This article is the second installment of a two-part series. It reviews the alternative, non-centralized approaches to contact tracing currently being implemented in many Western democracies. The first installment described South Korea’s centralized approach to contact tracing and the legal impediments to its implementation in other countries.
As it currently stands, the legal impediments to centralized contact tracing have essentially reduced EU countries to adopt non-centralized alternatives. Most have involved voluntary cell phone apps, employing proximity detectors such as Bluetooth to record when one phone comes into close range of another. Depending on the country, non-IT outreach efforts have also been enacted locally and regionally, using interviews and phone calls to identify contacts and inform them of potential interaction with infected individuals. As described in the first installment of this series, such a manual approach to contact tracing is often labor-intensive and uncoordinated, diminishing mitigative power, especially when compared to the centralized approaches of countries like South Korea.
Unlike locational tracing, proximity-based methods like Bluetooth do not collect any information about where contact took place, avoiding the legal challenges of a privacy breach. Many of these apps also do not record the exact time of contact, using less specific blocks, such as “last twelve hours” or “past three days” to report results. This too is a way of avoiding privacy concerns. Unfortunately, the lack of locational data abrogates the possibility of rapidly deploying decontamination teams, as done in South Korea, to disinfect environments known to have been traversed by newly diagnosed patients. The lack of integration with other information sources (such as credit card transactions) also diminishes the ability of proximity-based methods to motivate real-time public health responses in an incident-specific manner, severely limiting support for community-level mitigation.
Regardless of any endorsement by government entities, the legal basis of proximity-based apps is established through the “user consent” domain of the GDPR. This consent occurs when users install the app and approve the data collection agreement. The problems with a voluntary approach, however, are many. The first and most obvious is the rate of use. Whereas a centralized approach will automatically incorporate data from the entire population, voluntary ones are at risk of not achieving a critical mass of users. Even in Ireland, which currently has the highest reported voluntary proximity app usage in the world, only thirty-seven percent of the population has actually downloaded it. For comparison, only twenty percent of Germans and twelve percent of Italians have downloaded their respective apps. Since the number of users is always much fewer than the number of downloads, one can safely conclude none of these countries has achieved critical mass.
A second concern is an obligatory reliance on self-reports. The usefulness of voluntary apps depends entirely on users willingly reporting when they have been positively diagnosed. In contexts where it is difficult for users to get tested, these reports will only represent a limited portion of all infected individuals, meaning there is no opportunity to identify all routes of transmission, a serious liability for virus containment. Belayed inputs into the app, either due to slow testing or a lack of user diligence, would also significantly reduce the effectiveness of containment because contacts would have more time to spread the virus before being warned of infection. Here too, a centralized approach is much more effective, allowing for both swifter identification and immediate action.
Cultural considerations also become more important in a voluntary approach. Personal, religious, social, and contextual reasons all have the potential to make users reluctant to truthfully report a positive diagnosis even if that result is received in a timely manner. Especially in countries like the United States, where health authorities have struggled immensely in getting citizens to adopt simple mitigation practices such as social distancing and mask-wearing, skepticism about the viral origins of COVID-19 can significantly depress app usership and input fidelity. Such skepticism can also make the system vulnerable to attack by ill-intentioned users who purposefully report false positives, potentially fomenting panic and wide-spread misinformation.
Another weakness of app-based tracing is the frequent lack of integration with public health entities. In ideal circumstances, public health authorities would be allowed to collect and review as much information as possible in real-time to help advise them about necessary preventative actions. For example, knowing that a cluster of new cases appeared yesterday in a certain geographical area allows public health authorities to mobilize interventions specific to that locale, helping improve the chances of containment. These activities, however, are not possible when the data from tracing apps are 1) not shared, 2) shared in a highly anonymized manner, or 3) shared days or weeks after positive results have been input. Especially in countries like the United States where the activities of private companies and government health officials have long experienced segregation, the lack of cooperation can become a serious and missed opportunity, one that a centralized approach would not suffer.
