July 28, 2020

Surveilled #54 — My First-Hand Contact Tracing Experience

Surveilled

Issue 54

A weekly summary of what I’ve found interesting at the intersection of economics, finance and technology.

Surveilled has been on an unanticipated long break, arguably for a good reason: I recently moved from Singapore to Malaysia with my family, and left both my job and the industry sector I was working in for the past 20 years, all in the middle of a global pandemic. Further developments on the professional front will be announced soon, but, to cut a long story short, I expect to have a bit more time to devote to Surveilled. As a result, I’m revisiting the format to include more long-form content and tightening down the curation of links, since we all have too much to keep on top off already. Let me know what you think, and as always, thanks for reading and subscribing.

First-Hand: My Contact-Tracing App Experience

I joked previously that I should change this newsletter’s name to “contact-tracing weekly,” given the amount of attention I’ve given to the various apps and other systems countries are putting in place to manage the spread of Covid-19.

Now with our recent move I mentioned higher, I’ve had the opportunity to experience one of these systems more extensively, and there are some interesting conclusions to be drawn from it.

Previously, my experience was limited to the TraceTogether app, which Singapore launched early on in the pandemic, and whose design partly inspired the Apple/Google framework. Take up of TraceTogether has lagged though, presumably in no small part because it is cumbersome to use on iOS—the app needs to run in the foreground with the screen on to log any contacts.

However, there is another system in Singapore, called SafeEntry, which requires everyone walking into public buildings to “check-in”, by scanning a QR-code that redirects to a website. This method is more manual and less precise, but it is mandatory, and as a result undoubtedly more useful in controlling the spread of Covid-19. From a user’s perspective, this is certainly not frictionless, but it’s less cumbersome than using the TraceTogether app.

In short, my experience with contact-tracing overall was fairly limited. Upon entering Malaysia however, we’re all considered as a “Person Under Surveillance,” which entails a quarantine for 14 days (at home, thankfully), wearing a wristband for identification and downloading Malaysia’s contact-tracing app, MySejahtera. We are meant to submit a short health questionnaire through the app every night, so the authorities can check we don’t develop Covid-19 symptoms.

Registering and setting up the app is a pre-requisite for entering the country. The airline checks that it is installed on your phone before issuing a boarding pass, but the key control is upon arrival at the airport. All passengers are funnelled through a sanitary checkpoint, where they take your details, check the app once again, issue the wristband, and take a test for Covid-19.

Then follows a few hours’ wait for the test result. If it’s negative you can proceed to immigration, if positive, there is a protocol to take you directly to hospital, which we luckily didn’t have to follow. With a negative test result, your profile on the MySejahtera app is “Person Under Surveillance,” which lasts for the quarantine period.

One day before the end of the mandatory quarantine period, there is another Covid-19 test to be taken; if that is negative the quarantine period ends and the wristband is taken off, and your profile on the app is presumably updated.

The design of this process obviously ensures that 100% of the arrivals are registered onto the system and tracked on the day of arrival. From that perspective, and for this small population, it circumvents the issue of low initial adoption, which is plaguing practically all the contact-tracing apps.

However, recent statistics mentioned by the Malaysian Health Ministry indicate that even with the mandatory nature of the app and the protocol in general, compliance is less than perfect. 25% of the people enrolled in this programme didn’t fill in the daily health questionnaire, and 10% didn’t show for the second Covid-19 test, this despite the potentially severe consequences, including arrest. This observation alone doesn’t bode well for the issue with adoption and compliance rates, and that is of course a key requirement for the apps to be successful in managing the pandemic.

A few more observations, in no particular order:

• The MySejahtera app doesn’t include Bluetooth-based contact tracing functionality, although a sister app, MyTrace, does. The latter is not mandatory for persons entering the country, which is sensible, given that they are meant to be in quarantine anyway.
• MySejahtera does include check-in functionality, by scanning a QR-code, like Singapore’s SafeEntry. In fact, the app opens on this check-in page, to try and make the process as frictionless as possible.
• Overall, the MySejahtera app feels modern, well-designed and fast. I don’t know what technologies are used for either the app or the back-end, but using it feels fast and smooth, and, subconsciously, that also inspires confidence in the infrastructure and process.

