Contact Tracing in the Real World

There have recently been several proposals for pseudonymous contact tracing, including from Apple and Google. To both cryptographers and privacy advocates, this might seem the obvious way to protect public health and privacy at the same time. Meanwhile other cryptographers have been pointing out some of the flaws.

There are also real systems being built by governments. Singapore has already deployed and open-sourced one that uses contact tracing based on bluetooth beacons. Most of the academic and tech industry proposals follow this strategy, as the “obvious” way to tell who’s been within a few metres of you and for how long. The UK’s National Health Service is working on one too, and I’m one of a group of people being consulted on the privacy and security.

But contact tracing in the real world is not quite as many of the academic and industry proposals assume.

First, it isn’t anonymous. Covid-19 is a notifiable disease so a doctor who diagnoses you must inform the public health authorities, and if they have the bandwidth they call you and ask who you’ve been in contact with. They then call your contacts in turn. It’s not about consent or anonymity, so much as being persuasive and having a good bedside manner.

I’m relaxed about doing all this under emergency public-health powers, since this will make it harder for intrusive systems to persist after the pandemic than if they have some privacy theater that can be used to argue that the whizzy new medi-panopticon is legal enough to be kept running.

Second, contact tracers have access to all sorts of other data such as public transport ticketing and credit-card records. This is how a contact tracer in Singapore is able to phone you and tell you that the taxi driver who took you yesterday from Orchard Road to Raffles has reported sick, so please put on a mask right now and go straight home. This must be controlled; Taiwan lets public-health staff access such material in emergencies only.

Third, you can’t wait for diagnoses. In the UK, you only get a test if you’re a VIP or if you get admitted to hospital. Even so the results take 1–3 days to come back. While the VIPs share their status on twitter or facebook, the other diagnosed patients are often too sick to operate their phones.

Fourth, the public health authorities need geographical data for purposes other than contact tracing – such as to tell the army where to build more field hospitals, and to plan shipments of scarce personal protective equipment. There are already apps that do symptom tracking but more would be better. So the UK app will ask for the first three characters of your postcode, which is about enough to locate which hospital you’d end up in.

Fifth, although the cryptographers – and now Google and Apple – are discussing more anonymous variants of the Singapore app, that’s not the problem. Anyone who’s worked on abuse will instantly realise that a voluntary app operated by anonymous actors is wide open to trolling. The performance art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; and little Johnny will self-report symptoms to get the whole school sent home.

Sixth, there’s the human aspect. On Friday, when I was coming back from walking the dogs, I stopped to chat for ten minutes to a neighbour. She stood halfway between her gate and her front door, so we were about 3 metres apart, and the wind was blowing from the side. The risk that either of us would infect the other was negligible. If we’d been carrying bluetooth apps, we’d have been flagged as mutual contacts. It would be quite intolerable for the government to prohibit such social interactions, or to deploy technology that would punish them via false alarms. And how will things work with an orderly supermarket queue, where law-abiding people stand patiently six feet apart?

Bluetooth also goes through plasterboard. If undergraduates return to Cambridge in October, I assume there will still be small-group teaching, but with protocols for distancing, self-isolation and quarantine. A supervisor might sit in a teaching room with two or three students, all more than 2m apart and maybe wearing masks, and the window open. The bluetooth app will flag up not just the others in the room but people in the next room too.

How is this to be dealt with? I expect the app developers will have to fit a user interface saying “You’re within range of device 38a5f01e20. Within infection range (y/n)?” But what happens when people get an avalanche of false alarms? They learn to click them away. A better design might be to invite people to add a nickname and a photo so that contacts could see who they are. “You are near to Ross [photo] and have been for five minutes. Are you maintaining physical distance?”

When I discussed this with a family member, the immediate reaction was that she’d refuse to run an anonymous app that might suddenly say “someone you’ve been near in the past four days has reported symptoms, so you must now self-isolate for 14 days.” A call from a public health officer is one thing, but not knowing who it was would just creep her out. It’s important to get the reactions of real people, not just geeks and wonks! And the experience of South Korea and Taiwan suggests that transparency is the key to public acceptance.

Seventh, on the systems front, decentralised systems are all very nice in theory but are a complete pain in practice as they’re too hard to update. We’re still using Internet infrastructure from 30 years ago (BGP, DNS, SMTP…) because it’s just too hard to change. Watch Moxie Marlinspike’s talk at 36C3 if you don’t get this. Relying on cryptography tends to make things even more complex, fragile and hard to change. In the pandemic, the public health folks may have to tweak all sorts of parameters weekly or even daily. You can’t do that with apps on 169 different types of phone and with peer-to-peer communications.

Personally I feel conflicted. I recognise the overwhelming force of the public-health arguments for a centralised system, but I also have 25 years’ experience of the NHS being incompetent at developing systems and repeatedly breaking their privacy promises when they do manage to collect some data of value to somebody else. The Google Deepmind scandal was just the latest of many and by no means the worst. This is why I’m really uneasy about collecting lots of lightly-anonymised data in a system that becomes integrated into a whole-of-government response to the pandemic. We might never get rid of it.

But the real killer is likely to be the interaction between privacy and economics. If the app’s voluntary, nobody has an incentive to use it, except tinkerers and people who religiously comply with whatever the government asks. If uptake remains at 10-15%, as in Singapore, it won’t be much use and we’ll need to hire more contact tracers instead. Apps that involve compulsion, such as those for quarantine geofencing, will face a more adversarial threat model; and the same will be true in spades for any electronic immunity certificate. There the incentive to cheat will be extreme, and we might be better off with paper serology test certificates, like the yellow fever vaccination certificates you needed for the tropics, back in the good old days when you could actually go there.

All that said, I suspect the tracing apps are really just do-something-itis. Most countries now seem past the point where contact tracing is a high priority; even Singapore has had to go into lockdown. If it becomes a priority during the second wave, we will need a lot more contact tracers: last week, 999 calls in Cambridge had a 40-minute wait and it took ambulances six hours to arrive. We cannot field an app that will cause more worried well people to phone 999.

The real trade-off between surveillance and public health is this. For years, a pandemic has been at the top of Britain’s risk register, yet far less was spent preparing for one than on anti-terrorist measures, many of which were ostentatious rather than effective. Worse, the rhetoric of terror puffed up the security agencies at the expense of public health, predisposing the US and UK governments to disregard the lesson of SARS in 2003 and MERS in 2015 — unlike the governments of China, Singapore, Taiwan and South Korea, who paid at least some attention. What we need is a radical redistribution of resources from the surveillance-industrial complex to public health.

Our effort should go into expanding testing, making ventilators, retraining everyone with a clinical background from vet nurses to physiotherapists to use them, and building field hospitals. We must call out bullshit when we see it, and must not give policymakers the false hope that techno-magic might let them avoid the hard decisions. Otherwise we can serve best by keeping out of the way. The response should not be driven by cryptographers but by epidemiologists, and we should learn what we can from the countries that have managed best so far, such as South Korea and Taiwan.

99 thoughts on “Contact Tracing in the Real World”

  1. I agree with most of this, except ‘sixth.’ If we can get infections down to reasonable numbers (e.g. hundreds), it’s perfectly reasonable to lock down even a couple hundred people for each confirmed infection — anyone they may have come in contact with, even 3 meters apart with the wind blowing. Indeed, that’s darned reasonable to do.

    A hundred cases times a hundred lockdowns is 10,000 people. That beats locking down a whole country. That’s one lockdown per UK death. Would you stay in-doors for 2 weeks if it meant saving a life? The cost is darned cheap — incredibly cheap — compared to exponential growth.

    That’s the thing most people don’t get: exponentials. You need to do this immediately in a pandemic, or just coming out of a lock-down, though. Otherwise, numbers balloon. Early on, you could have bought every person in lockdown their own private mansion to stay at home in, and it’d still be orders-of-magnitude cheaper than the current crisis.

    1. I definitely agree with this approach.
      Locking down a subset of the population is far more manageable than locking down a whole country. It’s also more manageable for the economy and we have more people outside that can go shopping for people that are in lockdown.

      This needs a high acceptance in the population and I think with a reasonable implementation that can be reached. In Germany even epidemiologists are awaiting such a solution (RKI, Berlin Charite).

    2. Do they die due to Corona? What are the autopsy results showing? 2000 cases in Italy 3 of them healthy, 100 in Hamburg all severely sick independent of age. Do we have the correct perspective? Do we follow the right data?

  2. Good article, with a realistic take. As a mobile app developer since 1999, I can confirm this kind of real-world problem. Add in the risks of a surveillance state, and we end up with few of the benefits and many of the costs.

    Also, why do I crave a mint julep?

    1. Do you have reliable data for that? Or is that just one of the often propagated tech myths that “old people” don’t have tech and/or can’t use it?

      I very much doubt that. Sure, there might be fewer mobile phones in the older demographics, but on the whole many if not most of them will have caught up by now and have one. We’re in 2020, not the 1990s.

      1. Agreed, but they are used differently. My mother has an iPhone last updated in 2017, and my dad’s iPhone is locked in a drawer so it doesn’t get damaged. These are apps that need to be downloaded, and possibly OS upgrades… It ain’t going to happen very widely.

      2. inews reports 18 per cent of over 75s have smartphones compared with 95 per cent of 16-24-year-olds. So, no myth. Chum.

    2. And this absolutely misses the point. The usage of Contact Tracing apps (if they work as promised – for doubts see article above) will not prevent the user from getting infected, but it will limit the spreading of the virus, when you go into self isolation in case you receive a message that you’ve been in contact with a potential carrier. Therefore it doesn’t matter if everyone has a mobile phone, as long as a sufficient number of people have one and are using the app.

    3. It doesn’t matter. These apps don’t protect the user of the app, they protect other people from potentially getting infected. The over-70s are currently supposed to be isolating themselves, so there is little benefit from them using such an app.

      1. 1.5m over 70s with special health problems must isolate. The rest can go to the shops – and do. So it does matter.

  3. Got this via Farber’s IP list…

    Your points are well-taken, but sometimes do-somethingitis is not so bad. If the contact information is in your phone and revealed only when you turn up sick, then the trolling is less of a problem. The technical issue of BT going through glass, etc is unfortunate but the notification doesn’t have to be absolute. It can be a warning: “You might have encountered a CV19 positive in the market.”

    Others at MIT are working on a cryptographic approach. Larson, Raskar et al:

    If anything, these apps get people to take distancing and quarantines seriously.

    1. Good thoughts! I have a few comments below.

      Disclosure: I work at Google.


      I think the keyword here is bandwidth. Health authorities can keep doing manual contact tracing. At minimum contact tracing tech can help them reach people who they might never talk to due to lack of bandwidth or lack of contact information.


      Again, they can keep doing this. The new tech will assist them to reach out to more people.


      I don’t understand why this is relevant. Could you please elaborate?


      People can’t test themselves. They need to talk to a doctor who will report their ID and location data to health authorities, if they test positive. Health authorities can still know the identity of all infected cases, but nobody else should know (unless the patient decides to disclose themselves).


      Only health authorities can insert new patients to the database of infected cases.

      >Sixth, there’s the human aspect.

      I agree that this is not ideal. Maybe the app can do some risk-based calculation, and only raise an alarm when the person is in close contact with X people.

      > Seventh

      This is why we want to build this into iOS and Android. We want to be able to update the software regularly. I agree that crypto protocol should allow health authorities to adjust parameters based.

      1. If it’s built into the phone OS, then it won’t be a voluntary feature very long. The UK gov will certainly insist that Apple and Google enable it unilaterally, because there’s nothing stopping them doing so.

  4. Hello,

    There would be no more privacy concerns due to this app. Google can already track you if you have accepted the terms of the agreement. The problem I see is somewhere else. The basic principle of this contact tracing is about accurately determining one’s position with respect to GPS coordinates using Google Maps and then performing the calculation of who else was in close proximity. The problem is that this GPS accuracy can vary wildly depending on the hardware module in the smartphone. The good news is that there is technology depending on the latest GNSS (Global Navigation Satellite Systems) by which Google’s Android can determine pinpoint location accuracy in real time. But the catch is you need to have mobile phones which have that hardware. I kept mentioning Google, but the same is also true for Apple’s iOS platform. The question is, there are a few challenges

    1. The government has to mandate everyone to use this technology before they can go out of their front door. You can say it’s like the new NI code so that we are trackable in real time.
    2. NHS infected list + Analytics from our phone to Google / Apple cloud systems need to compute these in real time. You can imagine trillions of data points each and every second or hour (I am sure that can be done).
    3. Since everyone does not have the latest device, they might be using the app, but that would be inaccurate. So there need to be specific devices for everyone going out. I am concerned about the elderly, like my Grandma, who are not keen on using smartphones.

  5. While we’re calling BS, let’s note that Ross, as smart and well-known as he is, really cannot predict what no one else can predict (least of all those with actual medical experience in the area). The truth is that we don’t know whether automated contact-tracing solutions will work – it’s too hard to properly correlate sociology with disease spread for a disease we really don’t understand. They may be a total failure, but rarely is failure complete – we will learn and can update the approach as needed.

    The right approach is to build a system that, in and of itself, is based on privacy and voluntary inclusion – meaning that it simply cannot collect or organize private information without obvious red flags going up – and then make sure it is nimble enough to respond to the facts on the ground as they come out.

    The systems world knows how to do this … we will make mistakes, but it is a bigger mistake to shoot down a novel and promising approach in its infancy. Instead of being part of the problem, why not contribute your considerable knowledge to a solution?

    1. The question for me is, for how long such a solution would remain voluntary, if in real life you would be denied access to public transport, certain business, official buildings etc. if you can not prove you have been “doing your part” by running the app and are therefore a possible public health risk?

      1. Agree with this 100%, plus, how will this not be used to punish populations — if even unintentionally? Is it not foreseeable that someone just coming out of a two-week quarantine couldn’t just as easily be forced back into yet another round another two-week stint immediately upon leaving their house — by simply being around yet another of the unwashed masses? And couldn’t this scenario continue to repeat itself indefinitely for some unfortunate souls caught in the “gotcha” loop? What are the practicalities of this really working without an indefinite and absolute population control? Sure we’re being told NOW as in today that this kind of surveillance will only last until the pandemic is over. BUT what if the pandemic NEVER ends or is with us for another 20- to 30-years? What happens when our governments keep the power tomorrow that is temporarily afforded to them today? In the US the Patriot Act, for example, was supposed to sunset in 2005…it’s still with us in 2020. Therefore, can we not easily foresee a future where we are literally locked in our houses with no recourse and no rights to the contrary? This is indeed a slippery slope…

  6. It would be really useful if, when the app sends you an amber or red notification, it tells you the time that the potential contact occurred. So if you were in your car, or a room with plasterboard walls, you’d know it was a false alarm.

  7. This App would be an invasion of Privacy and no different from the analogue version of snooping which was practised by the Stasi. I am old and prefer not to associate myself with this technological method of snooping – I have experience of the bad old days!

    1. If Corona is bringing in the surveillance state long wanted by governments, then the virus is being misused. The Stasi revisited.
      We are entering a horror society.

  8. For some reason, the blog ignores the main concern that underlies the distributed solution approach: To avoid a situation where a centrally-controlled, opaque database holds information on the minute by minute locations of a large fraction of the population. Such a database should never exist – it is too dire a danger to civil liberties and free society, too strong a temptation to aspiring autocrats. Accepting it in times of emergency and fear is one step too far in a slippery and steep slope.

    All the other “deanonymization attacks” (e.g. the ones described in and later in are of a very different and less austere flavor. They also can be mitigated in a variety of means, while remaining within the distributed approach (as sketched there and also here

    BTW – another very interesting discussion on distributed vs centralized solutions is taking place at in

    1. Contrary to common belief a central database with detailed information about individuals must not be avoided at all cost. With reasonable safeguards against unauthorised use such a database can be maintained with a stable and clearly defined mission by a trustworthy institution.

      As an example, Germany has preserved the records of the former East-German Ministry of State Security a.k.a. Stasi. Collected by a suppression apparatus, these records became mostly – not entirely – harmless overnight as the institution that collected them, the Stasi, was shut down and later replaced with a different one pursuing a different purpose, the Stasi Records Agency. Over time the Stasi records also become less of a risk simply because they are not being amended any more. There have even been attempts to reconstruct shredded files.

      I admit that access control may be a bit easier to enforce for paper files than for digital data in an online system. However, I would love to see a more balanced debate taking into account institutional solutions at least as an option rather than focusing solely on privacy technology. Developing a system that can affect the lives and the well-being of everyone needs sound requirements engineering, which I do not see in the privacy-preserving contact tracing arena (longer version:

      1. I believe you are wrong. I recollect being told that the records of the East German cancer registry, including who had been exposed to risk but not yet shown symptoms, were deleted under West German Data Protection laws. This was despite a statistical analysis that this would lead to 25,000 avoidable deaths by halting the programme of routine checks.

  9. Given a choice between a supermarket that required all shoppers to use the app and prove they have not been given an isolation order, and a cheaper supermarket, I would spend my money at the former. Likewise for pubs, churches etc. (different opening hours for app users would also work)

    As a landlord, if many people have the app I would not allow a person who is not using the app to view a property I had to rent, likewise when choosing the trade people to use.

    Employers (other than key workers) could be required to prove social distancing between staff with the option to require all employees to use the app if not able to prove social distancing 100% of the time.

    Access to same-day food deliveries from a supermarket of my choice when ordered to isolate (maybe along with income protection) would give a strong incentive to use the app.

    Access to testing for anyone with symptoms who has been using the app within the previous 5 days would also provide a strong incentive.

    Let’s remember that requiring enough randomly chosen people to remain at home can get R0 under 1, I considered a tracking app to be worthwhile if it results in fewer people being confined to their homes.

    1. 10500 on average have been dying in this country every week over the last 5 years from a number of causes. 165000 died from cancer in 2018 alone. Nobody thought an app is required. This is only 10000 deaths so far and people will keep dying no matter what. Currently a person with a number of underlying health issues who dies and has Covid-19 is classed as a Covid victim as long as there were respiratory complications. If the same person recovers but then dies from something else a month later, he is just one of that 10500. If this sort of app is made compulsory I’ll be the first one to revert back to Nokia 3310 or just leave my phone at home. You’ll achieve nothing if you think you can force people to use it.

    2. And your insistence that a potential renter have the app, that you’d only shop at supermarkets that demand the app from shoppers, etc… is exactly why such apps should never exist in the first place. Everyone can call them “voluntary”, but when people like you get involved, they become de facto mandatory.

      1. As much as I prefer an app to be voluntary I can also see that in the long run it could be hard for an individual to keep using/obeying the app.

        The use of such an app is first and foremost to protect society. On an individual level you can still get infected but the app helps to limit the potential spread (which is quite a selling point to voluntarily use such an app) but the impact of getting notifications is on the individual level. This can start to wear on people using it… you just visited the supermarket and got a notification to stay home for two weeks… for the third time in a relatively short period (“but the first two times I didn’t feel ill at all”)? And how would one feel after the thirteenth time? Or when you have a special event coming up next week? Your wedding is next week? Maybe the fiftieth time? You have lost a loved one and you have a funeral tomorrow?
        Just uninstalling the app and not participating any longer may start to seem like an increasingly attractive option, very quickly.

        Then there is also the employer side of the coin. Yes, I can see the incentive in favor of making the app mandatory for customers. But what if the situation at work ensures that your employees come in to “contact” (Bluetooth range) with a huge number of people on a daily basis. Think about people working in large offices, restaurants or public transport.
        Having your complete workforce on repeating cycles of a few days (maybe a week) of work followed by weeks of quarantine could be quite the incentive to not allow the use of a “voluntary” app.

      2. I agree wholeheartedly. Once instituted, this will become mandatory and remain a persistent part of society.

    3. How would you verify someone is using the app? How would you distinguish the app you were looking for from a different app that looks the same, or from something as simple as a screenshot?

      Such problems can be solved – consider e.g. electronic tickets – but one would need to design features into the app to support these use cases.

    4. Income protection would make a big difference. I am self employed and being off for two weeks could be the difference between whether I can pay rent or not. If someone close to me tests positive of course I would isolate, but the chances of unnecessary isolation are high with the app and I need to keep the lights on. So I am unlikely to use it.

  10. As a contact tracing app developer (, I understand the criticism and concern. And I agree with most of it.

    However, I also understand how new technologies and products get to the world, and how unpredictable the future is. I don’t think contact tracing is the solution to everything. But I also don’t take it out of this very complex equation.

    Your post reads remarkably similar to Steve Ballmer’s “There’s no chance that the iPhone is going to get any significant market share. No chance”, in 2007. A very knowledgeable person, predicting something in his own field, using good scientific reason and extrapolations in existing data.

    He just forgot to account for time. 😉

    1. Point well made Vitor, time will (I hope) yield options and solutions to the points Ross makes.

      I feel we will need to make hard decisions and technology only goes so far on the ethical points raised. Where countries have already degraded privacy rights should be disturbing given the type of threat we face – unlikely to destroy us; quite likely to change us.

      The cultures of our society will likely seek out:

      + Improved testing and so a result that can be delivered more quickly, more accurately. Convenience is a big driver of adoption.

      + Types of test for example based on what we know of a pathogen’s nature, i.e. people only spread the pathogen in the first X days.

      + Integrate testing, tracing and isolating. i.e. Government authorised testing, like Canada and then integrated with an app, that now affords me rights that might otherwise require me to do an intrusive test – rights to fly by air, rights to attend concerts and events, rights to work at an office 2 days a week with my team and the rest at home… the list goes on. Even the right to book in healthcare appointments – these were hard enough pre-covid19.

      + There might even be fun ways of “paying it forward” as your bluetooth beacon can be set to do so on your behalf – it feels better than being linked to trainer doesn’t it? The restive and networked aspects is not yet explored (from the “hack the crisis” a more diverse community is likely to be a better fit for our a new world. It will come… in time.

      My preference is for voluntary notification and until that point no server (only onboard phone) storage of data. I’m not technical enough to know how this is best done without going via Google or Apple but it should be the option that we agitate for.

      1. Yes, we use it as the basic idea … and I know from other TCN members that they look to it… I know from one app in the store who works directly with the code

  11. Let me rant a while …

    To the state leaders:

    Witch hunting, at the 21st Century, using extreme prejudice ….

    Yes, implement this legislation, however you define it ….
    For the good of the People. Make it a Law.

    But, with a small proviso, with no exceptions to it….

    The people that have the power to pass it as a Law,
    per country,
    I estimate that there will be less than a thousand….
    This number may even be down to a small two-digit one ….
    Regardless… the proviso is:

    Any one of those people, without exceptions,
    must spend six months alone, or, if they have immediate family,
    with all that family, in an isolated house, e.g., a farm house,
    with all the amenities, of course,
    and be *required* to be in contact with a nearby village.
    E.g., shopping, wherever permitted, done not by their lackeys or bodyguards,
    or servants, etc.; by themselves. This also implies that they will
    not do anything out of the ordinary that is required for other people,
    nothing to put them in excess of danger; just normal stuff, like all
    the rest people involved are free / required to do, as circumstances dictate.

    – Hello, John … hello, Jim … , hello, Sarah ….

    Blink … test …. blink … POSITIVE !!!

    (notifications fly over to John, Jim, Sarah, …)

    Now, John, Jim, Sarah …, in their frantic panic, assert between them
    that they went to such and such a place ….. met several people …..
    ‘oh, wait a minute…..’
    and before long, they have figured out certain common contacts….
    effectively planting a flag that says ‘Covid-19 HERE’ … where?
    you guessed it … right at that remote house.

    Doesn’t have to be true … collective wisdom said it is true, right?

    Then the friendly local mob / gang will take matters into their
    own hands, in order to eradicate the infected spot.
    Or, self-styled individuals, Punishers-to-be, may choose to enforce
    Justice, acting for the good of the community, so few have to
    go, in order for the many to live.

    So, we are giving each and everyone of us a gun, with a virtually unlimited
    supply of bullets, and we say to ourselves and others:

    — ‘Here is a gun; here, bullets; the enemy is out there, somewhere; might be
    anyone you meet; go get him; use as many bullets as you wish;
    just make each one count; do not kill the wrong people.
    Any questions?’

    — !! ?? How to discern the good guys from the bad ones?

    — That is something you have to find by yourself.


    Have the above-mentioned proviso along with the Law, and show me the
    politicians/legislators/state leaders that will sign it.

    I despair finding out, in blog after blog, in discussion after discussion,
    that brilliant people, knowing every possible detail of every software
    stack / app / code and what not, every hardware and implementation detail,
    try to convince themselves that
    a driver here, a bandwidth adjustment there, or a privacy-issue-fix/patch/hack
    is more important than the need to train/educate people / point and
    manage the ethical aspects of what power we already are holding in our hands,
    and not giving a moment’s thought about what we are doing: giving
    StarTrek phasers into the hands of unaware individuals,
    hoping that they *know why they have to use them*; and all this for the
    good of the People.

  12. I followed a link from a discussion forum on a totally different subject to get here; I’m not a part of this community but I felt the desire to comment.

    I would imagine that people here are acutely conscious of the fact that “average person in the security research community” is not at all the same as “average person in the UK population”. Sean Paget’s comment is really important: it’s entirely unrealistic to expect all (or nearly all) of the population to have midrange-or-above smartphones with fully updated versions of Android or iOS. Especially when a large slice of those most at risk from this virus is made up of the elderly. Among the over-70s I know personally, there are very few these days who have no mobile phone at all… but there are *plenty* who only have very basic phones, either £50 smartphones that have zero chance of getting OS updates or simple feature phones that don’t do apps in the first place. Has this been considered? I hope so.

    Ian’s comment worries me. I hope I’m doing him a disservice, but it feels uncomfortably like a “90% strategy” comment – ie 90% of the population have access to X, so it’s fine and dandy to require X from everyone for certain things. We see this already with bank accounts, passports and cars – access to many services is already difficult to obtain without those things, sometimes through deliberate government policy and sometimes through a lack of forethought, yet in every case millions of people in the UK don’t have them. The fact that most people using a website like this *do* have them is not the point. Given the have-nots are already more likely to be poorer – and also in poorer underlying health – I would be deeply uncomfortable with an approach that did things like making them lower priority for food shopping. It would effectively tell such people “If you don’t use this app, we’ll make your everyday life even more of a trial than it already is.” That, I fear, would actually contribute to a lot of deaths in the end.

    I accept that in an emergency it’s not going to be possible to find a perfect solution, and that a good method that can be implemented fast may well be better than a brilliant method that takes significantly longer. I also accept that this is an incredibly difficult problem that may well simply *have* no wonderful solution. But I hope everyone working on this kind of app is getting views and opinions of what people would find easy and acceptable – always bearing in mind the skew in results caused by the fact that another of the have-not groups – those with no home internet access – are currently unable to get online at libraries either, since those are closed.

  13. Interesting post. South Korea is so often praised as a beacon of hope. In reality they are in virtually the same state of lockdown as every other country, thousands of businesses are closed without compensation because they had contact with an infected person, normal daily life is severely curtailed, yet they don’t even have the benefit of a significant minority of the population now being immune.

    I would also ask, if you’re as capable and intelligent as your status implies, why spend so much time criticising other people’s efforts to find a solution instead of putting forward your own viable solutions?

    1. Beyond the privacy risks, one thing that wasn’t mentioned is that even with perfect implementation this system will miss infections where no direct human-to-human has taken place i.e. people in the same place but at different times. Some examples of this are door handles, elevator buttons, coins, taking a seat on a bus that was previously used by someone covid-19 positive, etc . So this system has the potential of generating a lot of false positives and false negatives. Currently in countries like the US and UK there is a real problem with shortages in covid-19 tests and the last thing we need is more panic with people thinking that they are infected because they have an alert in their phone and increased pressure onto our testing facilities.

      I am aware that S. Korea did great with something “comparable” to this. Some people claim that is why, it’s unclear when you see other countries like Japan that also seem to have done great without it, probably there is much more into it. South Korea did “this” from the beginning coupled with a huge capacity for testing and they did all this after testing throughout a prolonged period of time. These differences are relevant.

      The delight in the wonders of technology coupled with the sense of urgency and panic can easily get us rushing and approving things that otherwise we would not or do so with insufficient due diligence. However, reverting these things can be extremely hard if possible. These are really strong reasons to think in what we are doing as opposed to question each other’s agenda so this blog post is very relevant and far from being “so much time criticising other people’s efforts”, given the stakes.

      1. No measure is perfect. Luckily they don’t have to be. With COVID19 you need to prevent around 2/3 of all infections to get lower numbers.

        So a combination of hygiene, masks, contact tracing and some social distancing could be enough to keep R below 1.

        This is quite different from the first few cases where not containing a single case can lead to exponential spread.

  14. Matt Hancock’s promise that “All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research, and we won’t hold it any longer than it’s needed” could have as easily come from the mouth of Jeremy Hunt, either before or after the scandal, or for that matter from the mouth of Stephen Dorrell in 1995 when he was denying that the NHS mainframe would infringe patient privacy. There’s no credible guarantee that the data will be deleted once the emergency is over.

    What’s more, a little birdie tells me that the reason for Hancock’s premature announcement of the app was to sideline this story.

  15. What a totally negative blog. Not every ventilator prevents a patient from dying – I think about 50% don’t make it. Does that mean you shouldn’t bother with that technology because there is no guarantee it works every time? I hope this guy has very little influence on the UK government. It amounts to – ‘Well we should do nothing, because nothing is perfect.’ You don’t just give up because you can see the problems. You tackle the problems and with vigour if needs be. There are many things in society that are compulsory, like taxes, driving licences etc. So make the app compulsory. That gets over the critical mass problem. If someone doesn’t install the app and then become ill, well they have been rather irresponsible. They may pay the ultimate price, but so too may their friends, family, partner or parents. That’s called a feedback loop. Make the app smarter. Not just Bluetooth but also geo-location and other criteria such as stationary, moving etc. That would allow responsible users to eliminate certain types of false alarms. And for the anti-social elements in society that think it is fun to muck about with the system go after them, hard. At the end of the day I believe most people would wish to employ every possible tool to combat this disease. I doubt if some casualty on their death bed will be rejoicing in the thought that they die for the cause of someone else’s personal positional privacy. I’m really shocked that a contact tracing and notification app wasn’t high on the government’s agenda from day one, but with the attitude depicted in this blog I can see why.

    1. So you effectively just told my mum, not using a mobile phone at all, or my father-in-law, who can only use a big-button seniors phone because of his arthritis, that they are acting irresponsibly and therefore it’s their own fault if they die and they should not be expecting any help.
      If they had just bought a smartphone and learned to use it at their age, you would then be willing to give them medical help?

    2. So you are more scared of the disease than of losing all your choices.
      Just stay indoors! That’s what the government would be happiest with anyway.

  16. Let’s for a moment pretend that the app is ok, NHS would take care of all the data, government would not use it outside this and so on. Everyone would download the app and use it and we would be happy.

    Even if we would encrypt everything in the app, the moment you turn on bluetooth and wifi, that data goes to the big tech companies and being marketing companies they are more than happy about the situation. They are even now able to tell where the people are as they have provided the info. It’s not only about the app, the OS tracks you.

  17. I’ve really enjoyed reading this blog and everyone’s contribution which has been educational. I am one of those people who don’t have a smart phone – by choice and don’t use apps and frequently forget to take my mobile phone (which just makes phone calls) out with me. I agree that we should not assume more technology and ever more obscure technology is the way to manage life in general, never mind crises. Complex problems require complex solutions and perhaps we should wait to find out what worked and what didn’t before we try to find ‘the’ solution? One of the issues of course is that data is going to be very difficult to tease out – death rates need to be seen in context as I understand it there are 600,000 deaths per year in the UK with Public Health England assuming 17,000 excess deaths annually from flu. Because someone tested positive for Covid 19 doesn’t mean they would otherwise not have appeared in another column of annual death stats. Covid 19 is here to stay and will ultimately be beaten by developing immunity in one guise or another. We need to prepare seriously for the next real pandemic (maybe Ebola or another really ghastly virus) which will kill children and healthy adults rather than the vulnerable group this (rather better behaved virus) is targeting i.e. the elderly and those with underlying – though sometimes not recognised – health issues. And how to manage it without inflicting global ‘lock-downs’ which are unsustainable and will have extraordinary effects which are impossible to predict. It would take years for us to unscramble the lessons to be learnt from this experience (even if the data were accurate and comparable) between countries – just in time for the next pandemic probably. But a good reason not to jump into what look like solutions to this situation but have major unintended consequences – sometimes the practical basics and familiar technologies: good hygiene; good nutrition and good living conditions are the best. And although they are not sexy – everyone can understand how they work!

  18. To what degree does the success of this endeavor depend upon:
    (1) the assumption that most folks have a bluetooth-enabled phone
    (2) the assumption that most folks haven’t turned bluetooth (or their phones) off while out and about
    (3) the assumption that folks may simply (rebel and) leave their phones at home


    1. To work it does not need “most folks” to use it, just enough of the people who have the most contact with other people.

      It could be as simple as only opening up pubs/bars to people who have used the app for the preceding 14 days.

  19. Given public-health authorities will be developing the apps, I’d already seen floated (possibly by people given deeper briefings by Apple, Google, or authorities) that the “I’ve been diagnosed” button will also require some kind of identifying element that’s unique and can’t simply be replayed.

    In one scenario, the app would deliver testing results and then be used to let you choose to trigger the release of the daily tracing keys.

  20. Probably asking all the wrong questions! or all the correct questions, but necessarily in the right order!

    – What use will such an app have, if you cannot leave home?

    – How many folk clean their mobile device after touching it or making a call?(or wash hands after touching it?) CV-19 can survive on hard surfaces.

    – What advice has or has not been given to care providers for those compassionate folk who may wash hands, but not a mobile device in a third parties residence?

  21. Interesting article with some valid points from everyone.

    Q1. What’s a mobile app?
    Q2. What if I don’t own a mobile phone?
    Q3. Any questions?

  22. CLUMSILY DESIGNED decentralized systems are a pain to update. Pretty much every really bad update problem we have is the result of somebody shoving something out the door without thinking about the future.

  23. I find that most “If I were in {position} I would do {act}” statements are basically useless.

    For example, one commenter said that if he was a landlord, he wouldn’t allow someone who isn’t using the app to view his property. Strong words from someone who isn’t a landlord.

    I don’t know UK law, but in the US regions with the highest COVID density, refusing to allow someone to view will almost always result in legal action. A not-landlord might think that govt would back him up, but landlords know that govt doesn’t work that way.

    “Govt won’t do that this time” is laughable.

    Yes, some people would pay more to shop at a store that required use of such an app, but [1] The relevant people won’t and [2] stores have the landlord problem that I mentioned above.

  24. If this Appappa is made mandatory, then there will probably be a Bluetooth-proof pouch for sale that will let you “isolate” by just isolating your phone.

  25. Manual tracing has its limits. Who was with me on that bus? Also, it’s slow and does not scale.
    Digital contact tracing may be a useful complement. Of course it has limits, like the manual tracing does, and of course it requires that lots of tests are done but this must be done anyway if we want to lower R0 and contact tracing helps in making tests more efficiently.
    Trolling is a minimal risk. How many dogs running in parks with a cell-phone can you have?
    Also, this kind of contact tracing does not have to solve all the problems. It isn’t the best tool to support decisions on where to build field hospitals, those decisions are not taken based on contact tracing.
    False positives may happen but it minimizes false negatives which are a lot with contact tracing based on memory. No tool is perfect but different tools can complement each other. Probably signal strength and contact duration can be tuned in order to minimize false positives. As you said we don’t have much experience, which is true for any new technology. These don’t seem insurmountable issues.
    User experience is certainly something that can be critical and also voluntary adoption can limit the effectiveness but I can imagine lots of ways to incentivize the use of these tools. For example some restrictions may be released when using these tools.
    In the end, manual contact tracing is the thing we should compare to. It has huge scalability issues, it’s not designed for a pandemic we have to live along for months, it’s slow, it has more privacy issues (health data leaks will keep happening), it misses lots of contacts because you will never be able to tell who was with you on the train or in that shop.
    No technology is perfect, with a well designed system I don’t see big privacy concerns (again, the non-anonymous manual tracing is the comparison) and in the end, if well deployed and supported, it has the potential of delivering many benefits. Worth trying.

  26. “ the Russians will use the app to run service-denial attacks and spread panic”

    Oh, thanks! Russian here. It must be the norm among modern British intellectuals to use the lexicon that was used in your country toward Jews less than a century ago.

    1. I see your point, but in Russia they do the same simplification all the time. Apart from that “the Russians” might be inadequate, but “the Jews” refers to a different category. The Jews aren’t a state.

  27. Use of the app is voluntary. I wonder how many SIROs, Data Protection Officers, DP practitioners or others working in the DP, privacy and ethics fields will download it?

    Not many I suspect…

  28. I think there is a fundamental misunderstanding about the benefit of such an app.

    Most misunderstandings have already been explained in the commentary of Thai Duong:

    I would like to add one important thing:

    If I as a user get the message “Please stay home because you have had contact with an infected person”, then I should do so because I am potentially infected.

    This does NOT protect ME from infection, but I PROTECT OTHER people I would have met in the future. Other people who may not have a smartphone or the app.
    Voluntary use would be a selfless service to society and a protection for others. The trust for such an app can only be earned with anonymity and transparency (open source). This should also be communicated honestly.

  29. From the start on – of all these fashions – I never gave Apple or Google (or Facebook or Twitter, or Paypal, etc.) my data, also I never owned a mobile phone. Simply because I’m a grown & thinking person. And I live a good, gemütlich life. Without hustle and bustle.
    One does not even think how well one could live without the inventions of the year 2500.

  30. – have an app that chooses a random 256-bit ID regularly (say, automatically once a day, and whenever the user pushes a button)
    – log your own set of IDs with times (selflog)
    – broadcast ID via bluetooth
    – log times, durations and locations of other IDs seen (otherlog)
    – if you get sick, let the health officials have the selflog for the time you were infectious
    – officials put the anonymous IDs in a public database
    – app checks public database regularly against otherlog
    – user is notified if an otherlog entry matches and the duration is greater than a threshold
    – if you are privacy-conscious, log only ID and duration in the otherlog

    This achieves the following:
    — your contacts are anonymous
    — limited deanonymization for officials
    — otherlog optionally provides time and place of contact to user, but nobody else
    — attacker needs to subvert a huge number of phones to achieve tracking
    — safe against trolling
    — not safe against copying IDs (use cryptography here, see Apple/Google)
    — notifications for “strangers on the bus” (uni meetings are already easily dealt with)
    — surveillance device at supermarket can get retrospective epidemiological data on how many infected people went shopping
    — if they have a logger near a cash register, they could retroactively identify sick people if they were allowed to merge the data sets
    — but they’d get notified via contact tracing as-is anyway
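
The scheme in the comment above, modelled end to end as an added example (not the commenter's code and not any deployed app). The class and method names, the 15-minute threshold and the choice to sum repeated sightings of one ID are assumptions; like the comment, it does nothing about copied IDs.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

ID_BYTES = 32          # 256-bit random ID, as the comment proposes
DAY = 86_400           # seconds
THRESHOLD_S = 15 * 60  # assumed notification threshold; the comment names no value


@dataclass
class Phone:
    """Hypothetical handset holding the comment's two logs."""
    log_context: bool = True                      # False = otherlog keeps ID and duration only
    selflog: list = field(default_factory=list)   # [(start_time, own_id)]
    otherlog: list = field(default_factory=list)  # [(seen_id, duration_s, time, place)]

    def rotate_id(self, now):
        """Choose a fresh random ID (once a day, or on a button push)."""
        self.selflog.append((now, secrets.token_bytes(ID_BYTES)))
        return self.selflog[-1][1]

    def observe(self, seen_id, duration_s, now=None, place=None):
        """Record a broadcast ID heard over Bluetooth."""
        if not self.log_context:
            now, place = None, None               # privacy-conscious mode drops time and place
        self.otherlog.append((seen_id, duration_s, now, place))

    def release_selflog(self, infectious_from, infectious_to):
        """IDs handed to health officials: only those in use during the infectious window."""
        released = []
        for i, (start, own_id) in enumerate(self.selflog):
            # An ID stays in use until the next rotation (or forever if it is the latest).
            end = self.selflog[i + 1][0] if i + 1 < len(self.selflog) else float("inf")
            if start <= infectious_to and end > infectious_from:
                released.append(own_id)
        return released

    def check_exposure(self, public_db, threshold_s=THRESHOLD_S):
        """Match the otherlog against the public database, entirely on the phone."""
        totals = defaultdict(int)
        context = defaultdict(list)
        for seen_id, duration_s, when, place in self.otherlog:
            if seen_id in public_db:
                totals[seen_id] += duration_s     # assumption: repeated sightings add up
                if when is not None:
                    context[seen_id].append((when, place))
        # Notify only when the duration is greater than the threshold.
        return {i: (t, context[i]) for i, t in totals.items() if t > threshold_s}


def demo():
    """Constructed scenario: Alice falls ill; Bob and Carol were near her."""
    alice, bob, carol = Phone(), Phone(), Phone(log_context=False)
    ids = [alice.rotate_id(day * DAY) for day in range(4)]

    bob.observe(ids[0], 1200, now=3_600, place="bus 7")            # before Alice was infectious
    bob.observe(ids[2], 300, now=2 * DAY + 3_600, place="shop")
    bob.observe(ids[2], 700, now=2 * DAY + 30_000, place="office")
    carol.observe(ids[2], 120, now=2 * DAY + 3_600, place="shop")  # brief, and context dropped

    # Officials publish only the IDs Alice used while infectious (day 1.5 to day 3.5).
    released = alice.release_selflog(1.5 * DAY, 3.5 * DAY)
    public_db = set(released)
    return ids, released, bob.check_exposure(public_db), carol.check_exposure(public_db), carol.otherlog


if __name__ == "__main__":
    ids, released, bob_hits, carol_hits, _ = demo()
    print("IDs published:", len(released), "of", len(ids))
    print("Bob notified:", bool(bob_hits), "Carol notified:", bool(carol_hits))
```

Bob is notified only for the day-2 ID, whose two sightings total 1000 seconds; his longer contact on day 0 falls outside the released window, and Carol's 120-second sighting stays below the threshold.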

  31. Tracer apps are used against their users. There is no personal benefit, and they are unreliable as some people decide not to use a smart phone or leave it at home on purpose, so they won’t be locked up. This is a social problem and any attempt to fix this by technology must fail.
    The Chinese approach – and the tech evangelists in the western world ignore this for obvious reasons – consists of:
    – you don’t use the app, we will send people out to survey you at home. You don’t want this.
    – you’re positive: stay home, get bonus money if you do and let us check you with the app (yes, they get more money. Check this.).
    – we can and will control you everywhere – but we will treat you better if you comply.

    So for Chinese citizens it is positive to use the app, because if you don’t…

  32. Contact tracing is dead. It’s over. It’s too late. The horse is out of the barn and running down the road. Everyone is already exposed. There is no point to tracing contacts for millions or billions of people. It’s absurd. Find another problem to solve.

  33. And like most other studies, missing another point that nobody wants to bring up.

    The Google/Apple effort is focused on Android Marshmallow 6 and iOS 13 and newer. Or phones sold to post-paid subscribers. In the United States, most subsidized and free phone access is on Android software OLDER than Marshmallow, and most poor users are on iOS older than 13 because they refuse to upgrade their devices.

    Not only is this an entire class of users ignored (ignoring the “essential workers = too poor to matter” arguments for a second) but probably the most vulnerable users who will get those using contact tracing-eligible devices sick and they would never see it coming or get others properly warned.

  34. 90% of your reasoning doesn’t hold up to scrutiny. Those are weak arguments against this kind of technology. Makes me happy. Thanks.

  35. There’s a lot of straw man argument in this piece. For example “someone you’ve been near in the past four days has reported symptoms, so you must now self-isolate for 14 days.” Nobody is proposing that. It’s not in the Apple / Google spec – they leave the contact experience up to the Health Authority. Likewise for PEPP-PT. Singapore specially manages contact via the Contact Centre. Sure, there are problems with automated contact tracing. But there’s also lots of problems with manual contact tracing. This item is a polemic wrapped up in reasonable words, it’s not a reasoned discussion – beware.

    1. Singapore’s case numbers have taken an upturn since about a week ago.
      It could indicate that contact tracing alone isn’t doing enough.

    1. Your Medium article has several weaknesses.
      a) testing is a limited resource since it depends on chemicals that are hard to produce in quantity.
      b) contact tracing AND testing, not OR: both are tools that bring transmission down
      c) locking down 8% of Canada would be better than locking down all of it
      d) BUT your numbers are high because
      — you used cumulative data, not new cases (or new cases for a week)
      — you assume “3 contacts per day” are independent, but there is overlap between them (meet many people again)
      — and also overlap among the infected. If Person A is in a meeting with B, C and D, then your calculation for B, C and D makes it look like 9 people need to be notified when it’s only 3
      e) testing doesn’t work on people who are infectious but don’t know it because they are not yet sick. The only way to quarantine those is by contact tracing — or by locking the whole country down.
      f) contact tracing makes testing more efficient because it identifies an exposed subgroup with a higher probability of positive tests. This is useful when the number of tests is limited (which it is).
      g) you can TEST MORE people if you identify a larger exposed group-which is what you want. Even with your bad numbers, contact tracing makes 8% of Canada at-risk; no contact tracing means you have to test 100% every two weeks, and that is impossible.

  36. Hello @all. Thanks for this great article first.
    I am from a German team working on an app as discussed here, called Our Health In Our Hands ( ). We have a discussion page for this article on our site ( non-public until the author accepts it ).
    We are very happy to get your input, as a respected programmer, on our work in general.
    And we hope that everybody here will read our possible solutions for it. Please see it as a possibility to change the problems in the case of apps with us.
    We are part of an open-source and non-profit team all over the world organized in
    We think apps will come; it is only a question of time… and we hope to make the best for everybody out of it… not because we think that apps are the best (or that our app ohioh is the best)… no, because we think that it is important that somebody looks at this and makes an open-source project to make the idea behind it better step by step…. Thanks for this article, and we wish that you, Mr. Anderson, go into discussion with us and influence us by this <3 best regards from all over the world

  37. Is Bluetooth even the best option for such a system? I mean, do we know the implementations of the software stack are even capable of running such a system?

    There are lots of phones out there, running many, many different kernels and even though this will be baked into Play Services, there will still be the need to ensure this system can run flawlessly on the thousands of different device models, OS versions, kernel versions, security patch versions, application versions, CPU architecture and so on.

    Yeah, this is going to be an absolute mess and in 12 months we’ll reflect and see what a terrible idea this whole thing was.

    Seriously, if you’re from 2021, 2022 reading this comment, think about April 2020, think about June/July 2020, think about the media reports that happened as a result and think: was this really a smart idea?

    No. And I’m saying this in April 16th 2020, and I can tell you even though June isn’t here yet it’s a complete failure.

  38. might be of interest – it’s a specification of how to do distributed contact tracing in a privacy-compatible manner.

  39. While you guys are using the Internet or Social Media, your activities are already being tracked and traced.

    The contact tracing App may not be a perfect solution, but it is much better than locking down the city. It is an easy decision for the government because they still can get paid. However, there are many out there who will lose their jobs.

  40. A simulation shows that contact tracing apps don’t work well, and if they are used only by the most careful 60% of the population the effect is basically nil. Report (in Dutch):

    Google translate:

    Simulations show that corona apps are not working

    Contact person: Prof. dr. Frank Dignum (Utrecht University & Umeå University, Sweden) (email:

    Last Monday, more than sixty scientists sent a burn letter to the government
    in connection with the development and use of tracking and tracing apps. Two members of our team
    were co-initiators of this letter. This letter not only indicated that it would be very careful
    the use of these apps should be considered, but also asked the minister to first
    see if these apps are the right ones to use when removing restrictions.
    A process is now underway in which a track and tracing app is selected within a few days
    should be out of more than six hundred submissions. It is like asking someone to choose which one
    bicycle is the best to ride on the highway. First let’s see what support now
    is necessary and helpful in removing restrictions. Otherwise we will really be riding a bicycle on the highway
    drive and many more victims.
    Our team of international researchers has built a simulation tool to assess the consequences of
    simulate policies during the COVID-19 crisis ( With
    Using these simulations, we looked at the effectiveness of tracking and tracing apps in the
    current situation. There is talk of a magical limit of 60% voluntary use of the apps
    above which it would be effective. However, a certain degree of effectiveness is only achieved if it is
    60% is randomly distributed across the population. In practice, it is rather the people who are careful
    (and therefore less likely to be infected with the virus) who will use the app.
    If we take this into account, we see that when using the app by 60% of people, the effect
    is about nil.
    Suppose that more people start using the app or that use is made mandatory. Then
    Although the effectiveness increases, but only if all contacts are also tested properly. We see
    that the number of tests that must be done increases enormously, or that a lot
    people should sit at home. So the excess part of the contacts must be tested. We
    can show on that basis that random testing of a section of the population approximately
    delivers just as much. So we conclude from this data that the app is in no case (at
    more or less than 60% use) makes any contribution to a virus-free Netherlands.
    The question then is who will be held responsible if apps are nevertheless developed
    and are used and do not seem to help? The app developers because they are not good
    have delivered quality? (note: in our simulations we assume that the apps are technically
    100% work well! For example, if they do not register all contacts correctly, the effect of the app will still be
    worse). We have also not yet talked about all kinds of ways to cheat with the apps.
    Each of those elements make the app even less effective.
    We cannot do this in the short term (this or next week) with experts from different disciplines
    sit together and see what else is possible and desirable about the intelligent lockdown
    to (partially) cancel? For example apps that indicate how busy it is in certain places so that
    you can avoid or test risk groups in a systematic way,. For all of these
    solutions are also examples from other countries where this works. let’s not focus on it
    a possible technical solution and thereby forget other and possibly much better solutions.
    Below the results of the simulations run with ASSOCC ( A peer
    reviewed article about the tool and our approach will be published in the International Journal shortly
    on Mind & Machines.
    In these simulations we used a city with 1000 synthetic persons. We have
    assuming that approximately 1% of people are still infected when the restrictions were lifted. In the
    simulation there are 4 ticks in a day.
    We can see the following results. First, the number of people infected with different ones
    percentages of use of the app.

  41. Is there not a low tech solution that does not need Bluetooth?
    1. Each user registers with a site with a valid email address
    2. User voluntarily enters the email address and location post code of people they “meet” or shops they visit – each shop could have email address displayed or QR codes ..
    3. User has access and control of their data.
    4. In the event of getting the virus, user can send an alert to all the email addresses on their contact list that match…
    this would work both on a web site or a phone…and relatives could complete for older people without smart phones.
    5. Controls over people trying to spam.
    My concern is that we go down a high tech route that promises much but simply does not work in practice

  42. No-one thinks a vaccine should be deployed generally without clinical trials first. We are in a position with contact tracing apps that not only have they not been trialled, we don’t even have a trial methodology to evaluate their medical AND social consequences.

    By all means develop them so they might provide protection from future outbreaks, but deploying them fullscale now will leave us open to unforeseen consequences

  43. It’s only going to work if the group is small and everyone uses it. Otherwise it will just create chaos. Can’t see it working when done by Google or Apple. Knowing their practices we will find out 2 years later that it was used for 5 other things.

  44. This interesting analysis of the effects of a data processing screw-up shows that contact tracing does really save lives – though this refers to the whole system, with human tracers, rather than just the apps