Conceptually speaking, greater cooperation between app controllers and public health authorities would offer a potential solution to the problem of high reliance on self-reports. If public health authorities were able to possess a real-time list of newly diagnosed patients, that information could be used as a more reliable input for the app, bypassing the need for user fidelity. This would, of course, require the identification of app users and the implementation of an organized process of matching, both of which are currently difficult to justify within the framework of the GDPR and other, similar legal documents.
Despite these shortcomings, the United Kingdom, Italy, France, Austria, and Switzerland have all moved ahead with voluntary proximity apps, yielding results that have been, understandably, underwhelming at best. Given the legal issues involved in implementing centralized approaches, it is not difficult to appreciate why the less intrusive alternative was initially favored. However, with outcomes as they are and every northern hemisphere country nervously awaiting the prospect of renewed outbreaks in the fall and winter, one must ask whether it is time for more constructive dialogue about legislative changes to data privacy laws, making some exceptions for centralized collection and use during public health emergencies. Considering that vaccine distribution will likely take time, mitigation procedures will likely need to remain in place, perhaps for years, until enough people have been vaccinated.
In the United States, officials have only recently begun endorsing the implementation of proximity-based voluntary apps such as the Apple-Google contract tracing app. Legal obstacles to centralized approaches are, unfortunately, quite similar to those in the European Union, with privacy laws leaving little room to implement public health exceptions. Seventeen states—including Colorado, Delaware, Florida, and Georgia—have held fast to decisions not to employ any IT-based means for contact tracing. This highlights again the many cultural and political challenges of getting Americans to adopt voluntary methods on a national scale. Even if such methods were to gain traction, one must wonder whether the United States is already destined to retread old ground covered by EU countries, arriving at user rates that are disappointingly suboptimal.
A common question is whether there might be some positions of compromise that can be achieved between the centralized and voluntary approaches. New Zealand, for example, has adopted a voluntary app with centrally managed data. The app works by assigning different locations, such as restaurants and coffee shops, with unique QR codes posted at entrances. App users are asked to scan these whenever entering or leaving. This is an innovative approach to circumvent the potential legal issues associated with automated locational data by making the locational input a voluntary user task that falls more comfortably under the “user consent” domain. Given its voluntary nature, however, suboptimal usership and user fidelity remain critical issues, with only about twenty-one percent of New Zealanders having downloaded the app.
An interesting way to potentially enable a fully centralized tracing approach would be to use an app as a platform to consent to centralized data collection. Users could, for example, provide their personal and credit card information through the app, consenting to its use in automated tracing. This would allow central government authorities to legally track credit card transactions and cell phone location logs through the “user consent” domain. Many countries would need to establish the requisite infrastructure for collecting and using that information—by buying servers, hiring data managers, et cetera—but the costs would be marginal compared to the health care expenses of even a modest epidemic. Even in this model, however, the voluntary nature of consent would likely require some program of incentives and unified publicity to help achieve a critical mass of users.
In closing, it is important to reiterate the central importance of contact tracing in virus mitigation. Timely tracing is the only way to decisively get ahead of virus transmission and contain it. Other mitigation techniques like social distancing and mask-wearing are largely preventative and can help slow the spread but will never contain it completely. Given that South Korea and Taiwan are the two countries to have fully implemented centralized tracing right from the start, it is no surprise that they have some of the lowest infection rates in the world, at 0.046 percent and 0.002 percent of the total population, respectively. By comparison, other democracies like the United States, United Kingdom, Germany, and Italy have had 2.239 percent, 0.668 percent, 0.350 percent, and 0.517 percent of their populations confirmed infected as of September 30. As these countries enter the added uncertainty of colder weather, one can only expect the disparity to continue increasing, adding more deaths, more health care debt, more sufferers of long-tail symptoms, renewed lockdowns, and added economic damage.
. . .
Justin Fendos is a professor of cell biology at Dongseo University in Busan, South Korea. He conducts research on a wide range of topics including education, science, culture, and maritime trade. Since the beginning of the pandemic, he has been studying South Korea’s response to COVID-19, contributing articles to a variety of publishers including The Diplomat, National Interest, and Brookings Institution.
This article is the first installment in a two-part series. Unlike South Korea’s centralized approach to contact tracing, other democracies faced legal impediments to similar approaches. The second installment reviews…