The U.S. Digital-Contact-Tracing Debacle

About a month into the pandemic, I got a phone call from somebody who told me they’d just heard about an elegant technical solution that might stop COVID in its tracks. They had been talking with a team in Switzerland that was trying to develop a Bluetooth-based contact-tracing app. The pitch was simple: Contact tracing in those early months was woefully understaffed and under-prioritized and couldn’t keep pace with COVID’s (first, we now know) march around the globe. With unclear incubation times and asymptomatic cases, this meant that plenty of people were walking around unwittingly contagious. But what if peoples’ phones could tell them if they’d come in contact with a COVID-positive individual? It might change everything.

I was skeptical. I’d spent the last few months of 2019 working on a seven-part series about the massive privacy implications of smartphone location tracking. The project radicalized me a bit and I could only think of the ways that a digital virus-surveillance tool might be used nefariously by governments and corporations against citizens. But I was also pretty terrified of this new virus and imagined that pandemic mitigation would perhaps take forms that made me slightly uncomfortable. I followed the project from a distance but never wrote about it.

Then, in April 2020, Apple and Google announced an unprecedented partnership to build out a Bluetooth-based Exposure Notifications platform. Basically, Apple’s and Google’s phone operating systems act as conduits—they passively log a record of the devices that you’ve been in proximity with (not the actual device IDs but a private key). This information is stored on a server run by a government third party. If somebody becomes infected, they report this information. It registers in the database, and all the keys that have been in proximity with an infected user get an immediate notification. The idea is that Apple and Google never receive any data from users; they just help collect it and distribute the notifications.

As a critic of Big Tech, I was and still am wary of big private-industry efforts using potential surveillance tools to help with the pandemic. But this line, from the privacy activist and writer Maciej Cegłowski, has stuck with me since I read it in March 2020. Like me, he recoiled at the idea of turning to invasive tech to mitigate the virus, but noted that these were extraordinary times:

“The alternative is to keep this surveillance infrastructure in place to sell soap and political ads, but refuse to bring it to bear in a situation where it can save millions of lives. That would be a shameful, disgraceful legacy indeed.”

I attended an early briefing from the two companies about the tech back when it was announced in the spring of 2020, but I didn’t hear much more. Once I started traveling a bit again, I noticed the occasional push notification from my iPhone asking me if I wanted to opt in to a specific state’s Exposure Notifications program. I did, but that was the extent of my interaction. I always wondered if, well, people were using it.

This past Christmas Eve, Myoung Cha provided an update. Cha used to be the head of health strategic initiatives at Apple and was a leader on the Apple/Google Exposure Notifications team (he’s now president and chief strategy officer at Carbon Health). In a lengthy tweetstorm, Cha reflected on the last 18 months of Exposure Notifications and why it hadn’t achieved its full potential.

As he described it, two of the world’s biggest and most powerful companies came together to create a piece of technology and offer it to the U.S. government for free, in order to modernize an outdated piece of public-health infrastructure during a pandemic. And then … nobody with the CDC, FDA, or two presidential administrations took them up on the offer. I called up Cha this week and asked him some questions about the Exposure Notifications program—how it came together, what a perfect version of digital contact tracing looks like, where the project fell apart, and why the government dragged its feet on the technology. The following is a very lightly edited transcript.

Charlie Warzel: Obviously, there was a desire to help stop the spread of the virus, but were there specific reasons Apple and Google got involved in contact tracing, versus letting the government or states handle it?

Myoung Cha: At the start of the pandemic, in 2020, governments around the world ramped up different forms of digital contact tracing with smartphones to track down exposures to infected individuals, using everything from GPS location, QR codes, and even cellular towers. The initial efforts around Bluetooth-based COVID apps began in Asia with Singapore’s TraceTogether app and in Europe with a number of academic groups, including DP-3T, which rallied around Bluetooth as the best approach for digital contact tracing. In the very early months of the pandemic, multiple governments and their developers asked Apple and Google for technical support to enable better Bluetooth-based contact tracing.

One of the things both companies were concerned about very early on were the implications, from a privacy standpoint, of turning a Bluetooth-based system into a mass surveillance operation. When you think about it, the very nature of manual contact tracing is privacy invasive; if you are infected, a contact tracer will ask you for your whereabouts and all known associates and contacts over the last several days. If we were to have simply allowed governments unfettered access to the Bluetooth protocol for their apps, the raw data that could be collected (i.e., who you were in contact with, for how long, where) from smartphones would have allowed them to reassemble your social graph, which would have been useful for contact tracing but also for other more nefarious purposes in the wrong hands.

