Here comes the blood tests and it is time. Serosurveys to determine what percentage of the population has already contracted COVID-19. And one at a time tests to see if you caught it but had mild or no symptoms.
In America alone, millions will soon be recovered from a COVID-19 infection. Half of the people I know, including myself, seem to have had a Schrödinger respiratory infection in the past few months and are extremely excited to see if they have tested positive for COVID-19 antibodies.
Even if they do – to be clear, most won't – what then? Assume that antibodies indicate immunity at least for a while. That seems a little likely, he said carefully. Assume that the tests are accurate enough to rely on. So what do we as a society do with this information?
The immune system – the positives – was able to return to normality without immediate fear of further infection, while all others – the negatives – could not. Do we want to create a two-tier society like this? Do we want to replace negatives with positives in risky contexts such as nursing homes? Do we want people's test status to be publicly known or available upon government request? How about your employer? How about your healthcare provider?
Most of them are difficult questions with no easy answers, and although I, like you, have some strong opinions about which are the least bad options, I also think that this is mostly an issue that sensible people cannot agree with. Regardless of our collective responses, we can all agree that they should be implemented in the most privacy-friendly way. This is where technology comes in.
Many techies and confidence and data protection experts are looking for a way to contribute to the COVID response, aside from some silly hackathons.
I have an idea: let's think about a robust, counterfeit-proof and data protection mechanism to prove immunity to nCoV.
– Alex Stamos (@alexstamos), March 30, 2020
It is worth noting that proving immunity is not a new problem. I have traveled to many countries where proof of yellow fever vaccination is required before visitors can enter. Some even enforce it. The solution is venerable, simple, and decentralized. A note that was stamped, dated and signed by a doctor.
This solution is relatively gentle on data protection – the authorities cannot require that they view yellow fever papers at a certain point in time, as they are only needed at border posts. It is very difficult to check and relatively easy to fake … but it is good enough to have worked. Its purpose is not to eliminate the risk of transmission with 100% absolute effectiveness, but to reduce it to a manageable level.
The same applies to COVID-19. As Harvard epidemiologists Bill Hanage and Marc Lipsitch wrote in February, it is important to "distinguish whether anything ever happens and whether it happens at a frequency that matters". We don't have to worry about crazy edge cases. A 99% effective solution should be fine.
What would this solution be? Something simple, decentralized, reasonably effective and privacy protection. Suppose you go to your doctor's office for a test. While you are there, your picture is taken and you choose a passcode. Along with your test result, you may receive a type of bracelet with a QR code. When your status needs to be checked, the QR code is scanned, you enter your passcode (or choose not to forget it or conveniently forget it), and your headshot will appear, confirming your identity and status.
I am not saying that this is a perfect solution. Real cryptographers will likely come up with something different and better. (In particular, to pseudonymize your individual test sample as much as possible and to ensure that anyone who hosts the central database cannot decrypt the data it contains.) This is intended to illustrate the key points that 1) only those you can Agree Look at your status and 2) this status can be checked to make sure that it actually belongs to you, using a personal identifier such as a headshot.
Then what do we do with such a system? Now that the curve has flattened and declined, we may consider reopening restaurants as long as every second table remains empty and stores, as long as there is only 1 (masked) customer per 100 square feet of floor space. Alternatively, restaurants and shops may also have the option of opening only for the positive – ie without internal restrictions. However, the positive COVID-19 status must be checked before entry, just as bars check your age before you enter.
Would these requirements be desirable? This is also extremely controversial. Would some people hack such a system in the same way that children use fake ID? For sure. Will this "happen at a frequency that is important"? That seems pretty unlikely. In cases where this seems more likely, stricter rules can probably be applied.
The most important thing that technology can contribute to is to make all of this simple, straightforward, effective and gentle on data protection, while at the same time meeting our collective goals as a society. Regardless of what we agree on as these goals, the positive results will play a key role if it turns out that a previous infection gives immunity if we try to resume our lives as far as possible in the ever-present shadow of the pandemic.