Perception of Privacy-Utility Tradeoffs in Contact-Tracing Apps Key to Widespread Adoption
CMU Researchers Find Users Prefer Centralized System
Contact-tracing could help curb the spread of COVID-19. While the process can be performed manually, researchers have suggested that digital contact tracing using cell phones could be a more accurate and scalable approach. But its effectiveness relies heavily on a large installation rate — and that may depend on how people weigh the app's utility versus its privacy risks.
Researchers at Carnegie Mellon University examined user preferences on six different app designs after explaining the risks and benefits of each option — including whether the user's data was stored on a centralized (government) server or decentralized server run by the app's developer.
"Surprisingly, contrary to the assumptions of some previous work, we found that the majority of people in our sample preferred to install apps that use a centralized server for contact tracing," said Tianshi Li, a doctoral student in the School of Computer Science's Human-Computer Interaction Institute (HCII.)
Contact-tracing apps may need to collect a lot of sensitive health and personal information, including where you've been, who you've been interacting with and if you've been diagnosed.
"The problem is that decentralized solutions are not risk free," Li said. "We found that people are more willing to allow centralized authorities to access information than to allow a decentralized server to potentially offer loopholes to tech-savvy users who could infer the identity of diagnosed users."
The largest cluster of people, 32% of the sample, preferred centralized versus decentralized servers. The second largest cluster, 25%, were the most privacy-conscious and disagreed with almost all app designs.
Another design aspect included in the survey is location data sharing. Researchers found that a majority of the sample preferred to install apps that share diagnosed users' recent locations in public places to show infection hotspots. "People are generally very sensitive about location data, but in this specific case, users wanted useful information, beyond even direct exposure notice, so they feel more in control of the situation and can make their own decisions about how to reduce risk," Li said.
The researchers offer several suggestions for an app design that may achieve a high adoption rate in the U.S.
First, servers should be centralized, although Li underscored the importance of handling data in a secure and privacy-preserving manner, and verifying the users' identities during sign up to avoid malicious users identifying diagnosed users. Also, a one-size-fits-all solution has its challenges. Researchers found that at the state level, political leaning influenced design preference. Li said a combination of manual and digital contact tracing may be necessary.
The researchers' second suggestion is to provide users with information about infection hotspots, which may nudge them to install the app. Location data collection should be opt-in, and the app should offer multilevel options when it requests that data to accommodate different user preferences.
Finally, researchers said these apps should be transparent about the risks of disclosing personal information to both governments and tech-savvy users.
"I think this is the very first step to understand the design space," Li said. "Challenges are obvious, such as keeping a centralized server secure from hackers. But now is the time to think about design, before investments are made and apps make their way onto people's phones."
Currently, Apple and Google are only offering APIs for decentralized contact-tracing apps. Researchers believe that similar APIs may also be needed to support the implementation of centralized contact-tracing apps that follow the best security and privacy practices.
The paper "Decentralized Is Not Risk-Free: Understanding Public Perceptions of Privacy-Utility Trade-Offs in COVID-19 Contact-Tracing" is available now on arXiv. The research team also includes Jason Hong of the HCII and both CMU's Electrical and Computer Engineering Department and CyLab Security and Privacy Institute; Cori Faklaris and Laura Dabbish of the HCII; Yuvraj Agarwa, from CMU's Institute for Software Research; and Junrui Yang and Jennifer King from Stanford University.
For More Information