PreprintPDF Available

Apps Gone Rogue: Maintaining Personal Privacy in an Epidemic

Preprints and early-stage research may not have been peer reviewed yet.


Containment, the key strategy in quickly halting an epidemic, requires rapid identification and quarantine of the infected individuals, determination of whom they have had close contact with in the previous days and weeks, and decontamination of locations the infected individual has visited. Achieving containment demands accurate and timely collection of the infected individual's location and contact history. Traditionally, this process is labor intensive, susceptible to memory errors, and fraught with privacy concerns. With the recent almost ubiquitous availability of smart phones, many people carry a tool which can be utilized to quickly identify an infected individual's contacts during an epidemic, such as the current 2019 novel Coronavirus crisis. Unfortunately, the very same first-generation contact tracing tools have been used to expand mass surveillance, limit individual freedoms and expose the most private details about individuals. We seek to outline the different technological approaches to mobile-phone based contact-tracing to date and elaborate on the opportunities and the risks that these technologies pose to individuals and societies. We describe advanced security enhancing approaches that can mitigate these risks and describe trade-offs one must make when developing and deploying any mass contact-tracing technology. With this paper, our aim is to continue to grow the conversation regarding contact-tracing for epidemic and pandemic containment and discuss opportunities to advance this space. We invite feedback and discussion.
PrivateKit: MIT
Apps Gone Rogue: Maintaining Personal Privacy in
an Epidemic
Ramesh Raskar1| Isabel Schunemann2| Rachel
Barbar3| Kristen Vilcans1| Jim Gray1| Praneeth
Vepakomma1| Suraj Kapa4| Andrea Nuzzo5|
Rajiv Gupta6| Alex Berke1| Dazza Greenwood1|
Christian Keegan8| Shriank Kanaparti2| Robson
Beaudry2| David Stansbury2| Beatriz Botero Arcila2
| Rishank Kanaparti9| Vitor Pamplona1| Francesco
M Benedetti1| Alina Clough2| Riddhiman Das7|
Kaushal Jain2| Khahlil Louisy1| Greg Nadeau10 |
Vitor Pamplona1| Steve Penrod7| Yasaman Rajaee1
| Abhishek Singh1| Greg Storm7| John Werner11
1 Introduction 2
2 The Case for Implementing Contact Tracing Technologies 3
2.1 ATimelySolution:Contact-Tracing......................................... 3
2.2 Epidemiological Impact of Application for Coronavirus Infection Contact Tracing . . . . . . . . . . . . . 4
3 The Landscape of Interventions 4
3.1 Broadcasting ...................................................... 5
3.2 SelectiveBroadcasting ................................................ 5
3.3 Unicasting........................................................ 6
3.4 ParticipatorySharing ................................................. 6
3.5 PrivateKit:SafePaths ................................................ 6
arXiv:2003.08567v1 [cs.CR] 19 Mar 2020
4 Risks and Challenges 7
4.0.1 PrivacyRisksforDiagnosedCarriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.0.2 PrivacyRisksforUsers............................................ 7
4.0.3 PrivacyRisksforLocal Businesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.0.4 PrivacyRisksforNon-Users......................................... 8
4.0.5 ConsentandChoice ............................................. 8
4.1 MisinformationandPanic .............................................. 8
4.2 RiskyBehavior ..................................................... 8
4.3 FraudandAbuse.................................................... 9
4.4 SecurityofInformation................................................ 9
4.5 EquityandSocioeconomicFactors ......................................... 9
5 Mapping Technological Interventions with Risks 9
5.1 TheUtility-PrivacyTrade-Off ............................................ 9
6 Discussion of Risks, Mitigation and Trade-offs 9
6.1 PrivacyofDiagnosedCarriers............................................ 11
6.2 PrivacyofLocalBusinesses ............................................. 11
6.3 AccessandInclusion.................................................. 12
6.4 MisinformationandRiskyBehavior ........................................ 12
6.5 SecurityofInformation................................................ 12
7 Conclusion 13
8 Acknowledgements 13
“Containment [...] must remain the top priority for all countries. With early aggressive measures countries can
stop transmission and save lives.
-Tedros Adhanom, Director General of the WHO
"[Some of my patients] were more afraid of being blamed than dying of the virus”
-Lee Su-young, Psychiatrist at Myongji Hospital, South Korea
Containment, the key strategy in quickly halting an epidemic, requires rapid identication and quarantine of the in-
fected individuals, determination of whom they have had close contact with in the previous daysand weeks, and decon-
tamination of locations the infected individual has visited. Achieving containment demands accurate and timely collec-
tion of the infected individual’s location and contact history. Traditionally, this process is labor intensive, susceptible
to memory errors, and fraught with privacy concerns. With the recent almost ubiquitous availability of smart-phones,
many people carry a tool which can be utilized to quickly identify an infected individual’s contacts during an epidemic,
such as the current 2019 novel Coronavirus (COVID-19) crisis. Unfortunately, the very same rst-generation contact-
tracing tools can also be – and have been – used to expand mass surveillance, limit individual freedoms and expose the
most private details about individuals.
