Security Economy Episode 8: Behind the Scenes on Contact Tracing & Privacy Implications with Dr. Anna Lysyanskaya

Hear from Dr. Anna Lysyanskaya, a renowned cryptographer and professor at Brown University. Anna has worked directly with Google and Apple on how to use bluetooth low energy in our cell phones to enable privacy preserving contact tracing at scale for COVID-19.

She shares her thoughts on the privacy preserving methods used to develop the APIs that Google and Apple just released.

Dr. Anna Lysyanskaya

Katelyn Ilkani

COVID-19 has upended the world.

People are looking for answers for how we can reopen society, get back to work, or even go to a restaurant.

One of the top strategies being discussed is contact tracing.

How can we trace people who we know are positive for the virus and then notify people who may have been in contact with them, to let them know that they maybe should also get tested?

If we do this, how can we possibly make sure that people's privacy is preserved?

That's why I've brought in Dr. Anna Lysyanskaya. Anna is a professor at Brown University, and a world renowned cryptographer.

She's been working with other cryptographers, and privacy preserving specialists on this exact topic. And she's here with us to describe what's happening in this space, and what we should all know about the privacy preserving methods being deployed.

Hi, Anna. Thank you for joining me today on Security Economy.

Dr. Anna Lysyanskaya

Hi, this is very exciting. Congratulations on your wonderful podcast.

Katelyn Ilkani

Thank you so much.

I am really excited to talk to you about what's happening in contact tracing, and what's going on from a privacy perspective today.

I know that we met while you were my professor at Brown.

(I got an Executive Masters in Cyber Security at Brown and Anna taught me a course on cryptography.)

So today, we're going to be talking about privacy and cryptographic aspects of contact tracing apps.

With that, can you tell us more about yourself?

Dr. Anna Lysyanskaya

I'm a Professor of Computer Science at Brown University.

I'm a cryptographer. My field is all about having your cake, and eating it too. Or in other words, preserving your privacy, and yet, making sure that the right things happen.

So, only authorized individuals get the right information that you can enjoy access to wherever you need to go without disclosing who you are, just the fact that you're authorized. Those types of things.

Katelyn Ilkani

What's happening right now with contact tracing apps for COVID-19 tracking? I think you've been working in this space.

Dr. Anna Lysyanskaya

That's right.

First, let me tell you what contact tracing is.

Should you become sick with any infectious disease in general, and COVID-19 in particular, public health officials would ask you, "Can you remember where you've been, and who you may have come into contact with, so that we can find these people and alert them that they may have been exposed? They need to look out for any symptoms, and they need to minimize contact with other people so as not to expose them."

So that process is called contact tracing.

It's been done now for infectious diseases for decades, probably hundreds of years, because it's known to be extremely effective in reducing the spread of infection.

And now that it's the year 2020, a very obvious approach to it is, can we automate at least part of it? Because most of us carry smartphones everywhere we go, and smartphones typically are very good at sort of scanning their environments and checking if: are there headphones nearby that I can pair with? Or, is there another device nearby that maybe I can exchange pictures with?

So, just scanning the environment to see "Oh, is there another device nearby, so that if my user is infected with the virus, the owner of the other device might catch it too?"

That's just a small addition to the kinds of functionality that a phone already has.

So based on that, with the idea that using Bluetooth, and then in particular Bluetooth Low Energy, you can identify whether or not there are other devices in your environment that might need to be alerted about possible exposure down the line, should the user to whom this device belongs end up being diagnosed with the disease.

So the question is how to do this.

The obvious approach would be, "Well, my phone broadcasts my phone number, everywhere I go. It's a little beacon and says, 'Here is an honest phone number'." And then if your phone comes into contact with mine, and then it turns out that you test positive for the disease, then, conveniently, you have my phone number. You can get in touch with me, and that would be one way of automating this exposure notification.

Of course, this is not a very good way because of privacy concerns.

We don't want to walk around broadcasting our phone numbers, because we don't want to be traced.

It's just not acceptable in a free society to constantly broadcast unnecessary information. But it turns out that you can do equally well without this very invasive approach.

