From Contact Tracing to Outbreak Notification
Call for Participation
As countries assess how best to respond to the COVID-19 pandemic, many have introduced smartphone apps to help identify which users have been infected. These apps vary from country to country. Some are mandatory for citizens to use, such as apps released by the governments of China and Qatar (see inset images); most are not. Some are based on user tracking; others focus on contact tracing. Some utilize a central database; others use APIs from Apple and Google. At least one has already experienced a data breach. But all of them are coming under scrutiny for violating personal privacy.
Wherever personal data is shared, privacy becomes an issue. In countries where use is voluntary, citizens are reluctant to download these apps. A poll by digital ad company Ogury showed that in France, where a centralised database approach has been adopted, only 2% of the population have downloaded the app, and only 33% would be willing to share any data with the government via the app. 
Public trust is a huge issue – given the frequency of data breaches, people are wary of uploading their personal information, even for the purposes of combatting COVID-19. In the USA, only 38% were prepared to share their data, and only 33% trusted the government to protect it. In the UK, the stats told a similar story, with only 40% believing that their data would be safe.
In Canada, Alberta’s ABTraceTogether app was slammed by the provincial Privacy Commissioner for posing a “significant security risk.” The federal government’s COVID Alert app, released in Ontario and pending elsewhere, is promising, but the voluntary contact tracing app has user experience issues which may prevent it from being widely adopted.
In a recent informal poll which I conducted on my page, the proportion of people who were comfortable with installing a contact tracing application was 26%. Most of the people in the No Way camp were experienced professionals with in-depth knowledge of privacy, security, and information technology.
The private sector is bringing a different approach to contact tracing. Several developers have released customer registry systems to support contact tracing and outbreak notification at the level of individual businesses. Some of these are applications; some are online platforms. Privacy remains a concern, and seeing both a privacy gap and an adoption gap, I have designed an outbreak notification system for businesses, IoPlus.
Outbreak notification vs contact tracing
Simply said, contact tracing attempts to build a network of every physical interaction, and trace it backwards in the event that a person tests positive for COVID-19.
Contact tracing app are state-centric, require a centralized store, and control
Most implementations of contact tracing require a centralized data store with varying levels of power given to officials and businesses.
Outbreak notification, on the other hand, is a subscription based model, in which citizens are notified if there has been an outbreak in places they have visited. The goal of this solution is to notify the individual to allow them to take action.
Outbreak notifications are citizen-centric, do not require the installation of a mobile application. The individual has the driver’s seat.
From mathematical modelling, contact tracing resembles a neural network, in which every citizen can have as many connections as the population size. This model is subject to computing challenges. Outbreak notification, on the other hand, is a distributed model that is connected by the edges. The load and computational network is at the business/location level.
Privacy in Design Principles
Outbreak notification has been designed and built with privacy and security as a top priority. The IoPlus notification system relies on an individual mobile device (phone or tablet) leaving a digital “breadcrumb” at a visited location. Patrons and employees scan a posted barcode when they enter and leave a business, to “check in” and “check out.” Users can sign up for notifications via email or a social media account. After an infection is recorded, individuals who self-register will receive a notification through email or via their social media network, based on the contact information given. Those who do not subscribe can check whether they have been in contact with an infected person by simply going to the IoPlus web page. Based on the unique, encrypted “breadcrumb” generated during their visit, a patron can go to the IoPlus web page and can privately see whether they have been in contact with an infected person. No-one else can access that notification.
This method avoids tracking users via location data, and gives them the choice to check in and check out of participating businesses only when they wish.
KI Design is building Outbreak notification service that is:
- App-less: it doesn’t require users to install any apps.
- Server-less: Does not store user and tracking data in a hosting environment.
- Privacy in Design: Design artifacts are built with privacy in mind.
We are calling for contributors to participate in the design and promotion of IoPlus.