So the COVID Bluetooth protocol was designed as a so-called decentralized system to provide exposure notifications—a distributed network where those people who are notified of possible exposures are not informed of who exactly exposed them, just when they were exposed and a message from the public-health authority with instructions on what to do (e.g., test, isolate/quarantine). From the very beginning, the system was designed with privacy in mind because we believed no one would use the system otherwise.

Warzel: Can you say a bit about some of the technical challenges? There’s a privacy component, of course, but there’s also the challenge of making Bluetooth run in the background while not bricking everyone’s phones.

Cha: There were a lot of under-the-hood improvements specific to EN, including making sure that Bluetooth could run effectively in the background without negatively impacting battery life. Some governments attempted to hack their own Bluetooth-based solutions, which had all sorts of problems with run time and interfering with other Bluetooth devices, like AirPods.

Warzel: As an outsider, it would seem to me that the biggest challenge you all had with EN was overcoming trust issues between the American public and Big Tech, especially on things that are privacy focused. Did the reception surprise you? Do you feel like EN’s benefit or technology was properly communicated during the rollout?

Cha: One of the biggest surprises to me during the pandemic was the distrust in institutions in general, not just with Big Tech. We spent countless briefings explaining to government authorities, public-health officials, privacy experts, and the press how the technology worked, in particular the fact that neither Apple nor Google received any of this user data. Despite this messaging, I think there was (and still is) a general perception that Big Tech has all of your data and this is just another aspect of personal data that these companies have about you. Beyond the privacy concerns, there is a two-sided coin with EN and the power of Big Tech. On the one hand, it is the very scale that these platforms represent that provides a unique tool in the fight against COVID, something that never could have existed before smartphones, which on the other hand represents the disproportionate power these companies have in our lives.

Stepping back, given that these EN apps were sponsored by the government in one form or another, the level of trust not just in Big Tech but in the government was a huge factor for EN adoption and acceptance of other mitigation measures during the pandemic. In other countries where trust in government is high, we saw much higher levels of adoption than we saw in the U.S.

Warzel: If you can, could you walk me through the rollout and evolution of EN? Where were the big initial roadblocks?

Cha: For me, COVID really “started” the week the world shut down in early March 2020, with Tom Hanks and his wife announcing they had COVID, the NBA season shutting down, and people being sent home from work. Shortly after that, the EN API really took shape at both companies and was officially announced in April 2020. The first EN apps were launched in Europe in May. So all of this took place with amazing speed and urgency.

Our attention soon turned to the U.S., and we spent much of the summer trying to figure out who should launch these apps here—was it the CDC? HHS? The White House? The states? The local counties?

With the Trump administration pushing most of the pandemic response to the states, our efforts focused on the state public-health authorities, and Virginia became the first state to launch an EN app, in August 2020.

We realized quickly that most states didn’t have the resources or capabilities to build their own mobile apps, so we set to work on an app-less implementation of EN called EN Express, which was built right into the operating system of both platforms. Through a template, a state could get up and running with EN in a matter of weeks with no technical skill required. California was the biggest state to launch early on with EN Express, in December 2020, and achieved pretty significant adoption among smartphone users in the state.

Currently, there are more than 20 states and territories in the U.S. that have adopted EN apps or EN Express.

Warzel: How did things change after Biden took office?

Cha: We thought things would change massively and were hopeful that the Biden team would embrace EN as part of a multipronged mitigation strategy. But I think the transition team had already decided early on that vaccines should be their big bet to end the pandemic.

Warzel: What’s your gut feeling as to why it didn’t take? Were there concerns about efficacy? Was it a lack of interest in the technology? Was there a worry about abuse?

Cha: It was probably partly political and cultural. I suspect the government didn’t want to expend political capital on EN given some of the Big Tech distrust among the public. I also think there is a culture of conservatism with a layer of bureaucracy in places like the CDC that is not compatible with trying new things. I understand the risk-benefit cost calculus that a policy maker has to do with deciding whether something like EN is worth investing in. But there are some calculated bets that are pretty obvious to make in the midst of a pandemic: the backing and support of two of the largest and most capable companies on the planet, along with the fact that the U.S. was a late adopter with plenty of other “guinea pig” countries who seemed convinced that the technology was saving lives.

Warzel: So how does EN work in a perfect world? What is the approach and how might it work with other mitigation techniques, like the oral medications we’re going to have shortly?

Cha: I always thought that EN could be part of a 21st-century public-health infrastructure built with a new set of rails, versus the current system, which is a labyrinth of federal, state, and local agencies.

