Update 28 April: Germany to move from central database to ‘diary alert’ approach of distributed data on handsets for improved privacy protection.
Many countries are considering making use of a contact tracking app to allow track and trace of Covid-19. One such app was initially developed in Singapore and detects contacts through Bluetooth. Most Bluetooth solutions have two problems: limited ability to actually track and trace, and the requirement for a central database. The central database can be seen as effectively enabling a type of surveillance on the population, with a risk of the data being mined, hacked, or put to uses beyond the original stated intent. While guarantees can be offered that data would not be misused, this post is about an alternative strategy which we now call ‘diary alert’. Using this ‘diary alert’ solution completely removes the need for capturing any tracking data on a central database. Removing the capture of data on a central database removes the risk of such data compromising the privacy of the movements and/or contacts of ordinary citizens.
‘Diary alert’ allows electronic track and trace for all confirmed cases, while other solutions only allow track and trace when confirmed cases are people who have been using the app.
Further, diary alert enhances the core track and trace capability by removing a limitation of Bluetooth: Bluetooth cannot detect potential infection from contact with surfaces that an infected person may have contaminated earlier.
In addition to these improved abilities in detection of potential infections, the ‘diary alert’ approach removes the registration and ‘broadcasting’ elements typical of Bluetooth applications. This removes major security concerns and may facilitate increased uptake.
An app and server to deliver a system implementing ‘diary alert’ are relatively straightforward to develop and deploy. In fact the software team who contribute to these pages is prepared to develop an open source working system at no cost, should any relevant authority (e.g. the Australian or New Zealand government) commit to deploying such a system. Hosting could also be organised. Alternatively, research on the fine details of implementation can be provided to anyone considering developing such a system, or considering adding ‘diary alert’ as an upgrade to an existing app. Leave a comment below if interested.
Benefits: Diary Alert.
As stated in the introduction, the original design goal was to address privacy concerns, but there are further benefits:
- No collection of data from the general population. Users receive a list of ‘diary alerts’ on locations visited by infected people for comparison against their own private diary.
- Diary alerts only need the same data already collected in interviews and held centrally by manual track and trace systems
- Track and trace data for all confirmed cases is sent to all app users
- Other systems can only send data on a subset of cases
- Ability to detect more potential infections
- Learn more on how Covid-19 spreads
- Ability to measure app usage anonymously
- Lower cost to society
- Can coexist with Bluetooth style solution
How Does ‘Diary Alert’ Work?
The app works by downloading, normally at least once per day, a list of ‘diary alerts’: a prepared file of locations and times known to have been visited by infected people where there was a risk others could be present.
Imagine there is a web site with a list of places visited by infected people. Anyone keeping their own private diary of their visits to public places could check their diary against the list of alert locations from the website each day. Now, provide an app to automate recording the private diary and checking it against the website. Now improve the data on the website so the checking can be accurate to within a metre instead of providing a location by name. Each of these steps is performed automatically by the ‘diary alert’ app.
For example, a diary alert could be that a person now confirmed as infected visited locations within a particular supermarket between 10:15am and 10:45am last Thursday. The app checks the user’s private diary to see if records indicate the user was in those locations in the supermarket at the same time last Thursday, or at some time after the visit by the infected person. A risk level is calculated based on the length of time of overlap, and whether the overlap was at the same time or a later time. From all ‘diary alerts’ with any match, a total risk level is calculated. The total risk level is then compared with current thresholds to determine if the user should get a test.
The private diary on the user’s phone can be entirely private. The only necessary use of the private diary is that the application must read the diary to evaluate if downloaded ‘diary alerts’ represent a risk of infection. No reporting or exporting of private diary information is required.
If a person does become infected, then track and trace teams will need to construct a set of ‘diary alerts’ for that person. This is normal procedure for track and trace and takes place irrespective of any app. If an infected person does have the app, then building their diary alerts could make use of data from the app, provided privacy guidelines are followed. Use of this data direct from the app should be optional, otherwise privacy could be compromised if the person becomes infected. Yes, anyone infected is going to be asked what their movements have been regardless of any app, as that is the ‘track’ of track and trace. In the event of infection, the person can have the same control over what data is shared as if they did not have the app, given that having an app is a choice. For data they do wish to share, the app provides additional precision, improving the data. The app can save keeping a manual diary, and can provide the same level of ability to control what is available to be seen by others.
Simply showing staff at a testing centre the phone screen indicating a risk level could be sufficient for a testing centre to approve conducting a test. There are also various possible features such as the ability to issue anonymous case numbers, thus allowing medical systems to record what percentage of people take up their ‘test recommendations’, and even establish statistics on what types of events actually result in infections. There is logic analysis as to how to provide all of these features, even automatically, without any privacy compromise for anyone, but this topic is too long to discuss in full in this post. If more is needed, please ask.
The mobile app need not be registered, and does not require a login or any personal identification data. Full data on how many people are using the app and how often can be obtained without any registration or tracking of individual devices.
The app would normally store diary events for approximately 14 to 21 days depending on preferences selected. However people could select some data to be kept for a longer time if they wish. Each day, the ‘location alert file’, a list of all locations visited recently by any person now confirmed as infected, is downloaded to the app for comparison. The app then looks for overlapping locations and times. If an infected person was present at the same time, it can be given the highest risk weighting; if an infected person was at the same location at an earlier time and potentially left the virus on surfaces, that can be given a lower weighting depending on the time interval.
If processing the ‘location alert’ list calculates that the risk for a person is over the current threshold, the app will recommend testing for Covid-19. Generating a code that a testing centre will accept as grounds to perform a test is one possible option.
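The on-device matching described above, written out as an added example (this is not code from the post or from the team behind it). It assumes a simple Visit record for both downloaded alerts and private diary entries, and the weights, surface decay and test threshold are illustrative constants chosen for this example; the alert file and diary contents are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime as dt

# Illustrative data model: a downloaded alert and a private diary entry share one shape.
# A real app would use fine-grained location cells; 'place' is a coarse stand-in.
@dataclass
class Visit:
    place: str
    start: dt
    end: dt

# Weights, decay and threshold are assumptions for this example, not values from the post.
SAME_TIME_WEIGHT = 1.0          # risk per hour spent in the place while the case was there
SURFACE_WEIGHT = 0.25           # risk per hour spent there just after the case left
SURFACE_HALF_LIFE_HOURS = 24.0  # surface risk halves every 24 h after the case left
SURFACE_MAX_HOURS = 72.0        # later than this, no surface risk is counted
TEST_THRESHOLD = 0.3

def hours(delta) -> float:
    return delta.total_seconds() / 3600.0

def alert_risk(alert: Visit, own: Visit) -> float:
    """Risk one downloaded alert contributes against one private diary entry."""
    if alert.place != own.place:
        return 0.0
    shared = hours(min(alert.end, own.end) - max(alert.start, own.start))
    if shared > 0:                        # present at the same time: highest weighting
        return shared * SAME_TIME_WEIGHT
    gap = hours(own.start - alert.end)    # did the user arrive after the case left?
    if gap < 0 or gap > SURFACE_MAX_HOURS:
        return 0.0                        # user was there earlier, or far too late to matter
    decay = 0.5 ** (gap / SURFACE_HALF_LIFE_HOURS)
    return hours(own.end - own.start) * SURFACE_WEIGHT * decay

def total_risk(alerts, diary) -> float:
    """Sum over every alert/diary-entry pair; the diary never leaves the device."""
    return sum(alert_risk(a, d) for a in alerts for d in diary)

def should_test(alerts, diary) -> bool:
    return total_risk(alerts, diary) >= TEST_THRESHOLD

# Constructed sample data: two alerts from one day's file, three private diary entries.
SAMPLE_ALERTS = [
    Visit("supermarket", dt(2020, 4, 23, 10, 15), dt(2020, 4, 23, 10, 45)),
    Visit("park-bench", dt(2020, 4, 23, 8, 0), dt(2020, 4, 23, 8, 10)),
]
SAMPLE_DIARY = [
    Visit("supermarket", dt(2020, 4, 23, 10, 30), dt(2020, 4, 23, 11, 0)),  # 15 min overlap
    Visit("supermarket", dt(2020, 4, 23, 9, 0), dt(2020, 4, 23, 9, 30)),    # before the case: no risk
    Visit("park-bench", dt(2020, 4, 24, 8, 10), dt(2020, 4, 24, 8, 40)),    # 24 h later, 30 min
]
```

With the sample data the overlap contributes 0.25, the bench visit a day later contributes 0.0625, and the earlier supermarket visit nothing, so the total of 0.3125 crosses the example threshold and a test is recommended.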
Benefit 1: No Central Collection of Data from General Population
As described in ‘how does diary alert work’, the core of the system is keeping a private diary on a user’s own mobile device that for the purposes of this system, can remain fully private. Any ability for anyone to read the contents of the diary should be at the option of the user. Even if the person becomes infected and as a result they would be asked about their movements, it can be the option of the user what events from their diary are revealed to medical teams, just as would be the case if they were not using the app. This entire system can operate without anyone else gaining any access to a person’s private diary.
It seems probable more people will accept an app that does not report on them, when compared to an app that does report on them. While guidelines and assurances can protect against misuse of data, it is easier if there simply is no central data to protect and provide assurances about. This may allow for more widespread use of an app.
There is no central database with sensitive data requiring protection from hacking. While individual hacks of a person’s phone are possible, any such hack will simply enable reading one person’s events, and this is the type of data already stored by fitness applications etc. It is not even the most desirable data to try to hack into, and far less desirable than banking details or passwords stored in the web browser. In short, with no central database there is neither the incentive nor the opportunity for hackers.
Benefit 2: Same Data as Manual Systems
Tracking and tracing the movements of recent confirmed Covid-19 cases is normal procedure. That is why it is called ‘track and trace’. The ‘diary alerts’ file sent to the app uses this same data, which would still be collected even if an app such as the Bluetooth application is in use, or if no app based system is in use. So a system using the Bluetooth application still requires all the data needed by the ‘diary alert’ system, in addition to the massive database of data on a high percentage of the population.
Track and trace is a system only used when case numbers are low. When there are more cases, lockdowns are required to control the outbreak. Typically, within any given region, 1,000 cases per day or more would require a lockdown and make track and trace impractical. So there are never many cases for a ‘diary alert’ file. Further, no personal or sensitive information need be provided in the ‘diary alerts’ file. Data such as ‘an infected person visited a particular shopping mall at 10:15am’ is the type of information that in another time would have been printed in a newspaper, and may still need to be on a website for those who do not have the app. Security systems to protect the secrecy of the information should not be needed.
If Covid-19 cases average 1,000 per day, then the last 14 days would produce diary alert data built by combining the public outings of 14,000 people, in place of what is effectively mass ‘surveillance’ data on 40% or more of the entire population.
Benefit 3: Track and Trace for All Confirmed Cases (not just confirmed cases who were using an app)
Bluetooth apps use data that is not feasible for track and trace teams to collect. It is possible to ask someone ‘where did you go, and when?’, even if they were not using the ‘diary alerts’ app. However it is not possible to ask people ‘please list the Bluetooth devices which were in the places you visited’ to gain that information from people without the Bluetooth app. This means people who were infected but not using the ‘diary alerts’ app can still have ‘diary alert’ data which can be sent to people using the ‘diary alerts’ app. However, a ‘Bluetooth alert’ can only result when both the infected person and the person to be alerted have the app. This is particularly relevant while building up a base of users for a system, as usage will start at lower levels.
If 40% of people have a Bluetooth contacts app, then both infected person and person to be alerted will only both have the app 16% (40% of 40%) of the time! A lot of missed alert possibilities! With ‘diary alerts’, there will always be data from the infected person, reconstructed by the track and trace team, even for individuals who do not have the app. So 40% uptake means 40% potential alerts, up from the 16% that could be detected with a Bluetooth app.
How can you automate tracing for confirmed cases that do not have any app? Perhaps ‘diary alerts’ is the best way to solve this problem of more complete tracing, even if used in addition to Bluetooth tracking?
Benefit 4: Increased Scope for Detection Of Potential Infections.
We are all told that the virus can survive on surfaces, sometimes for days. Pick up the virus from a surface, then touch your face, and you can become infected. Using diary alerts, testing for spread can be expanded to include people visiting a location soon after an infected person spent time in that location. Other contact tracing systems can only record a risk when people are present at the same time.
Clearly the risk is greater when sharing the same space at the same time, as is still detected with other contact apps. However, when case numbers are low it may be both feasible and preferable to ‘cast a wider net’ and be safe. If case numbers are high, and testing is limited, then guidelines will focus on testing those with the greatest risk. But getting to true eradication levels means more and more ability to test for every potential case, even those with a low risk level. Since these lower risk levels can also be detected, using diary alert allows extending testing to those lower risk levels dynamically.
Benefit 5: Learn more on how Covid-19 spreads
If a person on a run sits on a bench for ten minutes, and then later another person sits on the same bench, could they become infected? Not only does ‘diary alert’ allow for detecting these events, it allows for determining statistically how often they result in infections.
Benefit 6: full ability to anonymously record app usage
One advantage of everyone registering and uploading data to a central database is that the number of registrations and uploads can be measured. This provides data on how effective a system is likely to be.
Measuring daily downloads of the ‘diary alerts’ data provides information on app uptake and usage. Including ‘time of last download’ in each server request provides the same overall level of information on usage as an app that requires registration. The only benefit of registration is the ability to track what individual users are doing, and to directly contact infected people to get them tested rather than rely on people who have been told they should be tested to follow up. If participating in a system is optional, would people who would not be tested when advised opt to be part of a system anyway?
Random number identities etc. are all possible. But given the goal of privacy, everything needed can be measured simply by including ‘time of previous download request’ and ‘number of download requests by this phone so far’ in the download request sent by the app.
Everything can still remain fully anonymous. App usage patterns can be measured without any need for any identity of any form.
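As an added example (not code from the post or its authors), the server-side aggregation that the two request fields above make possible: from a constructed log holding only the day a request arrived, the phone’s previous download date and its download count, it derives active devices, new installs, returning users and lapsed users for one day, with no device identity anywhere in the log. The field names and the one-request-per-device-per-day assumption are this example’s own.

```python
from collections import Counter
from datetime import date

# Constructed request log: each entry is one download request as the server saw it.
# 'last_download' is None on a phone's very first request; 'count' is that phone's
# own tally of requests so far. Nothing here identifies the device. (Assumed field names.)
REQUESTS = [
    {"day": date(2020, 4, 28), "last_download": None, "count": 0},
    {"day": date(2020, 4, 28), "last_download": date(2020, 4, 27), "count": 5},
    {"day": date(2020, 4, 28), "last_download": date(2020, 4, 27), "count": 12},
    {"day": date(2020, 4, 28), "last_download": date(2020, 4, 21), "count": 3},
    {"day": date(2020, 4, 27), "last_download": date(2020, 4, 26), "count": 4},
]

def usage_stats(requests, day):
    """Usage figures for one day, computed without any per-device identity."""
    today = [r for r in requests if r["day"] == day]   # assumes one request per device per day
    new_installs = sum(1 for r in today if r["last_download"] is None)
    # Distribution of 'days since this phone last downloaded', for returning phones only.
    gaps = Counter((day - r["last_download"]).days
                   for r in today if r["last_download"] is not None)
    counts = sorted(r["count"] for r in today)
    return {
        "active_devices": len(today),
        "new_installs": new_installs,
        "returning": len(today) - new_installs,
        "lapsed_7d_plus": sum(n for g, n in gaps.items() if g >= 7),  # back after a week away
        "median_downloads": counts[len(counts) // 2] if counts else 0,
    }
```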
Benefit 7: Lower Cost to Society
By using data already required for manual track and trace as the only central database requirement, the system cost is significantly reduced. The data exposed to the web is limited to data that can be publicly available. The ‘diary alerts’ file contains data of the nature of ‘risk of infection for those who visited supermarket downtown on April 5th’ that in previous years might have been printed in a local newspaper. The difference in cost is very significant between protecting the risk diary events that occurred collectively for all infections confirmed within the past two weeks, and protecting data on the millions of people constituting half of the population, data that has real value for those who mine it.
Benefit 8: Can Coexist with Bluetooth Based Solutions
If a Bluetooth application already has a significant installed base, then it would be easy to add ‘diary alert’ to an existing app through an update.
However if trying to increase uptake through the increased privacy, it may be necessary to either offer a second app that only uses diary alerts, or alternatively provide a sunset on previous features that relied on a central database and promote the new improved privacy of the system.
Footnote: What is in a name.
Prior to April 22nd, the working name of this idea was ‘location alert’. However, after reading this ‘dear diary’ article, on tracing without an app, it seemed ‘diary alert’ would be a better name.