Surveilling encounters

Here’s Carol Yin detailing how her movements have been tracked across China since the lockdown came into place. Upon entering a train station, she has been having to share her location data of recent weeks. When booking a taxi, she needs to scan a QR code generated by WeChat or Alipay to “check-in”. The same applies to taking public transport or accessing any building. The tracking is done via a combination of QR codes and location data from the phone providers.

The code China is assigning to each citizen — red, yellow or green — reflects someone’s contagion risk.

Israel is tapping into cellphone data, nothing fancy.

Taiwan set up an ‘electronic fence’: your phone determines whether you are respecting the boundaries of the quarantine or not. Authorities are alerted if you switch it off or as soon as you leave the designated space.

In reality China’s system is way more confusing and less centralised than you might have read. There are at least four competing health codes generated by different entities (city, province, community, and app codes). Each of them obliges to different rules. You might never find out why you were assigned that one.

South Korea is throwing in the mix a little bit of everything: CCTV surveillance, bank transaction logs, mobile phone usage. Big data! Hurray!

Here’s a website with data released by the Ministry of Health of Singapore. You can see every known infection case, down to every movement and every connection a case had. It’s alright because it’s anonymised. Sure.

Hong Kong is slapping wristbands upon arrival at its airports. The wristband connects to a smartphone app, StayAtHomeSafe. It generates a unique fingerprint of your house by looking into the signals emitted by the devices surrounding you — nearby WiFi, your WiFi, Bluetooth and cellular. “As you walk around the home, the algorithm on the app will sample the signals of the home.”

Palantir is doing well. “The software company is in discussions with authorities in France, Germany, Austria and Switzerland.”

Singapore solution to contact tracing is an app called TraceTogether. The app creates a temporary ID by encrypting a user ID to a Ministry of Health owned public key and then broadcasts the temporary ID over Bluetooth. The Ministry of Health acts as a trusted third party (that can decrypt those IDs) and promises it will only use the information for COVID-19 related purposes.

You’d have noticed how (some) of these solutions are trying to do two things at once:

  • Help citizens with contact tracing
  • Help authorities surveilling whether the population is complying with the lockdown

Let’s neglect the latter (I hope we wouldn’t need or want to surveil). Here in the west we’ve got plenty of tools to self-diagnose our risk, yet we’re missing a widely adopted system to do contact tracing. If we want to go back to normality (where normality here simply stands for: going outside the house) it sounds likely that we’ll need a form of digital surveillance. Emphasis on likely: I am not in a position to weigh in on the efficacy of contact tracing — I know nothing — all I can say is that it seems to be a valuable tool if paired with other non-technical solutions.

That said, I worry that we’re going to do what we usually do when in panic mode: introduce purportedly temporary surveillance that ends up staying. We might adopt despotic tech, willingly, because it makes us feel safe without having evidence of any actual benefit. As before, we need to balance our need for security with some level of freedom.

It seems that we need:

  • A privacy-preserving system to track encounters. Using Bluetooth Low Energy (BLE) to detect nearby devices (= humans) seems to make the most sense to me. There are doubts whether location tracking — done via GPS or phone carriers — can offer a meaningful contribution in defeating the virus. We’re talking about maintaining a 2-meter distance here: GPS accuracy is around 5 meters. We don’t need to know the coordinates, but rather the proximity with other devices. Proximity tracking seems to matter more.
  • If location is important (e.g. we want to notify everyone who has recently been in a listed hotspot, being it the tube, a public park, or else) guess what: retailers have been surveilling you for a while. You could use beacons in public spaces and WiFi signals to let each smartphone log access locally. The smartphone could then check its recorded path against a hotspot database. No information needs to leave the device (this is MIT’s PrivateKit)
  • We probably don’t want to share our location data with third parties unless we become infected. We want to collect it locally until it makes sense to share (part of) it. Existing health apps (in the UK: the NHS app, or third parties that work with them such as Babylon) could gain access to this data in a similar fashion as they request access to the health database
  • A system to alert every user that came into close range with a case for an extended period

Governments and health authorities should explain in details what data they’re using and for what reason. Most governments’ apps are asking for name, sex, birth year, residence, travel history and a plethora of other unnecessary information. If this system ends up determining one’s ability to roam freely, you’ll want to know why you can’t leave the house.

Ideally, we wouldn’t get an app. This should be something baked into the OS. Google and Apple should provide privacy settings for contact tracing: that would give us a universal system to collect this kind of data locally and securely. Besides, the utility of such system is null without everyone using it. A pandemic is global: there needs to be a global way of dealing with it.

It is possible to build a system for contact tracing that is also privacy-preserving. Apple does something similar, albeit for other purposes. And there’s already a proposed protocol, the PEPP-PT:

  • Assign a unique and anonymous ID to every device
  • When two devices come in close contact for an extended period of time, exchange and log the IDs
  • When someone is diagnosed with the virus, alert all the logged IDs
  • Then and only then: ask the affected IDs, via an app, to self-diagnose themselves continuously, and if they report symptoms get them tested (ideally even if not)

You’ll notice that there is no leak of data to the government under this scenario. All the government knows is that an ID needs to be tested.

Especially if the problem is here to stay for a while, we need a solution that doesn’t permanently compromise our freedom. We also need something that all of us can use and trust, independently of the country we inhabit.

A lot of the tools above — like tracking GPS movements — seem unnecessary. Let’s not scramble up a solution by throwing random data into the mix. An app is not going to save us. All of this is going to be pointless if the more essential pieces of the puzzle (like testing) are not there.

Alas, don’t demand surveillance, because no one is going to turn it off when this is over.