The Breakdown - We Don’t Need Big Brother To Beat This Virus
Episode Date: April 23, 2020One of the key aspects of most plans to reopen the economy is digital contact tracing. This would be an apparatus whereby mobile phones kept track of the other mobile phones they had been physically p...roximate to, so that if someone were diagnosed with COVID-19, the at-risk people they had been in contact with could be notified. Apple and Google have proposed one plan while a European consortium is working on another. At the center of the issue is whether contact tracing can be done in a way that doesn’t violate privacy and doesn’t open a Pandora’s box of new issues around the data governments have on their citizens. Today’s episode of The Breakdown explores the crypto community’s response to contact tracing and why we don’t need big brother to beat the virus.
Transcript
Discussion (0)
Welcome back to the breakdown.
An everyday analysis breaking down the most important stories in Bitcoin, crypto, and beyond,
with your host, NLW.
The breakdown is distributed by CoinDesk.
Welcome back to the breakdown.
It is Thursday, April 23rd, and today we're going to be talking about a subject which is high
on many people's minds, not just in the Bitcoin and crypto world, but beyond, but certainly
has particular interest for this group of folks. We're going to be talking about privacy in the context
of COVID-19. On Monday, the Times in the UK published an op-ed called We Need Big Brother to
beat this virus. The subheader is, don't let the civil liberties lobby blind us to the fact that
greater state surveillance, including ID cards, is required. So this is, of course, clickbait. The
title is designed to get engagement, and engagement it got, including for me. I wrote,
we really don't, though, with a screenshot of the piece, and it seems from the response that I got
to that tweet that this is something that a lot of people are thinking about. One of the great
fears in really any time of extreme crisis is that centralized actors, governments, use that
moment to consolidate more power. Some of this is necessary. There are extraordinary powers needed
for extraordinary times, the problem is that states tend not to relinquish that power. I mean,
no one tends to relinquish power easily once it has been claimed. In America, we've obviously
seen this with the Patriot Act and how that kind of just became de rigore normal policy
rather than something that was for a specific moment in time in history. And people fear that
that's what we might see again in this context, in the context of the coronavirus crisis. Now, I don't really
want to spend too much time on the Big Brother essay. I think, like I said, it was designed,
at least from the way that it was presented, to get clicks, to get people riled up. And it did.
I do think the idea that there's some big powerful civil liberties lobby that we should call
out is a little bit of a joke. But what I want to talk about is the actual questions of privacy
in the context of reopening the economy, because that's really what this conversation is about.
It's about contact tracing, which is a part of the strategy or a part of what would allow us to
actually open up the economy and go back about our lives.
So that's kind of what we're going to talk about today.
So what is contact tracing?
Contact tracing is a technique that is meant to help slow the rate of infection of a disease
by giving people information that they might have been exposed so that they can self-quarantine,
they can remove themselves from normal activities and actually stop the spread of a virus.
Historically, the way that contact tracing has worked is through individual people,
through people actually going out and interviewing people who have been diagnosed with a disease
to determine who they've actually interacted with in a way that might bring that person into risk or into harm.
They then follow those contacts to see who else they interacted with and so on and so forth.
So this is an extraordinarily labor-intensive effort historically.
But what it allows for when done well is that if people find out that they've been potentially
exposed, they can alter their behaviors in a way that matches that, and thus we reduce the
overall spread of a disease.
For those who have heard of contact tracing, it might be in the context of the 2014 Ebola
outbreak in West Africa.
The effort to use contact tracing to reduce the spread of that disease was one of the biggest
efforts of its type in history.
And then when it came to coming back to the U.S., some 29,000 people were actually monitored
through a contact tracing program as well.
These are people who had been in Africa and came back to the U.S.
So that's contact tracing.
The issue with it primarily has to do with just how much labor there is involved.
It's a hugely laborious process, which would be especially difficult in the context of coronavirus, which has such a long incubation period.
There can be no symptoms for two weeks before this thing shows up, so it makes it extremely difficult with an extremely long window for potentially having interacted with people.
