On Doing More Harm Than Good ⇥ washingtonpost.com

Reed Albergotti and Drew Harwell, Washington Post:

Apple and Google’s announcement last month of a joint effort to track the coronavirus by smartphone sparked a wave of excitement among public health officials hoping the technology would help alert them to potential new infections and map the pandemic’s spread.

But as the tech giants have revealed more details, officials now say the software will be of little use. Due to strict rules imposed by the companies, the system will notify smartphone users if they’ve potentially come into contact with an infected person, but it won’t share any data with health officials or reveal where those meetings took place.

Local health authorities in states like North Dakota, as well as in countries such as Canada and the United Kingdom, say they’ve pleaded with the companies to give them more control over the kinds of information their apps can collect. Without the companies’ help, some worry their contact tracing systems will remain dangerously strained.

These are the opening paragraphs of an article that, careful readers will note, is fundamentally wrong. Let’s start with this statement:

Due to strict rules imposed by the companies, the system will notify smartphone users if they’ve potentially come into contact with an infected person, but it won’t share any data with health officials or reveal where those meetings took place.

It may not track specific locations, but that’s not necessary for what this API is trying to help accomplish. Furthermore, public health officials absolutely will be involved in the collection and use of this data: apps using this API must be from health authorities.

Sara Morrison explains at Vox Recode:

As previously reported, the first phase of the rollout will be an API that will allow iOS and Android devices to exchange anonymized proximity keys using Bluetooth. Apple and Google have now revealed that the Bluetooth metadata from the devices will be encrypted, so it can’t be used to try to identify a device. Public health authorities will then be able to build their own contact tracing apps using this API, and they will set the exposure length, the amount of time the two devices need to be near each other in order to exchange keys. The maximum allowed exposure time will now be 30 minutes. Again, this will make it harder to link a rotating key to a specific user.

And how about this statement? Again quoting from those first three paragraphs:

Without the companies’ help, some worry their contact tracing systems will remain dangerously strained.

Again, from Morrison:

Oh, and about that terminology. Apple and Google have replaced the “contact tracing” label with “exposure notification.” The companies said they believe it better describes what the tool does, and that it’s only part of a public health authority’s contact tracing program. This seems a bit trivial, but it’s actually a good reminder that these apps and their deployment are run through public health authorities, and it’s up to those authorities to make sure positive test cases are properly vetted. Meanwhile, it’s essential that populations that may not have access to iOS and Android devices are included in their contact tracing programs. Apple and Google aren’t doing this alone.

Of course this must be used in conjunction with human contact tracing efforts. It is a way to more efficiently and more privately implement existing electronic contact tracing apps.

This is sloppy work. It’s articles like these that do make me worry about the efficacy of contact tracing with the assistance of smartphones, but only because of how poorly it explains how the system works, what it is intended to do, and how it differs from existing smartphone contact tracing efforts. This article is so poor as to misinform the reader into thinking that Apple and Google are taking advantage of a pandemic to collect a bunch of user data while keeping it secret from public health authorities — which is almost the opposite of what this effort does.

I worry that this kind of bad information will cause people to entirely reject contact tracing apps — even those that are built in a privacy-friendly, energy-efficient manner. Then it really will be ineffective, but not for the reasons in this Post piece.