Instead of broadcasting my actual phone number, I can just broadcast completely random numbers.

These random numbers are long enough that it's extremely unlikely that anybody else happens to have the same exact random number that I'm broadcasting.

And not only am I broadcasting these numbers, I actually change them all the time. So one minute I broadcast one number, and then I keep broadcasting it, and then the next minute, I change it up and it broadcasts a completely different number.

But I remember all the numbers I've broadcast, and if somebody comes into contact with me, I also receive the numbers that they broadcast. Then if one of my contacts becomes ill with this disease, and they are asked to participate in this automated exposure notification scheme, then they publish all the numbers that they've broadcast.

These numbers are completely random. They don't reveal any information about who they are, or where they went, or anything like that.

But if I happen to have been in contact with them, then their numbers that they've published, happen to be stored locally on my phone.

Now, my phone can download this huge database of random numbers that are linked to people who have been infectious, and checks that against what's stored locally. Then, if there's an overlap, it alerts me and says, "Oh, you know, you've been in contact with somebody who tested positive. So take extra care, isolate yourself."

Now I know, and I can pay attention and at the slightest sign of anything worrisome, I can contact my doctor and tell them.

That's kind of the broad outline of what me and my colleagues have been thinking about as far as privacy preserving contact tracing is concerned. And of course, there are many, many more details, and the devil is in the details. So, there are more challenges to talk about.

Katelyn Ilkani

So, Anna in this scheme, the numbers would not be broadcast, for instance, to the CDC, or local public health agencies.

Dr. Anna Lysyanskaya

So, that's exactly what I'm saying, the devil is in the details.

There are many ways of doing it.

For example, a user, let's call her Alice, let us say that she becomes sick with the disease. Then the numbers that she has broadcast, she needs to submit them to some database so that her contacts can download them and compare them with what's stored locally.

The question is, how is this database going to be realized? Who is going to be in charge of the numbers that are stored in the database?

And that entity, does it need to know who Alice is, or not? Those issues, I think, are very much up for discussion and debate. And there are pros and cons.

I mean, you definitely don't want somebody to just upload some random numbers in this database without any kind of authorization, because then it would be very open to a denial of service attack. So care needs to be taken in how the numbers get to this database, and who is authorized to enter them. So, you know, you can imagine a number of different approaches.

One approach is, well, Alice just tested positive so she's physically potentially at a testing location, and so somebody who works at a testing location might be authorized to upload her numbers. That would be one approach.

And potentially they upload her numbers, but they don't necessarily do it in a way that all the numbers are linked together, so you don't know that all of these numbers belong to the same individual. Maybe they kind of aggregate all the numbers from the people who tested positive in that location, and then upload them all together as a batch.

That gives us a little bit more privacy. So, there are many ways of doing it that would allow both some degree of confidence that these numbers really didn't come from devices of infected individuals, and yet won't reveal any unnecessary information that would allow you to track particular individuals' movements, contacts or whereabouts.

That would be very undesirable from a privacy point of view.

Katelyn Ilkani

You mentioned that you've been working on this with some colleagues. How have you been involved in this effort?

Dr. Anna Lysyanskaya

Obviously, all of us are cooped up at home right now, and it can be a little bit depressing. So I was kind of thinking like, what can I do?

How can I contribute to helping resolve this crisis? I came across some ideas from my PhD advisor. I got my PhD almost 20 years ago, but of course, I still try to keep in touch.

I just got so excited because I thought, "Wow, this is something I can do."

I can't make masks - one of the things that I cannot do. But this is something I could do. Let's see if I can help.

I started thinking about what can I add to the projects. I started exchanging ideas, with him, and the team, and many other people joined kind of in this similar manner. We just all found each other and started talking to each other.

We came up with a lot of the details that I'm not touching upon, and a lot of different approaches, different privacy features.

At some point, it became clear that as academics, we can sit there and think about it as an academic exercise. That's very valuable and very interesting.

But there's something else that's happening in the world, and that is that actual people are getting sick, and that contacts actually need to be traced, and actual devices need to enable that.