For that reason, a human-based, exclusively human-based contact tracing system seems very, very difficult to implement from a pure human resource standpoint.
What's being debated now, then, is digital contact tracing.
In other words, apps that would take advantage of smartphone beacons, which can ping off one
another, to actually create a record of who has been near other people that is automatic.
The upshot of this is that it can happen all in the background, and that it can do a much better
job, frankly, than interviews would likely do of actually seeing people's daily interactions
with one another. The downside is, of course, and this was what was intimated in that piece,
why we need Big Brother, that there are serious privacy considerations around this type of data,
around putting a huge amount of information about people's movements and who they've interacted
with into a centralized server that is accessible and usable by governments, but also hackable.
There's an issue here of, on the one hand, civil liberties and privacy, and on the other hand,
health outcomes. So let's talk a little bit about the actors in the space right now, the main
proposed ideas happening. What's the status of these contact tracing apps? Well, the biggest effort so far
is a collaboration, actually, between Apple and Google. And they've proposed what effectively
amounts to a decentralized approach that it promises to protect users' privacy by giving the phone's
a fixed identifier, a series of pseudonyms. So basically, instead of having the phone identify itself as
Nathaniel's phone or Joe's phone or Miranda's phone, it instead has a random identifier that changes
every 10 minutes. Then if someone has actually been diagnosed with COVID-19, they effectively
publish or unmask themselves and share a list of those pseudonyms. This all happens automatically,
obviously in the background, and your phone can tell you if you've been near someone that has been
exposed. And of course, it won't tell them anything about who that was or how, right? So it's privacy
preserving, at least this is the promise. There is another effort going on in Europe that is called
the pan-European privacy preserving proximity tracing system, or PEPPT, which is just a delightful acronym.
theoretically it is privacy preserving and decentralized as apples and Googles is, but actually
there are some significant changes. Matthew Graham, who is notable for, among other reasons,
for having worked on the original design of Zcash, wrote a essay in Slate about this,
and he says that on closer examination, the concrete proposals for P.T. So far differ fundamentally
from the decentralized approach. For one thing, where the decentralized approach is proposed to
generate pseudonyms on your phone, the PEPPT protocols generate your pseudonyms on a centralized server.
This server will be able to link each pseudonym back to your real identity.
Worse, if you're diagnosed positive, your phone will not simply upload the list of its own
pseudonyms. It will also upload the identifiers of every person you've come into contact with,
so the authorities can track them down and notify them directly. So this is a massively different
system with a huge amount of additional data, personally identifiable data, by the way,
and the state having access to all of that data.
So these are really significant privacy implications that come with this.
This is what Graham's point is in writing this essay.
He says, these changes might seem small, but the privacy impact is huge.
If adopted, a single government-run server will store a list that maps every pseudonym
to its real user's identity.
If anyone were able to get a hold of this list, perhaps a spy agency or a hacker,
they could use it to track you out in the real world.
and for anyone unfortunate enough to be diagnosed with COVID-19,
the hacker will also gain a complete list of all of their social contacts.
Graham also points out that beyond just the privacy implications,
there's also potential for delays.
By doing this separate version of this,
there's specific rules that have to be negotiated with Apple's iOS apps
that prevent this sort of background broadcasting of beacons without authorization.
So there's actual implications just in terms of the efficacy as well.
Now, beyond just this separate build effort besides Apple and Google, you're also seeing governments
in Europe put pressure on Apple and Google to ease privacy rules.
So a headline from The Guardian yesterday, France urges Apple and Google to ease privacy rules on
contact tracing.
Government becomes first to call for invasive measures in effort to combat coronavirus.
Alex Stamos had a really interesting comment about this.
He said, referring to this article, this is the natural endpoint of an online.
online privacy debate that has always been more about culture war and competition policy than
actual empirical evidence of harm.
The moment there is a need for a reasonable balance of equities, ten years of European
rhetoric just evaporates.