We seek to outline the different technological approaches to mobile-phone based contact-tracing to date and
elaborate on the opportunities and the risks that these technologies pose to individuals and societies. We describe ad-
vanced security enhancing approaches that can mitigate these risks and describe trade-offs one must make when de-
veloping and deploying any mass contact-tracingtechnology. Finally, we express our belief that citizen-centric, privacy-
rst solutions that are open source, secure, and decentralized (such as MIT Private Kit: Safe Paths) represent the next-
generation of tools for disease containment in an epidemic or a pandemic. With this paper, our aim is to continue to
grow the conversation regarding contact-tracing for epidemic and pandemic containment and discuss opportunities
to advance this space. We invite feedback and discussion.
Infectious diseases spread in an exponential fashion. Containment is an effective means to slow the spread, allowing
health care systems the capacity to treat those infected. However, ‘lock down’ like containment can also disrupt the
productivity of the population, distort the markets (limiting transportation and exchange of goods), and introduce fear
and social isolation for those that are not yet infected or that have recovered from an infection.
2.1 |A Timely Solution: Contact-Tracing
Several infectious diseases have incubation periods and asymptomatic manifestation, making it difcult to effectively
measure the actual number of infected members of the population. Blanket-testing to avoid missing asymptomatic
cases, of course, is not always feasible. Another approach is contact tracing, which involves keeping track of the possi-
ble routes of infection:
“People in close contact with someone who is infected with a virus, [. .. ], are at higher risk of becoming in-
fected themselves, and of potentially further infecting others .Closely watching these contacts after exposure
to an infected person will help the contacts to get care and treatment, and will prevent further transmission of
the virus.”
-World Health Organization (WHO)
The process for contact-tracing, according to WHO, occurs in three steps:
1. Contact Identication: From conrmed cases, identify those the infected patient had contact with (according to
the transmission modalities of the pathogen)
2. Contact Listing: Record the possible contacts of the infected patients and contact those individuals
3. Contact Follow-Up
Contact tracing is a key public health response to slowing the spread and containing infectious diseases. By mitigating
the aws of detection based solely on symptoms, contact-tracing increases the sensitivity and the readiness of the
community for an emerging epidemic. Further, contact-tracing allows citizens to relieve burden from a community’s
containment measures, as it pushes perspective infected members to isolate themselves voluntarily as shown recently
in the NYC area.
Finally, and most importantly, contact tracing can be quickly deployed at the rst warnings of an outbreak, but
continues to be effective when disease resurgence concerns exist. Thus, following an initial epidemic peak, contact-
tracing can be an effective means to enable disease decline and avoid multiple peak periods and disease resurgence.
2.2 |Epidemiological Impact of Application for Coronavirus Infection Contact Tracing
Lessons from China have suggested the utility of understanding GPS localization of intersections between known in-
fected individuals and others in stemming infection progression. This is specically related to the R0 (R naught) that
determines how contagious an infectious disease is. R0 is a description of the average number of people who will catch
a disease from one contagious person. Ideally, a lower number will optimize reduction of disease spread, which will
facilitate time to develop a vaccine or for the disease to die out. Three factors that dene R0 are the infectious period
(which is generally xed for a given disease), the contact rate (i.e., how many people come in contact with a contagious
person), and the mode of transmission (which is similarly xed for a given disease). Thus, for a given disease, the most
adjustable factor is the contact rate.
One key issue with contact rate is how to optimally allow individuals and societies to limit the contact rate. Con-
tact amongst uninfected individuals will not facilitate disease spread. Thus, ideally a society and/or an individual is
principally concerned with understanding the contacts an infected individual has had. Understanding if paths have
been crossed between an infected individual and any number of other individuals will allow for identifying those who
have been exposed (and maybeshould be tested resulting in appropriate resource allocation or may isolate themselves
in the absence of available testing). Thus, at a societal level, this may limit the economic and public impact.
With an application that allows for users to understand potential exposure to an infected individual, and appropri-
ate action of the exposed individuals, it may be possible to reduce the contact rate bymore rapidly identifying cases/ex-
posures which will remove them from the contact chain. For example, if we assume uptake of an application amongst
x% of a population, and assuming that portion of the population responds to known exposure by self-quarantining or
pursuing texting to conrm lack of infection, the R0 will decrease in turn by a multiple of that percentage based on
the degree of mixing in the population. The reason for the multiple decrease is R0 partially depends on the population
size and density and the exact number of people an individual may come in contact with after exposure which varies
amongst individuals. Furthermore, with an increasing number “x” in terms of user base, there will be an exponential
decrease in R0 (e.g., for 100% use and appropriate action, R0 would be expected to fall <1 due to maximal reduction
of contact rate). Thus, for example, a 10% uptake will have downstream impacts on individuals that person may have
come in contact by more rapid exposure/contact identication. This may eventually disrupt the contact rate with may
signicantly reduce the R0 more than is accounted for by the 10%.
This ultimate effect of R0 with a 10% use and appropriate response to data will hopefully disrupt ongoing chains of
transmission, thus effecting the mortality rate and eventually impacting the contact rateand infection curve. However,
high enough utilization could reduce contact rate to such a degree as to make the overall R0 < 1 which would ideally
lead to dying off of the infection entirely.