Another thing that we did, and that's not just my team, but several teams around the world, all of us had the idea that we need to get in touch with absolutely everybody we know at Google and Apple, and, you know, get them excited too about making this happen.

I'm sure it will come as no surprise, but when we did get ahold of them, our friends at Apple and Google, it turns out that actually they were also thinking along those lines.

It's not just an academic exercise. This is really happening.

I guess by now, it's been more than a month since we started talking with Apple and Google.

A few weeks ago, in the middle of April, they made a joint announcement. This is extremely rare, because usually, Apple iOS, competes with Google's Android. They're trying to one up each other; they're very secretive; they don't tell each other what they're up to.

But this was a case of absolute harmony between them, and also between the academic cryptography and privacy communities, where they made the announcement that they wanted to make it possible to do this automated exposure notification.

And they want to do it right from the privacy point of view. Just recently, they published their APIs. That means that if you want to write an app that would enable automated exposure notification, you now have the right APIs to make your app talk to iOS or to Android.

Their approach to "here's how we're going to do it right" is exactly what I described earlier on your podcast, with every device transmitting these completely random numbers all the time.

The numbers rotate so that if you come into contact with somebody else's device, all you know is, "I just came into contact with somebody's device, and I got this random number from them."

If they later test positive, then you can be notified. Your phone notices that a number in this global public health database matches the number that's locally stored on your phone and notifies you that you've been exposed.

That's exactly what the APIs do. They allow this Bluetooth communication that would generate these numbers and then store them, and then allow public health officials to get these numbers out of your phone for the purposes of notifying people that have been exposed.

Katelyn Ilkani

It sounds like the first hurdle has been overcome, which is getting Apple and Google to push out this API, so that app developers can even work on the contact tracing apps and hope to have a measure of success.

What do you think, though, about the privacy preserving methods that are being discussed and that have been settled on here? This idea of using these long strings of random numbers?

Dr. Anna Lysyanskaya

I think that is the best approach we have, at the moment.

I mean, we can improve it a little bit from the privacy point of view using some very interesting and fancy cryptography.

Me and many of my collaborators, we actually just submitted a paper to a conference where this random number that gets broadcast, after your phone receives it, but before it stores it, it actually randomizes it a little bit. If you become infected, then you publish the numbers you received, but in this randomized fashion, it's randomized in such a way that your phone can still recognize that it was mine, but I can no longer tell when I sent it out.

That means that I don't know at what point in time I met this contact, who in the future tested positive.

That protects the privacy of the people who are infected. We just wrote a paper on it, so I think it's very cool.

I'm excited about the possibility that that might be used. From the efficiency point of view, probably the APIs that Apple and Google currently made available, they're probably more desirable. From the privacy point of view, they are actually quite good also.

I think that those APIs are the way to go for this particular pandemic.

Now, some governments around the world might disagree.

For example, the UK, they were not pleased with the Apple/Google approach.

They wanted an app that would not be privacy preserving at all, so that they would know exactly who's been where, and who has been in contact with whom without any of this "Oh, you know, we ran with like, it's just random numbers," and you learn nothing.

So, they announced a completely different approach.

I think it maybe was a week or two ago, and as soon as they announced it, everybody on all the teams that I know of, that were in touch with each other were like, "That's just because they don't understand what Apple and Google are giving them."

Because Apple and Google are giving them everything they want.

The ability to notify everybody who has been exposed, to get in touch with them so that they will potentially come and get tested themselves, and then you can notify their contacts. That's all you want.

But because the announcement made it so clear that this is privacy preserving, it's possible that these government officials were like, "Oh, it's privacy preserving? That means I cannot do the contact tracing."

Now, it turns out that time has passed, and they've understood it better. Now, they kind of assumed that it actually will work with the Apple/Google approach. I think the world is converging to the privacy preserving way of doing it.

Katelyn Ilkani

Well, it's hard to scale this if you don't go with the Apple and Google approach, right?

I mean, COVID-19 is so infectious, you can spread it so quickly to such a large group of people that without having Apple and Google backing this approach, I don't know how we would do contact tracing well at all.

