Surveillance & Privacy

Lessons From Contact-Tracing and Exposure-Notification Apps

Susan Landau
Wednesday, May 26, 2021, 8:01 AM

The digital apps can be effective in curbing coronavirus spread—but not everyone will benefit from them.

A photo of a road sign in Australia taken on June 26, 2020. (Michael Coghlan, https://flic.kr/p/2jM3AA3; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

It’s been a year since the first contact-tracing and exposure-notification apps for the novel coronavirus appeared. The apps, which could inform people of exposure before they became infectious, had the potential to stem coronavirus spread. A 2020 Oxford University study estimated that if 56 percent of the population were using the app, this would be enough to suppress the disease’s spread (later variants of the virus appear to spread more easily, so a higher adoption rate would be needed in the face of the variants). So, how well have the apps worked in practice?

To make sense of that question, it’s worth examining how the apps work. They rely on Bluetooth signals to determine the distance between two app users’ smartphones. Singapore’s TraceTogether is one such app. TraceTogether was launched early and has achieved a usage rate of 70 percent. While use of TraceTogether is nominally voluntary, the use of the app is needed to enter any number of Singaporean establishments, including shopping malls, restaurants, offices and schools.

TraceTogether works like this: If Alyssa and Ben are in close proximity to one another and their phones are running TraceTogether, the devices will exchange identifiers that remain only on their phones so long as neither of them tests positive for the virus. But if Ben later tests positive Covid-19, the identifiers his phone has collected will be shared with Singapore’s Ministry of Public Health. The ministry will learn not only that Ben and Alyssa were in close proximity but for how long. TraceTogether is called a centralized app because the proximity information is processed centrally. Proximity information can be very revealing; it can show a person meeting with a friend who works for a competitor or that someone on parole is spending time with someone they shouldn’t be seeing. In Singapore, TraceTogether’s information can even be used in criminal investigations.

The potential invasiveness of proximity information led the European Parliament to take a privacy-protective approach to phone apps, passing a resolution in April 2020 that stated contact-tracing apps should be decentralized. No processing would be done centrally; instead, only the users’ phones would hold the information of which identifiers had been logged (and thus which users had been in close proximity). Apps would provide information about exposure, but nothing more. Users would learn that they’d been exposed to someone who was infected with the coronavirus, but they wouldn’t learn when or where—or by whom—they’d been exposed. No one else would even learn that the person had been exposed. Google and Apple engineered an infrastructure, Google Apple Exposure Notification (GAEN), to support such apps. This approach differs from human contact tracers who have a three-pronged approach: test, trace and isolate—test the person; if the person is positive, trace that person’s contacts; have the contacts isolate. Exposure-notification apps, as the name suggests, provide notice of exposure; whether an exposed person isolates or gets tested is up to the individual.

Government contact-tracing apps of European Union nations, the U.K. National Health Service (NHS) and that of many U.S. states rely on the GAEN infrastructure. Unlike in Singapore, use of the apps in these states is voluntary, and, also unlike in Singapore, adoption rates have been low. But even low adoption rates of the apps can have an impact. A recent article in Nature showed that even low adoption rates can drop infection rates by appreciable amounts. Because the U.K.’s NHS Covid-19 app is designed for user privacy, it’s impossible to track who received notifications and acted on them. Instead, the researchers used statistical estimates; depending on assumptions, app use prevented between 317,000 and 914,000 cases from September to December 2020.

The impact of the app across the U.K., however, was not uniform. Its effectiveness differed by population group. The article in Nature noted unsurprisingly, “Greater app use is associated with areas being more rural, with less poverty and greater local GDP.” Tests of the app in 2020 on the Isle of Wight (largely white) and Newham, a racially mixed London borough (83 percent of the population identifies as Black, Asian or minority ethnic), showed three times as many downloads on the Isle of Wight as in Newham—though admittedly this was the second time the app was tested there (it was the first time in Newham). My colleagues Christy Lopez and Laura Moy observed a year ago that “there is reason to be concerned that adoption and use rates for any contact-tracing app may be lower in vulnerable communities.”

There are complex reasons for this phenomenon. In the U.S., these range from historical distrust of public health authorities by the Black community due to decades of poorer and discriminatory health care practices to a fear in immigrant communities that using government health care might cause them to lose their chances of obtaining a green card or citizenship. This history makes the contact tracing success at Colorado Mesa University (CMU) all the more striking.

CMU educates nontraditional students; two-thirds of its student body of 10,000 consists of “students of color, low-income, or first in their family to go to college.” During the pandemic, most U.S. universities adopted some version of remote teaching; some did all remote, while others kept on-campus numbers low by varying which students could be on campus, who could attend classes in person and who had to do so remotely. But CMU brought all students back last fall—and it worked.

The university used an app, Scout, developed by scientists at the Broad Institute and a commercial firm, Fathom Information Design, to track campus outbreaks. Although many students came from demographics that might find many reasons not to trust such a system, CMU’s efforts at controlling the coronavirus on campus were a success.

Scout was part of an integrated system for containing the coronavirus. Students, faculty and staff did a daily symptom check, which they recorded on Scout before entering any campus buildings. They also reported close contacts to Scout. Unsurprisingly, not all students reported their close contacts accurately. But Scout wasn’t the only effort in CMU’s health care toolbox.

Students divided themselves into small, family-size groups called “mavilies” (the school’s symbol is a Maverick). CMU randomly tested 250 students each week, with members of higher-risk groups such as sports teams tested more frequently. The university also conducted wastewater testing, which collects data about groups, rather than individuals—and is less expensive to administer. A positive test won’t identify the ill individual but will alert that someone in the test pool is infected with the virus. Further testing can be done to identify the infected individual. Human contact tracers were also part of the effort, employing test, trace and isolate for exposed campus members.

Last fall, when an outbreak in the surrounding community led to an increased number of cases on campus, the university increased its amount of testing and number of contact tracers. When students went home at Thanksgiving (classes for the remainder of the fall term were held virtually), the university opened its testing facilities to the community, a practice it continued into the spring of 2021. After in-person classes in the spring, commencement occurred on campus on May 22, with each student permitted to bring eight guests to the outdoor event.

A year ago, CMU administrators were deeply worried that moving online for a semester or longer would lead to a permanent disruption in their students’ education. As a consequence, they were strongly committed to having students back last fall. Doing so involved building an integrated coronavirus tracking system that would work for the population. CMU relied on technical tools where appropriate—symptom reporting and wastewater tracking and public health expertise, including integrating the community, where many students worked, into CMU’s testing program. What’s the main lesson from CMU’s experience? University administrators and public health professionals should develop technical tools that the community will use, and provide the students and community with health care support. That’s one lesson worth paying attention to in Washington and elsewhere.

As the U.K. data shows, exposure-notification apps will have an impact for those who trust public health and are in a position to isolate upon notice of exposure. But for those who aren’t, the apps are a fancy technological tool for someone else. They will be less useful—and less used. CMU’s lessons provide an important takeaway regarding contact-tracing and exposure-notification apps. They work—but the technology works best as part of an integrated approach to public health.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.

Subscribe to Lawfare