Technologists everywhere have been rushing to build apps, services, and systems for contact tracing: identifying and notifying all those who come in contact with a covid-19 carrier. Some are lightweight and temporary, while others are pervasive and invasive: China's system, for example, sucks up data including citizens' identity, location, and even online payment history so that local police can watch for those who break quarantine rules.

Opinions differ on whether these apps are just a technocratic daydream or—if done correctly—a potentially useful supplement to manual tracing. But the reality is that these services are already rolling out, and many more are likely to come in the next few months.

Despite the avalanche of services, however, we know very little about them or how they could affect society. How many people will download and use them, and how widely used do they have to be in order to succeed? What data will they collect, and who is it shared with? How will that information be used in the future? Are there policies in place to prevent abuse?

At MIT Technology Review, we started asking these questions and found that there were not always clear answers.

So to help monitor this fast-evolving situation, we've gathered the information into a single place for the first time with our Covid Tracing Tracker—a database to capture details of every significant automated contact tracing effort around the world.

We've been working with a range of experts to understand what we need to look at, pulling sources including government documents, announcements, and media reports, as well as talking directly to those who are making these apps to understand the technologies and policies involved.

Ask us anything about your country's automated contact tracing app, contact tracing more broadly, data privacy, or how you can participate in this project.

We're Bobbie Johnson, an editor and lead on the project, Tate Ryan-Mosley, Tech Review's research manager, and Patrick Howell O'Neill, its cybersecurity and privacy reporter. Ask us anything!

Proof: https://twitter.com/techreview/status/1261417679484620800

Comments: 448 • Responses: 45  • Date: 

triiimit288 karma

The mobile carriers collect location data (via tower triangulation, etc.). How precise & accurate is this data? Could it be used for contact tracing if needed?

techreview204 karma

Good question. We previously looked at technical issues surrounding the use of Bluetooth and we're looking at location data now. The short answer is that the precision and accuracy of location data varies drastically.

Triangulation depends on many variables (for instance, is your phone even connected to three towers? In rural areas, the answer could be as low as 0 towers.) but it boils down to the best case scenario being 3/4 of a mile precision which is not precise enough on an individual level but which can provide aggregate data that could in theory help understand an outbreak. To point out the other method being used for location tracking, GPS is generally far more precise in good conditions but also depends on many variables including the weather, your hardware, whether you're inside or outside, and availability of satellites.

All of that adds up to some problems that are impossible to pin down exactly but which are definitely significant. To answer your question (in what I'm sure is a pretty unsatisfying way, I'm sorry about that), yes it can be (and is being) used for contact tracing if needed but there will be significant problems including false positives and negatives that has to be accounted for.

There's another side/cost to location tracking which is the privacy dimension. That varies from project to project and it wasn't the point of your question so I won't delve into it but I felt it had to be at least pointed out. - Patrick

Banana_Shakespeare193 karma

Hi. I live in India and we have here "Arogya Setu" app. I want to know if it is safe ?

Thanks for the AMA

techreview217 karma

Hi -- We're not tracking the safety of apps with this project. We're tracking how the apps work (in Aarogya Setu's case, it uses Bluetooth and location data) and how the data is used, what kind of data it collects, if the data is ever destroyed, if the app is voluntary, and if the project is transparent. Some of those questions can also help you figure out if the app is safe for you.

In India's case, the app is not voluntary, data use is not effectively minimized or limited, and it's not been a particularly transparent effort. It does have over 100 million users and offers a wide range of services that no other app does.

It's a complicated decision, we're trying to provide more data to help inform people but we are not making recommendations. - Patrick

mickenrorty64 karma

How do you KNOW how data is stored? Is it a trust based system?

techreview130 karma

India's app is not open source right now, the project is not particularly transparent at the moment, and it doesn't have strong governance at this time so it lacks stars from us on all those accounts. So the answer to your question is that we don't know and we tried to have our database reflect those major blindspots. - Patrick

Iamthenewme3 karma

In India's case, the app is not voluntary

This is kind of a broad generalization, and can be misleading. The app is voluntary for the vast majority of people, and a lot of the hundred million adoption was driven by marketing and word-of-mouth (safety messages forwarded in eg WhatsApp groups by people often had "install Aarogya Setu" alongside wear masks and maintain social distancing). The Tech Review article linked in the other comment uses the few compulsory cases to create an image of widespread mandatory surveillance, but even its enforcement in government offices is haphazard, most private corporations don't care if their employees have it, and the part about landlords is most likely generalized from a few overeager ones. To be sure, for those to whom it's applied, the mandatory surveillance is a big concern, and the other data practices surrounding it are reprehensible (as has become routine for this administration), but summarising it as "In India's case, the app is not voluntary" would be misleading to most readers.