Dr. Anna Lysyanskaya

That's absolutely right.

It is very hard to make people install an app on their device, unless you actually push it via an automated update to the device's operating system. So yes, without their buy in, it's very hard to reach every single device and make it participate.

Some jurisdictions potentially have other tools at their disposal, right?

They might say, "We need you to download this app. And we're going to put a security guard in front of any public place that you want to gain access to, and that security guard will demand to see your phone and to make sure that you've downloaded an app."

Now, that's a very invasive approach, but it does work in some countries.

I believe in Israel, everybody is required to have their contact tracing app on their devices.

That can be accomplished without any cooperation with Apple and Google, because if you install an app on your own device, this app can do all kinds of things that maybe Apple and Google will disapprove of, and will say, "Oh, that's privacy invasive."

But if you installed an app, and this app says broadcast your number all the time, then this is what the app is going to do.

And it might not do it via the APIs that Apple and Google have developed. APIs in general, they don't give an app access to this Bluetooth interface.

I think that it's kind of walled off, but there are other methods that your device might broadcast its number. You can broadcast it over WiFi.

Our devices are designed to communicate all the time, so they'll find a way to communicate whatever it is that your app wants you to communicate.

All this to say that you could potentially write a completely different app, totally bypassing all of the wonderful APIs that they're designing, and you might even have the government that is strong enough, that is capable of having this app installed on every single device.

The question is not whether a government can do this. But the question is, what do we want? Like, what are our values? Do we want government surveillance? Do we want big brother in our pocket?

Or do we believe that you can have privacy, and contact tracing at the same time? I strongly believe that you can, and that there is no value added to having a very invasive approach.

That's why I got so excited about getting involved with this project. This is one of those opportunities that we have, as technologists, to come up with the technology that isn't intuitive and yet, it accomplishes so much. It gives us the tool to do something very important for the public good, and very seemingly invasive, like contact tracing, and yet do it without compromising our values and without putting a big brother in everybody's pocket. So that's extremely exciting to me.

Katelyn Ilkani

That is exciting. And just for clarification for our listeners, Anna, as Apple and Google have pushed out this API to enable phones to be able to do this, will individual users have to download an app to make the Bluetooth signal work? Will they have to choose to do that? How is that going to be figured out?

Dr. Anna Lysyanskaya

The idea, I think is still in flux, so I am not speaking for anybody except my own, potentially quite limited understanding of what the vision is here, but I think that your device is going to be broadcasting random numbers as soon as you install the updates to your operating system.

So, you don't need to do anything except, every night you plug in your device so that it's charging.

While it's charging, if there's an update to the operating system, it typically downloads it and installs it automatically. This is going to just be added to the operating system so nothing else is needed from the user.

Now, when the user becomes interested in this, or tests positive, at that point in time, your device might say, "Oh, by the way, it's broadcasting and still storing the numbers that it hears, but when you become interested in this information, then you download an app."

The app just gives you the interface, and it says, "Well, what do you want to do with this? How do you want to be notified about your exposures?" So at that point in time, the user actually is interacting with the app.

When the user tests positive, at that point in time, their numbers get transmitted somewhere. If the public health authority in that location is taking advantage of this, then they could tell the user, "Okay, you need to download an app at this point, and then using this app, we're going to get the numbers out."

The vision, as far as I understand it, again, speaking only for myself, and this is a kind of a quickly developing story, and I think we get more and more information every day. I think the vision is that in every jurisdiction, in every geographic location, there's a different public health authority that should authorize probably just one app per jurisdiction, to eliminate any kind of confusion so that depending on where you are physically, you will be able to download just that one app and nothing else for the purposes of exposure notification.

Now, you might be able to download other apps that give you more information about the disease, about your risks, about what to do if you're notified and all of that, but for the purpose of uploading those random numbers to the health authority, I think there's just one app that's authorized for a geographic jurisdiction.

I think that for the other step where you get the notification that you've been exposed, I am not sure if it's just one app, or it could be that you might want different apps depending on language or users with disabilities might prefer apps that are a little bit more tailored for their particular abilities or languages.

