Kicking off #enigma2021 second day with our Contact Notification panel, moderated by @benadida with panelists Mike Judd, CDC COVID-19 Exposure Notification Initiative; Ali Lange, Google; Tiffany C. Li, Boston University School of Law; Marcel Salathé, EPFL

usenix.org/conference/eni…
Ben: The reason why we cannot be here in the same physical space is the same reason we have this panel on Contact Tracing. What is that?
* Run around looking for people who have been infected
* And looking for people who have been exposed to the people who have been infected
* To try to contain the spread
2020 is when COVID-19 emerged. And people asked "can we apply technology?" can we use our cell phones, which know about location and can contact servers to record who we're close to in case someone is, unfortunately, positive for COVID-19
* should we?
* do we need it?
* will public health know how to use it?
* will they want to?
* will people game it?
* will the location data be misused?
Marcel: runs the digital epidemiology lab at EPFL

Want to talk about development and launch of .ch contact tracing app
"An Ode to Pragmatism"
Did one of the first papers on digital contact tracing a decade ago, this represents a long line of work.

See sociopatterns.org website for examples
In the wake of SARS-CoV-2 and COVID-19 became very important to aid manual contact tracing with technology. Challenge is that people can be infectious before they're symptomatic, so cannot just focus on isolating people with symptoms -- they have already infected others
So need very rapid contact tracing for this particular bug

That's a better model than non-targeted quarantine (aka lockdown), which is no fun
Started initial project in Europe PEPP-PT, but some people wanted to build something completely transparent and decentralised (DP3T) -- made it into the Apple/Google covid app, and was the first national government EN app to launch
Digital proximity tracing is a classical case of needing both tech and relevant domain expertise. At EPFL we'd already been building those bridges -- you can't build them [well] during the crisis.

This is a harder problem than most appreciate!
The academic system has a really hard time with this (especially when it comes to incentives):
* few journals
* few grants
* few prizes
* work reviewed by single-domain experts

All of these things are important in the academic infrastructure.
[ YES! ]
Widespread myth in epidemiology: we need more data to solve the data. Strong belief that privacy preservation means you can't solve the problem (and vice versa).

More data can help, but you first should ask how you can solve the problem without collecting data.
Try to harness technology to the maximum extent possible to bend this curve. The exposure notification framework ended up being this.
This is great, but these ideas were attacked heavily by people looking through lens. "This is not the *best* solution from a privacy perspective" or "this is not the *best* solution from an epidemiological perspective" without understanding the very real issues.
So:
* build the bridges early
* sidestep the fights from people with narrower lenses
@AletheaLange:
I'm not going to explain the crypto. That's already well-explained online. ;)

Note: literally 100s of people worked on the things I'm going to talk about and this is just my story. I'm also going to be mostly talking about the US, which isn't the full picture
Remember this "flatten the curve" graphic?
There were also a lot of questions about how tech could help
Google put out a statement about what we were thinking -- our instincts were to look at aggregate patterns of movement.

The community mobility reports (still up online) help governments and people see how their communities are responding to lockdowns. Have heavy privacy protection.
Started talking about contact tracing and conversation shifted to Bluetooth low energy (BLE) rather than location data [it's not fine-grained enough and doesn't work well in buildings]
But there were issues with Apple/Google compatibility, battery issues, issues where the app had to be in the foreground. So Apple/Google partners to solve this problem.
... announced before the tech was built [no one likes that!] and people worked incredibly hard to compress months of work into weeks.

Also renamed "contact tracing" to "exposure notification" to help people understand we were helping contact tracing, not replacing it.
Also made people use API so could protect privacy.

We considered privacy protections key -- if people didn't trust it, they wouldn't use it, wouldn't carry their phones
Once the Exposure Notification tech launched, governments started launching apps using it.