Almost half of the world’s population carries a device capable of GPS tracking. With this capability, location trails—timestamped
logs of an individual’s location— can be created. By comparing a user’s location trails with those from diagnosed carri-
ers of infectious disease, one can identify users who have been in close proximity to the diagnosed carrier and enable
contact-tracing. As the COVID-19 outbreak spreads, governments and private actors have developed and deployed
various technologies to inform citizens of possible exposure to a pathogen. In the following, we give a brief overview
over these technologies.
Key Terms We take this opportunity to dene several critical terms used throughout this paper.
Users are individuals who have not been diagnosed with an infectious disease who seek to use a contact-tracing
tool to better understand their exposure history and risk for disease.
Diagnosed carriers then, refers to individuals who have had a conrmatory diagnostic test and are known to have
an infectious disease. Of note, in the setting of an epidemic in which some infected individuals have mild or no
symptoms, a subset of users will in fact be unidentied carriers. An inherent limitation in all containment strate-
gies is the society’s ability to identify and conrm disease
Location trails refer to the time-stamped list of GPS locations of a device, and presumably therefore, the owner of
the device.
Finally, we broadly speak of the government as the entity which makes location data public and informs those indi-
viduals who were likely in close contact with a diagnosed carrier, acknowledging that this responsibility is carried
out by a different central actor in every continent, country or local region.
Local businesses refer to any private establishment such as shops, restaurants or tness clubs as well as commu-
nity institutions like libraries and museums.
3.1 |Broadcasting
Broadcasting refers to any method, supported by technology, by which governments publicly share locations that di-
agnosed carriers have visited within the time frame of contagion. Governments broadcast these locations through
several methods. For example, Singapore updates a map with detailed information about each COVID-19 case. South
Korea sends text messages containing personal information about diagnosed carriers to inform citizens. In the US, Ne-
braska and Iowa published information of where diagnosed carriers have been through media outlets and government
websites. Broadcasting methods can be an easy and fast way for a government to quickly make public this information
without the need for any data from other citizens. It requires citizens to access the information provided and evaluate
whether they may have come in contact with a diagnosed carrier of a pathogen themselves. However, broadcasting
methods risk exposing diagnosed carriers’ identities and require exposing the locations with which the diagnosed car-
rier interacted, making these places, and the businesses occupying them, susceptible to boycott, harassment, and other
punitive measures.
3.2 |Selective Broadcasting
Selective broadcasting releases information about locations that diagnosed carriers have visited to a select group,
rather than the general public. For example, information might be selectively broadcast to people within a single re-
gion of a country. Selective broadcasting requires collection of information, such as a phone number or current loca-
tion, from users in order to dene the selected groups. Often, a user must sign up and subscribe to the service, e.g., via
a downloaded app.
Selective broadcasting operates under one of two modes: (i) The broadcaster knows the (approximate) location of
the user and sends a location specic message. Thus, user location privacy is compromised. (ii) The broadcaster sends
a message to all users, but the app displays only the messages relevant to the user’s current location. The second
approach is typically used when messages are intermittent. KatWarn, a German government crisis app that, once
downloaded and granted access to location data, noties users within a dened area of any major event that may
impact their safety such as a natural disaster or terrorist attack. User privacy is compromised by apps using the rst
mode as the broadcasting agent receives information about the user’s location. Apps using the second mode do not
have this same limitation as location data is not reported back to the broadcaster.
In addition to the risk to the user’s privacy with selective broadcasting, the same risks of identication of the
diagnosed carrier and harassment of locations associated with the diagnosed carrier seen with broadcasting apply.
Further, requiring a user to sign up and subscribe risks decreased participation by possible users.
3.3 |Unicasting
Unicasting informs only those users who have been in close contact with a diagnosed carrier. Unicasting requires
government access data, not only of diagnosed carriers, but also of every citizen who may havecrossed their path. The
transmission is unique to every user. China developed a unicasting system which shows who poses a risk of contagion.
While highly effective at identifying users exposed to contagion for containment interventions, unicasting presents a
grave risk for a surveillance state and government abuse.
3.4 |Participatory Sharing
In participatory sharing, diagnosed carriers voluntarily share their location trails with the public without prompting by
a central entity,such as a government. Advantageously,with participatory sharing, diagnosed carriers retain control of
their data and presumably consent to its release. Users are required to independently seek the information and assess
their own exposure risks. However, these solutions present challenges as it is difcult to check for fraud and abuse.
3.5 |Private Kit: Safe Paths
Private Kit: Safe Paths is an MIT-led, free, open-source and privacy-rst contact-tracing technology that providesindi-
vidual users information on their interaction with COVID-19, while also empowering governments’ efforts to contain
an epidemic outbreak. The solution is a ‘pull’ model where users can download encrypted location information about
carriers so the users can self-determine their likely exposure to COVID-19 and coordinate their response with their
doctor using their symptoms and personal health history.