As the Lawfare blog notes in an exhaustive review of the current state of affairs, the momentum for contact-tracing apps has waned recently, after an initial surge of enthusiasm. There are myriad reasons for this, from technical to cultural and epidemiological, but it is clear that these apps will not be the silver bullets to manage the pandemic that many of us (myself included) thought they could be.

On the other hand, with our recent experience returning to Malaysia, it looks like the MySejahtera app plays an important role in the overall process to manage the “Persons Under Surveillance,” and conversely, it seems the owners of the process are aware of its limitations and are not overly reliant on it.

Hence, and perhaps unsurprisingly, the assessment of contact-tracing may not be any different than that of information technology in general. It usually is not a silver bullet, when it is seen as such it usually disappoints, and a soundly designed process is an indispensable foundation for IT systems that deliver value. These statements are anything but new. With that in mind, let’s hope that we are collectively able to chart a course out of our current pandemic predicament.

Six Links

As stated higher, I’m trying to curate the links in the newsletter better, hopefully with the result of surfacing lesser-known facts or viewpoints. Starting with six links, but expect this to change as we go along. And for good measure, I’m going to break the spirit of this restriction the first time round anyway…

1. Big Stories over the Last Few Weeks—Since the previous issue of the newsletter was almost a month ago, a quick recap below of the key stories that broke during that period.

   1. Wirecard, the German payments industry champion, spectacularly imploded, on the back of an intricate, years-long fraud. Read (FT $)
   2. Hackers used social engineering against Twitter employees to gain access to a host of high-profile accounts, including Apple, Uber, Joe Biden and Elon Musk. Read (FT $)
   3. Western tech companies, including Facebook, Google and Twitter, are blocking Hong Kong from accessing user data, and re-evaluating their operations in the city after the National Security law passed last month. Read (FT $)

2. The UK and Australia are the latest countries to launch a probe into the activities of Clearview AI, the controversial facial recognition company. Read (FT $)

3. Amnesty International sued WhatsApp hacking company NSO in an Israeli court, to prevent them from exporting their surveillance tech, but alas their bid was rejected. Read (Vice)

4. Ok, this is a bit complicated. Data Viper is a company that collects user credentials and other information, gained by others in various data breaches. This data is then used for further security research. Now, Data Viper itself has been breached, and its user data leaked. So far so good. The scary bit is, a good part of the data it had relates to undisclosed data breaches, and it appears that some of the companies are not even aware that they were hacked. Another reminder, if any was needed, that you’d better consider all data you provide to a random website as public information, and conversely, that for those services where you do upload sensitive information, you had better be using at least unique, strong passwords and 2FA. Read (Krebs on Security)

5. Intel has suffered more setbacks on its roadmap to move to 7nm manufacturing (a proxy for the ratio of computing power to energy consumption of a microchip.) Intel’s difficulties appear to be so fundamental that the company is considering outsourcing some of its manufacturing. This not only constitutes a strategic about-turn for the company, it also has tricky geopolitical implications, since the most advanced chip manufacturer is now Taiwan’s TSMC. Read (Bloomberg $)

6. Driven by the Covid-19 pandemic, big banks are now avidly embracing the shift to the cloud. My understanding of this is that banks always were quite keen, but regulators were hard to convince. Presumably that balance is now shifting as well, and in addition cloud providers have beefed up security as well. Read (FT $)

Wide-Angle

120 years ago, African-American sociologist WEB Du Bois prepared a series of stunning data visualisations to shed light on the condition of African-Americans at the time. The Financial Times shows the best examples, and updated some for the present day. Interesting from many different angles. Read (FT $)

That’s it for this week’s edition. Let me know what you think of the new format by hitting ‘Reply’. As always, thanks for reading and please forward this to anyone who you think might be interested, it would be much appreciated.