The privacy versus safety debate around coronavirus tracking and tracing technology examines the wrong dilemma. Choosing the right tracking solution is equally important.
Numerous podcasts and current affairs programs have raised privacy concerns around the track and trace software proposed by the Australian government. They generally frame the debate with safety as one horn of the dilemma and privacy as the other. The question is most regularly posed in the form, “How much privacy are we prepared to sacrifice to obtain the safety offered by the track and trace application proposed by the Australian government?”
This is a false choice, though, that plays into the hands of those who wish to increase surveillance.
Privacy is threatened
This article does not seek to devalue privacy concerns.
There is no doubt that governments have aggressively adopted surveillance and centralisation of data to strengthen their power over the population. Although essentially a democrat rather than an anarchist, I have a great deal of sympathy for Proudhon’s view that “To be governed is to be at every operation, at every transaction noted, registered, counted, taxed, stamped, measured, numbered, assessed, licensed, authorised, admonished, prevented, forbidden, reformed, corrected, punished.”
Although the High Court ruled that the Australian Federal Police had used an illegal warrant to enter the home of journalist Annika Smethurst, it allowed the federal police to keep the data they had illegally gained. It is beyond irony that the AFP used illegal means to shut down a journalistic investigation into spying on Australian citizens by the Australian Signals Directorate. The story involves layers of abuse by government agencies carrying out surveillance on citizens.
So, concerns about privacy are completely legitimate. The problem emerges in the assumption that there is an inverse relationship between privacy and safety: that there is a direct trade-off, and that we must choose how far to push a slider along a spectrum between full privacy at one end and full safety at the other.
A thought experiment
Without going into the deeper technical details of the various approaches being proposed to track and trace, we can carry out a simple thought experiment between two possible and radically different approaches to reaching the end goal of tracking and tracing.
One approach, commonly called the Bluetooth approach, gives each phone an identifier that it broadcasts over Bluetooth, and has each phone record the identifiers of the other phones it has been near for more than 15 minutes. (In deployed designs the broadcast identifier is rotated regularly, because a fixed identifier would itself be a beacon that anyone with a Bluetooth receiver could follow.) The other approach is commonly referred to as the GPS approach: it maps your location over time, providing the possibility of identifying who you were near at any given time over a certain period.
The Bluetooth approach is considered superior for a number of reasons and has been selected by the Australian government. The most widely discussed reason is the better accuracy of the system. GPS is easily confused when people are in the same building but not near each other, on different floors for example, and it is unreliable indoors. The Bluetooth method ensures you are close enough to share a signal, which roughly equates to breathing the same air. Only roughly, though: received signal strength is a proxy for distance rather than a measurement of it, and walls, bodies and a phone in a pocket all attenuate it.
There is a fundamental difference to the nature of the data, and the world model involved. This is really important, if a little abstract.
The Bluetooth model simply stores a list of IDs that you have shared space with for more than 15 minutes. It requires a date to be stored along with each ID so that encounters outside the incubation period of the virus can be eliminated. Other than that, nothing else is required. So, when you are found to have COVID-19, i.e. test positive for the virus named SARS-CoV-2, you supply the list of IDs you have been in contact with to the government and they are duly notified. That’s it.
The model of the world maintained by this method is a record of interactions. If that was fully shared, we could build a day by day account of who was with whom, which may be useful for lots of reasons, especially if joined with other data, but in itself does not constitute surveillance of a particularly invasive kind. It also requires a relatively small amount of data. Take 1 billion people, each recording a couple of hundred interactions a day, with two numbers per interaction, the ID and the date. That is four hundred billion numbers a day, roughly three trillion numbers a week.
The GPS model, on the other hand, records the location of every individual at some time interval, say every minute. This has to be pooled centrally, because a phone knows only its own trace; finding who was near whom means joining everyone’s traces together. The result is that your every move is available to the data holder, and to everyone who has access to it, for as long as it is stored. The amount of data required is also far larger. Each sample needs two numbers to identify which of the roughly 149 million million square metres of the earth’s land surface a person occupies and a third number to identify which minute of which day they occupy it, and a sample is written whether or not anyone else is nearby.
Tracking the same billion people at one sample a minute requires 1,000,000,000 × 3 × 1,440 = 4.3 trillion numbers per day, or roughly 30 trillion numbers a week, about ten times the encounter log. Sample every second instead (86,400 samples a day) and it is about 260 trillion numbers a day, several hundred times the alternative. Either way the location trace grows with elapsed time for everyone, while the encounter log grows only with encounters.
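To make the difference between the two world models concrete, here is a small Python sketch added for this article; it is not code from the article, from COVIDSafe or from any government app. It holds the Bluetooth-style model as a per-phone log of (contact ID, day) pairs with an incubation-window prune, and the GPS-style model as a central table of per-minute positions from which encounters have to be reconstructed by a join, and which yields everyone’s trajectory as a side effect. The 15-minute threshold, 14-day window, 2-metre radius, IDs, dates and coordinates are assumed values; the volume function reuses the article’s own parameters (a billion people, a couple of hundred encounters a day, one location sample a minute).

```python
"""Two contact-tracing data models side by side (added example, not from the
article): an encounter log kept on the phone, and a central location trace.
IDs, positions and the thresholds below are assumed values for illustration."""
from collections import defaultdict
from datetime import date, timedelta
from math import hypot

INCUBATION_DAYS = 14   # assumed retention window for the encounter log
MIN_CONTACT_MIN = 15   # assumed threshold for a close contact
CLOSE_METRES = 2.0     # assumed radius for the location-trace join


class EncounterLog:
    """Bluetooth-style model: the phone stores only (contact_id, day) pairs."""

    def __init__(self):
        self._entries = set()

    def record(self, contact_id, day, minutes_together):
        # Encounters below the threshold are never written at all.
        if minutes_together >= MIN_CONTACT_MIN:
            self._entries.add((contact_id, day))

    def prune(self, today):
        """Drop entries older than the incubation window."""
        cutoff = today - timedelta(days=INCUBATION_DAYS)
        self._entries = {e for e in self._entries if e[1] >= cutoff}

    def export_on_positive_test(self):
        """All the health authority receives: IDs and days, no location."""
        return sorted(self._entries)

    def __len__(self):
        return len(self._entries)


class LocationTrace:
    """GPS-style model: a central table of (person, minute, x, y) for everyone."""

    def __init__(self):
        self._rows = defaultdict(dict)   # person -> {minute: (x, y)}

    def record(self, person, minute, x, y):
        self._rows[person][minute] = (x, y)

    def trajectory(self, person):
        """Anyone holding the table can replay a person's movements."""
        return sorted(self._rows[person].items())

    def find_contacts(self, person):
        """Reconstruct encounters by joining every trace on time and distance."""
        mine = self._rows[person]
        minutes_near = defaultdict(int)
        for other, theirs in self._rows.items():
            if other == person:
                continue
            for minute, (x, y) in mine.items():
                if minute in theirs:
                    ox, oy = theirs[minute]
                    if hypot(x - ox, y - oy) <= CLOSE_METRES:
                        minutes_near[other] += 1
        return sorted(o for o, n in minutes_near.items() if n >= MIN_CONTACT_MIN)

    def __len__(self):
        return sum(len(t) for t in self._rows.values())


def numbers_per_day(people, encounters=200, per_encounter=2,
                    samples=1440, per_sample=3):
    """Numbers stored per day under each model, and the ratio between them."""
    enc = people * encounters * per_encounter
    gps = people * samples * per_sample
    return enc, gps, gps / enc


def demo():
    """Constructed data: a few encounters and one hour of per-minute positions."""
    today = date(2020, 4, 20)
    log = EncounterLog()
    log.record("B", today - timedelta(days=20), 30)   # outside the window
    log.record("C", today - timedelta(days=3), 45)
    log.record("D", today, 5)                         # too brief to count
    log.prune(today)

    trace = LocationTrace()
    for minute in range(60):
        trace.record("A", minute, 0.0, 0.0)
        trace.record("C", minute, 1.0, 0.0)    # beside A for the whole hour
        trace.record("E", minute, 50.0, 50.0)  # elsewhere
    return log, trace


if __name__ == "__main__":
    log, trace = demo()
    print("encounter log exports:", log.export_on_positive_test())
    print("trace join finds contacts of A:", trace.find_contacts("A"))
    print("trace also reveals A's first positions:", trace.trajectory("A")[:3])
    enc, gps, ratio = numbers_per_day(10**9)
    print(f"numbers/day: encounters={enc:,} gps={gps:,} ratio={ratio:.1f}")
```

The two models answer the same question (“who was A near for 15 minutes?”) but the encounter log can answer nothing else, whereas the location table answers it only after a join over everyone’s data and, as a by-product, can replay any person’s day. Changing `samples` to 86400 in `numbers_per_day` shows how the ratio moves with the sampling interval.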
There is little wonder that the Morrison government has opted for the Bluetooth model.
The purpose of this analysis is not to confirm the wisdom of the Morrison government’s decision but to identify the different dimensions involved in building such solutions and the relationships between the social, political and technical aspects of those solutions.
Extracting some principles
The Bluetooth approach offers a solution that reduces the quantity of data by one to three orders of magnitude, depending on how often the alternative samples location, and that grows only with the number of encounters rather than with elapsed time. The elegance of that approach seems inherently valuable just because of these data savings. It also provides a much less intrusive data model by focusing on the data required to achieve the specific outcome.
In this case, the desire to identify who might infect whom requires us to record only the encounter and the day it happened, not where it took place or the minute-by-minute route that led there. Recording the encounter obviates the need to map any individual’s journey. The improved requirements analysis reduces the problem significantly.
The preference for simple solutions is captured by technologists under the heading of elegance. The value of elegance in programming is almost identical to the core principle of Occam’s Razor, “Entities should not be multiplied without necessity”, or in modern business English, “Keep It Simple, Stupid.”
Similar logic applies to the concerns expressed over the nature of targeted advertising in late 2019. Scott Morrison insisted that Google and Facebook provide data on who had been shown which advertisements. They resisted on the basis that it would be impossible. You only have to think for a moment about the amount of storage such an endeavour would require to realise that it is inordinately easy to design systems that generate more data than can be processed. I have crashed more than a few computer systems in my time with such infinitely expansionary code.
One result of the simple, elegant solution of capturing only the IDs of those in close contact is that it separates the requirement of tracking and tracing from any wider surveillance concerns. The important thing in this case is that it removes any purported relationship between privacy and safety.
In the discussion of how we best design and manage the computer systems that increasingly dominate our lives, we need to keep a very clear head about exactly what it is we are doing.