Computing Community Consortium Blog

The goal of the Computing Community Consortium (CCC) is to catalyze the computing research community to debate longer range, more audacious research challenges; to build consensus around research visions; to evolve the most promising visions toward clearly defined initiatives; and to work with the funding organizations to move challenges and visions toward funding initiatives. The purpose of this blog is to provide a more immediate, online mechanism for dissemination of visioning concepts and community discussion/debate about them.


What is the right information architecture for digital contact tracing?

August 19th, 2020 / in COVID, research horizons, Research News / by Helen Wright

The following is a guest blog from John Langford (Microsoft Research) and Stefano Tessaro (University of Washington) on finding the right information architecture for digital contact tracing.

The information architecture of a system defines who has access to which pieces of information. Contact Tracing is inherently a process of data collection — therefore, the choice of information architecture has a profound effect on who is willing to work with the system and how effective it may be. In order to rationally consider the information architecture, we must define a goal for the system. Clearly, the primary goal must be epidemiological effectiveness in suppressing the spread of disease, but how should that be done? There are at least two distinct and intrinsically opposed approaches available. We could take a Surveillance of Society approach which enables data collection through easily available channels, such as phone networks, subpoenas, credit card information, etc. with the goal of allowing public health authorities to determine which people are close to which others at any given time. This approach could be epidemiologically effective. However, many would consider it unacceptable as it is prone to abuse by the government.

To succeed epidemiologically, data collection must necessarily occur. However, the data collection could (and should) be done by individuals instead of governments. In this Trust-Limited approach, people voluntarily provide information about the places they have been and the people they have met who are at risk of infection. In particular, the individual can choose to give relevant information (or not).

The Surveillance of Society approach and the Trust-Limited approach are antagonistic, since if you do half of one and half of the other, it fundamentally does not work well. For example, surveillance of half of society could easily destroy trust by the other half of society, implying that people do not choose to share information. It is also important to note here that successful suppression of the disease via contact tracing is a whole-community endeavor, since if only half the community takes part, constant reinfections will occur from the other half.

Between the Surveillance of Society and Trust-Limited approaches there is a natural preference for Trust-Limited approaches based on civil rights grounds. However, it is also the preferred approach based on cost, manpower, and a robust track record of epidemiological effectiveness. The Trust-Limited approach requires hiring people to handle the case management and contact tracing process, but it requires hiring substantially fewer than the Surveillance of Society approach since voluntary data collection is easier and more accurate by default. For example, phone-based location data is often inaccurate by (say) 100 meters. Government-sponsored collection of all phone data (as was done by Israel) results in datasets that have the potential for substantial false positives. On the other hand, if you simply ask people where they were, you can get much more accurate information up to the limitations of personal memory.

Once we have adopted a Trust-Limited approach, it is important to understand that SARS-CoV-2’s quick transmission makes it essential for contact tracing to move even faster (see here, Figure 3). How then can the most trustworthy approach to contact tracing be created? We can minimize abuse of trust by design and policy. Viewing with the trust lens, we can try to answer questions about how to improve manual contact tracing through digital elements without introducing serious unforeseen drawbacks. Here are some examples of natural questions.

  1. Should we create a national database for contact tracing interviews and case management? No. A national database requires more trust, because more people would have access to the information, and the potential for abuse is therefore far greater. However, there should be a mechanism for confidential sharing of contacts across jurisdictions since people sometimes travel between communities (e.g. those who work in a different state from which they reside).
  2. Should we create local community databases for contact tracing interviews and case management? The sheer scale of contact tracing required to suppress the virus suggests that ’yes’ is the right answer epidemiologically, because of the greater degree of organization that this allows for containing spread within a community. At the same time, it is imperative to have a plan for how this information is transformed, parceled, aggregated, used, and eventually removed so as to maximize the trust within communities where contact tracing interactions take place.
  3. Should we use digital assistance for manual contact tracing? Yes. There is considerable opportunity for digital assistance to make manual contact tracing more comprehensive and efficient, since obtaining information from cases and potentially exposed individuals via interview can be a challenging and time-consuming process. We can easily imagine a web app or a phone app assisting the transcription of information, with a phone app able to help more via contact lists or reminding people where they have been. At the same time, this all must be done in a manner that is trustworthy. For this reason, and because accurate information is vital to public health efforts, a human should be involved, to both foster trust and as a way to triage and interpret information that is generated by an application.
  4. Should we enable public health to easily send and receive public messages? Definitely yes—there is high potential to help prevent spread of the disease and one of the requirements for trust is good communication.
  5. Should we have laws preventing use of contact tracing data for non-epidemiological purposes? This is a good idea, because it helps create trust in the contact tracing interview process. Let’s allow the normal law enforcement process to run independently of the public health process so the public health process can be unimpeded by lack of trust. As an example, an unauthorized immigrant should not fear that the information they give in a contact tracing interview will be used to deport them or their friends.
  6. Should the code for digital assistance be open source? Should the code pass security reviews? Yes, because open source and security reviews create trustworthiness.
  7. Should we enable exposure notification apps as defined by the Google/Apple protocol? Yes. This is an experimental approach to assisting contact tracing based on proximity broadcast and recordings. Deployment of these protocols in a trustworthy fashion is unlikely to harm manual contact tracing approaches so they are a reasonable experimental technology. Since these have been particularly controversial, we detail here some responses to arguments against these approaches.
    1. “Equity”: some are concerned that these approaches are meant to replace the normal manual contact tracing process, and in so doing leave some subpopulations without the protection of manual contact tracing. This appears to be a mistaken understanding since we know of no serious proponents of exposure notification approaches who are proposing replacing the manual process. Instead, the opposite seems reasonable: to whatever extent exposure notification might be useful for some populations, it allows more manual contact tracing resources to be dedicated to other subpopulations.
    2. “Ineffectiveness”: some are concerned that these approaches are ineffective because they require a very high adoption level to replace manual contact tracing. These digital tools, like any new technology, do not yet have a strong evidence base. However, since proponents of digital exposure notifications are proposing supplementing rather than replacing the manual contact process, and reasonable proponents insist that any deployment should be done responsibly so as not to make things “worse” (e.g., by sowing confusion), this argument does not withstand scrutiny. Indeed, even at relatively low levels of adoption, it’s possible that there are subpopulations with high adoption where it may be helpful. Furthermore, disease suppression is a matter of numbers: if you manage to catch, on average, enough transmissions to bring the effective reproduction number below 1, we all win. Exposure notifications don’t need to catch all or even most transmissions to enable crossing that threshold—instead they just need to catch marginally more than current methods, without causing harm. Furthermore, there are scenarios (such as mass transit) where other approaches typically fail, but exposure notifications might succeed and be extremely useful.
    3. “Misconfiguration”: some are concerned that these approaches might be misconfigured. For example, a system with self-reports may result in spamming and system breakdown. That is entirely true, but the exact method and criteria for exposure notification authentication are essentially a configuration choice. In places with an effective public health infrastructure, the right configuration involves just authenticated positives. For uses of the Google/Apple exposure notification protocol, authentication from local public health authorities is required by policy.
    4. “Experimental”: some are concerned that the approach is experimental and hence likely faulty. The right definition of ’contact’ for exposure notification is indeed quite unclear and measurement errors in Bluetooth signals are nontrivial. Because of this, the right guidance from an exposure notification may significantly differ from the manual contact tracing process. For example, the outcome of a manual interview might be “please isolate and request a test” while the guidance from an exposure notification event might be “please contact public health for follow-up”.
    5. “Attackable”: some are concerned that the exposure notification approach is vulnerable to (say) a shopkeeper with a phone, a camera, and a credit card transaction record. This is unquestionably a valid approach to de-anonymize someone, but the goal (again) is not perfect anonymity. Achieving perfect anonymity is not possible in general, so tradeoffs are inherent in the choice of protocol. Existing decentralized approaches offer a good compromise between the amount of trust you must put into a system for it to work and epidemiological effectiveness compared to other proximity protocols. Note here that as long as we leave exposure notification response up to the discretion of someone who tests positive, well-known, large-scale attacks on the protocol will simply result in it not being used. People will simply choose to not respond to exposure notifications or provide their keys if they become infected.
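To make the "who holds which pieces of information" question concrete for the decentralized proximity-broadcast design discussed in item 7 (and the authentication point in 7.3 and the key-sharing point in 7.5), here is an added illustration. It is not code from the post, from its authors, or from the Google/Apple implementation; it is a deliberately simplified model in which the key derivation (HMAC over a period index), the number of periods per day, and the single-use verification code issued by public health are all assumptions for illustration and do not follow the real protocol specification.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed value: rolling identifiers per day in this toy model.
ROLLING_PERIODS = 6


def derive_identifier(daily_key: bytes, period: int) -> bytes:
    """Rolling proximity identifier for one period, derived from a device's daily key.

    Holding the daily key lets anyone regenerate every identifier it produced that day;
    without the key, the broadcast identifiers look like unrelated random strings.
    (Assumed construction, not the real protocol's.)
    """
    return hmac.new(daily_key, period.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Device:
    """A phone: its own daily key plus the identifiers it has heard. Nothing leaves it
    unless the owner decides to upload after a confirmed positive."""
    name: str
    daily_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    observed: set = field(default_factory=set)

    def broadcast(self, period: int) -> bytes:
        return derive_identifier(self.daily_key, period)

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)

    def check_exposure(self, published_keys: list) -> bool:
        # Matching runs on the device: regenerate identifiers from each published key
        # and compare against what this phone itself recorded.
        for key in published_keys:
            for period in range(ROLLING_PERIODS):
                if derive_identifier(key, period) in self.observed:
                    return True
        return False


class HealthAuthorityServer:
    """Holds only verification codes issued for confirmed positives and the daily keys
    those people chose to upload. It never sees who met whom."""

    def __init__(self) -> None:
        self.valid_codes: set = set()
        self.published_keys: list = []

    def issue_verification_code(self) -> str:
        code = secrets.token_hex(4)
        self.valid_codes.add(code)
        return code

    def upload_keys(self, code: str, keys: list) -> bool:
        # Only authenticated positives are accepted, which is the configuration choice
        # the post describes as the answer to the spamming concern.
        if code not in self.valid_codes:
            return False
        self.valid_codes.remove(code)  # single use
        self.published_keys.extend(keys)
        return True


def simulate() -> dict:
    """Constructed scenario: Alice and Bob share a bus ride during periods 2 and 3;
    Carol meets no one. Alice later tests positive and chooses to upload her key."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    for period in (2, 3):
        alice.hear(bob.broadcast(period))
        bob.hear(alice.broadcast(period))

    server = HealthAuthorityServer()
    spam_rejected = not server.upload_keys("not-a-real-code", [carol.daily_key])
    code = server.issue_verification_code()
    alice_uploaded = server.upload_keys(code, [alice.daily_key])
    replay_rejected = not server.upload_keys(code, [alice.daily_key])

    return {
        "spam_rejected": spam_rejected,
        "alice_uploaded": alice_uploaded,
        "replay_rejected": replay_rejected,
        "bob_exposed": bob.check_exposure(server.published_keys),
        "carol_exposed": carol.check_exposure(server.published_keys),
        "keys_on_server": len(server.published_keys),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The point of the model is the data flow, not the cryptography: the server ends up holding one key from one verified positive and no record of encounters, each phone keeps the identifiers it heard and does the matching itself, and an upload happens only when the infected person chooses to make it, which is the discretion the post relies on in 7.5.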