It's possible that on that side, there might be more choices, but in any event, the part where the user actually has to interact, him or herself with their device, they might have just one app or might have a choice of apps.

Katelyn Ilkani

This is a particularly interesting discussion in light of this idea of being able to open back up the economy and being able to open up higher education institutions in the fall for classes.

I'm really looking forward to seeing how this evolves. There's a lot of conversation right now happening in higher ed in particular, I believe, around how can higher education institutions get this contact tracing data.

To add to that, it also depends on us testing; we have to do more tests.

Dr. Anna Lysyanskaya

Yes, I think that this is a really multifaceted problem that requires a lot of people working together to make it possible to safely reopen at least some of the economy.

And this exposure notification is just one little piece of the puzzle. You cannot do exposure notification at all if you cannot identify people who are actually sick.

I think that what we're doing right now, you and I are doing right now, which is just putting our heads together, virtually, and talking through the problem and thinking through it, a lot of that needs to be happening everywhere before we can go outside and resume at least a fraction of business as usual.

Because even with exposure notification, it doesn't in itself, slow things down, unless you can get not just the people who have been exposed, but they don't know yet that they're sick.

You also potentially might need to notify the people that they have been in contact with. Because this disease is rather slow.

You know, it takes several days, sometimes even up to two weeks for somebody who caught it, to develop any symptoms.

By that time, not only have they infected lots of people, but even the people they have infected may have already had a chance to infect others.

We need to limit the number of people that anybody is exposed to at any given time, because even if you can trace everybody, if by the time that I even test positive, I've already exposed 100 people who have in turn exposed, you know, another hundred each, then it just becomes such a huge number of people.

The cat is out of the bag at that point. There's community spread, and it's too late.

I don't think it's that contact tracing and exposure notification by themselves do much. It's extremely important, in my opinion, and I'm not an epidemiologist so, ask an epidemiologist next, but in my opinion, this is no substitute for your basic precautions like wearing masks, using hand sanitizers religiously.

In addition to that, of course, we need to not congregate in large groups, be mindful about personal space, not get too close to people. None of these restrictions can be relaxed anytime soon.

I mean, we're not talking about resuming business as usual. We're talking about maybe, in a large enough classroom, we can put desks 6 feet apart from each other so that kids can actually be in a classroom with their teacher and not on Zoom.

And these kids, they need to be wearing masks. They need to eat their lunches at their desk and not run around too much.

This is hard, but that would really be great because we're all so tired of having our kids at home. That would be the limit.

Katelyn Ilkani

Well, I am not an epidemiologist either, but I do have a Master's in Public Health. I would agree with everything you said about masks, washing your hands, and social distancing - keeping at least six feet apart from other people.

I completely agree with you, that those things are going to be necessary until we either have some kind of antiviral medication or a vaccine.

Dr. Anna Lysyanskaya

Yes. So, I think those are the superheroes.

I'm excited that I can contribute a little bit to trying to solve this problem, but they're really the ones who are solving the problem.

Katelyn Ilkani

Well, it all has to come together, to your point that there are lots of pieces to the puzzle. We really need to be focusing on so many areas.

You mentioned something earlier about this idea of Big Brother, and my worry is that a lot of Americans will feel like this is incredibly invasive if they don't understand the technology.

It is complicated technology, these privacy preserving methods, and I'd like to explore with you here if we can debunk any myths.

So, you know, first, are there any aspects of this that give you pause from a privacy perspective?

Dr. Anna Lysyanskaya

So that's a very good question.

What these particular APIs do, is they allow your phone to discover that it has been in relatively close proximity to the phone belonging to a person who tested positive.

Now, your particular device might, in addition to the number that the person has sent out, at the time when you were in proximity to each other, it might store not just that number, but also the time when that number was received.

And that's useful to store because obviously the numbers that you overheard more than two weeks ago, they're no longer dangerous for you because the incubation period is over.

So, it's useful to store the timing information, but the timing information might also give away who it is among your contacts who is infected, because if you can remember, "Oh, at three o'clock on Tuesday, I was visiting my professor's office hours. And that's when I was exposed to somebody who tested positive."