techreview38 karma

Sure. Let me rephrase: In India's case, the app is not across-the-board voluntary. Millions of people are compelled to download the app and the policies around the app are often unclear but for most people in India it's not explicitly mandatory. It's important to be able to better understand the nuance, so I appreciate your post. - Patrick

techreview59 karma

This is Benji. Patrick also recently wrote this story about Aarogya Setu: https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-mandatory/

_FaunaAndFirearms_155 karma

[deleted]

Nicod2729 karma

Could leave your phone at home when you go out.

techreview44 karma

This is Benji. Interesting question. I'm going to cross-post Bobbie's answer to another user. He was talking about flipping your phone into airplane mode, but leaving it at home has a similar effect:

> You're right: if you essentially flip your phone into airplane mode, these tracing apps don't work. We haven't seen any evidence of any app preventing a user from doing this, but here's a really important point: unless you live in one of a very small number of countries, nobody is forcing you to download a contact tracing app.

So if you're worried, just don't download it.We've reported on mandatory usage, for example, with India's confusing 'voluntary mandatory' policy, but most countries don't do this:

https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-mandatory/

I want to be really clear here, though: contact tracing, whether it's done manually—by a healthcare worker calling you on the phone to warn you that you've been exposed and work out who else might have been infected—or automated, as in these apps, is a vitally important part of keeping an infectious disease from spreading. We're monitoring the privacy and transparency elements around each of these apps, because there are legitimate concerns about data use and surveillance—but that doesn't mean that contact tracing itself is problematic.

The most important thing you can do is follow guidelines and, if a contact tracer calls you to talk about your health, please pick up the phone, confirm they are who they say, and talk with them. —Bobbie

Winterplatypus9 karma

Hi, just a couple of formatting tips. To quote on reddit you can use the graterthan sign ">" then a space at the start of each paragraph. That way the text still does wordwrap and formats nicely. The format you used is triggered by 4 leading spaces and is designed for computer code where you don't want it to wordwrap on to new lines.

You're right: if you essentially flip your phone into airplane mode, these tracing apps don't work. We haven't seen any evidence of any app preventing a user from doing this, but here's a really important point: unless you live in one of a very small number of countries, nobody is forcing you to download a contact tracing app.

So if you're worried, just don't download it. We've reported on mandatory usage, for example, with India's confusing 'voluntary mandatory' policy, but most countries don't do this:

https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-mandatory/

I want to be really clear here, though: contact tracing, whether it's done manually—by a healthcare worker calling you on the phone to warn you that you've been exposed and work out who else might have been infected—or automated, as in these apps, is a vitally important part of keeping an infectious disease from spreading. We're monitoring the privacy and transparency elements around each of these apps, because there are legitimate concerns about data use and surveillance—but that doesn't mean that contact tracing itself is problematic.

The most important thing you can do is follow guidelines and, if a contact tracer calls you to talk about your health, please pick up the phone, confirm they are who they say, and talk with them.

—Bobbie

techreview5 karma

It seems to me like this scale and kind of data collection is a novelty, compared to the way we have seen data collected up to now. At least, a mixing of technologies that have not seen each other before.

Will the exchange and archiving of these Bluetooth keys help bolster available data in any meaningful way?

In other words, is this scale and type of data collection a precursor to some technologies that would otherwise be possible without it?

If so, what would be some hypothetical capabilities of this emerging technology?

Thanks for the tip! I just fixed the two replies - Benji

Gebbeggeb91 karma

Why are you not tracking adoption targets (e.g. 60% use in the UK) and reported adoption rates? (Not a criticism, but wanted to know if you'd had that discussion)

techreview79 karma

Hi! Tate Ryan-Mosley here, one of the authors. It's a really great question because, yes, adoption rate is a direct link to efficacy. That said, efficacy of these apps is still really unclear. In short, we are tracking them. There isn't a lot of data on user downloads yet, so we decided to not include it in the skeleton database that you see embedded in our article, but you can find it in this public database - https://docs.google.com/spreadsheets/d/1ATalASO8KtZMx__zJREoOvFh0nmB-sAqJ1-CjVRSCOw/edit.