The Private Kit: Safe Paths solution, in its rst iteration, enables individuals to log their own location. With con-
sent they can provide health ofcials with an accurate location trail once they are diagnosed positive. Additionally,
governments are equipped with a tool to redact location trails and thus broadcast location information with privacy
protection for diagnosed carriers and local businesses. In its second iteration, Safe Paths provides users with infor-
mation on whether they have crossed paths with a diagnosed carrier. Safe Paths’ ability to do so without collecting
information on the user in an external cloud prevents government surveillance. As an open-source tool, Safe Paths
fosters public trust and utilizes experts to audit its security and privacy features.
In the last phase of development, Private Kit: Safe Paths will move to a mix of participatory sharing and unicasting,
eliminating the need for a central entity while still providing a highly personalized exposure risk assessment to users. In
this third iteration, Safe Paths enables privacy protected participatory sharing of location trails by diagnosed carriers
and direct notication of users who have been in close proximity to a diagnosed carrier without allowing a third party,
particularly a government, to access individual location trails.
Different technological interventions for contact-tracing pose various risks to individuals and the public. We will
discuss and compare the main challenges of deploying these technologies in the following chapter and compare how
the Private Kit: Safe Paths solution maximizes stakeholder value when trading off the key constraints as compared to
existing solutions.
Risks exist for both the individual and the public with use of contact-tracing technology. The primary challenge for
these technologies, as evident from their deployment in the COVID-19 crisis, remains securing the privacy of individ-
uals, diagnosed carriers of a pathogen, and local businesses visited by diagnosed carriers, while still informing users of
potential contacts. Additionally, contact-tracing technologies offer opportunities for bad actors to create fear, spread
panic, perpetrate fraud, spread misinformation, or establish a surveillance state.
4.0.1 |Privacy Risks for Diagnosed Carriers
All containment strategies require analysis of diagnosed carrier location trails in order to identify other individuals at
risk for infection. Diagnosed carriers, therefore, are at the greatest risk of their privacy being violated, for example,
by public identication. Even when personal information is not published, these individuals may be identied by the
limited set of location data points released. When identied publicly, diagnosed carriers often face harsh social stigma
and persecution. In one example, data sent out by the South Korean government to inform residents about the move-
ments of those recently diagnosed with Covid-19 sparked speculations about individuals’ personal lives, from rumors
of plastic surgery to indelity and prostitution. Online witch hunts aiming to identify diagnosed carriers create an
atmosphere of fear. As painfully articulated by the following quote, social stigma can be worse than the disease.
"[Some of my patients] were more afraid of being blamed than dying of the virus”
-Lee Su-young, Psychiatrist at Myongji Hospital, South Korea
With all currently available contact-tracing technologies, the risk for public identication of the diagnosed carrier
remains high. Further innovation is necessary to protect high risk populations.
4.0.2 |Privacy Risks for Users
Users also face privacy violations. Providing an exposure risk assessment to the user requires the user’s location data
in order to establish where the user’s path has crossed with that of a diagnosed carrier. However, enabling access to
the individual’slocation data by a third party,particularly a government, preludes a step towards a surveillance state, as
examples from the COVID-19 crisis show. In China, users suspect an app developed to help citizens identify symptoms
and their risk of carrying a pathogen spies on them and reports personal data to the police. The Google Play store
also pulled the Iranian government’s app amid similar fears and South Korea’s app to track those in self-quarantine
automatically noties the user’s case worker if they leave their quarantine zone.
4.0.3 |Privacy Risks for Local Businesses
Identities of cafes, shops, and other businesses visited by a diagnosed carrier may be divulged when the carrier’s loca-
tion trail is released to the public. Public association with the path of a diagnosed carrier, as examples from China and
South Korea show, damages local businesses. At a time of heightened vulnerability due to the economic stress which
often coincides with an epidemic, these businesses may suffer signicant nancial hardship and possibly collapse.
4.0.4 |Privacy Risks for Non-Users
Contact-tracing technology may, at times, violate the privacy of a non-user. Users and non-users are networked to-
gether through social relationships and environmental proximity. When a family member or friend’s identity as a di-
agnosed carrier is revealed, non-users close to the diagnosed carrier may endure the same public stigmatization and
social repercussions. When a business loses customers or faces harassment due to association with a diagnosed car-
rier’s location trail, its patrons and, particularly, its employees bear the economic and social burden whether or not
they are a user of contact-tracing technology. Non-users may be further negatively affected if location trails pinpoint
sensitive locations, such as military bases and secure research laboratories.
4.0.5 |Consent and Choice
Obtaining consent for any form of data collection and use helps manage privacy risks. Consent’s utility in real-world
settings, however, is often undermined. Language which is incomprehensible for typical users and a lack of real choice
(e.g. users must often relinquish privacy and share their data in order to receive a service or opt not to use the service at
all) severely limit the power of consent. Contact-tracing technologies have yet to overcome the challenges associated
with obtaining true consent from the user. Typically, a user may be required to share their location with a third party
in order to receive an exposure risk assessment.
4.1 |Misinformation and Panic
During an epidemic, complex and quickly evolving data must be accurately conveyed to and understood by the entire
public, including individuals with low health literacy. Serious harm, including heightened alarm among the public, may
result from failure to appropriately communicate health risks. Contact-tracing technologies have potential to intro-
duce misinformation and cause panic. For example, if users receive an alert about a possible contact location without
appropriate information and understanding of the exposure time frame, some users will inaccurately conclude they
are at high risk. Even when information regarding both location and time is provided to users, if the magnitude of the
risk cannot be easily comprehended, an atmosphere of fear or a run on the medical system may be provoked.