Also improved the BLE tech, spent a ton of time explaining how it worked and putting out explainer docs.
Growing understanding that it was really hard for governments to build the apps. So we launched "exposure notification express", which is basically building blocks to building an app.
Where are we today?
* More than 55 app launches
* "innovation of the year" for protecting privacy
Things we learned
* names matter
* governments need more support
* proactive communications on privacy protections and phone settings
* transparency is essential (open source)
* be humble
* don't give up
Tiffany:

As a privacy researcher, when I first started looking at the contact tracing apps, all I saw were the privacy problems (I use it! I urge people in specific states to use it -- why specific states? I'll explain later)
Other speakers have talked about the specific exposure notification tech, like the Apple/Google protocol which is the most privacy-protective.
* used to supplement, not replace contact tracing (people calling to ask who you've had contact with)
The tech folks may have gotten a little too excited. They're promising, but they haven't been implemented at the scale needed

There are risks: who is collecting the data and who has access to the data?
We haven't seen as much adoption of even the privacy-preserving apps because people don't trust the governments or these companies

If we think these apps are important, then we need to solve the core trust issue. One way is to use privacy-preserving protocols
This is important because there are many risks to this data being collected, no matter how secure your app or company is, especially sensitive types of health data.
Have to think about misuse of data by authorized actors like governments. e.g. Singapore admitted their contact tracing app data could be used for other purposes including law enforcement.
This hurts use of the app and can harm civil liberties if governments can access and possibly misuse data for unlimited purposes.
There are also equity concerns. Privacy protections might be enough to get some people to adopt, but privacy harms might be worse for certain marginalized communities

[ I'd say this needs a per-protection-scheme discussion and leaves out the trust issues which are broader]
How about HIPAA? Only covers "covered entities" like clinics and health care providers. Not application developers.

Google and Apple may not be able to crack down on every app.
Also if there's a hack, have to send out a breach notification (much worse if it's centralized, not the privacy-preserving Apple/Google approach)
Consumer protection laws can be used to protect people using apps developed by people who aren't public authorities. Enforced by the FTC. Doesn't do enough.
Greatest privacy problem is shifting norms about how we think about health privacy.

The privacy-preserving approach is great! But not all states are using this and users don't necessarily know which one is going on. Users are getting more used to having their data collected
Laws have some protection, but we need more legal protections.

Health privacy can be more critical than other kinds of privacy. You can't change your health information, like you can change your password. It's unique to you and important.
We need to think about how to protect privacy moving forward and how to shift the norms of privacy back.
Mike:
Want to explore interdisciplinary problem-solving and how this has led to some successes in deployment of Apple/Google exposure notification system
1. promoting inclusive environment helps get things done. It takes a village. Parochialism can prevent collaboration and can't get things done -- need tech people and public health people (and more)
Guiding principles for community of practice
2. successful exposure notification launches have been driven by state government and technology collaborations
State highlights:
* AZ: adding more messages about up-to-date transmission information
* CO: automation of part of the process of verification
* NJ: use of open source code
* WA: marketing including lead singer of Pearl Jam, translation to 36 different languages
3. evaluation of the public health value requires more analysis
analytics portal will allow more rigorous evaluation

[side note: there are privacy protections on this]
Next steps:
* what's next for these relationships after the pandemic?
* how do we generalize these lessons and apply them to persistent problems in public health?
[ done with intro and time for questions. I'm going to have to only type some of these to save my hands ]

Ben: thank you so much for taking the time to do this panel! You're all so busy and we deeply appreciate this
Q: did things like randomized BT/wifi addresses impact the feasibility?
A: Marcel: I'll pass on the technical details, but questions like these came up all the time. How far are you going to go in preservation on privacy and what is the impact from an epidemiological perspective
If you tweak the protocol you could possibly answer some interesting epidemiological question but you would compromise the privacy. We took the position that we wouldn't try to solve too many problems at once.
Epi wanted to tackle problems that you normally can't tackle at all
Pained me to say this but said let's aid the manual contact tracers, maximum privacy. Once it's taken up we can talk about other points on the tradeoff curve.
Ali: the sentiment was that privacy was not an extra thing we were adding on -- critical to success. Tradeoff is not "same # of participants, more data" -- if you don't make the same promises, you will have fewer participants.
Mike: It worked out how Google/Apple put together this temporary exposure key approach (it's a rotating identifier to foil people sniffing for keys). Rotates once per day. Corresponds to CDC's understanding of exposure to be cumulative across the date. Good to see convergence
Q: Is this working? Is there a difference between countries with low- and high-spread?