Gebbeggeb33 karma

Hi Tate, thanks for this. I'm working on the issue in the UK (in between child care). If you're interested, I think one of the big unanswered questions for these apps is whether 60% use is even possible, particularly since governments seem vague as to whether that's 60% of the population, or 60% of adults, or 60% of smartphone users. I wrote a short blog post crunching the numbers for the UK here: https://jackmcdonald.org/notes/2020/05/covid-tracking-usage/

techreview26 karma

Yeah, that's really interesting. Although 60% appears to be the most common target, we've found that a lot of countries aren't talking about their targets openly—there are a few reasons for this. Possibilities include concern about messaging and perception, and whether the efforts end up being criticized for not reaching the target. Or perhaps they believe the better target is 'as many people as possible' because obviously 90% coverage is better than 80% is better than 50% etc. As you point out, there's a lot of assumption baked into the 60% model that I'm not sure even the people building apps know inside out. We're definitely chasing down this—Bobbie

Gebbeggeb7 karma

My working assumption is that the 60% figure is drawn from standard SIR modelling on herd immunity. I'm yet to see anything of any rigour on the necessity for that figure for contact tracing app adoption, but it is interesting how prevalent it is.

techreview9 karma

That's certainly the indication I've had so far. —Bobbie

redditproha90 karma

How would we go about tracking your tracing tracker to make sure you’re not tracking us?

techreview2 karma

I was going to give you a joke, but I'll take this question at face value given the upvotes: our tracker is a spreadsheet that collates information about automated contact tracing apps. It's tracking them, not tracking you. Maybe look at it in incognito mode and print it out if you're that worried? —Bobbie

CaptainSeagul61 karma

Could you tell me what I can do to opt out of this? Basically, what can I do to physically prevent you from tracking me?

Personally, I am much more worried about the misuse of this technology.

techreview24 karma

Yes, misuse is for sure a concern. The most essential consideration for you is whether the app in your country is indeed voluntary which basically means you can decide to just not download the app at all. Some of the apps also have the ability to turn off data streams once the app is on your phone such as data coming from GPS or Bluetooth. Let me also breakdown what the privacy attributes we use are because it took us a while to really grasp our own definitions and speaks to how complicated privacy is. We define them in our original article and they are based off of ACLU guidelines, but I'll explain.

We have: 1) Voluntary which I already described (Note: if there are large groups of people for which its mandatory like those infected or those employed at certain companies, we did not award a star. See India); 2) Limited means that the data collected gets used only by health authorities for tracing covid-19 spread (this speaks to your question about misuse); 3) Data Destruction indicates whether there is an explicit policy for destroying the data collected within 30 days; 4) Minimized means that the data collected is really essential for tracing covid-19 spread. (IE: its important that your phone number, name, preexisting conditions, etc aren't collected) and 5) The government is transparent about the app meaning the code is open sourced and its really easy for a user to understand exactly what data collect, how its collected, who has access to it, and how its used. - Tate

dznlead55 karma

Can you please give us a breakdown on various contact tracing technologies (Bluetooth, GPS, ultrasound) - and there respective pros and cons? I'd like to know about privacy, accuracy, battery impact, etc.

Thank you!

techreview44 karma

Ooh, that’s a big question! I think part of it is very difficult to answer both accurately and comprehensively. Not only are there very different implementations of each technology across lots of different apps (we’re currently tracking 26 distinct national efforts around the world and I’m sure there are more) and the impact on, say, your phone can still be very different to somebody else’s based on things like operating system, what other services you’re using, etc etc. Plus lots of them are not deployed yet!

We haven’t had many user reports on what the practical usage is like (though feel free to email them to us at [[email protected]](mailto:[email protected]), I’d love to see them)

So here’s what I can say with confidence.

Bluetooth is the most commonly deployed technology across all these apps, but the effectiveness and the impact on your phone varies wildly from app to app. There are a few emerging standards here, and they try to tap into Bluetooth Low Energy (LE). The notable ones are DP-3T, PEPP-PT out of Europe, and BlueTrace out of Singapore. We’re also going to see Apple and Google’s exposure notification API out in the wild very soon, which is Bluetooth LE based and may become dominant very quickly.

