Coronavirus crisis

Why Exposure Notification won't work

The contact-tracing system is a noble effort that assures user privacy. Unfortunately, it breaks down under scrutiny for four reasons.

coronavirus covid 19 pandemic stop sign virus 4807211 by geralt pixabay cc0 2400x1600
Gerd Altmann (CC0)

Coronavirus crisis

Show More

Nothing kills a good story like good research.

Have you heard the one about Apple's and Google's Exposure Notification project to fight the coronavirus and protect the global public from COVID-19?

I told you on April 10 about Exposure Notification -- the joint project from Apple and Google to build limited and private "contact tracing" functionality into APIs and the iOS and Android operating systems. At the time, details were sketchy, but I was optimistic about it.

The over-simplified version of the story is that Silicon Valley's two mobile operating system giants, which make the OSs that 97 percent of the world's smartphones run on, have banded together to rapidly enable the world's national health authorities to create very private and anonymous cross-platform apps for "contact tracing."

This part of the story is true. And let me be clear: Apple and Google are absolutely doing the right thing -- and doing the thing right. Exposure Notification will probably work as advertised while assuring user control and privacy.

But the rest of the story goes like this: Exposure Notification will have a major impact on reducing infections. And this is the part that doesn't hold up to scrutiny.

How Exposure Notification works

Exposure Notification is shockingly elegant. Here's how it works. When a user opts in, the phone sends anonymous beacon "chirps" to other phones within range. This happens even if the Exposure Notification-supporting app isn't running in the foreground. The apps broadcast cryptographic keys -- one that change randomly every day and another than changes every 10 to 20 minutes -- with numbers unassociated with user or device. The system also "listens" for other phones also broadcasting cryptographic keys that also change randomly. The phone securely records the number it broadcasts, and also the numbers received from other phones.

Users who test positive for COVID-19 can say so in the app, which triggers the system to upload all the recently used cryptographic keys to a server, which are then downloaded by ever other user. If a phone downloads a match, the user is notified that they've been in contact with someone who tested positive, but it doesn't tell who. The notification is based on the length of exposure, and also the signal strength -- a rough gauge of how physically close the two phones were. Each Individual public health authority will decide what length of time and distance is defined as "contact." 

Exposure notification offers intervals of five minutes ranging from five minutes of exposure to 30 minutes. So in one country, 15 minutes of exposure would trigger a notification, but in another, that same duration would not. In all cases, exposure notification is accompanied by the date of exposure (but not the time of day).

The person with COVID-19 can't know who was notified; the notified can't know who tested positive. Apple and Google never know, the public health authorities never know and governments never know.

Exposure Notification is not based on location, just proximity to other Exposure Notification users. In fact, the companies opted to label the project "exposure notification" instead of "contact tracing" to avoid the implication that they're "tracing" or "tracking" who users come in contact with. In fairness, this is accurate. The system doesn't track. It simply notifies people that they've been exposed, and when.

If a user tests positive, each health authority will decide how to notify users who have come in contact with that user. Those health authorities also get to decide how much contact is registered as contact.

The API became available to developers who work with public health agencies globally in beta this week, and they'll be looking for fast feedback. The public API should hit mid-May, with apps following by the end of the month. System level integration will come later.

Apple and Google have promised more details today (Friday, May 1) about the API, along with sample code and a demonstration of how it works.

Apple has also released the user control for Exposure Notification in the beta of iOS 13.5. You toggle it on and off in Settings/Privacy/Health, which now has an Exposure Notification button that can be turned on or off by the user.

Apple and Google say that they'll end Exposure Notification when the coronavirus pandemic ends. The companies can terminate on a region-by-region basis.

4 reasons Exposure Notification won't work

Well, nothing, really. It's very good. The problem is that it takes a village to eradicate a virus. And the village isn't ready.

Here are the four reasons why Exposure Notification won't make that big of an impact on the spread of the coronavirus.

1. It depends on frequent and universal testing

The trigger for notification is when a user takes a coronavirus test and tests positive, then chooses to say so in the app.

Coronavirus testing now in the foreseeable future will be inaccurate, slow, unevenly applied and rare.

As a country with a population of 328 million, the United States is conducting at most 300,000 tests per day, far less than one-tenth of one percent of Americans.

Experts disagree on how many coronavirus tests are need to "re-open" the economy. Harvard scientists say 20 million per day; Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, says only 500,000 per day are needed, and that we could get there as early as the end of May.

In order for Exposure Notification to work the way people imagine, each user would have to be tested at least once weekly. (How many times have you be tested?)

That's not going to happen in the US anytime soon.

2. It doesn't address all the ways people get the virus

There are many ways to get the coronavirus, and hanging out with other adults using Exposure Notification is just one of them. You can hang out with non-users. You can touch infected surfaces. You can walk into a room or a bus or a train or an Uber where the virus is hanging in the air. You can get it from your kids, who got it from other kids. Exposure Notification tracks none of this.

3. It doesn't notify beyond one level of contact

With actual, manual contact tracing, the people who came in contact with the infected are notified, as are the people they came in contact with, and the people they came in contact with, and so on.

With Exposure Notification, if I register a positive diagnosis with the system and I made contact with ten people who are using the tool, they'll be notified. But the ten people that each of them came in contact with won't be, nor will the ten people each of those people came in contact with. In this hypothetical mental model, 1,110 people could have gotten the virus from me, but only ten are notified.

4. It's not universal

The ideal outcome for something like Exposure Notification is that everybody with an iPhone or Android phone uses it. But that's never going to happen. Other countries' contact tracing apps were downloaded by a tiny minority of people. It's reasonable to assume that only a minority of Americans will download the coming CDC app that supports the initiative.

Not all foreign countries will even use it at all. The UK, France and Australia will not embrace it.

Germany first announced that they would do their own thing, but converted to Exposure Notification supporters after they saw how stringent the privacy measures are. Germany's about face was basically forced by Apple. In order for Europe's Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) system to work, Apple would have been required to change iPhone settings to enable contact data to be uploaded to a central server. Apple refused. So Germany decided that: If you can't beat em, join em.

Australia also uses a central-server approach with its national app called COVIDSafe, which is based on Singapore’s open-source TraceTogether app.

Privacy advocotes object to U.K.'s approach

The U.K., on the other hand, went with a centralized server model, and is being criticized for it by privacy advocates. The U.K. app performs the same basic functions as the Apple and Google tool, with two major differences:

  1. It can identify users
  2. Data is uploaded to a central server.

At least 177 privacy and security specialists have signed an open calling on the U.K. government to not use its contact tracing app for mass surveillance. (I've filed a Freedom of Information request with the NHS asking for details about the decision-making process but at press time have not gotten a reply.)

When I go to a non-Exposure Notification country, I'm not using their system and they're not using mine.

Don't get me wrong. Exposure Notification is well-designed, and it will help.

But because of the inadequacies of testing, usage and the ways in which the real virus spreads, it will at best make only a tiny impact on suppressing the virus.

At the core of it is testing. We need massive, easy-to-administer and accurate testing. Until we get that, no initiative -- not even this one from Apple and Google -- will make a huge difference.