A:
Ali: Couple of studies. One from Oxford/Google. Looked at modeling what effectiveness would be at levels of adoption. Saw predicted effectiveness at even low levels of adoption
There are some stats on downloads from public health authorities

Real-world study in Spain. 30% adoption, able to detect ~6 contacts per infected individual, which was 2x manual contact tracing. This is doing a good job of supplementing manual contact tracing.
Mike: Can think about effectiveness in intermediate outcome or ultimate outcome
want to encourage public health behaviours (masking, quarantine). That's really hard to do in an app -- we can't confirm personal health behaviour.
Can do better at intermediate outcomes, e.g. time to contact tracing notification.
Can also increase comprehensiveness of notification
Marcel: When you ask how well does EN work, that's a difficult question also because the tech is embedded in a public health process where a lot of things can go wrong
for example in a lot of countries including Switzerland you need a code -- and if it doesn't get delivered...
Q Ben: we have the hard part and the "easy" parts like delivering the code (which clearly isn't easy). What sounds easy to tech people but was actually hard?
A:
Marcel: Many things! People from one field don't understand challenges *or* solutions from the other field. Example: blog post from Bruce Schneier saying "digital contact tracing is dumb" and as an epidemiologist this is ... dumb
We've been thinking about this for 30 years. It's hard not just to say "this person doesn't get it" when it gets picked up in the media. We can have a debate but when you're in the middle of building something and have a public conversation at this low level...
Have to establish communities way before.

[ suspect Marcel would like Bruce and others not to go off half-cocked as well, but is too polite to say ]
Tiffany:
People were surprised at how few people wanted to download the app even when they know it works. When it comes down to it, most people don't know what these apps are.
Most people don't know what these apps do, where data is going. All they know is a scary government or company is putting out an app and don't want to download it. We should have worked harder on... but that was pretty difficult last year especially in the US because ... gov't
Need to not only make the tech safer -- need to make it clear to people that the tech is safer. People know they care about privacy, but don't know how to protect themselves. Need to make this usable for people.
Q Ben: Love the point you made about shifting norms and public trust. Most of us carry cell phones. Lots of tradeoffs with that, and now there's this huge possible benefit with EN can do it without privacy downsides... but how can people understand which are the "good" apps?
A:
Tiffany: Black Mirror joke: "what if phones but too much"
EN can be "what if phones but too little"

What if there was a federal app [US]? Would that help? There should at least be interoperability. Right now some are done in the best privacy-preserving manner. Some are *not*.
For individual consumer it's really hard to know the difference. Could there be a national standard or framework... outside the ones which are already published.

Users also really don't have a choice, they have to use the one where they are
Q Ben: how do you build trust with the public in a pandemic?

A:
Mike: it requires consistent messaging. Support from local trusted figures (e.g. Pearl Jam, Starbucks in WA)
Making it easier -- a few clicks from the homescreen really helps. Giving the option right there and making it easy really helps.
Q: Why in the US did we make every state make their own app to use the same Google/Apple framework?

A:
Mike: Authority and responsibilities not given to the federal government are given to the states. That's what's spawned the more federated approach. CDC's role is to support.
Tiffany: I know a number of states have joined together to e.g. use common key server. Legally it's difficult to mandate a national app, but could have national support for a key server, national awareness campaign.
Legal point: it's not as set in stone, it's more of an interpretation thing. There could be more working together, more coordination. CDC was really hamstrung last year about getting guidance out there. Hopefully that's fixed now.

[ hint: I think that's a Trump comment ]
We'll need to think about an interoperable federal or international approach for vaccine verification as well
Q Ben: Whether people should or not, they're traveling. What are some of the interoperability aspects here which arise? Are countries/states sharing the key servers which would allow notifications to happen?
Ali: In the US the work done to host the diagnosis key server by APHL [if I heard that right]. Not everyone is using the Google/Apple notification system, though.
Marcel: was on our radar from day 1 for obvious reasons. There was a lot of collaboration in the EU. Switzerland isn't in the EU, so had to make another solution. A lot of the roadblocks are procedural or nationalism. The virus doesn't give a damn about borders.
Q Ben: have we seen abuse of the Google/Apple exposure notification framework? e.g. spurious claims of positive result to spam the system, anything else?
A:
Mike: we were worried about concerns about using that during the last presidential election to poll workers to keep people out of the polls, but have seen zero cases of abuses
[wow, nice]