Even though it’s the most common system being used, Bluetooth is a really tricky technology for avoiding false positives and negatives, as Patrick reported in some detail here: https://www.technologyreview.com/2020/04/22/1000353/bluetooth-contact-tracing-needs-bigger-better-data/

Other technologies are much less widely used.

GPS is used by a few of these apps, but its accuracy is typically around 15 feet.

For cellphone triangulation, see our answer in another question:

https://www.reddit.com/r/IAmA/comments/gmqsez/a_flood_of_coronavirus_apps_are_tracking_all_of/fr598b3/

And I’ve seen reports of some people building apps using ultrasonics, but I don’t believe we’ve seen anybody deploy an ultrasonic service at national/governmental scale. —Bobbie

dznlead16 karma

Thanks for your reply!

re: Bluetooth - while I agree that it is the most widely adopted solution, I think the biggest problem is that Bluetooth has been shown to have an effective range of 90 feet (~30 meters), and there is no correlation between relative signal strength indications and distance. Researchers from MIT and IBM have even discussed that using RSSI as a proxy for distance is effectively just guesswork. Any other users in the range of a Bluetooth scan from my device will be picked up as interacting with me - even if they were across the street in another house or apartment. Or, even more shockingly, if I was in Restaurant A, and someone next door in Restaurant B had the same app, it would say we interacted. This is unfortunately not a very accurate solution, and will lead to massive over-reporting, which renders the technology less useful, in my opinion. The signal-to-noise ratio on applications that use this technology is not valuable enough to warrant sustained use.

re: GPS - I'd actually argue that GPS is even worse than Bluetooth, as it's altitude agnostic, and would classify anyone in an entire apartment building as having interacted, even if that building had 40 stories. In urban environments, it's been shown that GPS accuracy can have variance of upwards of 100 feet, if not 200 feet, due to signal obfuscation from skyscrapers. In my humble opinion, any solutions that rely on GPS should be disregarded, as they are not only privacy invasive (they say who is sick, and where), but they are also incredibly inaccurate, specifically in the urban areas where contact tracing solutions are so desperately needed.

re: Ultrasound - I agree, there has not been a massive roll out yet for Ultrasonic based contact tracing apps. But I think this technology is our dark night, and it needs to be adopted very soon. It's the only technology I'm aware of that is actually capable of accurately gauging distance between people, using acoustic physics to gauge precise distances. https://novid.org should be the primary candidate.

I'd love to hear your thoughts on my points. Thank you again!

techreview12 karma

I agree mostly with what you've said. With ultrasonics, I think there would be the same or even greater privacy concerns than Bluetooth, given the history of that technology being used/abused by advertisers. As for its efficacy, I can't speak directly to that because the sample size is very small compared to Bluetooth protocols.

Actually, on that note with Bluetooth, I've spoken to a number of people who are working on improving signal interpretation and reducing the number of false positives and false negatives. There is a lot of guesswork—no technology here is going to be faultless—but the more advanced models I've seen use a combination of information and sensor data as they try to improve their modeling, including phone orientation, screen activation, and so on. I'm still not sure it will do what some people imagine, but that's one of the areas we're following closely. —Bobbie

Violent_Milk10 karma

Can you elaborate on ultrasonics being used/abused by advertisers?

techreview2 karma

There was a spate of apps using ultrasonics to listen to users without their knowledge a couple of years back—it turned out a lot of advertisers were hooked into this stuff. Here's an example: https://www.zdnet.com/article/hundreds-of-apps-are-using-ultrasonic-sounds-to-track-your-ad-habits/
—Bobbie

TheRiotman49 karma

Qatar recently made it mandatory for their app the be installed on your device before you leave the house for any reason, can you add it to the list? I would be interested to see how you rate it. The app is called EHTERAZ.

techreview39 karma

Thanks for pointing this out, we're adding it today. We appreciate your help! - Patrick

digdugbug37 karma

dumb question, so, if Location, GPS, bluetooth is turned off, these tracker apps fail? have you found evidence of apps circumventing user's ability to disable services?

techreview46 karma

It's not a dumb question. You're right: if you essentially flip your phone into airplane mode, these tracing apps don't work. We haven't seen any evidence of any app preventing a user from doing this, but here's a really important point: unless you live in one of a very small number of countries, nobody is forcing you to download a contact tracing app.