Basically, he's pointing out that there's this hypocrisy where, in the context of trivial advertising
data, there's this puritanism around data privacy in Europe, but then as soon as a crisis
hits, they want to have access to this huge amount of information that is much more
important in many ways. And I think it's a good point. So what do people in crypto think? I started this off
by saying that this is an issue that is particularly close to home for a lot of the folks in this Bitcoin
or world. And there are, as you would imagine, a variety of different opinions. Representing, I think,
one extreme as it relates to the surveillance question is Alex Gladstein. He is the chief strategy officer
of the Human Rights Foundation and is in general, not just in this context, but in all things very, very
against the growing surveillance state. He sees it as a major threat to human rights.
On April 15th, he wrote a thread on the folly, this is his words, the folly of fighting
COVID-19 with surveillance. Now, the thread is actually broken up into a number of different
questions and sections. The first question that he asks is whether there is clear evidence
that contact tracing is an essential part of fighting COVID-19. He says, we must grapple with
the fact that the government that has the most intense citizen surveillance system in history,
the Chinese Communist Party, couldn't, despite all the Orwellian tech in the world, prevent an outbreak,
mass loss of life, and economic devastation. In fact, the CCP knew about the danger of the
COVID-19 outbreak in December, but instead of using its enormous surveillance capabilities to
quash the virus, it decided to try and cover up the outbreak, sensor medical reports, and destroy
evidence. What does that tell you? So that's kind of his first point, is that he's not sure that
there's clear evidence, and there may even be some counter-narrative evidence around the efficacy
and importance of this type of contact tracing in the context of coronavirus specifically.
His second point has to do with the Google and Apple system. His critiques basically have two parts.
The first is that the privacy promises are just that. They're promises, and they could be broken.
The second is that once this tech exists, other people will interact with it.
Apps will be built on top of it with government and corporate partners,
and more and more information will be taken from citizens.
Basically, it has its own life when it's out into the world.
His third point is going after this question of,
well, we're all being watched anyways, so who cares about giving them a little bit more information?
And his rejoinder is basically, why would we increase the effectiveness
and normalization of surveillance.
Why wouldn't we actually use this as a moment to say we should have less, not more?
Finally, he uses the comparative historical example of 9-11 in the Patriot Act.
He says, decisions made in the anxious months after helped massively erode the liberties of
Americans and build a global surveillance state.
And for what?
Evidence that this has worked has been extremely thin and the system is absurdly expensive.
Think of our societies a decade from now.
Are we going to clamor for surveillance to fight every major crisis?
for fighting the flu or any contagion?
You think that the Bluetooth tracking infrastructure planted by Apple and Google
into all of our phones will go away?
You don't think governments around the world will say,
hey, this is actually really useful.
Let's keep it.
It gives us unprecedented power to track citizens.
They will.
They will never let a good crisis go to waste.
So before you get too excited about defeating COVID-19 with phone tracking and surveillance,
ask yourself, do we need it?
Will it work?
What precedent does it set?
What could go wrong?
Do we really need a police state to fight the virus?
Your future self says no, you don't.
So I think Alex is very, very good at laying out arguments in a way that gives you a chance to actually
engage with them rather than just be kind of purely ideological.
And not everyone agrees with his point.
In fact, he's had a number of tete-a-tete's with Preston Byrne, who actually wrote about this as well.
Preston-Berne is a lawyer at Anderson Kill, and he wrote an article that says,
I'm a libertarian and I'm going to download Apple and Google's anti-COVID contact tracing app.
He starts it off.
He says, I don't like Apple.
I don't like Google. In my view, these companies have unfair and anti-competitive strangleholds over
mobile app distribution. I don't like surveillance capitalism. I don't like how these companies do
business. Most of my professional acquaintances don't like any of it either. Neither should you.
But we should all use this app anyways. He has four reasons why. So his first point is that
it should be possible to design this system such that location data is not provided to anyone.