4.2 |Risky Behavior
Feeling a false sense of safety at having not received a notication of exposure, some users may underestimate their
risk for disease. Users who no longer perceive a signicant risk may be less likely to engage in other forms of disease
prevention, such as social distancing. A false sense of safety may occur when the limitations of contact-tracing tech-
nology within a community are not clearly communicated to the public.
4.3 |Fraud and Abuse
Technological interventions in human crises are often targeted for fraud and abuse. In South Korea, fraudsters quickly
began blackmailing local merchants and demanding ransoms to not (falsely) report themselves as sick and having vis-
ited the business. Additionally, bad actors may force individuals to provide their location data for purposes other than
disease containment, such as for immigration or police purposes. Fear of such abuse may prevent a contact-tracing
system meant to help save lives from being adopted.
4.4 |Security of Information
Hacking lingers as a serious risk for all data-gathering technologies with sensitive information, like health status and
location. Hackers have successfully inltrated apps and services collecting sensitive information before, with 92 mil-
lion accounts from the genealogy and DNA testing service MyHeritage hacked in 2017. Data security must lie at the
center of every effort to use location data for contact-tracing and containment.
4.5 |Equity and Socioeconomic Factors
Ensuring equity and social justice challenges many technologies, including contact-tracing. If participation requires
ownership of a smartphone, some people, often those most vulnerable, the elderly, the homeless, and those living
in lower-income countries, will not be able to access the technology. A lack of access to devices among vulnerable
populations will remain a signicant challenge for contact-tracing technology in the near future. Avoidance by the
public may impact any business identied on a diagnosed carrier’s location trail, but reduced hours or job loss hurt
lower-income service workers most. Finally, abuse of data collection and violations of user privacy are inicted more
often upon those who are already most vulnerable to government surveillance.
In the following table, the various contact-tracing technological approaches are mapped against the reviewed risks
and challenges.
5.1 |The Utility-Privacy Trade-Off
The inverse relationship between accuracy of the provided risk assessment and user privacy for contact tracing tech-
nologies necessitates compromise by the user community. The core trade-off between utility and user privacy, di-
agrammed below, illustrates this and highlights the potential of Private Kit: Safe Paths to fundamentally alter this
Deploying any form contact-tracing technology requires contemplation of several risks outlined in the prior analysis.
Mitigation of these risks depends on thoughtful consideration of the trade-offs inherent to contacttracing technology
and containment strategies. In the following, we review decisions required for these trade-offs and best approaches
FIGURE 1 The various contact-tracing technological approaches are mapped against the reviewed risks and
FIGURE 2 Unicasting, Broadcasting, Selected Broadcasting and Private Kit: Safe Paths plotted in terms of the
trade-off of privacy and utility.
for risk mitigation.
6.1 |Privacy of Diagnosed Carriers
Data must be collected from diagnosed carriers to facilitate containment of an epidemic. However, both data collec-
tion and release of that information to identied contacts may violate the diagnosed carrier’s privacy. As the most
vulnerable stakeholder in the containment strategy, several efforts must be undertaken to protect the diagnosed car-
rier’s privacy to the highest degree possible. Limiting the publicly published data helps protect the known carrier’s
identity from the public. To date, with the exception of participatory sharing models, the diagnosed carrier’s data must
be shared with a third-party entity, requiring the carrier to relinquish at least some control over their data. Ending
the need for third party involvement would represent an immense step forward in privacy protection for diagnosed
carriers. Access and usage of the data by an entity, mostly governments, should be limited and highly regulated. Harsh
penalties for the abuse of such data should be established. Obtaining true user consent further protects diagnosed car-
riers. Not all approaches in use today require consent to share personal data. Particularly in non-democratic regimes,
diagnosed carriers may be unable to deny consent. In other instances, all users must consent to share their data in
order to be informed of their own exposure risk. We believe no one should be obligated to share their personal in-
formation. Time limited storage of location trails further protects the privacy of diagnosed carriers. Finally, using an
open-source approach to create an app fosters trust in the app’s privacy protection capabilities, as independent ex-
perts and media can access and evaluate the source code.
6.2 |Privacy of Local Businesses
Containment of an epidemic requires publication of sites of known exposure to a diagnosed carrier to the public. Yet
doing so risks harassment of local businesses at these sites. Providing broader location data may better protect the
privacy of a local business, but also affects the accuracy of the risk assessment. Broad location data, such as notice of a
100x100m area into which a diagnosed carrier sojourned, may still identify a business. Any contact-tracing approach
must balance the public health benet of disease containment against the threat of economic hardship for local busi-
nesses connected to the epidemic.
There is no easy answer to this trade-off as any choice impacts utility of the technology and risks affecting the
viability of the business. Evaluating the risk versus benet of location data release should occur on a case-by-case
basis. The time frame of possible contagion must be released so the users may understand the limits of the exposure
risk. Critically, the entity publishing the location data should consult with the local business and inform the business of
any decision before the public is notied.