So if you're worried, just don't download it.
We've reported on mandatory usage, for example, with India's confusing 'voluntary mandatory' policy, but most countries don't do this:
https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-mandatory/

I want to be really clear here, though: contact tracing, whether it's done manually—by a healthcare worker calling you on the phone to warn you that you've been exposed and work out who else might have been infected—or automated, as in these apps, is a vitally important part of keeping an infectious disease from spreading. We're monitoring the privacy and transparency elements around each of these apps, because there are legitimate concerns about data use and surveillance—but that doesn't mean that contact tracing itself is problematic.

The most important thing you can do is follow guidelines and, if a contact tracer calls you to talk about your health, please pick up the phone, confirm they are who they say, and talk with them. —Bobbie

StGerGer21 karma

How do you suggest we verify a genuine call versus a scam call (which I assume could start happening soon)?

techreview23 karma

EDITED: for clarity

Contact tracing teams have different protocols in different places, but mostly they offer a couple of details that your local government will know in order to confirm your ID (for example your date of birth and address.) Other than that, they don't need other personal information like your social security number, banking information, and so on. Never give those out! They're concerned with places you've been and other people you may have been exposed to.

I would suggest you treat it the same as you should with your bank; don't give out any personal information without being confident that they are who they say they are. You can always take their number, check it against your local health department's listings, and call them back when you're satisfied.--Bobbie

MarkShapiero6 karma

Contact tracing teams have different protocols in different places, but mostly they ask a couple of details that your local government will know in order to confirm your ID (for example your date of birth and address.) For the most part these are not particularly private, often available in public records—so you may not be giving a scammer anything they couldn't get some other way.

What a farce, you are priming people to become victims of social engineering. People are much better off if they maintain the habit of not sharing any personal information. It's as important as washing your hands.

techreview8 karma

I'll edit my above answer to be more clear: that's not what I'm suggesting. But that's exactly why I suggest not giving information out if you're worried about their identity and instead getting their details and contacting the health department yourself.

cdnkevin24 karma

I am a frontline healthcare worker. I think that the world could have done a better job tracking infection earlier in the pandemic, before this was a pandemic, but there were/are massive privacy and civil liberty issues that go along with this.

Historically tracing happened, most famously, with John Snow. There were no privacy or civil liberty issues then but he collected less invasive information and it was a different social period.

In your team’s opinion, what is a good balance for these apps between protecting the health of larger communities and individual choice?

People that really want to circumvent tracking apps can delete them/restore phone or not take their phone with them. Would less invasive data collection be received better when some people refuse to get routine vaccinations and don’t trust the ‘system’/‘man’?

techreview7 karma

You're right, kevin—if anybody really wants to circumvent tracking apps, they can do that by not taking their phone with them. But remember—they aren't being forced to use the tracking apps in the first place, so it's easier to just opt out and not download them.
That's why we track whether these systems are voluntary or not (in nearly every democracy they are voluntary.)

It's really important to note your point that the work of manual contact tracers, even if they're a bit more technologically-assisted than John Snow was with cholera, is ABSOLUTELY VITAL to keeping this disease under control.

I think people who are worried about tracking apps forget that most of the real work in tracing contacts isn't about hi-tech surveillance, it's done by humans who are working hard to keep you and the people you love safe. The apps are really there to help cover larger numbers of people, to help both you and them understand whether you might have been exposed, at which point the human process takes over.

In India, a family who avoided testing and weren't helpful to contact tracers ended up exposing hundreds of people, putting them and their families in danger, and making vast amounts of work for the local team trying to keep the disease under control, as we reported here.
https://www.technologyreview.com/2020/04/13/999313/kerala-fight-covid-19-india-coronavirus/

That said, the reality is that while most people have the choice on whether to download an app or not, they don't have choice about which app to download. Your country, or your state, probably has a single service that it wants everyone to use. So that's why we think it's important that using an app remains an individual choice, based on people's individual circumstances. Think about your needs, your loved ones, your community, and take into account whether you're comfortable with what you're being asked to do. Unless it's mandatory—and the chances are it's not—you still have choices. —Bobbie

userxxyz24 karma

Did you know that Thailand introduced mandatory tracking app few days ago? It has a bar code which has to be scanned at entrance and exit from every shopping mall, department store etc. Basically, you have to register at government owned website, with personal data, to be issued with personalised bar code, otherwise you are denied entrance to any public space, including restaurants.