That means it's my professor who is sick, and that might potentially come with some stigma.

So, you want to protect the privacy of the infected individual.

One reason that you want to protect them is because if people perceive that using this app comes with a cost, with stigma, then they will just say, "You know what, I don't need to carry my phone all the time. I'll just turn it off." Then we won't get the benefits of automated exposure notification.

That particular issue, there are remedies to it. For example, your phone might store the time that it was in contact with a particular random number, but it might not routinely just give that information up to the user.

The app might say, "You were in contact with somebody," and the app doesn't tell you who it was.

That would be a way to reduce the intrusion of this app, and that's not a bad way because actually, our devices are pretty good at keeping private information on a device and not just giving it out. You'd have to jailbreak your phone to get to that information.

That's actually a pretty good deterrent for most users, so there won't be the stigma.

Then there are also other solutions, like we have this mathematical solution that eliminates the stigma, that eliminates this particular type of information.

Other than that, there really aren't any privacy risks with these APIs any more than with manual contact tracing. If we're okay with mandating that people undergo contact tracing, that they disclose all this private information about their contacts.

If we think that that's fine for public health needs, then this particular piece of the puzzle just does that much more effectively.

Now, you don't need to rely on human memory, or you don't need to ask people to remember details about where they went and who they saw when they just found out that they tested positive for this horrible disease. The last thing you want to do is go through and think, "Who have I been in contact with?"

Another thing that is actually very important about the Apple/Google approach is that it actually allows people to opt out.

Like for example, let's say that at four o'clock on Friday, every Friday, our favorite user Alice goes to an Alcoholics Anonymous meeting. She doesn't want anybody to know that she attends these meetings, but they're vitally important to her. She could not function without going to her AA meetings.

These APIs allow her to say, you know, on Fridays from four to five, and even after the fact, I want to redact that information. So, yes, you know, we're in a room together, and I'm potentially exposing people. They're potentially exposing me, but that's a risk I'm going to take. These are not contacts that I'm open to notifying, because we're anonymous, and that's just the rules of the game. That's just how it is.

There are some mental health needs, such as AA meetings, that are very important, also for public health, by the way.

It's okay that for those purposes users should be able to redact this information. Those contacts, unfortunately, cannot be traced. But fortunately, that means that Alice can still get the mental health support that she needs, and help others.

Katelyn Ilkani

I think that these conversations are going to be very important.

You mentioned this idea of stigma. Interestingly, last night, I saw an article that if you've been diagnosed with COVID-19, you're no longer eligible for the military.

This is one big impact now of getting the disease that could really affect a lot of young people in particular, who may be thinking that they're going to enter the military.

What questions do you think people should be asking before deciding to use these applications, Anna? If you're worried about any of this, what should you be asking?

Dr. Anna Lysyanskaya

Specifically for the Apple/Google contact tracing app, I don't think they need to be asking themselves much other than, "Before I just hand over my phone to medical authorities, are there any times for which I want to redact the random numbers out because whatever it is that I was doing was somehow not okay?"

Everything else, they can preserve their anonymity.

Again, this is just a small piece of the puzzle. There needs to be a much bigger consensus in society, that when you test positive for this disease, we don't actually need to know who you are.

Your device by itself is not the same as your passport. It's not an ID.

If you just say, here's my device that I had with me all the time, take out all the random numbers from it and notify the devices who have heard them, that by itself doesn't tell anybody who you are.

It doesn't become obvious that now you're suddenly disqualified from receiving some benefit that you would otherwise be eligible for.

Now, I don't know why the Army is at the moment not accepting people who have tested positive for the disease. I mean, I hope that it's just a temporary situation because I understand all of us will eventually catch it.

In general, I mean, you can imagine that for certain diseases, there are real risks associated with people who are positive for the disease being in particular places.

It's not a question of stigma, it might be a question of safety.

Then there's a flipside to that. If you have already had the disease, and now you have the antibodies, it is actually potentially very beneficial for society to be able to say, "Oh, well, you're fine."