6.3 |Access and Inclusion
Issues of access and inclusion are not easily resolved by contract-tracingtechnology. Limited access to a device capable
of utilizing contact-tracing technology and difculty understanding and acting on the provided risk assessment overly
affect the more marginalized of our societies. However, containing an epidemic outbreak quickly benets everyone
within a community. Implementation of contact-tracing technology within a community,even with unequal access, may
increase the safety of all. The development of a simple GPS device that can share location trails may be a medium-term
solution to some accessibility concerns, particularly in countries with limited smartphone penetration. Additionally,
some form of access to information about a possible contagion must be made available to those without a smartphone
and all information should be presented in a way that accounts for variation in health literacy among users.
6.4 |Misinformation and Risky Behavior
The spread of misinformation cultivates instability and uncertainty during a crisis. Release of information on the
spread of a pathogen to the public invites public speculation and fear-mongering and manipulation by bad actors. A
false sense of safety for users may increase alongside increased efciency of contact-tracing technology. Entities
providing contact-tracing technology are also at risk to introduce error within the release information, despite best
intentions. At this time, no strategies exist to eliminate these risks; however, such risks can be mitigated through edu-
cational outreach efforts and engagement with key stakeholders.
6.5 |Security of Information
Storage of sensitive information invites attack by hackers. Trade-offs must be made in order to mitigate this risk. Only
anonymized, redacted, and aggregated sensitive information should be stored. Use of a distributed network, rather
than a central server, makes hacking less attractive, but requires providing security to multiple sites. In the long term,
the safest way to store location data will be in an encrypted database inaccessible to all, including the government.
Time limitations on data storage also work well to secure information and should be implemented in contact-tracing
technology. During an epidemic outbreak, the appropriate amount of time for data storage equals the time during
which a diagnosed carrier could have possibly infected another individual. For COVID-19, this time frame is set to be
14 to 37 days. Deleting data after such a short period, particularly during an outbreak of a poorly understood pathogen
has risks. However, we feel this trade-off should be made for data security and user privacy.
Our ability to accurately trace contacts of individuals diagnosed with a pathogen and notify others who may have
been exposed has never been greater. Real risks exist, though, thus care must be addressed in the design of the solu-
tion to prevent abuse and mass surveillance. As a beginning to the discussion of how to develop and deploy contact-
tracing technologies in a manner which best protects the privacy and data security of its users, we have reviewed
varioustechnological methods for contact-tracing and have discussed the risks to both individuals and societies. Pri-
vateKit: Safe Paths eliminates the risk of government surveillance. It draws on the advantages from several models of
contact-tracing technology while better mitigating the challenges posed by use of such technology. We have presented
a discussion of precautions which should be taken and trade-offs which will need to be made. We invite feedback and
discussion on this whitepaper.
We would like to acknowledge Amandeep Gill of the International Digital Health & AI Research Collaborative (I-DAIR),
Bernardo Mariano Jr of the World Health Organization (WHO), and Don Rucker of the U.S. Department of Health and
Human Services (HHS) for their mentorship in advancing contact-tracing solutions.
[1] Eames, Ken TD and Keeling, Matt J. Contact tracing and disease control, Proceedings of the Royal Society of London.
Series B: Biological Sciences, vol.270, 1533, 2003, The Royal Society.
[2] Emergency Guideline: Implementation and management of contact tracing for Ebola virus dis-
ease, World Health Organization (WHO) and Centers for Disease Control and Prevention (CDC),
[3] Kiss, Istvan Z and Green, Darren M and Kao, Rowland R, Disease contact tracing in random and clustered networks, Pro-
ceedings of the Royal Society B: Biological Sciences, Vol 272, 1570, pp. 1407-1414, 2005, The Royal Society, London.
[4] Bai, Yan and Yao, Lingsheng and Wei, Tao and Tian, Fei and Jin, Dong-Yan and Chen, Lijuan and Wang, Meiyun, Presumed
asymptomatic carrier transmission of COVID-19, JAMA, 2020
[5] Huerta, Ramon and Tsimring, Lev S, Contact tracing and epidemics control in social networks, Physical Review E, Vol.66, 5,
2002, APS
[6] Heymann, David L and Shindo, Nahoko, COVID-19: what is next for public health?, The Lancet, 2020
[7] van der Hoek, Lia and Pyrc, Krzysztof and Jebbink, Maarten F and Vermeulen-Oost, Wilma and Berkhout, Ron JM and
Wolthers, Katja C and Wertheim-van Dillen, Pauline ME and Kaandorp, Jos and Spaargaren, Joke and Berkhout, Ben, Iden-
tication of a new human coronavirus, Nature Medicine, Vol. 10, 4, pg.368-373, 2004
[8] How The Painstaking Work Of Contact Tracing Can Slow The Spread Of An Outbreak, National Public Radio (NPR)
[9] Ha, Yoonhee P and Tesfalul, Martha A and Littman-Quinn, Ryan and Antwi, Cynthia and Green, Rebecca S and Mapila,
Tumelo O and Bellamy, Scarlett L and Ncube, Ronald T and Mugisha, Kenneth and Ho-Foster, Ari R and others, Evaluation
of a mobile health approach to tuberculosis contact tracing in Botswana, Journal of health communication, Vol 21, 10,
2016, Taylor & Francis.