techreview17 karma

That's a new one to us. We're adding it now, thank you—definitely looks like it's worth further investigation; if you have any useful sources of information on this, please email them to [[email protected]](mailto:[email protected]) —Bobbie

heavydenim17 karma

Depending on the user agreements (which no one reads), once installed, will we have agreed to be tracked forever once this thing is over? Can we ever go back?

techreview15 karma

This depends on your locale as well as the apps and authorities in question. For exactly this reason, our tracker looks at data destruction, i.e. Does the app auto-delete or offer you the opportunity to delete your data? Is there a sunset clause? - Patrick

Bananawamajama15 karma

So you track the trackers, but who tracks the tracker trackers?

techreview44 karma

be the tracker tracker tracker you wish to see in the world - Patrick

dabzillathrilla13 karma

Can you look at Alberta Canada’s app?

https://apps.apple.com/ca/app/abtracetogether/id1508213665

techreview9 karma

Thank you! I'm going to add it to our list of apps we will follow up on. - Benji

techreview7 karma

Right now we are only documenting apps backed by national governments, but we might expand that in the near future. Please send other contact tracing apps for us to investigate at [[email protected]](mailto:[email protected]) - Tate

indigo-alien9 karma

How are they going to track me when I don't even own a cell phone?

techreview14 karma

Contact tracing apps are new, contact tracing itself is an old and proven technique that has long depended on human beings doing the work. Depending on where you are and what your government is doing, they may call you on the phone or speak with you in person. - Patrick

ax72218 karma

If I were to work in a location where my company is using tracing apps, but I want to ensure my privacy for the long term, would a solution be to use an old cell phone (with no sim card) to use as a tracking beacon while at work (and leaving it at work when I leave) as opposed to installing some encrypted software on my daily driver phone?

techreview2 karma

I can't speak directly to the rules in place in your country or the ones your employer might put in place, but this would certainly be a possibility. The old phone would work as a bluetooth beacon. However, it's also entirely possible that this may not be something that they would accept: if you were diagnosed with covid, tracing would want to examine your contacts outside the workplace as well as inside. So I suppose I'm saying read the fine print. —Bobbie

gingerbeard3037 karma

What’s your go-to VPN?

techreview11 karma

sagb98316 karma

All of the technologies mentioned in your article rely on either Bluetooth or GPS. Could you please comment on the efficacy of such Bluetooth and GPS solutions, considering the signals emitted from both technologies register interactions from upwards of 30 feet (10 meters) away? Is there a danger to this much false positive reporting? In a city like Manhattan, solutions using Bluetooth or GPS would penetrate walls and floors, and very easily over-report interactions. Have you explored ultrasonic contact-tracing solutions instead?

techreview6 karma

Hi Sagb. You're right, these underlying technologies are far from perfect.
We actually did a story recently on the problems with using Bluetooth, which is by far and away the most common technology used in these apps.
https://www.technologyreview.com/2020/04/22/1000353/bluetooth-contact-tracing-needs-bigger-better-data/
A lot of people are working hard to try and come up with ways to prevent false positives and negatives, but it's certainly not easy. But there are ways to determine exposure than simple proximity—so these new protocols don't just register whether you've been "near" somebody else (without understasnding if there was, say, a wall between you) they look at signal strength, time, and even things like phone orientation or screen activation to get more clues about possible exposure.

As for ultrasonics: I've seen some examples of this in theory—there was an app out of Carnegie Mellon, for example, but ultrasonics have their own set of privacy concerns, potential for false positives, and have a much smaller base of engineering expertise. I haven't seen anybody use those in the wild yet, although it may happen —Bobbie

techreview6 karma

Hi everyone. This is Benji Rosen, MIT Technology Review's social media editor. We're super excited to be here to answer your questions about contact tracing, data privacy, or anything else. I'll be helping forward questions to Bobbie, Patrick, and Tate over the next 24 hours. Ask us anything!

techreview5 karma

Hi everyone. This is Benji. We're going to sign off for today, at least for the most part. We may answer a few of your questions overnight. We'll be back at it tomorrow until this AMA ends. Keep yours questions and comments coming! We've really enjoyed them thus far.

