Trust and Transparency in Contact Tracing Applications

06/19/2020 ∙ by Stacy Hobson, et al. ∙ IBM

The global outbreak of COVID-19 has led to a focus on efforts to manage and mitigate the continued spread of the disease. One of these efforts includes the use of contact tracing to identify people who are at-risk of developing the disease through exposure to an infected person. Historically, contact tracing has been primarily manual but given the exponential spread of the virus that causes COVID-19, there has been significant interest in the development and use of digital contact tracing solutions to supplement the work of human contact tracers. The collection and use of sensitive personal details by these applications has led to a number of concerns by the stakeholder groups with a vested interest in these solutions. We explore digital contact tracing solutions in detail and propose the use of a transparent reporting mechanism, FactSheets, to provide transparency of and support trust in these applications. We also provide an example FactSheet template with questions that are specific to the contact tracing application domain.


I Motivation

The recent spread of Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and the outbreak of the associated COVID-19 disease has inspired the development of new software applications and AI models to address many of the challenges our global society is facing. Public health agencies, corporations, and individuals have been racing to identify tools to help control the spread of the virus, find suitable treatment options, and aid in the creation of a vaccine. Given the public health impact and urgent need to limit the continued spread of the disease, many government officials and policy makers have relaxed regulations to expedite the launch of technologies addressing these and other related concerns. Many of these technologies collect and use sensitive data about individuals such as health history, medical conditions, infection state, current health symptoms, and location. An example includes Contact Tracing Applications - those focused on identifying individuals who are at risk for developing COVID-19 through exposure to a person later identified as having been infected with SARS-CoV-2. Contact tracing applications use various techniques to identify exposure or contact events, and use sensitive personal data like some of the examples previously identified.

The use of sensitive personal information has prompted concerns about the overall trustworthiness of these types of applications. These concerns have motivated interest in application transparency, so that application stakeholders can better understand details including the purpose of the application, the data that is collected and the application’s use of the collected data.

In recent years there has been significant discussion around the need for transparent reporting, specifically with regard to AI models and services. We apply one of the recent transparent reporting techniques in the context of contact tracing applications. Although this category of applications is not considered AI, there is significant risk to the end-users of the applications given the health implications and use of sensitive personal data. Studies have shown that technologies that are applied in a healthcare or a public health setting can lead to negative outcomes like medical errors, harm, or death, especially if they are poorly designed, implemented, or applied [1]. The limited understanding of details of these applications motivates a need for transparency to support trust.

The objective of this paper is to identify how we develop and use transparent reporting mechanisms for Contact Tracing applications. We do not aim to make direct conclusions about the trustworthiness of specific applications but focus on the types of questions that must be addressed to provide transparency of and support trust in the applications in this domain.

II Transparent Reporting Mechanisms

Researchers in the software engineering community have focused on creating useful documentation for applications. They have identified quality issues in existing documentation for conventional systems [2, 3, 4] and discussed problems such as missing rationales for design decisions, too few examples to understand how to use a module or package, lack of overviews to illustrate how a system’s component parts work as a whole, and insufficient guidance on how to map usage scenarios to elements of an API.

AI applications pose a unique challenge, given their reliance on training data, and their often probabilistic behavior with respect to test data. Thus, there has been a recent focus on transparent reporting mechanisms for AI systems, focusing on datasets [5, 6, 7], models [8, 9] and services [8]. There have been efforts focused on the ethical development of AI that also highlighted the need for transparency or detailed assessments of AI systems [10].

We build upon these efforts of transparent reporting to examine and provide transparency of contact tracing applications.

III COVID-19 and Contact Tracing

SARS-CoV-2 poses a significant health challenge for global communities in that there are currently no identified vaccines or accepted proactive treatment methods for COVID-19, the disease the virus causes. Limiting the spread of the virus has emerged as one of the primary targets to reduce the occurrence of COVID-19, and the impact on individuals and the overburdened healthcare system in many countries. Two of the measures used to reduce the spread are 1) limiting the physical interactions and contact between people (social distancing) and 2) identification of people who have come into contact with or proximity of an infected person (contact tracing).

Contact tracing has been used for many years as a method to control disease and has primarily relied on mobilization of trained human contact tracers - people who actively work with individuals with confirmed infections to generate a list of people whom they may have further exposed or infected [11]. The contact tracers then notify each of the identified individuals of the exposure risk, encourage them to get tested for infection, and suggest potential immediate quarantine action. If any of those individuals are infected, the tracers begin the process of creating an exposure contact list for each of those people for further notification and action.

Manual contact tracing efforts are likely not sufficient in cases where the spread of the disease has been exponential, as we have seen with SARS-CoV-2. The initial doubling of cases in China was reported at every 6.4 days before advanced mitigation methods were employed [12]. A recent publication by Johns Hopkins University Center for Health Security reports that the United States will need to add approximately 100,000 human contact tracers as part of the multi-pronged effort to manage the COVID-19 epidemic [13].

One way to scale contact tracing efforts and complement the work of human contact tracers is through the use of digital contact tracing solutions. The United States Centers for Disease Control and Prevention (CDC) identifies two types of digital contact tracing solutions - one focused on streamlining the capture and management of data on cases and contacts, the other on using Bluetooth or GPS to track an individual’s exposure to an infected person [14]. The approach we use for transparency can be applied to both solution types; however, we focus our remaining discussion on the most prevalent of the application types - those that fall into the latter category.

III-A Digital Contact Tracing Techniques

There is no single agreed-upon way to achieve contact tracing; at the time of writing this paper, we identified 30 contact tracing applications available worldwide. Many of these applications establish contact events by keeping a record of all the devices (e.g. smartphones) that come within a certain distance of one another or are in the same geographical location at the same time. Once a person has been identified as infected with COVID-19 and has indicated it in the application, a notification can be sent to all other devices running the same application that indicated close proximity to the device of the infected person within a set date range. These details are used to infer a contact event - that one or more people were close enough to an infected individual where respiratory droplets could pass from the infected person to the others. The most common approaches for digital contact tracing rely on either the use of location tracking through the Global Positioning System (GPS) or Bluetooth Low Energy capabilities.

Most smartphones today continuously capture details on the device’s location and the associated time via GPS satellites. GPS-enabled devices are reported to work best when they are outdoors under open skies where they can accurately capture location within 16 feet [15]. Location accuracy is known to degrade when devices are indoors, underground, or near items that obstruct a direct path to the satellites, e.g. buildings, bridges, or trees [15]. GPS-based location tracking for a device is achieved through trilateration using radio signals from GPS satellites. The resulting coordinates indicating geographical location are paired with a timestamp to represent location at a specific time. Contact tracing applications infer contact events by identifying devices that 1) have geographical coordinates that fall within a set distance parameter (e.g. 6 or 10 feet), 2) have timestamps that overlap with one another, and 3) continue to remain within the distance parameter for a specified duration (e.g. 15 minutes), even if the geographical coordinates of one or both change. This inference also relies on certain assumptions, including that the device is always in a person’s possession and that possession is by a single person. A contrary case is when the device is not in someone’s possession, for example when it is left somewhere (on the seat on a train, a table in a restaurant, etc.). The device’s location (and not that of the person) would be tracked and a faulty contact event can be reported. Similarly, if a device owner or primary user lets someone else (friend, family member, etc.) use the device and the owner is later found to be infected, the exposure of others may be reported for cases where the infected individual was not present. Additionally, the challenge posed by inaccuracies for device use indoors may limit the ability to identify a significant portion of contact events and has been identified as a potential shortcoming of using GPS location tracking for this particular purpose.
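The three-part inference described above (distance threshold, overlapping timestamps, sustained duration), written out as an added example; it is not code from the paper or from any of the applications it surveys. The track format, the 60-second sampling, the coordinates and the constant error offsets are constructed; the offsets stay inside the 16-foot accuracy figure quoted above to show how location error alone can hide a real contact or create a false one.

```python
import math
from dataclasses import dataclass

FEET_PER_METER = 3.28084
EARTH_RADIUS_M = 6_371_000            # mean Earth radius
BASE_LAT, BASE_LON = 40.0, -75.0      # constructed reference point


@dataclass(frozen=True)
class Fix:
    t: int        # seconds since the start of the observation window
    lat: float
    lon: float


def feet_to_deg_lat(feet):
    """Convert a north-south offset in feet to degrees of latitude."""
    return math.degrees(feet / FEET_PER_METER / EARTH_RADIUS_M)


def distance_feet(a, b):
    """Haversine great-circle distance between two fixes, in feet."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h)) * FEET_PER_METER


def contact_events(track_a, track_b, max_feet=6.0, min_seconds=15 * 60):
    """Return (start, end) intervals in which both devices report fixes at
    the same timestamps, stay within max_feet of each other, and do so for
    at least min_seconds. A missing or distant fix ends the current run."""
    b_by_time = {f.t: f for f in track_b}
    events, start, last = [], None, None
    for fa in sorted(track_a, key=lambda f: f.t):
        fb = b_by_time.get(fa.t)
        if fb is not None and distance_feet(fa, fb) <= max_feet:
            if start is None:
                start = fa.t
            last = fa.t
        else:
            if start is not None and last - start >= min_seconds:
                events.append((start, last))
            start = None
    if start is not None and last - start >= min_seconds:
        events.append((start, last))
    return events


def make_track(offset_feet, error_feet=0.0, samples=21, step_s=60, walk_feet=3.0):
    """Constructed track: a device offset_feet north of a reference point
    that walks north by walk_feet per sample, reported with a constant
    northward GPS error of error_feet."""
    return [
        Fix(i * step_s,
            BASE_LAT + feet_to_deg_lat(offset_feet + error_feet + i * walk_feet),
            BASE_LON)
        for i in range(samples)
    ]


def run_scenarios():
    return {
        # Two people walking together 4 ft apart for 20 minutes.
        "true_contact": contact_events(make_track(0), make_track(4)),
        # Same people, but one device reports 10 ft off: 14 ft apart on paper.
        "missed_by_error": contact_events(make_track(0), make_track(4, error_feet=10)),
        # People 20 ft apart whose 8 ft errors point toward each other.
        "false_from_error": contact_events(make_track(0, error_feet=8),
                                           make_track(20, error_feet=-8)),
    }


if __name__ == "__main__":
    for name, events in run_scenarios().items():
        print(f"{name:18} {events}")
```
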

Bluetooth Low Energy (BLE) capabilities can be used to establish contact events through proximity detection. Most smartphones are equipped with Bluetooth capabilities that are leveraged for this method of contact tracing and, unlike GPS, can track proximity events indoors or outdoors. Since Bluetooth is used to track the proximity to other Bluetooth-enabled devices, it does not track actual location. This has been considered one of the limitations of this method since it cannot assist in identification of geographical areas where the virus is spreading.

In a contact tracing context, Bluetooth Low Energy is used to broadcast information from a device including a time stamp and an identifier. Since Bluetooth Low Energy is based on short-range communications, only devices that are within a short distance are expected to receive the broadcast. The receiving device uses the received signal strength indicator to infer distance between itself and the broadcasting device. A recent tech report highlights issues with relying on signal strength as an estimator of distance. The authors showed that the signal strength varied substantially based on the orientation of the device, absorption of the signal by the human body, and reflection or absorption of radio signals in buildings and trains [16].
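An added example (not from the paper or from the report it cites) of why signal strength is a fragile distance estimator. It assumes the commonly used log-distance path-loss model, which the paper does not name, with an assumed calibration of -59 dBm at 1 m and an exponent of 2; the identifiers, the 10 dB absorption and reflection offsets, and the 1.83 m (6 ft) and 15-minute thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

TX_POWER_DBM = -59.0    # assumed RSSI measured at 1 m (calibration constant)
PATH_LOSS_EXP = 2.0     # assumed free-space path-loss exponent


def rssi_at(distance_m, extra_loss_db=0.0):
    """Forward model, used only to construct the sample sightings below."""
    return TX_POWER_DBM - 10 * PATH_LOSS_EXP * math.log10(distance_m) - extra_loss_db


def estimate_distance_m(rssi_dbm):
    """What the receiver can compute: distance implied by RSSI alone."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def exposure_seconds(sightings, max_m=1.83, scan_interval_s=60):
    """Per broadcast identifier, total time whose estimated distance is
    within max_m. Each sighting is (timestamp, identifier, rssi_dbm)."""
    totals = defaultdict(int)
    for _t, ident, rssi in sightings:
        within = estimate_distance_m(rssi) <= max_m
        totals[ident] += scan_interval_s if within else 0
    return dict(totals)


def flagged(sightings, min_seconds=15 * 60):
    """Identifiers the receiver would record as contact events."""
    totals = exposure_seconds(sightings)
    return sorted(i for i, s in totals.items() if s >= min_seconds)


def sample_sightings():
    """Constructed log: 20 one-minute scans of three broadcasting devices."""
    cases = {
        "near-in-hand":   (1.5, 0.0),    # 1.5 m away, unobstructed
        "near-in-pocket": (1.5, 10.0),   # 1.5 m away, 10 dB body absorption
        "far-reflective": (5.0, -10.0),  # 5 m away, 10 dB stronger via reflections
    }
    return [
        (minute * 60, ident, rssi_at(dist, loss))
        for minute in range(20)
        for ident, (dist, loss) in cases.items()
    ]


if __name__ == "__main__":
    log = sample_sightings()
    print(exposure_seconds(log))
    print(flagged(log))
```

The receiver sees only RSSI, so the device 1.5 m away in a pocket is estimated at about 4.7 m and never flagged, while the device 5 m away is estimated at about 1.6 m and flagged for the full 20 minutes.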

Another fundamental difference between GPS-based location tracking and proximity identification through Bluetooth Low Energy is in how the data related to potential contact events are stored. GPS-based location tracking relies on centralization of data to a remote server while the Bluetooth Low Energy technique can be either centralized or decentralized, with data being shared only locally on the individual devices.

Other, lesser-discussed methods for contact tracing solutions may involve the use of Bluetooth beacons [17], location tracking through cellular or Wi-Fi, or tag scanning (e.g. QR or RFID). These techniques can be implemented as the sole method for contact identification or in combination with one of the other techniques.

Although these techniques can be used to identify potential contact events, they do not factor in pertinent details that can affect transmission likelihood. For example, transmission within an indoor, poorly ventilated space may be more likely than transmission in an outdoor space [18]. Additionally, appropriate use of items like medical-grade masks or respirators by one or more individuals can greatly reduce likelihood of transmission during contact events.

We are not suggesting that one method is better than the other; we only present a brief introduction of the techniques since aspects of the technical implementation are important considerations for stakeholders interested in application transparency.

IV Application Stakeholders

Contact tracing has been identified as critical to the ability to manage the COVID-19 pandemic and, along with significant testing capabilities, may be a required item to enable governments to relax measures in place that limit the movement of their citizens [19, 20]. These measures have negatively impacted global economies given the effect the restrictions have on businesses in industries such as retail, hospitality, and travel & transportation. Multiple stakeholders are interested in the development and use of contact tracing applications and the underlying motivations for this interest may differ for each group. Understanding some of the motivations for the stakeholders provides a foundation for identifying the expected benefits and concerns of use of these applications.

IV-A Public Health Officials

One category of stakeholders includes those with a public health role - officials in organizations with a focus on the identification and management of viruses like SARS-CoV-2. Examples of these organizations are the CDC in the United States and Ministries of Health in other countries. They have an interest in digital contact tracing solutions as a complement to manual contact tracing efforts that many of them have employed for decades, with a goal of using these techniques to mitigate disease spread.

IV-B Health Care Providers

A second group includes health care providers - hospitals, long- and short-term care facilities, and laboratories. Their interests also include the management of the virus but extend to use of the applications for reporting of infected cases from their patients and appropriate handling of people who have been notified of potential exposure. The health care provider and public health groups, along with government officials, likely also have interests in using applications to identify ’hot spots’ or locations where the spread of the virus is growing. This information can be used in tailoring localized measures aimed at reducing the continued spread.

IV-C Public and Private Companies

Many public and private companies have interests in digital contact tracing applications as part of the efforts in allowing their employees to return to a physical worksite. Since the start of the pandemic, many governments have instituted measures to encourage or mandate that their citizens remain at home with exceptions being allowed for those in essential roles, e.g. health care staff, public safety officials, and critical infrastructure work in specific industries [21]. Digital contact tracing applications can be used to identify exposures within an office setting and enable employers to recommend exposed individuals quarantine at home to reduce worksite-associated outbreaks. Additionally, employees that have been notified of potential exposure through non-work related activities can communicate the exposure identification to their employer and self-quarantine to prevent spread.

IV-D IT Professionals

Software developers and information technology professionals are often the groups that are responsible for the development of contact tracing applications. People within this group may have interests in developing their own solutions for contact tracing to make available to the stakeholder groups mentioned above. There are often government and geographical considerations that apply to the applications, so the potential for adoption of an existing application by a different country may require updates by software developers to make them adhere to specific local policies or regulations.

IV-E General Public

The final stakeholder group we identify here includes the individuals that are expected to actively use contact tracing applications. This could be individuals in a certain country, state, or geography, or in a business context, the business’ employees. Trust in the applications by the target end-users is critical for effective adoption, especially in cases where application usage is not mandated.

V Benefits and Concerns

The use of digital contact tracing applications is expected to provide a variety of benefits but also brings to mind a number of concerns including those relating to privacy and security. The means by which the concerns are handled may differ given the technical design and implementation of each application.

V-A Benefits

One key benefit of contact tracing that applies to both manual efforts and digital applications is the ability to identify people who are exposed to an infected individual to encourage testing and quarantine. The implementation of a quarantine action for people who are infected but are pre-symptomatic or asymptomatic reduces the chance of them infecting others prior to awareness of their own infected state. Recent studies have suggested the median incubation period for COVID-19 is about 5.1 days [22] and that a portion of the spread of SARS-CoV-2 is from pre-symptomatic [23, 24] or asymptomatic individuals [24, 25]. Therefore, the identification and quarantining of pre-symptomatic and asymptomatic people may be a useful factor in reducing continued COVID-19 infections.

Digital solutions may also provide additional benefits above that of manual contact tracing methods. Some of these additional benefits include:

V-A1 Faster notification of exposure

Digital solutions can help reduce the time for notification to exposed individuals as compared to manual contact tracing. Apps can notify exposed people within seconds after an infected person has been identified. Manual tracing efforts require several steps after the identification of an infected individual, including completing an interview with the infected person or close family members to collect names of the people potentially exposed, potential additional time to locate a means to contact each person (phone numbers, addresses, etc.), and the time to establish contact.

V-A2 Identification of contact in public spaces

Contact tracing applications may also help address areas where manual contact tracing is not effective, for example in identifying prolonged contact with strangers or in public spaces. A specific example of this would be an asymptomatic individual traveling via public transportation or waiting in line in a coffee shop. The individual would not be able to identify most of the people he/she/they came into contact with. Additionally, if the individual could recall the exact day, time, and duration of the visit, this still would not be sufficient to identify and locate all others that were in the same location at the same time.

V-A3 Identifying outbreak ‘hot spots’

Contact tracing solutions that capture location details in association with infections and exposures may be useful in identifying areas where 1) infections are growing, 2) the number of cases exceeds a threshold, or 3) congregations of large groups of people are enabling rapid transmission. This information may be used in implementing countermeasures like social distancing and shelter-in-place policies targeted at specific locations to reduce the increase in infections within that geographical area.

V-B Concerns

Discussions around the potential for use of digital contact tracing applications have brought to light a large number of concerns with the technologies, chief of which is focused on privacy. We maintain that transparency of the technologies through an understanding of how each addresses the concerns is a foundation for building trust and enabling stakeholders to make decisions about which technologies they want to use and how they want to use them. Some of the main concerns with the solutions include:

V-B1 Privacy

At the core of digital contact tracing is the awareness of personal information such as health status (infected or not infected), location details, social interactions, and in some cases name, gender, age, and health history (self-reported symptoms and medical conditions). The collection of these details poses a number of issues such as the potential for an individual’s sensitive data to be made available to others (intentionally or unintentionally) and use by governments or other groups for purposes other than management of COVID-19 spread. Some practical privacy concerns are the opportunities for government agencies such as law enforcement or organizations like the United States’ Immigration and Customs Enforcement (ICE) agency to surveil people through their use of the application and the potential for others to find out about their health conditions including COVID-19 infection.

V-B2 Security

Another top concern for application stakeholders is application security. This includes two aspects: a) the vulnerability of the applications to attack with an attempt to change how the application works, to access personal data, or to disable usage of the application and b) the embedding of code for nefarious purposes by an application developer or publisher. The 2020 Data Breach Investigations report by Verizon identified web applications as the second highest category of healthcare industry breaches after miscellaneous errors [26]. An example of a specific security issue with a contact tracing application was highlighted in a recent report by Amnesty International, in which they stated that they were able to access individuals’ names, health status, and location details from a central server for the Qatar government-sponsored digital contact tracing application EHTERAZ [27].

V-B3 Coverage

The technical implementation of the applications also affects the expectation of deployment and use. For example, applications using Bluetooth Low Energy may require many people in the specific community or location to download and use them to adequately assess potential spread amongst the population. If there is not enough coverage of use across the population, the ability to identify many of the exposed people is reduced. We understand that people may have varying reasons for choosing to participate or not, one of which is their belief in the trustworthiness of the applications based on many of the specific concerns highlighted here.

V-B4 Access

A key requirement for digital contact tracing is that individuals have devices (e.g. smartphones) that enable the application to function properly. Since many of the applications rely on BLE or GPS, individuals would have to have devices that have the capabilities embedded. Results of a 2019 survey showed that approximately 53% of the people aged 65 or older in the United States have a smartphone while ownership of those between ages 18 and 49 was greater than 90% [28]. Also, for some of the systems, a newer version of a smartphone is required; people with older smartphones may not have the ability to use or get alerts from these types of applications. Since the identification of contact events for individuals is based on these devices, children and disadvantaged groups may also be omitted given a lack of access to or continued use of a personal smartphone. Countries like India and Indonesia have large portions of the population that either do not have access to a compatible device or do not have a device at all [29].

V-B5 Accuracy

We introduced some of the issues related to accuracy earlier in the discussion, specifically the limitations with tracing contact in large locations (e.g. apartment buildings) and areas where people are more geographically separated. We highlighted a concern with GPS previously in that it is not as accurate indoors or in areas where there isn’t an unimpeded path to open skies. With BLE, accuracy may degrade based on the positioning or obstruction of the Bluetooth-enabled device and this may impact the proximity identification [16].

V-B6 Asynchronous contact events

There is potential for exposure and spread of the virus from cases where there is an asynchronous contact event, for example when a person is in a small enclosed space (e.g. an elevator) for a period of time and then leaves, and shortly thereafter another person comes into the same space. There is the belief that most of the spread of the virus is through aspiration of respiratory droplets; however, there is also the possibility that spread occurs when an uninfected person touches an object or surface that an infected person has previously touched and then puts their hands or fingers in the areas around their mouth, nose, or eyes. Both of these examples of spread can occur through an asynchronous contact event but may not be captured as such in digital contact tracing solutions that focus on people being in the same location or close proximity at the same time.

V-B7 Device impacts

Each contact tracing application may also have specific considerations and impacts on the devices on which they are being run. There is a concern with the potential of high consumption of battery power with Bluetooth-based techniques [30]. Some of the applications have requirements to run in the foreground of the device, meaning that when other applications are being used by the device holder, the application may not be able to work appropriately to identify contact events. Additionally, the device makers may have restrictions in place that affect the way the applications work. One example of this is Apple’s restriction on allowing Bluetooth transmissions when an iOS-based device is locked [30], which limits the functionality of contact tracing applications on these devices.

V-B8 Ability

These applications rely not only on adoption by individuals but also appropriate use. If people are unaware of specific requirements for use, or are not comfortable with usage of the device or the application, their interactions may not be sufficient to enable effectiveness of the application. Consider an example where a novice technology user has a smartphone and downloads the application on it. The user may not realize that downloading the application is not sufficient and that completion of a profile and consent for the application to run on the user’s device may also be required. Consent may also be required in the device settings to allow the application to access some of the smartphone’s capabilities that are required. For example, a user may install an application but inadvertently restrict the ability for it to work by disabling access to the device’s location services or Bluetooth capabilities.

V-B9 Interoperability

Limitations associated with contact tracing applications’ ability to identify contact events may lead to missed episodes of exposure and potential transmission of the virus. We have highlighted some of these concerns relating to the coverage, access, and accuracy aspects already. Another related concern of the application’s ability to identify contact is that of interoperability between applications and/or devices. Consider an example where an infected individual is located near another individual for an extended period of time. If the two people are running different contact tracing applications, or running applications on different devices (e.g. one with an Android-based device and the other with an iOS-based device), restrictions on the applications’ ability to share details with one another or from one platform to another are a direct inhibitor to the identification of this contact event. Apple and Alphabet (Google’s parent company) have proposed a framework that allows interoperability between the device operating systems of contact tracing applications, which is a helpful step in addressing this issue, but is limited to the applications that use the framework [31]. In some cases, applications like Aarogya Setu have developed both a version based on the Android and the iOS operating systems [32].

V-B10 Reluctance in disclosure

In some cases people may agree to use, or be mandated to use, a digital contact tracing application but have an interest in withholding an infection diagnosis because of privacy or security concerns, or personal reluctance to acknowledge the diagnosis. Similarly, people may not want to acknowledge or disclose their exposure to infected individuals. In some geographies, people who are diagnosed as infected or are identified as having been exposed to an infected individual may be told to quarantine for a period of time. These measures will limit people’s movements and ability to do things that they may want to do, e.g. go to work, go to the grocery store, visit family members, or participate in social activities. Some of these limitations may have an economic impact (restricting ability to work) which may reinforce a reluctance for an individual to disclose infection or exposure.

VI Current Contact Tracing Applications

The urgent global need for contact tracing has spurred the development of many digital solutions. To date, we have identified 30 different applications created since December 2019 specifically to support the contact tracing needs required for management of COVID-19. These solutions may differ in technical implementation and specific policies of use. It is likely hard for public health agencies and government officials to quickly identify the differences between applications as they try to determine which one to select as part of their targeted virus management strategy. Similarly, it is also difficult for individuals who are asked to install and use the applications to get consumable details regarding specific considerations relevant to them like requirements for use, types of data collected, and data use policies.

We provide a list of the 30 applications in Table I including details on the organization that sponsored the development or group that directly developed the application, and the technical approach that is used for identifying contact. These details are based on information reported for each of the applications at the time of authorship of this paper, but we acknowledge that due to the dynamic nature in the development of these applications and efforts to address emerging concerns of the intended community of use, some of these details may change in the future.

| Application | Developer or Sponsoring Organization | Tracing Technique |
|---|---|---|
| Aarogya Setu | Government of India | GPS |
| Apturi Covid | Private Developers (Latvia) | Bluetooth |
| Corona100m | Private Developer (South Korea) | GPS |
| coEpi | Private Developer (United States) | Bluetooth |
| Coronika | Kreativzirkel (Germany) | Manual |
| COVA Punjab | Government of Punjab (India) | GPS |
| CovidSafe | University of Washington (United States) | Bluetooth |
| CovidSafe | Australian Government (Australia) | Bluetooth |
| Covid Watch | University consortium (United States) | GPS |
| EHTERAZ | Ministry of Interior (Qatar) | GPS and Bluetooth |
| eRouška | Czech Ministry of Health and Hygiene (Czech Republic) | Bluetooth |
| HaMagen | Israel Ministry of Health (Israel) | GPS |
| Immuni | Italian Central Government (Italy) | Bluetooth |
| Ito | Private consortium (Germany) | Bluetooth |
| Health Code | Alibaba (China) | GPS |
| Social Monitoring | Infogorod (Russia) | GPS |
| Mahakavach | Government of Maharashtra (India) | GPS |
| NHSX | NHS Digital (UK) | Bluetooth |
| NOVID | Carnegie Mellon University (United States) | Bluetooth |
| Private Kit: Safe Paths | MIT (United States) | GPS |
| ProteGO | Ministry of Digital Affairs (Poland) | Bluetooth |
| Rakning C-19 | Iceland’s Department of Civil Protection and Emergency Management | GPS |
| Smittestopp | Norwegian Institute of Public Health (Norway) | GPS |
| StopCovid | Government of France (France) | Bluetooth |
| StopKorona! | Ministry of Health (North Macedonia) | Bluetooth |
| Stopp Corona | Austria Red Cross (Austria) | Bluetooth |
| Swiss Covid | Federal Office of Public Health (Switzerland) | Bluetooth |
| TraceTogether | Government Technology Agency (Singapore) | Bluetooth |
| Triax | Private consortium (United States) | Tag Scanning |
| ZeroBase | ZeroBase Foundation (United States) | QR Code Scanning |

TABLE I: Examples of Contact Tracing Applications

VII FactSheet Template for Contact Tracing

As a follow-on to our prior work on the use of FactSheets for transparent reporting [8], we now aim to help identify the questions that would provide useful and critical information about contact tracing applications.

To achieve this goal, we first compiled questions that are relevant to provide basic information relative to any model, service or application. These include questions focused on scope of use, target stakeholders, and data that is collected. Then, after detailed review of contact tracing technologies and their potential for use, we augmented the initial list with questions specific to contact tracing, namely, those that would elicit details addressing the benefits and concerns identified above. Some of these questions focus on the technical implementation including the technique used for establishing proximity and/or location, method for identifying a contact event (centralization versus decentralization), and method for infection reporting. As a final step, we considered the beneficiaries of the applications and questions that would be of interest to them that were not already identified. Examples of these questions include how infections are reported, whether usage is voluntary or mandated, and how compliance with local laws or regulations is achieved.

These efforts enabled us to create a FactSheet template - a list of questions that can be used to provide important details on and promote transparency of contact tracing applications. The FactSheet template we created is organized into four main categories: General Questions, Data-specific Questions, Privacy Questions, and Use Questions. We introduce the template and the associated questions in Tables II–V.

General
  • What is the scope of use of the application?
  • Who are the target stakeholders or beneficiaries of the application - the people who will be impacted by its success or failure (e.g. government or public health agencies, private companies, and/or individuals)?
  • What policies or laws apply to the development, deployment or usage of this application? How do you ensure compliance with these regulations?
  • Is this application intended for stand-alone use or as a companion to established health-agency or government manual tracing efforts?
  • Does this application connect to any other applications or IT systems (for example, public health, clinical laboratory, or hospital systems)?
  • Identify the technique used for establishing contact (bluetooth, location tracking via GPS, etc.)
  • What are the specific requirements for efficacy of tracking and contact identification?
      • Distance – the span of space that is used to identify a contact event
      • Time – amount of time individuals are within the required distance to meet threshold for exposure risk
      • Coverage – the number of people or percent of population needed to use the app
  • What concerns (positive and negative) might the beneficiaries have in how the service works? How are these concerns addressed?
TABLE II: Contact Tracing FactSheet Template: General Items

Data
  • What data is collected by the application? Include data collected directly by the app, from the user, and data accessed from other applications/system.
  • Is this data combined with any additional details about an individual, community, locale, or environment?
  • Identify any data collected that is of a sensitive nature (for example, health conditions, symptoms, etc.)
  • How is the collected data used?
  • Who has rights to access the data (explicitly define people, agencies, and/or organizations)
  • What is the policy on data retention and deletion?
  • Is there potential for the data provided or collected to be used for future purposes, beyond the scope of the current intended use? What mechanisms do you implement to limit use beyond scope of the intended purpose?
  • What mechanisms are used to keep the data secure?
TABLE III: Contact Tracing FactSheet Template: Data Items

Use
  • What are the device requirements for use of the application? (for example, required platform, operating system, wifi, and/or cellular access, date of manufacture)
  • Is use of this application voluntary (opt-in) or mandatory?
      • If mandated, do users have the ability to opt-out?
      • If users opt-out, what is the policy on deletion of details on their use and associated data from the system?
  • Is user consent collected for the use of the application?
  • Is user consent requested for access to or collection of the explicit user data (personal, health, and/or location-related details)?
  • Are contact episodes identified in a decentralized (locally on each device) or centralized (remotely through a server) manner?
  • How is infection being reported - self-reported or reported from an established health system (public health, clinical laboratory, hospital, or other COVID-19 management system)?
      • If self-reported, how does the user indicate infection? Is the identification by the user authenticated in some way?
      • If reported from an established health system, how is the information shared and received?
  • What is the expected impact on the devices that use this app? (battery use, compute, and bandwidth considerations)
  • What are specific considerations for use of the particular application? Include details on any technical concerns or shortcomings.
  • What are the limitations of use? List scenarios for which use is not suitable (e.g. incompatibility with certain devices, inability to identify non-contact barriers like walls separating locations within a building)
TABLE IV: Contact Tracing FactSheet Template: Use Items

Privacy
  • Did you implement the right for a user to 1) withdraw consent, 2) object, and 3) be forgotten in the application?
  • Does the application allow people to learn any personal information about others?
  • Are privacy-preserving techniques incorporated in the application (e.g. data anonymization, encryption, aggregation)? If so, provide details on the techniques used.
  • What additional measures are used to protect the data and identity of infected and exposed individuals?
  • Could this application be used in a way that identifies people who are infected or at risk to 1) the developers, 2) people within an individual’s social circles, 3) to those the app is warning about contact and potential exposure, or 4) to the government, employer, or managing organization?
  • If the app connects to public health or hospital systems, how do you ensure that personal information isn’t accessible during data sharing points?
TABLE V: Contact Tracing FactSheet Template: Privacy Items

VIII Discussion

We have presented a broad FactSheet template to support transparency of contact tracing applications. A key component of FactSheets is the tailoring of the questions within the FactSheet template to address a specific stakeholder group and provide clarity on the aspects of the applications that they are most concerned about. As we discussed in Section IV, the motivations of interest in the applications may differ for each group, and these motivations influence the questions that enable transparency for each group.

Let’s consider the General Public stakeholder group whose interest in transparency may be most related to their own use of the applications. The questions that focus on data, privacy and device requirements may be the ones that are critical for their specific version of the FactSheet template. Some of these questions would include those relating to 1) types of data collected, 2) how the data is used, 3) requirements for efficacy of tracking and contact identification, 4) expected device impacts, 5) limitations of use, and 6) data privacy.

The Public Health official group would potentially be engaged in the selection and management of the contact tracing applications for a specific geographical area (city, county, state, country, etc.) and therefore would likely have interest in the broadest set of questions from the template above. The full set of questions we identified in the template would provide information pertaining to the concerns from all stakeholder groups, and this could be useful as the Public Health officials evaluate and select the applications with the other stakeholders' concerns in mind. However, they might be less interested in questions relating to specific device impacts or requirements of use unless these considerations could greatly limit acceptance in their geographical communities.

For the IT Professionals group, questions around the technical implementation, limitations, connections to other IT systems, all data aspects (collection, policies, access rights, retention, and security), device requirements, decentralization versus centralization, and privacy-preserving techniques would be of particular interest. This group may also be interested in additional technical details about the applications including access to the code base. Recent reports have suggested that the code for two of the applications referenced in Table I - Aarogya Setu and TraceTogether - will be publicly available as open source projects [33, 34]. We believe that this is another path for promoting transparency of these types of applications for this specific stakeholder group, and can be used together with FactSheets to foster trust.

We acknowledge that there could be additional relevant questions that were not listed in our FactSheet template that might be useful for application transparency in this context. We suggest the FactSheet template as a useful starting point in the efforts towards transparency.

We also acknowledge that as applications are updated, the answers to the questions may change. We suggest the generation of a FactSheet for each application deployment and update. It is possible to create a base FactSheet for the application that covers the details that will not change from one application instance to the other, and also include a supplementary FactSheet that is generated for each version or use case.
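The stakeholder tailoring and the base-plus-supplement scheme described in this section can be kept machine-readable, so that every release is checked for questions left unanswered for a given audience. The Python sketch below is an added example, not part of the paper or of any FactSheets tooling; the question keys, the audience mapping (a reading of this section), and the sample answers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PUBLIC, HEALTH, IT = "General Public", "Public Health", "IT Professionals"

@dataclass(frozen=True)
class Question:
    qid: str              # hypothetical short key, not defined by the paper
    text: str             # abbreviated wording of a template question
    audiences: frozenset  # stakeholder groups whose FactSheet includes it

def q(qid, text, *groups):
    # Assumption: Public Health officials receive the full template.
    return Question(qid, text, frozenset(groups) | {HEALTH})

# A subset of the template, tagged per the stakeholder discussion above.
TEMPLATE = [
    q("general.technique", "Technique used for establishing contact", IT),
    q("general.efficacy", "Distance, time and coverage requirements", PUBLIC),
    q("general.connections", "Connections to other applications or IT systems", IT),
    q("data.collected", "What data is collected by the application", PUBLIC, IT),
    q("data.retention", "Policy on data retention and deletion", IT),
    q("use.device_impact", "Expected impact on devices", PUBLIC),
    q("use.centralization", "Decentralized or centralized contact identification", IT),
    q("privacy.techniques", "Privacy-preserving techniques incorporated", PUBLIC, IT),
]
KNOWN = {question.qid for question in TEMPLATE}

def merge(base, supplement):
    """Overlay a per-version supplement on the base FactSheet.
    Blank supplement answers never erase a base answer."""
    unknown = set(supplement) - KNOWN
    if unknown:
        raise KeyError(f"answers for unknown questions: {sorted(unknown)}")
    merged = dict(base)
    merged.update({k: v for k, v in supplement.items() if v.strip()})
    return merged

def view(answers, audience):
    """Questions and answers for one stakeholder group, in template order."""
    return [(t.qid, answers.get(t.qid, "")) for t in TEMPLATE if audience in t.audiences]

def unanswered(answers, audience):
    """Release gate: question keys this audience would see with no answer."""
    return [qid for qid, answer in view(answers, audience) if not answer.strip()]

def changed(previous, current):
    """Question keys whose answers differ between two FactSheet versions."""
    return sorted(k for k in KNOWN if previous.get(k, "") != current.get(k, ""))

# Constructed sample answers for a fictional application.
BASE = {
    "general.technique": "Bluetooth",
    "general.efficacy": "Thresholds set by the deploying health agency",
    "data.collected": "Rotating device identifiers, self-reported diagnosis",
    "data.retention": "Deleted after 30 days",
    "use.centralization": "Decentralized",
    "privacy.techniques": "",
}
SUPPLEMENT_V1_1 = {
    "data.retention": "Deleted after 21 days",
    "general.connections": "Clinical laboratory reporting system",
    "use.device_impact": "   ",
}

if __name__ == "__main__":
    current = merge(BASE, SUPPLEMENT_V1_1)
    print("changed in this version:", changed(BASE, current))
    for group in (PUBLIC, HEALTH, IT):
        print(group, "unanswered:", unanswered(current, group))
```

Run as a release check, a non-empty `unanswered` result for any audience blocks publication of that version's FactSheet, and `changed` gives reviewers the answers to re-read.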

We have demonstrated the potential of FactSheets in this context to promote transparency but note that FactSheets are not limited to this purpose alone. They can be leveraged as a mechanism in additional contexts, for example as part of a robust trust and governance strategy within a business, or a path for evaluation and certification of models or services by a third-party.

IX Conclusion

Our proposal of the use of FactSheets for transparency will help in providing consumable details about the applications for the stakeholder groups we discussed in Section III and help each group to understand application details related to the concerns of their group.

We encourage people with an interest in fostering trust in models, services and applications to use transparent reporting techniques like FactSheets to provide consumers and stakeholder groups with the necessary details to better understand these technologies.

X Acknowledgments

The authors would like to thank Marc Stoecklin for input on the list of current contact tracing applications.

References

  • [1] Institute of Medicine, Health IT and Patient Safety: Building Safer Systems for Better Care.   Washington, DC: The National Academies Press, 2011.
  • [2] G. Garousi, V. Garousi, M. Moussavi, G. Ruhe, and B. Smith, “Evaluating usage and quality of technical software documentation: An empirical study,” in Proceedings of the 17th International Conference on Evaluation and Assessment in Software Engineering.   ACM, 2013, pp. 24–35.
  • [3] M. P. Robillard and R. Deline, “A field study of API learning obstacles,” Empirical Software Engineering, vol. 16, no. 6, pp. 703–732, 2011.
  • [4] S. Sohan, F. Maurer, C. Anslow, and M. P. Robillard, “A study of the effectiveness of usage examples in rest API documentation,” in 2017 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC).   IEEE, 2017, pp. 53–61.
  • [5] T. Gebru, J. Morgenstern, B. Vecchione, J. W. Vaughan, H. Wallach, H. Daumé, III, and K. Crawford, “Datasheets for datasets,” in Proceedings of the Fairness, Accountability, and Transparency in Machine Learning Workshop, Stockholm, Sweden, Jul. 2018.
  • [6] S. Holland, A. Hosny, S. Newman, J. Joseph, and K. Chmielinski, “The dataset nutrition label: A framework to drive higher data quality standards,” arXiv:1805.03677, May 2018.
  • [7] E. M. Bender and B. Friedman, “Data statements for natural language processing: Toward mitigating system bias and enabling better science,” Transactions of the Association of Computational Linguistics, 2018.
  • [8] M. Arnold, R. K. E. Bellamy, M. Hind, S. Houde, S. Mehta, A. Mojsilović, R. Nair, K. N. Ramamurthy, A. Olteanu, D. Piorkowski, D. Reimer, J. Richards, J. Tsay, and K. R. Varshney, “FactSheets: Increasing trust in AI services through supplier’s declarations of conformity,” IBM Journal of Research and Development, vol. 63, no. 4/5, p. 6, Jul./Sep. 2019.
  • [9] M. Mitchell, S. Wu, A. Zaldivar, P. Barnes, L. Vasserman, B. Hutchinson, E. Spitzer, I. D. Raji, and T. Gebru, “Model cards for model reporting,” in Proceedings of the ACM Conference on Fairness, Accountability, and Transparency, Atlanta, USA, Jan. 2019.
  • [10] High-Level Expert Group on Artificial Intelligence, “Ethics guidelines for trustworthy AI,” Brussels, Belgium, Apr. 2019, European Commission.
  • [11] “Contact Tracing: Part of a Multipronged Approach to Fight the COVID-19 Pandemic,” National Center for Immunization and Respiratory Disease, 2020. [Online]. Available: https://www.cdc.gov/coronavirus/2019-ncov/php/principles-contact-tracing.html/
  • [12] J. T. Wu, K. Leung, and G. M. Leung, “Nowcasting and forecasting the potential domestic and international spread of the 2019-nCoV outbreak originating in Wuhan, China: a modelling study,” Lancet, vol. 395, no. 10225, pp. 689–697, February 2020.
  • [13] C. Watson, A. Cicero, J. Blumenstock, and M. Fraser, “A National Plan to Enable Comprehensive COVID-19 Case Finding and Contact Tracing in the US,” The Johns Hopkins Center for Health Security, Tech. Rep., April 2020. [Online]. Available: https://www.centerforhealthsecurity.org/our-work/pubs_archive/pubs-pdfs/2020/200410-national-plan-to-contact-tracing.pdf
  • [14] Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19, United States Department of Health and Human Services, 2020. [Online]. Available: https://www.cdc.gov/coronavirus/2019-ncov/downloads/php/prelim-eval-criteria-digital-contact-tracing.pdf
  • [15] “GPS Accuracy,” United States National Coordination Office for Space-Based Positioning, Navigation, and Timing, 2020. [Online]. Available: https://www.gps.gov/systems/gps/performance/accuracy/
  • [16] D. J. Leith and S. Farrell, “Coronavirus contact tracing: Evaluating the potential of using bluetooth received signal strength for proximity detection,” Trinity College, Dublin, Ireland, Tech. Rep., May 2020. [Online]. Available: https://www.scss.tcd.ie/Doug.Leith/pubs/bluetooth_rssi_study.pdf
  • [17] “Bluetooth low energy beacons,” Texas Instruments, 2016. [Online]. Available: http://www.ti.com/lit/an/swra475a/swra475a.pdf?&ts=1588879310912
  • [18] L. Morawska and J. Cao, “Airborne transmission of SARS-CoV-2: The world should face the reality,” Environ Int, vol. 139, June 2020.
  • [19] L. Ferretti, C. Wymant, M. Kendall, L. Zhao, A. Nurtay, L. Abeler-Dörner, M. Parker, D. Bonsall, and C. Fraser, “Quantifying SARS-CoV-2 Transmission Suggests Epidemic Control with Digital Contact Tracing,” Science, vol. 368, no. 6491, May 2020.
  • [20] A. Kucharski, P. Klepac, A. Conlan, S. Kissler, M. Tang, H. Fry, J. Gog, and J. Edmunds, “Effectiveness of isolation, testing, contact tracing and physical distancing on reducing transmission of SARS-CoV-2 in different settings,” April 2020, Preprint. [Online]. Available: https://cmmid.github.io/topics/covid19/tracing-bbc.html
  • [21] “Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response,” United States Department of Homeland Security, 2020. [Online]. Available: https://www.cisa.gov/publication/guidance-essential-critical-infrastructure-workforce
  • [22] S. A. Lauer, K. H. Grantz, Q. Bi, F. K. Jones, Q. Zheng, H. R. Meredith, A. S. Azman, N. G. Reich, and J. Lessler, “The Incubation Period of Coronavirus Disease 2019 (COVID-19) From Publicly Reported Confirmed Cases: Estimation and Application,” Annals of Internal Medicine, vol. 172, no. 9, pp. 577–582, May 2020.
  • [23] X. He, E. H. Y. Lau, P. Wu, X. Deng, J. Wang, X. Hao, Y. C. Lau, J. Y. Won, Y. Guan, X. Tan, X. Mo, Y. Chen, B. Liao, W. Chen, F. Hu, Q. Zhang, M. Zhong, Y. Wu, L. Zhao, F. Zhang, B. J. Cowling, F. Li, and G. M. Leung, “Temporal dynamics in viral shedding and transmissibility of COVID-19,” Nature Medicine, vol. 26, pp. 672–675, 2020.
  • [24] A. Kimball, K. M. Hatfield, M. Aron, A. James, J. Taylor, K. Spicer, A. C. Bardossy, L. P. Oakley, S. Tanwar, Z. Chisty, J. M. Bell, M. Methner, J. Harney, J. R. Jacobs, C. M. Carlson, H. P. McLaughlin, N. Stone, S. Clark, C. Brostrom-Smith, L. C. Page, M. Kay, J. Lewis, D. Russell, B. Hiatt, J. Gant, J. S. Duchin, T. A. Clark, M. A. Honein, S. C. Reddy, and J. A. Jernigan, “Asymptomatic and Presymptomatic SARS-CoV-2 Infections in Residents of a Long-Term Care Skilled Nursing Facility — King County, Washington, March 2020,” MMWR, vol. 69, no. 37, pp. 377–381, April 2020.
  • [25] Y. Bai, L. Yao, and T. Wei, “Presumed Asymptomatic Carrier Transmission of COVID-19,” JAMA, vol. 323, no. 14, pp. 1406–1407, April 2020.
  • [26] G. Bassett, C. D. Hylender, P. Langlois, A. Pinto, and S. Widup, “2020 data breach investigations report,” Verizon, Tech. Rep., May 2020. [Online]. Available: https://enterprise.verizon.com/resources/reports/dbir/
  • [27] “Qatar: Contact tracing app security flaw exposed sensitive personal details of more than one million,” Amnesty International, 2020. [Online]. Available: https://www.amnesty.org/en/latest/news/2020/05/qatar-covid19-contact-tracing-app-security-flaw/
  • [28] “Who Owns Cellphones and Smartphones,” June 2019. [Online]. Available: https://www.pewresearch.org/internet/fact-sheet/mobile/#who-owns-cellphones-and-smartphones
  • [29] K. Taylor and L. Silver, “Smartphone Ownership Is Growing Rapidly Around The World, But Not Always Equally,” Pew Research Center, Tech. Rep., February 2019. [Online]. Available: https://www.pewresearch.org/global/wp-content/uploads/sites/2/2019/02/Pew-Research-Center_Global-Technology-Use-2018_2019-02-05.pdf
  • [30] “Core Bluetooth Programming Guide,” 2020. [Online]. Available: https://developer.apple.com/bluetooth/
  • [31] “Exposure notification - bluetooth specification,” Apple, Inc., April 2020. [Online]. Available: https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotificationBluetoothSpecificationv1.2.pdf
  • [32] “Aarogya setu,” Government of India, 2020. [Online]. Available: https://www.aarogyasetu.gov.in
  • [33] “Aarogya setu open source code,” Government of India, 2020. [Online]. Available: https://github.com/nic-delhi/aarogyasetu_android
  • [34] “6 things about opentrace, the open-source code published by the tracetogether team,” Singapore Government Technology Agency, 2020. [Online]. Available: https://www.tech.gov.sg/media/technews/six-things-about-opentrace