Basically, there shouldn't be a technology hurdle there. Second is a legal argument. He says
ever since Carpenter v. United States was decided, the government needs a search warrant
before it can access cell phone location data from companies like Google and Apple.
Nothing short of a ruling from SCOTUS overturning its own decision is going to change that.
Third is the argument that Alex specifically pushes back on, which is that we're giving away
so much data already. He says, for 99% of us, the data we are proposing to provide to Google
and Apple's with this app already exists somewhere and can be obtained with a search warrant.
And his fourth part is fourth, and most importantly, the American initiative is voluntary.
So long as it's voluntary, I'm going to chip in.
Now, this voluntary piece is actually hugely important.
This is something that Apple and Google have been intensely focused on.
Ben Thompson, who writes the Daily Strategory email, called this out on Tuesday, April 14th.
He said, Apple and Google, who last Friday jointly announced new capabilities for contact tracing coronavirus carriers at scale,
released a new statement yesterday clarifying that no government would tell them what to do. Specifically,
governments will not be able to require their citizens to use it. A CNBC article about this put it this way.
They said, the two companies have drawn a line in the sand in one area. Governments will not be able to
require its citizens to use contact tracing software built with these APIs. Users will have to opt
into the system. This is a point of contention because many estimate that for contact tracing apps to be
viable, to be useful to actually work, you have to have something like 60% of people actually using
them. That's a huge effort to get voluntary download. So governments are, as you would imagine,
wondering if they can just force people to. But Google and Apple, who are the ones who have this tech
are putting their foot down. Now, Ben Thompson takes this to an interesting place talking about the
reality that tech companies effectively set the rules for their domains. It's an interesting moment for that.
But this gets back to Preston's last and most important argument that it's voluntary and that makes all the
difference. There are other folks in crypto who are actually trying to go even farther in terms of
privacy preservation as it relates to contact tracing. Anigma has just demoed an API called
SafeTrace. They describe it, SafeTrace is an API which connects to a privacy preserving storage,
and private computation service.
This means that many different applications, such as a web application or a mobile application,
can enable its users to submit encrypted user data via the SafeTrace API and receive results
without ever revealing plaintext data to anyone, including the SafeTrace server operator
or the application.
Now, you can go check out all of the development updates from SafeTrace.
There's a ton of information on it.
There's video demos.
It's something that they're actually working on, right?
This is not just a theoretical paper.
But I think that the key point is actually, I'm going to quote Torbert from Enigma, who wrote,
so much of what we're presented with is a false choice.
We can protect public health and user privacy.
And I think that's my key takeaway.
This is a choice that we have.
This is a conversation that we get to have as a society about where our priorities are.
And I simply don't believe that any choice presented with, we can do nothing else.
There's the only way to do this.
The only way to solve this issue is with Big Brother, is with surveillance.
It's simply an unacceptable answer.
But here's the good news.
And there actually is a bit of good news here.
We are having, because of this crisis, a much larger conversation about the importance
of privacy in our lives than we've had for a very long time.
And people who care about privacy, the great lament is that people simply don't care.
We are the classic aphorism of the frogs being boiled in the pot without even realizing what's happening
when it comes to the privacy that we've given away, the data that we've given away.
The reality is that this issue, while I don't think it's going to mainstream the issue of privacy
and surveillance overnight, it is certainly increasing the profile and expanding the number of
people who are actively thinking about this. And I think that when it comes to issues of
privacy and surveillance, it requires awareness on a much broader level. So I do think that the one
positive outcome of this debate, of this conversation, is that we're having it and it's asking us or
forcing us to ask larger questions about privacy and surveillance in general. All right, guys,
that that's what I got for you today. What do you think? Are you going to use the Apple, Google,
contact tracing app? Do you think contact tracing is going to be effective in this circumstance?
Do you think there's a better solution? Do you think that a even
more privacy preserving alternative needs to be proposed. Hit me up on Twitter at NLW. Let me know what
you think. And as always, guys, thanks for listening. And until tomorrow, be safe and take care of each other.
Peace.