Apple and Google shocked the world last Friday with their COVID-19 announcement to collaborate on an opt-in Bluetooth-based proximity contact detection API for iOS and Android. Contact tracing is the identification and follow-up of people who may have come into contact with an infected person. We’ve been learning more about the API this week, including that it will work on iOS 13 and Android 6+ devices (via Google Play Services), and that only health authorities will be able to access it.
This is a good opportunity to remind businesses: Technology is a tool, not a solution. New tools take a lot of iteration to get right. When it comes to health care, this is doubly true.
Apple and Google’s tech will fail. Privacy concerns aside, there are too many obstacles for the contact tracing tool to be effective. Let us count the ways.
First, the API will only be available in mid-May. Second, you need a compatible mobile phone (not a given for many, depending on age, country, income, race, and so on). Third, you will need to update your smartphone. Fourth, health authorities will have to release apps that use the API. Fifth, you will have to download and install such an app. Sixth, you will have to leave Bluetooth on when you’re out. Seventh, the tech will have to correctly identify that you have come within 6 feet of other people. Eighth, everyone else you came into contact with has to have done all of the above too. Ninth, if the app lets you know you might have COVID-19, you have to get tested (not a given, depending on location). Tenth, if you tested positive, you will have to opt in to notify everyone who may have come into contact with you.
Time, adoption, and technology
This will not happen for the large majority of people. It will especially not happen for those most susceptible to getting COVID-19. The above can be boiled down to three big obstacles: time, adoption, and technology. (Read Khari Johnson’s take on what privacy-preserving coronavirus tracing apps need to succeed.)
For time, there’s nothing we can do about the fact the API isn’t ready today. I’m sure Apple and Google are working very hard to ship it ASAP and that it will work on day one.
For adoption, there’s nothing we can do about the fact people don’t like to be told to install updates or apps, and generally to opt in to anything the government tells them to. (For example, about 12% of Singapore’s population downloaded TraceTogether, the government’s contact-tracing app that also relies on Bluetooth.) Adoption might be improved a bit by eliminating the app requirement. Apple and Google plan to build the Bluetooth-based contact tracing platform directly into iOS and Android “in the coming months.” That’s right, more time.
And finally, this is all based on Bluetooth. The technology that has a history of being unreliable when all you want to do is pair two devices. Even if it was reliable, Bluetooth wasn’t designed for contact tracing or anything remotely related to determining if two devices were a certain distance apart for a certain time. (Apple and Google are specifically using Bluetooth Low Energy, which has a range of about 30 feet on a typical phone — the theoretical maximum is “less than” 330 feet.)
It doesn’t matter how many of the world’s smartest software engineers Apple and Google have, their combined market cap, or their mobile market share duopoly. Even if they can make Bluetooth do what they want, they can’t solve the problems of time and adoption.
But wait, doesn’t every little bit help? Let’s say a fraction of a fraction of iOS and Android users end up using this contact tracing tool. Let’s say it “works” for that small group of people.
Isn’t that a good thing? Well, yes and no.
Tech’s mantra is move fast and break things. That’s fine for building a fun mobile game. It’s not fine for a health care app that is supposed to help track the spread of a global pandemic. (For his part, Google CEO Sundar Pichai rightly said this week that tech companies should not get carried away with their role in combating COVID-19.)
I’m not talking about false positives where the system flags that you were in contact with someone who is infected but you didn’t become infected. I’m talking about false positives solely due to Bluetooth: You’re sitting in your apartment (or in any building) and your device comes into close proximity with someone’s device through a wall, above you through the ceiling, or below you through the floor. Two devices could come into close proximity in cars side-by-side at a red light. Or you could have your phone on you and pass a phone that simply isn’t on another person.
A bug in an app that is supposed to warn you that you may have a deadly disease can be serious. False positives in a contact tracing app have consequences. There is a mental toll to learning you might be infected. What happens if you get tested and you find out all is well? There’s an even bigger mental toll if you’re repeatedly told you might be infected. What happens then? The few people who opted in decide to opt out.
Contact tracing is not a new idea. It’s widely used in public health: Identify people who may have come into contact with an infected person, collect information about these contacts, test them for infection, treat the infected, and trace their contacts in turn. Rinse and repeat to reduce infections in the population. It’s hard-core, manual detective work.
Human beings are good at contact tracing. We have 0 evidence that phones are. So given all the above problems, why should Apple and Google build it anyway? It’s simple: The novel coronavirus wasn’t the first pandemic and it certainly won’t be the last. This will happen again. We should still invest in technology that could one day help investigators with contact tracing.
It may sound crass, but think of Apple and Google’s COVID-19 contact tracing as a beta program. When the next virus comes along, the technology will already exist and will have been tested. There will still be problems of adoption and questions about efficacy. But Apple and Google, assuming the Android-iOS duopoly holds until the next virus, will be able to issue updates. And even if Bluetooth doesn’t exist anymore or we’ve all ditched our smartphones for smart glasses, many of us will remember COVID-19 and all the efforts to flatten the curve. We will have learned what worked, what didn’t, and what had potential. That’s the beautiful thing about technology — it can be adapted, reused, and improved.
Most importantly, we won’t have to wait for a global pandemic to be declared. A contact-detecting API will be one of the many tools in humanity’s toolbox.
ProBeat is a column in which Emil rants about whatever crosses him that week.