Why Bluetooth apps are bad at discovering new cases

Why Bluetooth apps are bad at discovering new cases
Why Bluetooth apps are bad at discovering new cases

Why Bluetooth apps are bad at discovering new cases yesterday, we talked about the things that need to happen before we can begin to slowly re-open our cities: hospital bed supply catches up fully with demand; testing catches up fully with demand; we develop programs for quarantining new cases and informing their contacts that they may have been exposed to the disease, and the number of cases declined for 14 consecutive days.

Today let’s zoom in (not Zoom in) on the third point: building systems to enforce quarantine and to trace the contacts of those who get infected. Both are areas where public health officials believe that technology can play a role. But I want to describe why that role might be more limited than you assume — and, according to the experts I’ve spoken with, much less important than staffing up public health agencies to do the primary work.

First, let’s talk about quarantine enforcement — making sure that people the state has ordered to stay at home are actually doing so. This is an area where technology can play — and is playing — a huge role. I’ve mentioned Taiwan’s “electronic fence” in this column a few times already, but here’s a quick refresher from Reuters:

The system monitors phone signals to alert police and local officials if those in-home quarantines move away from their address or turn off their phones. Jyan said authorities will contact or visit those who trigger an alert within 15 minutes.

The technology here is not particularly complicated. With the cooperation of a telecom company, you can tie a person’s phone to a single cellular tower. If the phone pings another tower, or shuts off, the public health authorities contact you. This approach is invasive, somewhat disturbing, and by all accounts quite effective. It’s not clear to me how a similar program could be implemented without new legislation giving telecom companies explicit permission to share this kind of data — my inbox is full of lawmakers (appropriately!) calling for safeguards and oversight on any such government surveillance. But if the recent stimulus packages are any indication, that also seems like legislation that could be written and passed very quickly.

Note that tech alone doesn’t solve the enforcement problem. You also need people calling patients whose phones appear to be moving or have been shut off. You need people doing spot checks to make sure the person under quarantine hasn’t simply left their phone at the house and gone to church. And you probably need a place to house quarantined people that is not with their families, which are the most likely places for the coronavirus to spread. Tech is necessary, in other words, but not sufficient.

Now let’s talk about what might be the most challenging piece in the entire stack: contact tracing. Public health experts tell me that getting in touch with people who may have been exposed to a known COVID-19 case is one of the most important steps we’ll need to take to contain future outbreaks. But the how of it is complicated. While we’ve seen a Cambrian explosion of contact tracing apps around the world, it remains unclear how good or effective any of them have been. And as US government officials consider asking big tech companies to consider working on contact tracing solutions — and I’m told that they have already made inquiries with Facebook — that’s worth keeping in mind.

To get a sense of how this played out in one country that has done a relatively good job containing the coronavirus outbreak, let’s turn to South Korea. Derek Thompson has a good piece on contact tracing in the Atlantic that describes how it has played out there. The country seemingly skipped over traditional contact tracing completely and went straight to putting new coronavirus victims on blast in the new public square — other people’s smartphones:

The government uses several sources, such as cellphone-location data, CCTV, and credit-card records, to broadly monitor citizens’ activity. When somebody tests positive, local governments can send out an alert, a bit like a flood warning, that reportedly includes the individual’s last name, sex, age, district of residence, and credit-card history, with a minute-to-minute record of their comings and goings from various local businesses. “In some districts, public information includes which rooms of a building the person was in when they visited a toilet, and whether or not they wore a mask,” Mark Zastrow, a reporter for Nature, wrote. “Even overnight stays at ‘love motels’ have been noted.”

New cases in South Korea have declined about 90 percent in the past 40 days, an extraordinary achievement. But the amount of information in South Korea’s tracing alerts has turned some of its citizens into imperious armchair detectives, who scour the internet in an attempt to identify people who test positive and condemn them online. Choi Young-ae, the chair of South Korea’s Human Rights Commission, has said that this harassment has made some Koreans less willing to be tested.

So far, South Korea appears to be an outlier in this approach. Other countries are opting to build much more targeted interventions, using phones’ GPS and Bluetooth signals to passively track the proximity between individuals and inform potential contacts after someone gets infected. Singapore, which built an app called TraceTogether that monitors Bluetooth activity, “offers perhaps the most likely model for the West,” Thompson writes. The country is making TraceTogether available as an open-source project.

To the extent that they’ve been written about to date, these passive tracking apps are generally considered in terms of their privacy implications. Who collects the data? Where does it get shared? Can it be linked back to individual patients? How long should that information be stored?

Already, various academics and entrepreneurs are working on passive tracking apps that attempt to solve these issues. At Wired, Andy Greenberg reviews three such efforts, and all of them are absolute Rube Goldberg machines. Here’s one of the apps under development:

COVID-Watch uses Bluetooth as a kind of proximity detector. The app constantly pings out Bluetooth signals to nearby phones, looking for others that might be running the app within about two meters, or six and a half feet. If two phones spend 15 minutes in the range of each other, the app considers them to have had a “contact event.” They each generate a unique random number for that event, record the numbers, and transmit them to each other.

If a COVID-Watch user later believes they’re infected with Covid-19, they can ask their health care provider for a unique confirmation code. (COVID-Watch would distribute those confirmation codes only to caregivers, to prevent spammers or faulty self-diagnoses from flooding the system with false positives.) When that confirmation code is entered, the app would upload all the contact event numbers from that phone to a server. The server would then send out those contact event numbers to every phone in the system, where the app would check if any of the codes matched their own log of contact events from the last two weeks. If any of the numbers match, the app alerts the user that they made contact with an infected person, and displays instructions or a video about getting tested or self-quarantining.

All of these efforts seem to skip over the question of whether a Bluetooth-reported “contact event” is an effective method of contact tracing, to begin with. On Thursday I spoke with Dr. Farzad Mostashari, the former national coordinator for health information technology at the Department of Health and Human Services. (Today he’s the CEO of Aledade, which makes management software for physicians.) Mostashari had recently posted a Twitter thread expressing skepticism over Bluetooth-based contact tracing, and I asked him to elaborate.

The first problem he described is getting a meaningful number of people to install the app and make sure it’s active as everyone makes their way through the world. Most countries have made app installation voluntary, and adoption has been low. In Singapore, Mostashari told me, adoption has been about 12 percent of the population. If the United States had similar adoption, you’ve now made your big contact-tracing bet on the likelihood that two people passing one another have both installed this app on your phone. The statistical likelihood of this is about 1.44 percent. (It could be higher in areas with greater population density or where the app was more widely installed.)

The second problem is that when these Bluetooth chips do pass in the night, you should expect a large number of false positives.

“If I am in the wide-open, my Bluetooth and your Bluetooth might ping each other even if you’re much more than six feet away,” Mostashari said. “You could be through the wall from me in an apartment, and it could ping that we’re having a proximity event. You could be on a different floor of the building and it could ping. You could be biking by me in the open air and it could ping.”

All of this seems really problematic even before you consider asking Apple or Google or Facebook to make a contact tracing app and promote it through their own channels. We’ve spent three and a half years having a discussion about the shortcomings of these companies when it comes to protecting our data privacy; putting them in a position to oversee a project as intimate and sensitive as disease infection seems like a bad idea. (My own sense in talking from executives at Google and Facebook in recent days is that they are eager to help with crisis response, and are already doing so in various ways, but basically have no interest in this particular part of the response.)

So that leaves us with two remaining questions: what should Big Tech do, and what should the government do?