How TraceFi works
TraceFi is not in operation on campus at this time. Before it would become active in a specific room or building on campus, community communications would occur. If at any point TraceFi becomes active, signage will be prominently posted at building entrances notifying visitors that TraceFi is in effect. These notices will include opt-out instructions and an explicit end date. The termination date may be subject to review, but TraceFi will operate only as the University deems its use beneficial and important during the COVID-19 public health crisis. At the conclusion of the crisis, TraceFi sensors will be removed and any remaining captured data destroyed. (This is the same process followed by the limited pilot that ran in the Science Labs using the earliest version of TraceFi.)
TraceFi runs on custom-built sensors placed in the physical environment. The array of sensors detect signals that are constantly emitted from mobile devices and use the strength of the signals received by the sensor array to determine whether two devices are "collocated" (6 ft or less for 15 minutes or more). The Centers for Disease Control and Prevention advise human contact tracers to interview a positive tested person about all interactions with whom the person was within 6ft for 15 minutes or more, in order to determine who else may have been infected. TraceFi can automatically determine collocations of mobile devices and provide that information to a contact tracer at Harvard University Health Services working with a person who tested positive to COVID-19. TraceFi is not a required program. Members of the Harvard community may opt out of the data collection by turning off the Wi-Fi on their devices, whenever they are in range of the sensors. The program also provides a way for members of the community to opt out while still connecting to Harvard’s several Wi-Fi networks. If you choose not to opt out of the program, data collected by TraceFi will be kept no longer than 14 days, stored on systems that apply Level 4 protection for “high risk information” under Harvard’s information security policy, and made available to a contact tracer at Harvard University Health Services on a need to know basis.
Mobile digital devices—e.g., phones, tablets, laptops—constantly emit Wi-Fi signals regardless of whether the device is connected to a Wi-Fi network. When two mobile devices are present in a physical space fitted with a TraceFi sensor array, the sensors can detect the relative strengths of the signals from all the mobile devices within range, in order to determine whether the devices are “collocated” (that is, within 6 feet of one another for 15 minutes or more). TraceFi sensors can also detect the proximity of a single mobile device.
(Note: The very first version of TraceFi worked differently. The first version collected signal strength information from wireless access points on Harvard’s Wi-Fi system. TraceFi no longer uses access points and instead relies on its own sensor array. This change to sensor arrays allowed ease of installation and the ability to opt-out of TraceFi without sacrificing Wi-Fi use.)
The bullets below track the flow of data from the TraceFi sensor array to the human contact tracer at Harvard University Health Services.
- The TraceFi sensor array captures the signal strengths emitted from mobile devices at a particular time and records the internal MAC addresses of the mobile devices that sent the signals. A MAC address is a unique code assigned to each mobile device by the manufacturer of the device.
- The information from the TraceFi sensor array does not contain a person’s name or Harvard ID or any explicit personal identifier.
- The TraceFi sensor data flows into "Raw," a secure data storage container that resides on a system that applies Level 4 (high risk information) protection under Harvard’s information security policy. No backups or copies are made of the data. Data are kept no longer than 14 days. On the 15th day from collection, the data are no longer available.
- The TraceFi algorithms read data from the Raw storage, compute proximity and collocations, and write the derived information into “Processed,” a secure data storage container that also resides system secured to Level 4 requirements. No backups or copies are made of the data. Data are kept no longer than 14 days. On the 15th day from collection, the data are no longer available. Access to both the Raw and Processed storage containers is locked down and secured. The TraceFi algorithms are the only reader from the Raw storage and the only writer to the Processed storage.
- Harvard University Information Technology has produced a "Dashboard" for a human contact tracer at Harvard University Health Services to use when interviewing patients who have tested positive for and/or have been diagnosed with COVID-19. The human contact tracer enters the person’s HUID into the Dashboard, which automatically fetches information from the Processed storage at TraceFi based on the MAC addresses of the person’s known devices. The Dashboard then displays the proximity information for the person’s devices and any collocations registered by the system.
- The two readers of TraceFi’s Processed storage are the Dashboard of the contact tracer and an automated regularly timed function that allows individuals to get their TraceFi data copied into private storage on MyDataCan, a data management and apps platform Harvard has provided for members for the Harvard community. Each access to the Processed storage records in a one-way immutable log that is not readable by TraceFi or the members of the Data Privacy Lab responsible for the operation of TraceFi. The immutable log allows external review to confirm that each instance of access to TraceFi data relates to a specific COVID-19 diagnosis or positive test result.
- Only a human contact tracer at Harvard University Health Services can use the Dashboard to access information from TraceFi. The human contact tracer can receive proximity information relevant to a positive test case and collocation information relative to a positive test case. The retrieved information is sufficient to review the information with the infected person and to notify collocated people as needed. Details are covered under medical and public health confidentiality.
- Security tests and audits are done regularly. Data access is reviewed monthly and reported to the University Electronic Communications Policy Oversight Committee, which prepares public reports of aggregated information.
- Members of the community can opt out of the system, using their MyDataCan dashboards: the TraceFi sensors will not accept or process any information from the MAC addresses of people who have opted out. The TraceFi sensors will also not receive information from any device that has Wi-Fi turned off.
Here is how the approach is proposed to work at Harvard. The numbered steps correlate to the numbers in the image below.
- Adam is a Harvard person who tested positive to COVID-19.
- Adam’s test result forwards to a contact tracer at Harvard University Health Services.
- The human contact tracer enters Adam’s name and HUID into the Dashboard that Harvard University Information Technology provided to interface with TraceFi.
- The Dashboard operation looks up all MAC addresses registered on Harvard’s network for Adam’s HUID and requests information about those devices from the TraceFi Processed repository.
- The TraceFi system sends back date-time locations for Adam’s MAC addresses. It also sends a list of other MAC addresses of devices that were collocated with Adam’s.
- The human contact tracer can then view Adam’s devices on the Dashboard.
- The human contact tracer can also view the places Adam went on campus and people whose devices were collocated with Adam’s, but only those places that are within designated operational areas of TraceFi sensors.
- The human contact tracer works with Adam to review places and encounters with people. This process may take some time.
- The human contact tracer will notify people deemed to be at risk to infection.
The diagram below provides a summary of these steps.
There is a privacy wall between the TraceFi System maintained by the Data Privacy Lab and Harvard University Health Services and Harvard University Information Technology. The TraceFi side of the privacy wall has location information with no identity. The Harvard University Health Services and Harvard University Information Technology side has identity but does not have open access to location information. The only disclosures of location information outside of the TraceFi System at the Data Privacy Lab are to human contact tracers at HUHS, through the Dashboard and, potentially, by automated means to collocated persons who have not opted out of TraceFi.
There is a process for those who come to Harvard’s campus but who do not have their devices registered with HUIT. This writing does not go into those protocols, but they do exist.