Ali: so far, so good, knock on wood
Q Ben: You gave us a really interesting timeline of how quickly you had to move. At Google in particular how did you make these decisions? It looked really fast and really public.
A:
Ali: You're right on the timeline and the pressure and intensity. People were making difficult decisions every day. There was previous work, but most of the most relevant work was < 3 months old. I read *everything*, even if it was a Twitter thread.
There were literally hundreds of meetings. We would take a meeting with literally anyone who would share their expertise: epidemiologists, privacy advocates, public health folks [long list I didn't type fast enough to get, including a lot of examples]
So many thanks for getting so much information out there quickly for everyone to use. Huge benefit to the effort, all this collaboration and sheer volume of work around the world.
Q Ben for Marcel: you're like the epidemiologist who's the privacy advocate's best friend because you talk about data minimization. Is there anything you'd push privacy folks on?
A Marcel: Good question! I don't know that I have a good answer. We need to learn from each other and try to bend this curve as much as we can. We want both privacy and health impact. We need to have a discussion about how to get as close to the optimum as possible.
The pandemic is going to pass, and then we'll be back to all the other health problems we have to tackle. There, the discussions about digital health records are just as worrying and challenging.
Incredibly grateful for the push from the privacy community. We were on a path to having majorities for a centralized solution and would have built a huge surveillance apparatus and would have found out we had huge issues a few years down the line.
Let's not wait for the next pandemic. Let's start working together now on public health problems.
Mike: We're also grateful to the privacy community. Remarkable example of restraint across tech, government, global institutions on the opportunity to have a major influx of data. Positive result that the majority of those opportunities to be data hungry were not taken.
Can we get more data for public health without sacrificing security and privacy? Maybe there isn't a way, but we should look at limitations in that answer.
Q Ben: Pretty broad agreement on this panel that apps Google/Apple are better and privacy-first. What if we had just installed these apps by default? Public benefit, push it out there. One could make the claim that there is no privacy risk.
Or what if we enabled the bluetooth tracking by default, but it's not accessible unless someone turns it on later (say because they're infected).
A:
Tiffany: Well, first problem is the law.
Remember a few years ago when Apple loaded a U2 album on everyone's phones? That did not go over well.
And the app was there, but people could opt in/out.
You can look at examples from abroad, like where there was a required quarantine app. May be more effective but there's a flip side: every time we allow an incursion on privacy even for very good reasons, we can't necessarily roll it back after.
Post-9/11 the US gov't got a lot of powers of surveillance and that hasn't really been rolled back.

I wrote an article [missed title] because I really want to be able to participate in these public health records but I don't want to give up my privacy
Need the privacy-preserving technologies to ensure that we can do this. This isn't the last pandemic. This isn't the only public health issue. We need protections.
Maybe can change some of our laws which protect privacy so can tell people if they turn on these tools the data won't be used against them, their location data won't be collected.
Ali: The amount of confusion there was even when Android and iOS added the option to turn it on tells you a lot: there was a rumour that it had just been turned on [it hadn't]. It was *not* popular as a rumour.
People also can leave their phone behind and turn it off. The app isn't enough to install -- you have to create the conditions in order to make it successful, where people carry their phones.
Trust wasn't essential just for people to participate but for people to participate successfully.
Very hard to explain something which is entirely novel, where you can't just compare it to something which already exists. Public health folks did a lot. But challenges there that more dramatic path would have been so poorly received that it could have endangered whole effort.
Mike: have to have consent for usage of data for health-related purposes.
Last question: is this code going to stay on our phones in case of the next pandemic (it's inevitable)? Is it useful for contact tracing other diseases? Is this kind of collaboration the kind of bridge that is going to be stable?
A:
Ali: Google and Apple plan to turn off this code when the pandemic is addressed. The code was created for *this* situation. We can also toggle it off by region, as different areas have different situations WRT the pandemic.
Mike: so much novelty and value to having these two different communities come together at the same table. Not sure where we go from here, but would like to at least keep this partnership on the back burner for the big thorny problems where a tech solution could provide value.
Marcel: I very much appreciate the collaboration. It would also be interesting to think about where these collaborations could happen which wouldn't depend on two particular companies [Google and Apple], though they did a great job of stepping up.
Tiffany: We should have more privacy-preservation generally: tech, norms, laws. Let's work together to make the tech work for all of us.
[end of panel]
Many thanks to moderator @benadida and panelists
@tiffanycli , @AletheaLange , @marcelsalathe, and Mike Judd (lead of the CDC Contact Notification Initiative)
[This was fascinating and now my livetweeting hands are going to take a break. Reminder to everyone that I'm livetweeting and so this isn't 100% accurate. It's actually less accurate than in previous years because I can't both type and watch folks speak at the same time.]