GiuseppeMercadante5 karma

What was your analysis on Italian app 'IMMUNI"? One of the major investors in the company is Berlusconi's son.

techreview3 karma

Great question. You can see how we scored Immuni in our database. Bobbie, Patrick, or Tate might have more insight to share. https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

-Benji

HaloZero3 karma

Does the United States not have an official app from the CDC or some other government institution?

techreview8 karma

Ya this is a super good question. In short - no, and we speculate that its pretty unlikely that there will be at national-level in the US. Contact tracing in the US will probably fall to state governments, or even more local government bodies like cities and municipalities. Many states have started manual contact tracing initiatives already, and we think that there might be a proliferation of state contact tracing apps that supplement the manual efforts, especially when the Google/Apple API goes live. We are tracking apps built by state governments already with the intention to publish that data in the near future. Right now, we are aware apps in Utah, North Dakota and South Dakota.

If the Google/Apple API becomes the default backbone for many (maybe all) of the state-owned apps (we don't yet know if this will happen), I just want to point out what this means for how we responding to the crisis. Though Google/Apple aren't a government-body and are in no way beheld to the best interest of the public, they really are setting the operational framework and privacy/ data-sharing norms for digital contact tracing. - Tate

Freemontst2 karma

When Google bought Fitbit, people were concerned with mass tracking. Is that happening so far?

techreview2 karma

Google hasn't actually completed the acquisition of Fitbit yet, so the question is moot. But I would suggest that the proposition of Google doing mass tracking is well within their reach, given their web services, phones, laptops, smart home products, and so on. Just doing some rough back-of-the-envelope calculations here: Fitbit sold approximately 16 million devices in 2019; Android is the operating system for approximately 70-80% of all smartphones, and there were something like 1.5 billion smartphones sold in 2019. That means it's orders of magnitude more concerning, if you are concerned.—Bobbie

superjames902 karma

Hi, thanks for doing this AMA. In your article you reward stars for different categories, which is a fantastic idea. Will you also provide sources for the individual reasons and maybe an unknown indicator in case it’s not confirmed yet wether an app is positive or negative in that category?

techreview6 karma

Thanks for the question! You're right in that we only award a positive star if we can say 'yes' to a question ("does this app delete data after 30 days or less?" for example.) We don't differentiate in the star rating between a 'no' and a 'we don't know.'

But we actually do provide that information—as well as extra sources and explanatory notes—in a couple of ways. If you take a look at the underlying spreadsheet that this is drawn from, you'll see 'TBD' in a number of cells; this is where the information is currently unknown. There are also some links in there to source materials.
https://docs.google.com/spreadsheets/d/1ATalASO8KtZMx__zJREoOvFh0nmB-sAqJ1-CjVRSCOw/edit#gid=0

You can also see a bit more detail on those sources and decisions as they come in by looking at our changelog. We update that most weekdays, whenever we have updates. Sometimes it's a lot, sometimes it's a little.
https://www.technologyreview.com/2020/05/15/1001736/changelog-covid-tracing-tracker-updates-as-they-happen/

Hope that helps —Bobbie

Pearlfish2 karma

Hi, I live in QATAR and the app name is Ehteraz. It is now mandatory and the phone permissions seem a lot. Can you advise on its abilities and if it is based on any other countries apps?

techreview3 karma

Thanks for the question u/Pearlfish. This is Benji. We have added Qatar's app as one we plan to follow up on. Once we rate it, we'll add it to our database, which you can follow here: https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

CmdrNorthpaw2 karma

Over in the UK, the NHS are making the COVID tracking app and I believe they have decided to open source it. Do you think that this is a good thing, and does it make your job any easier?

techreview3 karma

Making something open source is generally a positive in our view of what's happening here; it's more transparent, it allows people to interrogate the code, look for bugs, and check that the government and health authorities are doing what they say they're doing.

It also allows other people to reuse and build on that code for their own contact tracing efforts, which potentially allows folks to get where they're going faster and potentially improve on the work of others (this is what's happening with Singapore's TraceTogether app, one of the early operators, because they open-sourced its BlueTrace protocol and so now it's been picked up by Australia and others.)

But it's not a surefire signal for complete transparency or privacy-protecting behavior—things can still be hidden inside the code, and it doesn't stop bad or confusing policies from existing around important elements of how the app behaves. For example: it might be easier to spot and solve bugs, but if you flag them up are they actually dealt with by the developers? Being open source doesn't make the developers more responsive. Is this data shared with other organizations or agencies outside of healthcare? It's hard to know this just by looking at the code.

