Complexity science and computer algorithms can help us address privacy concerns that arise with the pandemic.
Read the Reflection, written 20 August 2021, below the following original Transmission.
Pervasive surveillance is quickly becoming the new normal, whether the surveillance infrastructure is developed by governments for control (e.g., in China and many other authoritarian countries) or by large tech companies for profit, as we see in the US and other Western countries. In the age of coronavirus, these are tempting tools to turn to, either to stamp out misinformation (censorship) or for efficient contact tracing of infected individuals or detection of social distance cheaters (surveillance). One recent example is the company Kinsa, which markets an Internet-enabled thermometer and made headlines in March when it announced that it had used data from 1 million thermometers to create a national map of fever levels and had spotted a downward trend in fevers, ahead of data reported by public health agencies.
Many of us would like to contribute to databases such as these, which can play an important role in the current epidemic; however, many are wary of Internet-enabled surveillance and wish there were a way to participate without sacrificing anonymity and privacy.
Complex systems thinking can provide new ways of thinking about these problems. Several years ago, we studied how the immune system learns to distinguish self (its own naturally expressed proteins) from other (cells and molecules associated with invading pathogens). Put very simply, the immune system uses a trick that is reminiscent of classic figure vs. ground examples, such as the famous picture that is both an urn and two faces. In effect, the immune system builds a map of self (the urn shape) by constructing many small detectors that represent non-self (the two faces). In immunology, this is known as “negative selection” or “clonal deletion.” This simple idea can be mathematized and coded as a computer algorithm in an approach that its inventor, Fernando Esponda, calls “negative surveys.”
In terms of the thermometer example, suppose each thermometer recorded the correct temperature but reported a value to the database that was different from the actual value. With sufficient data, it is a relatively straightforward calculation to recreate a histogram of the original temperature frequencies. A similar trick can be used to disguise the location from which the temperature was recorded.[1,2,3]
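The reconstruction step is easiest to see on a worked case. The block below is an added example, not code from the essay or from Esponda's own negative-survey implementation; it assumes the basic negative-survey scheme in which each device bins its true reading into one of k bins and reports, uniformly at random, one of the k-1 bins it is not in. The bin boundaries and the population counts are constructed sample data.

```python
"""Negative survey reconstruction of a temperature histogram (added example).

Each device reports a bin it is NOT in. No single report reveals a device's
true reading, yet the aggregate lets the collector recover the histogram:
a device in bin i never reports i, and each of the N - t_i other devices
reports i with probability 1/(k-1), so E[r_i] = (N - t_i)/(k-1) and
t_i can be estimated as N - (k-1) * r_i.
"""
import random
from collections import Counter

# Constructed bins in degrees Fahrenheit: k = 4 categories.
BINS = [(95.0, 98.0), (98.0, 99.5), (99.5, 101.0), (101.0, 106.0)]
K = len(BINS)


def bin_index(temp):
    """Map a reading to its bin; readings outside the range clamp to the ends."""
    for i, (lo, hi) in enumerate(BINS):
        if lo <= temp < hi:
            return i
    return 0 if temp < BINS[0][0] else K - 1


def negative_report(true_bin, rng):
    """What a device actually sends: any bin except its true one, chosen uniformly."""
    others = [i for i in range(K) if i != true_bin]
    return rng.choice(others)


def never_reveals(true_bin, trials=1000, seed=0):
    """Sanity check on the privacy property: a report never equals the true bin."""
    rng = random.Random(seed)
    return all(negative_report(true_bin, rng) != true_bin for _ in range(trials))


def reconstruct(report_counts, k):
    """Estimate the true bin counts from the counts of negative reports.

    The estimates always sum to N exactly: sum(N - (k-1) r_i) = kN - (k-1)N.
    """
    n = sum(report_counts)
    return [n - (k - 1) * r for r in report_counts]


def simulate(true_counts, seed=0):
    """Run the scheme over a population with the given true histogram.

    Returns (report_counts, estimated_counts). The estimate is unbiased and
    its error shrinks with the population size, which is why the essay says
    'with sufficient data'.
    """
    rng = random.Random(seed)
    reports = Counter()
    for b, count in enumerate(true_counts):
        for _ in range(count):
            reports[negative_report(b, rng)] += 1
    report_counts = [reports[i] for i in range(K)]
    return report_counts, reconstruct(report_counts, K)


if __name__ == "__main__":
    # Constructed population: mostly normal readings, a minority with fever.
    true = [12000, 6000, 1500, 500]
    rc, est = simulate(true)
    for (lo, hi), t, r, e in zip(BINS, true, rc, est):
        print(f"{lo:5.1f}-{hi:5.1f}F  true={t:6d}  reported={r:6d}  estimated={e:6d}")
```

The estimator is exact in expectation; with 20,000 devices the per-bin error is a few hundred, small enough to see the fever trend the essay describes, while any single stored report is consistent with the device having been in any of the other bins.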
Such an approach would work well for problems like crowd-sourcing fever maps, but contact tracing poses a greater threat. Epidemiologists argue that the most effective way to control epidemic spread through a population is with rigorous tracing of contacts. In today’s world, the most efficient way to accomplish that is by inspecting cell phone data, since almost everyone carries a phone almost everywhere they go. And some countries are indeed taking this route — for example, China, South Korea, and Singapore. In the US there are already calls for us to adopt this approach, and we are seeing an explosion of “privacy preserving” apps for contact tracing. Because cell phone data reveal much more information than that which is required to alert and test all at-risk contacts, the potential for abuse is high.[4]
Suppose that I am secretly meeting with a potential new employer, keeping an appointment with my mental health provider, or perhaps having an affair that I don’t want my spouse to know about. In these circumstances, if one of my contacts becomes infected, we would like a computation that can identify every person whose location data intersects with that of the infected contact, and we don’t need to know who the infected person is or what locations exposed me or my other contacts. This problem is known as set intersection, and Ni Trieu [5] and many others have developed private set intersection algorithms that use cryptographically secure methods to compute set intersections without revealing members of different sets to one another.[6] Despite the urgency of the current situation, this is the time to insist on strong guarantees (on both data collection and use), and on secure methods for computing and alerting contacts.
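To make the set-intersection idea concrete, here is an added example of the exchange, not code from the essay or from the PSI papers it cites. It uses the classic Diffie–Hellman-style private set intersection (commutative masking, where both parties raise hashed elements to a secret exponent) and returns only the intersection cardinality, matching the essay's point that the user needs to learn that an exposure happened, not which location caused it. The modulus is the Mersenne prime 2^127 - 1, chosen only so the example runs instantly; it is far too small to be secure, and a deployment would use a standard large-prime group or an elliptic curve. The location/time tokens and the function names are constructed for this illustration.

```python
"""Private set intersection cardinality (PSI-CA) for exposure notification.

Added example. Protocol (semi-honest, Diffie-Hellman style):
  client -> server : H(x)^a            for each of the client's tokens x
  server -> client : shuffle(H(y)^b)   for each infected-contact token y
                     shuffle(H(x)^ab)  the client's values re-masked with b
  client           : computes H(y)^ba and counts values that also appear
                     in H(x)^ab; because the server shuffled that list, the
                     client learns the count but not which tokens matched.
The server never learns the client's tokens, and the client never learns
the infected contact's tokens or identity.
"""
import hashlib
import math
import secrets

P = (1 << 127) - 1   # TOY modulus (2^127 - 1): not secure, demonstration only
ORDER = P - 1        # order of the multiplicative group Z_P^*


def hash_to_group(token):
    """Map a location/time token to a nonzero element of Z_P^*."""
    h = int.from_bytes(hashlib.sha256(token.encode()).digest(), "big") % P
    return h or 1


def new_key():
    """Random exponent coprime to the group order, so x -> x^k is a bijection
    (no two distinct tokens can collide after masking)."""
    while True:
        k = 2 + secrets.randbelow(ORDER - 3)
        if math.gcd(k, ORDER) == 1:
            return k


def mask(elements, key):
    return [pow(e, key, P) for e in elements]


def shuffle(items):
    """Fisher-Yates with a CSPRNG; removes positional linkage between messages."""
    out = list(items)
    for i in range(len(out) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


# --- Client side: an individual's phone holding its own tokens ---------------
def client_round1(my_tokens):
    a = new_key()
    return a, mask([hash_to_group(t) for t in my_tokens], a)


# --- Server side: holds the infected contact's tokens, never their identity ---
def server_round(infected_tokens, client_masked):
    b = new_key()
    server_masked = shuffle(mask([hash_to_group(t) for t in infected_tokens], b))
    # Re-mask the client's values and SHUFFLE them: this is what turns full
    # PSI into cardinality-only PSI from the client's point of view.
    double_masked_client = shuffle(mask(client_masked, b))
    return server_masked, double_masked_client


def client_round2(a, server_masked, double_masked_client):
    """Count matches: H(y)^b^a == H(x)^a^b exactly when y == x."""
    double_masked_server = set(mask(server_masked, a))
    return sum(1 for v in double_masked_client if v in double_masked_server)


def exposure_count(my_tokens, infected_tokens):
    a, c1 = client_round1(my_tokens)
    s1, s2 = server_round(infected_tokens, c1)
    return client_round2(a, s1, s2)


# Constructed tokens: coarse location cell + 15-minute time slot.
ME_TOKENS = ["cell:7f3a|2021-03-10T09:15", "cell:7f3a|2021-03-10T09:30",
             "cell:1b22|2021-03-10T12:00", "cell:9c01|2021-03-10T18:45"]
INFECTED_TOKENS = ["cell:7f3a|2021-03-10T09:30", "cell:4e4e|2021-03-10T10:00",
                   "cell:9c01|2021-03-10T18:45"]

if __name__ == "__main__":
    print("overlapping location/time slots:", exposure_count(ME_TOKENS, INFECTED_TOKENS))
```

The two shuffles carry the privacy guarantee: without them the client could line up the returned list against the order it sent and learn exactly which appointment overlapped, and the server could do the same against its own list. This semi-honest version is the baseline that the malicious-secure and delegated protocols in the cited work harden against a cheating party.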
These are just two examples of how complexity science and computer algorithms can help us address the many privacy concerns that arise with the pandemic. In the past, we have gone to war to defend the principles of a free and open democratic society. Putting in place poorly thought-out massive surveillance schemes puts these principles at risk. Instead, we should develop and deploy methods, many of which already exist, that allow us to recover the information we need in order to preserve public health without jeopardizing our right to be free of unreasonable search and seizure.
Read more posts in the Transmission series, dedicated to sharing SFI insights on the coronavirus pandemic.
Listen to SFI President David Krakauer discuss this Transmission in episode 30 of our Complexity Podcast.
August 20, 2021
Complexity Thinking for Computational Systems
As a computer scientist I was proud of how the technology developed over the span of my career enabled society to continue functioning in the face of a global pandemic: online education, remote social interactions, video meetings, online shopping, and telemedicine, just to name a few. At the same time, the pandemic threw into sharp relief many issues that my field has not addressed and probably cannot address on our own.
Many of these are complex-systems problems that involve interactions among sociopolitical systems, biology, and computational systems. For example, remote learning is much more effective when students have a stable high-speed internet connection, a quiet place to work, and a functioning computer; for most students online learning is still a pale facsimile of traditional in-person education. Similarly, the shortcomings of virtual work became painfully apparent as we staggered out of our home offices each evening suffering various forms of Zoom fatigue, mental fog, and other maladies, which highlighted the many subtle and mysterious ways that digital interfaces interact with our minds and bodies. Moving so much of routine life online so quickly also accelerated a trend that had been underway for some time, in which vast amounts of personal data are accumulating in the hands of for-profit companies and government agencies.
It will be many years before we fully understand the consequences of this trend, but if “data is power” as many suggest, then we might expect even more extreme concentrations of economic and political power in the hands of fewer and fewer actors, and we might ask what kinds of technical, institutional, and social innovations are required to mitigate these effects. The field of complex systems does not yet have answers for questions about social inequity, the differences between an in-person interaction and a high-quality video chat, or what role information and data will play in future economic and political shifts, but the pandemic brought them to the fore.
My Transmission suggested ways that complex-systems thinking might lead to new methods of privacy-preserving information capture, and it discussed phone-based contact tracing, which is an essential tool for controlling the spread of disease through human populations. Contact tracing apps record when two or more individuals are physically near each other, identify individuals who have been in close proximity to an infected individual, and notify them of exposures. In today’s world, smartphone technology is quickly replacing earlier methods as the method of choice for recovering an infected individual’s history of recent physical contacts and automatically sending out notifications. Yet existing apps do not provide sufficient coverage to be broadly useful in an epidemiological setting, and in the wrong hands they could provide new surveillance tools.
Over the past year, my ASU colleague Ni Trieu and I have investigated existing contact tracing apps on smart devices and identified several shortcomings, including: lack of integration across different systems, heavy bandwidth requirements for connectivity and high computational requirements on client devices, and vulnerability to privacy and security attacks.[1] Integration and compatibility issues arise when, for example, the user of one system—say, COVID Alert NY—travels to another state or country where a different app—say, CovidWatch—is favored. If the traveler happens to become infected and contagious before returning home, the inconsistency among these apps would likely prevent prompt and accurate notification of exposed individuals. Contact-tracing apps today place most of the computational load on the user’s device, which in turn requires large data downloads. In many places, including tribal communities in the US, users may not own a state-of-the-art smartphone or have access to high-speed internet. We recently submitted an NSF proposal to develop an end-to-end unified contact tracing application with strong privacy and lightweight cost.[2]
Even if we should succeed in our quest for lightweight, secure, ubiquitous contact tracing, other mechanisms will be required to address the larger questions posed by the wholesale integration of computing and information with society. Others at SFI are concerned about similar issues, and during my annual summer visit we began batting around ideas for how to tackle them. Meanwhile, the pandemic has only reinforced my view that complex-systems thinking and methods are sorely needed to understand the computational systems we have already devised and to shape the design of future systems so they enhance humanity rather than degrade it.
Read more thoughts on the COVID-19 pandemic from complex-systems researchers in The Complex Alternative, published by SFI Press.
[1] See, for instance: S. Habib, N. Trieu, et al., 2021, “SoK: Eunomia: A Structured and Comprehensive Scoring System for the Assessment of Privacy Policies in Global COVID-19 Contact Tracing Applications,” submitted to the 43rd IEEE Symposium on Security and Privacy; T. Duong, D. H. Phan, and N. Trieu, 2020, “Catalic: Delegated PSI Cardinality with Applications to Contact Tracing,” in 26th Annual International Conference on the Theory and Application of Cryptology and Information Security, Asiacrypt; O. Nevo, N. Trieu, and A. Yanai, 2021, “Simple, Fast Malicious Multiparty Private Set Intersection,” in 28th ACM Conference on Computer and Communications Security, CCS; M. Rosulek and N. Trieu, 2021, “Compact and Malicious Private Set Intersection for Small Sets,” in 28th ACM Conference on Computer and Communications Security, CCS; and G. Garimella, B. Pinkas, et al., 2021, “Oblivious Key-Value Stores and Amplification for Private Set Intersection,” in 41st International Cryptology Conference, CRYPTO.
[2] Our Unicon app would be deployed as a plug-in for existing apps, supporting integration across different systems, and allowing data to be shared secretly and securely via untrusted Unicon servers, similar to the distributed voluntary system of Domain Name Service (DNS) servers that supports internet communications. It would also allow users to opt in to the Unicon system even if their app provider does not.