This article discusses how to exchange COVID-19 contact tracing information between countries that use contact tracing apps and infrastructure. It takes a structured look at the goals, challenges, opportunities, and limitations of this kind of interoperability between national systems. This article is not intended as an introduction to contact tracing, nor as an opinion piece if and how app-based contact tracing is an effective way to improve national and international management of the Corona virus pandemic.
Contact tracing is an epidemiological method for understanding and tracking the spread pattern of infectious diseases. It works by tracing back the contacts that an individual had who at some point is diagnosed as being infected. The goal is to find contact persons in that individual’s recent past so that they can be quarantined and tested. App-based contact tracing is a way how to complement traditional ways of contact tracing by using mobile phones and their sensors to create traces and thereby tracking past contacts.
In general, mobile phones trace an individual by location, by their proximity to others, or by a combination of these methods. This information is collected by and stored on the phone, and then all or some of this information then is sent to a server. The “What is Contact Tracing? And how do the apps work?” video provides an overview of the various elements of this picture, and how communications between them work.
A major discussion recently has been how to handle the data that is being collected. There are two general approaches, and both of them are favored by several countries for designing and building their national systems:
The centralized approach forwards the data of all individuals to a central server, where it is stored and can be analyzed. The advantage of this approach is that countries have a comprehensive dataset for their analysis. The disadvantage is the loss of privacy, which in itself is an important good to contemplate, and also may play heavily into the willingness of the public to use the contact tracing app.
The decentralized approach keeps data on the phone and only transmits data to the server when an individual is diagnosed as being infected. In that case, the history of that individual is transmitted to a server, which then distributes it to all other users’ phones. The check for contact (and thus possible exposure to the virus) then is done locally on all phones. The advantage of this approach is that it preserves privacy, and thus may see better acceptance by users. The disadvantage is that countries do not have access to the full data (except for the anonymized identifiers of diagnosed individuals), and therefore cannot use it for analysis.
It is important to understand that in both cases, countries will operate servers that are used by the apps for communications. But in the centralized case the servers store all tracing data of all users, while in the decentralized case they only store tracing data of users who reported themselves as being infected, and that data is anonymized and thus cannot be traced back to individual users.
The picture painted above assumes one server that handles all data. This is true at the level of individual countries. But when looking beyond country borders, there now is the problem that individuals have installed the apps provided by their countries, and these apps are communicating with their countries’ servers. In this kind of scenario, contact tracing only works across residents of one country.
But if people start traveling again, increasingly there will be cases where individuals from one country come in contact with individuals from another country, and in the case of isolated solutions, app-based contact tracing will not work in such a scenario.
It now becomes necessary to think about a federated scenario: In such a scenario, individual servers (each one operated by a country) exchange data, and thus make it possible to trace contacts and raise exposure notifications across country borders. Such an approach would greatly increase the effectiveness of app-based contact tracing, in particular in regions of the world where international travel is common, and in light of the fact that with fewer restrictions in place, people will start traveling again.
The picture painted in the previous section is great as an ideal, but there are challenges along the way. The biggest one is in the fundamentally different model of identity.
In the centralized model, identity is known by the server, and thus data can be tied to individual identities. For sharing data internationally, the question is whether identities are revealed, or some anonymization is applied. In either case, this can be managed by the servers exchanging the data, and thus data can be exchanged between servers following the centralized model.
In the decentralized model, identity is not revealed to the server. For example, the currently popular Apple/Google model uses advanced cryptographic methods to make sure that privacy is preserved for all participating users. The “What is Apple/Google Exposure Notification?” video explains these methods in more detail, but the important aspect is that all that servers have are anonymous so-called “temporary exposure keys” which change once a day and are not connected to user identity. It is possible to exchange these keys across country borders, but only if all apps follow the same method of creating and storing them.
This fundamentally different approach to handling identity makes it very hard to even envision how to share contact tracing information between the two worlds of centralized and decentralized approaches. For example, when the Apple/Google model is being used, the onlyidentifier phones receive and store are anonymized identifiers, and they are anonymized according to the specific scheme that is defined in the Apple/Google specifications for their “Exposure Notification” framework. Outside of this framework, these identifiers make little sense other than for aggregate data such as counting the number of individuals that are self-reporting as having been diagnosed.
Even with the limitations outlined above, there are opportunities for international collaboration. The reason for that is that national practices will very likely gravitate around the two general models:
Countries choosing the centralized model will be in full control of the data they are collecting and managing, which means that for interoperability, they have control over how to manage and exchange identities. The main call to action here would be to work on a well-defined way of how to exchange information, so that there is a standard Application Programming Interface (API) between countries, instead of relying on custom-made bilateral ways of how to exchange data.
Countries choosing the decentralized model probably will choose the Apple/Google model so that their apps have good device support on most mobile phones. But that model only defines APIs for Bluetooth and the app on the phone, i.e. it does not define APIs for how apps communicate with servers, or for the federation model of communications between servers. Defining these APIs would mean that countries would have more open models (by using an open API between apps and the server), and that countries using the Apple/Google model would have a relatively easy way how to collaborate.
Looking at these options, it seems that there are considerable options for international collaboration. But given the fundamentally different approaches of data management by the centralized and decentralized model, it seems questionable whether there can be meaningful exchange across these scenarios. This means that it is likely that interoperability can be achieved for the two groups of countries outlined above, but not across these groups.
But even if we accept that for fundamental reasons these two types of solutions will not be interoperable, at least we can move from the current picture where all countries are essentially islands in terms of their contact tracing approaches, and move towards a scenario where there are two communities where contact tracing data can be exchanged internationally. In terms of the effectiveness of app-based contact tracing, this already would be a very significant achievement.
This article is a first attempt to provide a structured view of the current goals, challenges, and opportunities of international collaboration in the space of app-based COVID-19 contact tracing. There also are some limitations or at least caveats.
One such limitation is that it seems unlikely that the two fundamentally different approaches of the centralized and decentralized model can be bridged. The different identity models make it very hard to imagine a way how to bridge two worlds with very different perspectives of privacy, and the resulting ways how to handle identity.
Another limitation is that this kind of interoperability may cause scalability issues. For example, the Apple/Google model assumes that all anonymized identifiers of all diagnosed individuals are forwarded to all phones. Because of the decentralized model, this is the only way how to match the data of individuals with a positive diagnosis with everybody who might have been in the proximity of them. While this already produces a substantial amount of data to be exchanged, it becomes even more critical when there are many countries exchanging this data, and when this method of exchanging data is still required to scale if there are larger outbreaks with a large number of individuals diagnosed as being infected. All APIs and implementations in this scenario would have to be designed and tested to handle this kind of scale.
Given the economic impact of COVID-19 lockdowns, the wish and need to lift restrictions is very understandable. However, this also means that until a vaccine is available, it will remain necessary to manage infection events and to trace outbreaks. Contact tracing will be an important method in this area, and app-based contact tracing is a part of this method.
Looking at app-based contact tracing beyond the national scope is only in its infancy. For countries following the centralized model, this means thinking about how the centralized dataset can be meaningfully matched with datasets of other countries. For countries following the decentralized model and likely using the Apple/Google Exposure Notification framework, this means widening the scope of this framework to not just cover device APIs, but to also cover APIs to the server, and server-to-server federation APIs.
It can be said with some certainty that our understanding and implementation of app-based contact tracing will evolve over the coming months. We should therefore also make sure that we follow established practices of API design and management, meaning that we design them in open and extensible ways. This means that with our evolving understanding of how to design and use contact tracing apps, we can evolve the ways in which components in this international network are communicating.