You can now go and work shifts at these nursing homes without exposing people, because nursing homes have become, unfortunately, hotbeds of this infection.

If you have already had the disease, and now you are immune, and of course, unfortunately, we don't even know if people who've had the disease are immune. But, let's hope that they are.

So, if you've had the disease, and now you're immune, it would be nice if we could give you some kind of a credential that says, "You are now immune," and there would be a way to kind of digitally represent this credential on your device. Then your device, potentially, does not have to engage in this whole contact tracing process.

Katelyn Ilkani

That leads in really well to this next question I wanted to ask you, which is around the future of contact tracing.

I can see, once this gets turned on, for instance, maybe we just never turn this off, even after we have a solution to COVID-19. Maybe this is just a new public health innovation?

Dr. Anna Lysyanskaya

I think that might be a little bit worrisome to never turn it off entirely.

What we don't want is to be able to go back in time and figure out who talked to whom. For example, imagine how this can be used to out whistleblowers.

For example, if you can somehow get a whistleblower's lawyer's device to trick the system into thinking that the lawyer is infected with the virus, then it notifies all the lawyer's contacts.

Now they come forward. They contact the system and say, "Oh, I think I may have been exposed." Now, you narrow down your list of potential whistleblowers considerably.

If you have a government authority, working in conjunction with this app, it might not be so beneficial.

I think that this needs to be understood as a measure that can only be in effect during a crisis, like we're experiencing right now.

I think it's very dangerous to just leave it there for normal times; it would make me very worried.

I mean, there's always the option, if you're a whistleblower, that you turn off your device.

But, who thinks of doing that? Usually there's the attorney-client privilege, so you don't worry about devices.

This is all very new. So, yes, I guess there are privacy aspects of this entire situation that give me pause.

That's why I'm saying if we're okay with contact tracing at all, for the purposes of public health, then an attorney who tests positive for COVID-19 would have to disclose to the public health authorities who their clients were, so that they can be notified.

Of course, they can say, "No, due to attorney-client privilege, I'm going to notify my clients myself; I'm going to turn off my device." But then they won't be able to tap into the benefits of automated exposure notification either.

There are a lot of ramifications to these technologies.

Katelyn Ilkani

That's another use case potentially for redacting the numbers just like the Alice AA example, but then people have to remember to do it.

So, are they prompted then by the public health agency? Are they reminded? There's definitely some things to work through maybe from a policy perspective.

Dr. Anna Lysyanskaya

From a policy perspective, and also from a usability perspective, because if there's an app, the user never interfaces with the Bluetooth him or herself. All of this is mediated by an app.

If you have a particularly privacy-friendly interface for an app, then it might, for example, just look at the user's calendar and say, "Okay, there's an event on your calendar. Do you want to mark it as sensitive, so that it's going to be exempt from contact tracing?"

Now, if Alice has her Alcoholics Anonymous meeting on her calendar, and she just kind of blankets every Friday so that this time is walled off on her calendar, then her app says, "Okay, every Friday, I'm just going to block it out."

It would have to be a combination of people just thinking about their privacy, and remembering to redact, and technology that gives them the aids to do that.

This is, unfortunately, very hard to accomplish in a world where all the apps out there are so hungry for data.

Data is such a goldmine, at the moment, that to have an app that actually is actively turning down access to data is really hard.

Katelyn Ilkani

There is a lot to think through, and it's an exciting space to be in right now.

It's definitely very necessary.

As I said, I know a lot of higher education institutions, in addition to public health authorities, are really interested in this. Thank you for the important work that you're doing.

Dr. Anna Lysyanskaya

Well, thank you so much for asking such wonderful questions. Very, very thoughtful questions, and I am really looking forward to keeping up with your podcast.

Katelyn Ilkani

Thanks, Anna. Thanks so much for being with me today.

Dr. Anna Lysyanskaya

You're welcome.

Katelyn Ilkani

And that's a wrap. Thank you for joining us for this episode of Security Economy. Check out our episode lineup at, and don't forget to subscribe. See you next time.
