Title: User Concerns & Tradeoffs in Technology-Facilitated Contact Tracing
Authors: Redmiles, Elissa M.
Date: 2020-04-28

Contact tracing apps are one of the primary technology-facilitated Coronavirus (COVID) responses currently proposed. In the majority of Western nations there is the expectation that citizens will have the autonomy to decide whether or not to install a COVID-related app. Yet, the more users who install a COVID app, the greater the impact on public health. As explained by Chan et al., the value of users installing a contact-tracing app grows quadratically with the number of users who install. How can we get users to install COVID apps? By understanding and mitigating user concerns and tradeoffs. This document provides a framework for considering the user-relevant components of COVID apps and corresponding user tradeoffs related to these apps. Specifically, we enumerate user tradeoffs related to data collection, data quality, identifier/data encryption, privacy invasion, mobile costs, user agency, benefits from app use, and app transparency. We break down which tradeoffs are relevant for which contact tracing implementations (centralized vs. decentralized, location- vs. proximity-based). Additionally, we compare contact tracing to an alternative technology-facilitated COVID solution: narrowcasts. Narrowcasts are location-personalized broadcasts about COVID hotspots in your vicinity.

There have been a number of papers and articles summarizing possible technology-facilitated COVID responses. Here, we focus on contact tracing and narrowcasting. We refer the reader to other materials (below) to learn about other potential approaches.

• Contact Tracing
  - Centralized: users are assigned an encrypted identifier by a trusted third party (TTP). Users broadcast their identifier or a function of it to those within some distance X. Users store lists of identifiers they have been in contact with. COVID-positive users push a list of contacts during the contagious period to the TTP. The TTP notifies at-risk users.
  - Decentralized: users generate anonymized identifiers for every time period. Users broadcast their anonymized identifier to those within some distance X. Users store lists of identifiers they have been in contact with. Positive users push a list of their identifiers during the contagious period to a public list. Users periodically pull the public list and check if they have any contact matches.

3 What are the components of a COVID app?

Table 1 delineates the user-relevant components of a COVID app.

Explicit vs. Implicit. It is important to note that some of these components are explicit to the user (e.g., we can reasonably assume that the user will know who is providing the app they download), while others (e.g., who might be able to learn the users' data) may not necessarily be made transparent (i.e., explicit) to the user by the app provider. In the absence of app transparency, the user may have their own, accurate or inaccurate, expectations about these implicit components.

In this section we delineate users' potential considerations (e.g., concerns) related to the app components summarized in Section 3. Users may be more or less willing to install a COVID app, or to continue using the app once installed, depending on these concerns. Note that these tradeoffs focus specifically on the app components. This is not a comprehensive list of all user motivations to install COVID apps (or reasons to avoid them). Additional user-related factors that may make users more or less willing to install COVID apps (e.g., level of concern about COVID) are addressed briefly in Section 6.

There are many entities who could provide a COVID app. I draw this list from prior work [6].
• Health protection agency (e.g., CDC, FDA)
• Health insurer (e.g., BlueCrossBlueShield, Aetna)
• Employer
• Technology company (e.g., Microsoft, Google)
• Federal government other than a health protection agency
• Local government
• Non-profit organization
• International organization (e.g., UN, WHO)
• University

User Considerations. Prior work suggests that users differ in their willingness to install COVID apps provided by these different entities [6].

There are two types of data that can be collected from users in these systems.

• Contact Tracing
  - Proximities (who you have been in contact with, where the "who" is anonymized)
  - Locations (where you have been)

There are also two types of errors (inaccuracies) that can occur:

• False Positives: the app notifying the user that they have been exposed when they actually have not been exposed. This can happen due to inaccuracies in proximity and location measurement or due to the app allowing non-validated self-reports of positive COVID19 status.
• False Negatives: the app failing to identify all exposures to coronavirus.

User Considerations. Different users may have different perceptions of the acceptability of different contact-tracing data and the acceptability of different levels of false positives / false negatives. In our complementary empirical work, we evaluate the influence of accuracy on willingness to adopt [7].

The app architecture and what data the app collects influence potential privacy costs to the user. Privacy costs can be thought of in user terms as: "who can learn what about me".
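The centralized and decentralized flows described earlier, run side by side to show "who can learn what" in each (an added example, not code from the paper; the HMAC-based identifier derivation, the class and function names, and the encounter log are assumptions constructed for illustration, and the centralized user broadcasts the identifier itself rather than a function of it):

```python
import hashlib, hmac, secrets

def period_id(seed: bytes, period: int) -> str:
    # Assumption: per-period identifiers are an HMAC of a secret per-user seed;
    # the paper only says users generate anonymized identifiers per period.
    return hmac.new(seed, period.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]

class DecentralizedUser:
    def __init__(self, name):
        self.name, self.seed, self.heard = name, secrets.token_bytes(32), set()
    def broadcast(self, period):
        return period_id(self.seed, period)
    def report_positive(self, periods):
        # Pushes only the user's OWN identifiers for the contagious period.
        return [period_id(self.seed, p) for p in periods]
    def at_risk(self, public_list):
        # Matching happens on the phone; no server sees the stored contacts.
        return bool(self.heard & set(public_list))

class CentralizedTTP:
    def __init__(self):
        self.id_to_user, self.positives, self.learned_edges = {}, set(), set()
    def enroll(self, name):
        ident = secrets.token_hex(8)      # identifier assigned by the TTP
        self.id_to_user[ident] = name     # the TTP keeps the link to identity
        return ident
    def report_positive(self, reporter_id, contact_ids):
        # Resolving identifiers reveals who is positive, who is at risk,
        # and the contact edges between them.
        reporter = self.id_to_user[reporter_id]
        self.positives.add(reporter)
        at_risk = {self.id_to_user[c] for c in contact_ids}
        self.learned_edges |= {(reporter, c) for c in at_risk}
        return at_risk                    # users the TTP notifies

def run_scenario():
    # Constructed encounter log: (period, user_a, user_b) within distance X.
    encounters = [(1, "alice", "bob"), (2, "alice", "carol"), (2, "bob", "dave")]
    users = {n: DecentralizedUser(n) for n in ("alice", "bob", "carol", "dave")}
    for period, a, b in encounters:
        users[a].heard.add(users[b].broadcast(period))
        users[b].heard.add(users[a].broadcast(period))
    public_list = users["alice"].report_positive([1, 2])   # alice tests positive
    dec_at_risk = {n for n, u in users.items() if n != "alice" and u.at_risk(public_list)}
    ttp = CentralizedTTP()
    ids = {n: ttp.enroll(n) for n in users}
    alice_contacts = [ids[b] for _, a, b in encounters if a == "alice"]
    cen_at_risk = ttp.report_positive(ids["alice"], alice_contacts)
    return dec_at_risk, cen_at_risk, ttp.learned_edges, public_list
```

Both designs flag the same at-risk users; the difference is what is left behind: the TTP holds named positives and contact edges, while the decentralized public list holds only opaque per-period identifiers.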
There are five potential "whats" that can be learned about a user:

• That I am COVID-positive
• That I am at-risk (have been exposed to someone COVID-positive)

There are six potential "whos" (these could range from individuals to nation states) that can learn these pieces of information about a user:

• Users of the app, who are legitimately using it
• Attackers who exploit the app (e.g., place bluetooth beacons at specific locations, falsify my GPS coordinates)
• The app (including individuals who work for the app)
• Any third-party service used by the app (including individuals who work for these services)
• Network providers
• Government entities that can use legal process to force the app to turn over data

User Considerations. Different users may rank these costs differently or not perceive them as costs at all.

Potential for Inequity. The potential for tracking COVID-status by social group may increase marginalization of underrepresented groups (as has already been a concern with high rates of COVID infection among communities of color [5]).

COVID app architectures result in different mobile costs. For example, contact tracing apps require the user to frequently use bluetooth, which has known impacts on battery life [1]. Similarly, whether the app has push or pull architecture may also have implications for users' mobile costs such as:

• Data costs (MB of mobile plan used for the app).
• Storage costs (MB of space on the mobile phone used for the app).
• Battery performance costs (impact on battery life from using the app).
• Other app performance costs (impact on speed of other apps / network speed from using the app).

User Considerations / Potential for Inequity. Mobile costs are a potential source of inequity: less resourced users are known to have less-featured / older mobile devices and are more likely to have limited mobile data [2, 9].
These users may be disadvantaged by or unable to use apps with high mobile costs or whose functionality their devices do not support.

Different COVID app implementations give users different levels of agency over their data. In the suggested implementations considered here, users always have the agency to decide whether to reveal their COVID-positive health status to an app.

• Control over data retention: user vs. TTP
• Control over length of data retention: auto-specified (e.g., 2 weeks) or user can decide to delete all data at any time

User Considerations. Users may have different preferences for the tradeoff between autonomy vs. decision-burden offered by apps with different implementations.

COVID contact tracing apps have different possible benefits depending on their implementation:

1. Knowledge of my risk: I learn if I have been exposed to someone who has COVID
2. Knowledge of hotspots: I learn where there is a high rate of COVID
3. Feeling of Altruism: I feel good about myself for using the app because I feel that I am helping society / others
4. Environment safety: my country/community/environment has lower infection rate, if people take action on the basis of app information
5. My contacts learn their risk: people I have come into contact with are able to learn if they are at-risk if I become COVID positive
6. Epidemiological data: My use of the app allows for some entity to learn one or more of:
   • Infection rate: how many people are COVID positive (infection rate)
   • Spread: how many people are at risk of COVID (have been exposed)

Note, I do not include changes in institutional response (e.g., a state shortening the lockdown period, supermarkets changing their store hours) because the user cannot know for sure that this epidemiological data will be used to inform these decisions, nor that the decisions will be in alignment with their own goals.
As discussed below, the value of the last benefit thus depends on the users' beliefs regarding whether/how this data will be used.

User Considerations. The relevance of these benefits to users depends on:

• whether or not the user plans on taking action once they learn that they are at-risk (1, 2)
• whether the user cares about the safety of those around them (3, 4, 5)
• whether the user thinks that others will take action once they learn that they are at risk (4)
• whether the user believes that epidemiological data will be used / should be used to inform government/institutional COVID planning (e.g., lockdown lengths, PPE orders, hospital capacity planning) and whether the user cares about this planning (6)

Potential for Inequity. The hotspot feature has a potential for inequity / negative impacts on marginalized communities. Less resourced and minority communities have, thus far, experienced higher rates of COVID [5] due to a number of factors. Hotspots may lead to increased marginalization of these communities and reduction in economic stimulus (e.g., some groups avoiding shopping in these areas).

Table 1 summarizes the user-relevant tradeoffs between the different contact-tracing and broadcast approaches, which are segmented by architecture, data collection, and encryption. Here we highlight the most critical differences.

Broadcast vs. Contact Tracing. Across all implementations broadcast apps differ in that broadcast apps:

• (Privacy costs) at most know user location
• (Mobile costs) do not require bluetooth to be on
• (Benefit) can only tell users about hotspots

Centralized vs. Decentralized Contact Tracing.
Contact tracing apps differ on the following axes:

• (Privacy costs)
  - Centralized: Allow a TTP, individual at the TTP who knows the link between identifiers and real identity, and an attacker who hacks the TTP and the identifier link to learn whether you have the app installed, who is COVID-positive, who is at risk (COVID-exposed), and the social graph (who has had contact with whom) in the absence of testing COVID positive.
  - Centralized: epidemiology data is available regarding spread (count of number of at risk persons)
  - Decentralized: spread data is available only if at risk people share this data with an epidemiology server

Location vs. Proximity Data. Apps that collect users' location data differ from those that don't collect this data in two ways:

• (Privacy costs): location can be learned
• (Benefits): hotspot information can be provided (note, decentralized broadcasts offer this without location data collection)

Other Features/Benefits. Users may be more or less willing to install COVID apps that have benefits from additional non-contact tracing/narrowcast features. These features may be possible to include in contact tracing or narrowcast apps, but have additional privacy costs and architectural considerations that we do not consider here. These features/benefits include functionality related to: symptoms (e.g., symptom checkers, self-diagnosis tools), public health information (trustworthy general information and guidelines), and home health support (support for quarantined COVID-positive/at-risk patients, e.g., personalized medical advice, contact with a doctor).

User Factors. Whether or not a user is willing to install a COVID app may depend on a large list of user-specific factors.
I have compiled a, by no means complete, list of these factors (some of which is drawn from my prior work with Hargittai [6]):

• Their current or previous health status (e.g., COVID positive)
• The current or previous health status (e.g., COVID positive) and outcomes (death) of those they care about
• Non-physical health-related negative experiences they (or those they care about) have had as a result of COVID (e.g., layoff, bankruptcy, business loss, etc.)
• Their level of fear of one of the aforementioned negative experiences
• Their locus of control: do they think they can take action to reduce their risk from COVID if they do and/or do not know their exposure status
• Their knowledge of COVID
• The directness of their involvement with COVID (e.g., medical worker, essential worker)
• Their level of concern about COVID's impact on a variety of entities including themselves, those they care about, and their community along the lines of both physical health, lockdown/mental health, and economic wellbeing
• Their level of concern about COVID consequences related to the economy, etc.
• Their exposure to media about COVID
• Their sociodemographics (race, income, age, gender, educational attainment, urban/rural, etc.)
• ...

[1] What you should do to extend your phone's battery life | Wirecutter
[2] Mobile fact sheet
[3] Privacy sensitive protocols and mechanisms for mobile contact tracing
[4] Mobile applications to support contact tracing in the EU's fight against COVID-19
[5] Black Americans face alarming rates of coronavirus infection in some states - The New York Times
[6] Will Americans be willing to install COVID-19 tracking apps?
[7] How good is good enough for COVID19 apps?
[8] Apps gone rogue: Maintaining personal privacy in an epidemic
[9] US smartphone use in 2015
[10] Decentralized privacy-preserving proximity tracing

With thanks to Paul England, Eszter Hargittai, Cormac Herley, Eric Horvitz, Gabriel Kaptchuk, Tadayoshi Kohno, Marina Micheli, Josh Rosenbaum, and Carmela Troncoso for feedback and conversations that contributed to this document.