signal the presence of an infected person in the users’ immediate visual neighborhood, they may result in unintended social eﬀects such as shunning, potentially violent confrontations, and so forth.
In addition to the trade-oﬀs between privacy, eﬀectiveness, and the speed of implementation for these technologies, we must consider adoption. None of these systems can have widespread impact without extensive adoption. To expand system adoption, the proposed app’s technology can be developed as an SDK (software development kit) and integrated into partnering applications that already collect user location histories, such as Google Maps. These partner applications can then ask the user for the extra permissions and content for this system’s use case. There are many such applications that already collect user location histories in the background. They often use this information to serve the user more relevant content and improve the user experience. However, this data collection more often serves private proﬁt. Now, in the face of the COVID-19 pandemic, is the time for industry and researchers to come together and for the ubiquitous collection of location data to serve the public good.