[10] Webb, Glenn and Browne, Cameron and Huo, Xi and Seydi, Ousmane and Seydi, Moussa and Magal, Pierre, A model of
the 2014 Ebola epidemic in West Africa with contact tracing, PLoS Currents, Vol 7, Public Library of Science, 2015
[11] Tom-Aba, Daniel and Olaleye, Adeniyi and Olayinka, Adebola Tolulope and Nguku, Patrick and Waziri, Ndadilnasiya and
Adewuyi, Peter and Adeoye, Olawunmi and Oladele, Saliu and Adeseye, Aderonke and Oguntimehin, Olukayode and oth-
ers, Innovative technological approach to Ebola virus disease outbreak response in Nigeria using the open data kit and
form hub technology, PloS One, Vol. 10, 6, Public Library of Science, 2015
[12] Smartphone access demographic data (US), Fact Sheet, Pew Research Center
[13] Nemo Kim, ’More scary than coronavirus’: South Korea’s health alerts exposeprivate lives, Mar 5, 2020, The Guardian
[14] Ivan Watson and Sophie Jeong, Coronavirus mobile apps are surging in popularity in South Korea, Feb 28, 2020, CNN
[15] Mary Meisenzahl, Take a look at these Korean apps helping people avoid areas infected by the coronavirus, Mar 2, 2020,
Business Insider
[16] Max S. Kim, South Korea is watching quarantined citizens with a smartphone app, Mar 6, 2020, MIT Techology Review
[17] Coronavirus privacy: Are South Korea’s alerts too revealing?, 5 March 2020, BBC News
[18] Private Kit, MIT,
[19] Ramesh Raskar, God’s Eye View: Will global AI empower us or destroy us? TEDxBeaconStreet
[20] Evans, David and Kolesnikov, Vladimir and Rosulek, Mike and others, A pragmatic introduction to secure multi-party
computation,Foundations and Trends in Privacy and Security, Vol.2, 2-3, Pg. 70-246, 2018, Now Publishers, Inc.
[21] Vepakomma, Praneeth and Gupta, Otkrist and Swedish, Tristanand Raskar, Ramesh, Split learning for health: Distributed
deep learning without sharing raw patient data, 2018
[22] Yi, Xun and Paulet, Russell and Bertino, Elisa, Homomorphic encryption and applications, Vol.3, 2014
[23] Dwork, Cynthia, Differential privacy: A survey of results, International conference on theory and applications of models
of computation, Pg.1-19, 2009, Springer
[24] Sathya, Sai Sri and Vepakomma, Praneeth and Raskar, Ramesh and Ramachandra, Ranjan and Bhattacharya, Santanu, A
review of homomorphic encryption libraries for secure computation, 2018
[25] Samarakoon, Sumudu and Bennis, Mehdi and Saad, Walid and Debbah, Mérouane, Distributed federated learning for
ultra-reliable low-latency vehicular communications, IEEE Transactions on Communication, 2019
[26] Rocher, Luc and Hendrickx, Julien M and De Montjoye, Yves-Alexandre, Estimating the success of re-identications in
incomplete datasets using generative models, Nature communications, Vol.10, 1, Pg. 1-9, 2019, Nature Publishing Group
[27] De Montjoye, Yves-Alexandre and Hidalgo, César A and Verleysen, Michel and Blondel, Vincent D, Unique in the crowd:
The privacy bounds of human mobility, Scientic reports, Vol. 3, 2013, Nature Publishing Group.
