Governments and Tech Giants Face-Off on Contact Tracing: Centralized or Decentralized Data Storage?

May 02, 2020 by Robin Mitchell

Contact tracing is the next big proposal for quelling COVID-19. While some governments are proposing their own apps and centralized data storage, Apple and Google are offering a decentralized "opt-in" approach. What's your take?

In the past several weeks, governments and technology giants alike have been debating a new approach to quell COVID-1: contact tracing.

There are two main camps in this discussion. The centralized approach holds that governments should release their own contact-tracing apps and store information about COVID-19 patients' movements on a government-owned server. The decentralized approach comes from Apple and Google, who have crafted a plan for "opt-in" contact tracing. With the Apple-Google plan, users can choose whether or not their device sends contact-tracing information to health authorities. 

This debate has been especially contested across Europe; namely, the UK's National Health Service (NHS) has rejected the Apple-Google coronavirus app plan while Germany, Austria, and Switzerland have aligned with the Apple-Google proposal. While this discussion mostly revolves around software and user privacy, there are a few hardware dimensions that may interest engineers. 

What exactly are the software and hardware challenges of contract tracing? And what's the argument between decentralized and centralized approaches? We'll break this issue down in layers to help us assess the direction of this debate.


Contact Tracing Concept

According to the CDC, contact tracing entails a system of recording a person's contact with others, so if a person tests positive with COVID-19, that individual can contact health services, which will, in turn, notify other individuals that came in contact with the patient. Those in contact with the affected can then follow isolation or treatment protocols. 


Contact Tracing

How concept tracing works. Image used courtesy of BBC

This allows the population to continue working; only those in close contact with an infected person need to be isolated, thereby increasing the economic output of the country. 

The means by which this information is gathered and stored, however, is where differing approaches emerge.


Establishing the Right Hardware for Contact Tracing

The first step to implement contact tracing is to decide the best hardware device to gather information. One example we recently discussed is a Bluetooth contact-tracing wristband, but this technology would require users to buy a new device for the express purpose of contact tracing.

The most obvious contact-tracing device is something we all already have: a smartphone with built-in wireless and tracking technologies, like Wi-Fi, Bluetooth, and GPS. While GPS can easily be used to track user movement, many have decried this course of action as a violation of privacy. GPS tracking can also be a difficult solution to contact tracing when two users are within close proximity to each other. 

Smartphones might also trace contacts using Bluetooth, detecting nearby Bluetooth signals when the source is very close. Once detected, the phone can log that two phones were in close proximity and store that information in a database.


The Challenges of Software Apps

Google recently released a document on Bluetooth specifications for contact tracing, expressing this protocol as the clearest option for the effort. But Bluetooth does pose some problems for designers. The first is that users are required to opt-in to the system and the system is only effective if enough people sign up.

The second issue is that some devices, such as iPhones, must be unlocked to activate Bluetooth modules—otherwise, they'll be ineffective when left in a pocket or bag. This second issue, however, would only apply to government software applications. Apple software can operate continuously in the background out of sight. In fact, Apple and Google have said that their contact tracing software would not even require installation and would only require a simple opt-in to function.


Centralized vs. Decentralized Data Storage

The next question of contact tracing is whether gathered data should be centralized or decentralized.

As mentioned, a centralized system depends on all users sending their gathered data to a single server run by a company or government. A decentralized system, however, still uses a central database to store contacts, but instead of all data being submitted, only those who report an infection are submitted.


PACT upload to a public database

MIT's private automated contact tracing (PACT) allows users diagnosed with COVID-19 to upload an anonymous list of "chirps," or Bluetooth pings to other smartphone devices, to a public database. Screenshot used courtesy of MIT

Data about a user's movements is stored on their device with layers of protection and UIDs that don’t correspond to the user's identity. When a person becomes ill with COVID-19, he or she can submit their UID to the database. From there, other phones can check the database to see if they have been near that UID. If a match is found, they can be instructed to self-isolate at home to prevent the further spread of the virus.

Generally, governments have been in favor of centralized systems that can connect to their health services. Tech companies like Apple and Google, on the other hand, have gained popularity from countries that trust a decentralized approach to data storage.


What are Your Thoughts on Contact Tracing?

One of the primary concerns of contact tracing technology is not what it currently gathers but what doors it may open up in the future. The CDC recently published a document outlining critical features of digital contact tracing apps, many of which support the Apple-Google proposal. The document cites a  “PACT protocol,” or precautions to maintain privacy while enabling Bluetooth proximity tracking. Apple and Google have openly drawn ideas from PACT (private automated contact tracing), an open-source protocol out of MIT.



Bluetooth on smartphones sends anonymous "chirps" whenever a device comes within arms reach of another person. MIT has a privacy-focused system that collects these lists for contact tracing COVID-19 cases. Screenshot used courtesy of MIT

As an engineer, what are your thoughts on these two contact-tracing approaches? Are you impressed by the possibility of this technology? What privacy issues concern you in this conversation? 

Do you feel data storage is best protected on a government-owned server? Or do you think contact tracing apps are best left to tech giants like Apple and Google? This issue is multi-faceted, so we would love to hear your unique perspective. Share your thoughts in the comments below.