The biggest opportunity for EN is to tether it to rapid antigen tests and to allow infected individuals to self-report their results into the system, notifying close contacts instantly that they might have been exposed. This would cut many days from the typical cycle of test reporting from centralized labs and the aggregation of those results by public-health authorities (i.e., the “traditional” rails). Once rapid antigen tests become more ubiquitous, the EN system deployed in this way truly becomes a decentralized system that operates at the speed of the internet.

With this advantage of speed, EN then becomes a digital messaging platform for public-health authorities to provide guidance on what to do when exposed to an infected person—where to get tested and notifying them that they may be eligible for the new oral therapies if they are high risk and symptomatic. This is an enormous capability that has yet to be fully tapped, in my view.

Warzel: Briefly, can you tell me what plans are to counter abuse in the system?

Cha: In those states that allow self-report of results from rapid tests, there are restrictions to prevent would-be fraudsters from abusing the system with multiple false alarms in a certain time period. There is always the risk of abuse with self-report, but I think the benefit of trusting people to do the right thing will lead to greater good and impact than not allowing it at all.

Warzel: Do you think people don’t want to buy into that vision because they don’t want to imagine the pandemic persisting beyond Omicron?

Cha: Yes. I think there are likely many people who are done with the pandemic right now and want it to be over after this Omicron surge. It would require a real mindset shift from leadership to everyday people that COVID is just part of our lives and we need to live with lightweight mitigation strategies—including masking, testing, and EN—for some time to keep it under control.

Warzel: You’ve tweeted that you see the lack of EN buy-in in a similar camp with the U.S.’s testing failures and the lack of focus on COVID mitigation measures outside of the vaccine. What do you think the experience says about the U.S.’s approach to the pandemic and to public-health infrastructure right now?

Cha: Our pandemic response in general has been about looking for the quick fix, the silver bullet. And the vaccines represented that for a while but also fell short of being the magic bullet once we ran into the harsh realities of hesitancy, inequity, and waning immunity versus new variants.

We failed to plan seriously for a long fight against the virus and as a result, when I look around right now, I’m not sure we are dramatically better off than some of the worst moments of the last two years. There are massive lines for tests, many days to get results, hospitals getting crowded, kids returning to remote schooling, and a worn-out health-care workforce. Sure, we have fewer people who have died as a result of the vaccines. For that, we should count ourselves lucky. But we missed out on so many other things over the last 12 to 18 months that would have set us up with a more resilient infrastructure than what we have right now.

Before we leave, I thought I’d add some of my own thoughts about all this. I will always be skeptical that Exposure Notifications would have been widely adopted in the United States, and even if it had been, I don’t think there’s any way to know if the system would have vastly changed the number of COVID cases in the U.S. In some countries, like the U.K., Exposure Notifications has been reasonably successful (one estimate suggests it prevented 600,000 cases in the winter 2021 surge), but in places like Switzerland, adoption and efficacy weren’t quite what people had hoped.

But Exposure Notifications didn’t need to be a silver bullet to be a helpful tool during this crisis. And the fact that it was so thoroughly dismissed by two administrations and many government agencies underlines to me that our pandemic response is still single-mindedly focused on stopping COVID instead of mitigating it. Especially during this Omicron wave, where cases are piling up far faster than any testing facility can process them, we’ve largely lost track of the pandemic from a data perspective. As our systems struggle to keep up with and identify confirmed infections, Americans are left to make personal risk calculations with imperfect or little information. Maybe the best example of this is the confusion and fear that millions of people felt this past Monday sending their kids back to school after a long holiday break that happened to coincide with the largest explosion of COVID cases since the pandemic started. As Cha notes, the government’s understandable focus on vaccines has left us in a better spot from a deaths and hospitalizations perspective, but left us flat-footed when it comes to trying to navigate the logistics of living with the virus.

I’m not personally worried about my health, and I am not hiding away in fear of COVID these days. But I am worried about an avalanche of cases straining our systems, most importantly, our health-care system. But more than anything I’m concerned that the public-health infrastructure in the U.S. is, as Cha described it, riding on an outdated set of rails. Part of that is a fragmented bureaucracy that makes it difficult for outsiders to try and lend assistance in a crisis. (If companies like Apple and Google can’t find a way to navigate public-health infrastructure, that bodes extremely poorly for any other outsiders with big or new ideas.) But most concerning is an outdated mindset that seems to focus on silver-bullet solutions over comprehensive ones. It’s a type of thinking that moves slowly and seems to resist adapting to new, ever-evolving information.

I want to hope that the scariest days of COVID are behind us. But even if that’s true, I worry we haven’t learned the necessary lessons from the past two years.