[28] Kairouz, Peter and McMahan, H Brendan and Avent, Brendan and Bellet, Aurélien and Bennis, Mehdi and Bhagoji, Arjun
Nitin and Bonawitz, Keith and Raskar, Ramesh and Vepakomma, Praneeth and Charles, Zachary and Cormode, Graham
and Cummings, Rachel and others, Advances and open problems in federated learning, 2019
[29] Scott Berinato, There’s No Such Thing as Anonymous Data, February 09, 2015, Harvard Business Review
[30] Hadeld, James and Megill, Colin and Bell, Sidney M and Huddleston, John and Potter, Barney and Callender, Charlton
and Sagulenko, Pavel and Bedford, Trevor and Neher, Richard A, Nextstrain: real-time tracking of pathogen evolution,
Bioinformatics, Vol.34, 23, Pg. 4121-4123, 2018, Oxford University Press
[31] Karl, Inga and Rother, Kristian and Nestler, Simon, Crisis-related Apps: assistance for critical and emergency situations,
International Journal of Information Systems for Crisis Response and Management, Vol.7, 2, Pg. 19-35, 2015, IGI Global
[32] Christian and Kaufhold, Marc and Leopold, Inken and Knipp, Hannah, Katwarn, Nina, or Fema? Multi-method study on
distribution, use, and public views on crisis apps, Reuter, 2017
[33] Waugh Jr, William L and Streib, Gregory, Collaboration and leadership for effective emergency management, Public ad-
ministration review, Vol 66, Pg. 131-140, 2006, Wiley Online Library
[34] Bullock, Jane A and Haddow, George D and Coppola, Damon P, Introduction to emergency management, 2017,
[35] Kapucu, Naim and Arslan, Tolgaand Demiroz, Fatih, Collaborative emergency management and national emergency man-
agement network, Disaster prevention and management: An international journal, 2010, Emerald Group Publishing Lim-
[36] Kristen V Brown, Hack of DNA Website Exposes Data From 92 Million Accounts, June 5, 2018, Bloomberg
[37] McLoughlin, David, A framework for integrated emergency management, Public administration review, Vol 45, Pg 165-
172, 1985, JSTOR
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
In this paper, the problem of joint power and resource allocation (JPRA) for ultra-reliable low-latency communication (URLLC) in vehicular networks is studied. Therein, the network-wide power consumption of vehicular users (VUEs) is minimized subject to high reliability in terms of probabilistic queuing delays. Using extreme value theory, a new reliability measure is defined to characterize extreme events pertaining to vehicles’ queue lengths exceeding a predefined threshold. To learn these extreme events, assuming they are independently and identically distributed over VUEs, a novel distributed approach based on federated learning (FL) is proposed to estimate the tail distribution of the queue lengths. Considering the communication delays incurred by FL over wireless links, Lyapunov optimization is used to derive the JPRA policies enabling URLLC for each VUE in a distributed manner. The proposed solution is then validated via extensive simulations using a Manhattan mobility model. Simulation results show that FL enables the proposed method to estimate the tail distribution of queues with an accuracy that is close to a centralized solution with up to 79% reductions in the amount of exchanged data. Furthermore, the proposed method yields up to 60% reductions of VUEs with large queue lengths, while reducing the average power consumption by two folds, compared to an average queue-based baseline.
Full-text available
While rich medical, behavioral, and socio-demographic data are key to modern data-driven research, their collection and use raise legitimate privacy concerns. Anonymizing datasets through de-identification and sampling before sharing them has been the main tool used to address those concerns. We here propose a generative copula-based method that can accurately estimate the likelihood of a specific person to be correctly re-identified, even in a heavily incomplete dataset. On 210 populations, our method obtains AUC scores for predicting individual uniqueness ranging from 0.84 to 0.97, with low false-discovery rate. Using our model, we find that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes. Our results suggest that even heavily sampled anonymized datasets are unlikely to satisfy the modern standards for anonymization set forth by GDPR and seriously challenge the technical and legal adequacy of the de-identification release-and-forget model.
Full-text available
Understanding the spread and evolution of pathogens is important for effective public health measures and surveillance. Nextstrain consists of a database of viral genomes, a bioinformatics pipeline for phylodynamics analysis, and an interactive visualisation platform. Together these present a real-time view into the evolution and spread of a range of viral pathogens of high public health importance. The visualization integrates sequence data with other data types such as geographic information, serology, or host species. Nextstrain compiles our current understanding into a single accessible location, open to health professionals, epidemiologists, virologists and the public alike. Availability and implementation: All code (predominantly JavaScript and Python) is freely available from and the web-application is available at Contact:,,
Full-text available
In this paper the authors developed applications for apps in times of crises and critical situations. They analyzed how people act in these situations and how to mitigate their uncertainty and fears through situation-specific communication. Including these aspects as well as the general challenges of crisis communication, pros and cons of apps based on existing examples were discussed. The resulting requirements for an app for crises and dangerous situations should assist in designing a communication solution that strengthens the feeling of security of citizens in critical times, such as life-threatening situations. This solution is intended as an additional means of communication for emergency services to modernize crisis communication with affected people.
Tuberculosis (TB) contact tracing is typically conducted in resource-limited settings with paper forms, but this approach may be limited by inefficiencies in data collection, storage, and retrieval and poor data quality. In Botswana, we developed, piloted, and evaluated a mobile health (mHealth) approach to TB contact tracing that replaced the paper form–based approach for a period of six months. For both approaches, we compared the time required to complete TB contact tracing and the quality of data collected. For the mHealth approach, we also administered the Computer System Usability Questionnaire to 2 health care workers who used the new approach, and we identified and addressed operational considerations for implementation. Compared to the paper form–based approach, the mHealth approach reduced the median time required to complete TB contact tracing and improved data quality. The mHealth approach also had favorable overall rating, system usefulness, information quality, and interface quality scores on the Computer System Usability Questionnaire. Overall, the mHealth approach to TB contact tracing improved on the paper form–based approach used in Botswana. This new approach may similarly benefit TB contact tracing efforts in other resource-limited settings.
Introduction to Emergency Management, Fifth Edition, offers a fully up-to-date analysis of US emergency management principles. In addition to expanding coverage of risk management in a time of climate change and terrorism, Haddow, Bullock, and Coppola discuss the impact of new emergency management technologies, social media, and an increasing focus on recovery. They examine the effects of the 2012 election results and discuss FEMA’s controversial National Flood Insurance Program (NFIP). Introduction to Emergency Management, Fifth Edition, gives instructors and students the best textbook content, instructor-support materials, and online resources to prepare future EM professionals for this demanding career.