Either way it doesn't really make our job any easier at this point, although it does potentially increase the number of eyes on a particular codebase. The more people who look and tell us what they find, the better! —Bobbie

RichardKim1 karma

Can you match me a wine based off my preference of chocolate?

Aedengeo1 karma

  1. Wouldn’t it be better if all tracing apps makes use of Apple’s and Google’s API?
  2. Do you think there are any potential vulnerabilities or privacy issues regarding the Google’s and Apple’s API?
  3. Do you prefer iOS or Android? Why?

techreview3 karma

These are awesome questions and I will offer my opinion on #1, though I'm not sure how satisfying it will be. I think there are a lot of benefits if many apps leveraged Apple/Google API, importantly interoperability across different places, development efficiency and scale. It really would be great if apps worked across different states and countries, and there were many developers who could learn from each other and collaborate so we could build the best app quickly. Also its hard to ignore that adoption could be so much faster if Google and Apple were the leading players. The API also does seem to seek being privacy-preserving, so it might enable some improvements across the board. All of this assumes that contact tracing apps will be meaningful in slowing the spread and allowing public spaces to reopen.

That said, I also think its a bit scary to let Apple/Google have so much power in controlling the infrastructure and data policies if it does indeed become the default framework and scales as it could. Its just important to remember that they aren't beheld to the public's best interest, and I think its really important that they work closely with the WHO or the UN so that they can contribute the technical prowess while still answering to a higher power that does have an obligation to the global citizenry. - Tate

dondi011 karma

Whats your opinion on the italian "immuni" app?

techreview2 karma

Here's how we scored Immuni in our database. Bobbie, Patrick, or Tate might have more insight to share. https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

-Benji

Togapr330 karma

Isn't the John Hopkins/NY Times tracker the gold standard?

techreview4 karma

We are tracking contact tracing apps, they are tracking covid-19 cases, so they're two totally distinct projects tracking different aspects of the pandemic. But we love what both of those groups are doing. - Patrick

techreview3 karma

Good question! This is Benji. The New York Times map shows reported covid-19 cases worldwide. Contact tracing is a bit different. Here's a definition of this technique Patrick included in this story about the things we need to do to make contact tracing really work:

> Tracing is the technique public health workers use to identify carriers of an infectious disease and then uncover who else they may have exposed, in an effort to isolate those at risk and halt the illness’s spread. It’s a time-tested investigation method used to successfully fight outbreaks of diseases including measles, HIV, and Ebola. Countries around the world are already using it against covid-19 with great success, and now many US states are beginning to assemble their own covid tracing teams. At the same time, powerful technology companies including Apple and Google are building systems to help expand and automate tracing and notify people who might have been exposed.

And here's how automated contact tracing apps come into play:

> [T]echnologists everywhere have been rushing to build apps, services, and systems for contact tracing: identifying and notifying all those who come in contact with a carrier. Some are lightweight and temporary, while others are pervasive and invasive: China’s system, for example, sucks up data including citizens’ identity, location, and even online payment history so that local police can watch for those who break quarantine rules.

Some services are being produced locally by small groups of coders, while others are vast, global operations. Apple and Google are mobilizing huge teams to build their upcoming systems that notify people of potential exposure, which could be used by hundreds of millions of people almost immediately.

Our database is meant to track these apps, including details on what they are, how they work, and what policies and processes have been put in place around them.

smegmary-1 karma

As a paranoid stoner - are us stoners tracked too? All I do is go to work, go to weed store, go to grocery store, and go home but I’m curious as to if others care enough about what I do

techreview3 karma

Definitely tempted to offer a joke answer here but let me get serious for just a minute. This question is the reason we tracked data limitations ('Limited' in the chart): Data may sometimes be used for purposes other than public health, such as law enforcement—and that may last longer than covid-19.

I don't know where you live, what app there is, etc., so the answer varies. Some places have strong privacy laws governing this, others hand the data straight to the police. Some locales delete the data after 30 days or whenever the user wants, some keep it indefinitely. These are all important attributes that we want to help folks be informed about.

My advice would be to find out if there is a contact tracing effort near you, if an app even exists for your area, and if it does investigate what the privacy rules and attributes of the app are. We are tracking a few dozen such apps now and are expanding our view to include American apps shortly. - Patrick