Click to learn more about author Brian Jackson.
After a false start based on poor software design, mobile apps for contact tracing are relaunching around the world with a privacy-first approach, and there is early promise out of Europe that these apps could make a difference in the war against COVID-19.
In Ireland, Germany, and Switzerland, the first contact tracing apps based on Google and Apple’s Exposure Notification System (GAEN) have been publicly available for several weeks. The apps are intended to help bolster the manual contact tracing efforts made by public health authorities, using smartphone technology in an ingenious way that was never previously considered. By turning phones’ Bluetooth sensors into proximity radars, it’s possible to detect and log when two users of the app come into contact without physical distancing. When a user of the system becomes infected with COVID-19, all the other users that encountered that individual are notified. After that, they can seek testing and self-isolate to prevent spreading the virus.
Contact tracing apps hold potential for an incredible upside but also face many unknowns before that potential can be realized. Studies out of the University of Oxford indicate that if an urban population of at least 1 million people were to see a 60 percent adoption of such apps, the pandemic could be stopped even before a vaccine is available. But questions remain about whether these mobile apps will effectively represent risk and whether people will adopt the apps and heed their warnings of infection. In the months ahead, the world will at least be able to pursue answers to these questions. Just a couple of months ago, it seemed that mobile apps for contact tracing were doomed to fail. At the root of the problems for the first round of failed apps: how the data was managed.
What Went Wrong
The mobile apps for contact tracing that launched in April and May were built with a centralized design that pooled personally identifiable data on a central server. Early examples included apps with GPS tracking in China, South Korea, and Malaysia. Apps launched in Singapore and in Alberta, Canada didn’t use GPS but still shared all Bluetooth-identified contacts with one central authority. It would be up to public health officials to identify who was at risk of infection based on the collected data, and then decide what action to take as a result.
The approach triggered many fears of new surveillance state capabilities being created. The tide towards a decentralized, opt-in system began in late April when 300 privacy advocates signed a letter endorsing Apple and Google’s announcement of a partnership to make a shared set of APIs for their smartphone platforms. In the decentralized model, those diagnosed can choose to share their positive result anonymously. Those IDs are then broadcast out to other users’ devices, which keep the logs of contact data stored locally. The outcome is that only users know when they’re at risk of infection and remain in control of what next steps to take.
Aside from privacy concerns, centralized approaches faced major technical problems. Because Bluetooth permissions are closely guarded by Apple on iOS, the mobile apps didn’t work as intended on iPhones. Users had to keep the app open and their screens on, making persistent use impractical. Some Android phones also had issues logging the Bluetooth “handshakes” while the apps were not on screen.
By using the decentralized design and GAEN APIs, developers are now able to overcome both the technical barriers and many of the privacy concerns.
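The decentralized model described above, sketched as an added example; it is not code from the article, from Apple or Google, or from any of the apps named here. HMAC-SHA256 stands in for the real system's key derivation, and the 10-minute rotation, the `Phone` class and all names are assumptions. The 15-minute threshold is the figure the article quotes for SwissCovid; distance is not modeled.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier rotates every 10 minutes
ALERT_MINUTES = 15       # warning threshold the article quotes for SwissCovid

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived identifier for one interval; unlinkable without the daily key."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> random secret, stays on the device
        self.heard = {}       # rolling id -> minutes nearby, stays on the device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, rid: bytes, minutes: int) -> None:
        self.heard[rid] = self.heard.get(rid, 0) + minutes

    def share_diagnosis(self, days):
        """Opt-in upload after a positive test: daily keys only, no contact log."""
        return [self.daily_keys[d] for d in days if d in self.daily_keys]

    def exposure_minutes(self, published_keys) -> int:
        """Re-derive every identifier from the published keys and match locally."""
        return sum(self.heard.get(rolling_id(key, i), 0)
                   for key in published_keys for i in range(INTERVALS_PER_DAY))

    def at_risk(self, published_keys) -> bool:
        return self.exposure_minutes(published_keys) > ALERT_MINUTES

def demo():
    # Constructed scenario: Bob sits near Alice for two 10-minute intervals,
    # Carol passes her for 2 minutes, then Alice tests positive and opts in.
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (60, 61):
        bob.hear(alice.broadcast(day=1, interval=interval), minutes=10)
    carol.hear(alice.broadcast(day=1, interval=70), minutes=2)
    published = alice.share_diagnosis(days=[1])
    return bob.at_risk(published), carol.at_risk(published), published

if __name__ == "__main__":
    print(demo()[:2])
```

The server in this sketch only ever sees Alice's daily key; the decision that Bob is at risk is computed on Bob's phone from his own local log.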
How Things Are Improving
In Europe, the first GAEN apps are seeing good adoption and cautious approval from privacy advocates. In Switzerland, SwissCovid became available for the population on June 25th, and the Head of the Department of the Interior, Alain Berset, gave a press conference describing it as the best complement to the manual contact tracing system. It warns users if they’ve come within 1.5 meters of a positive case for more than 15 minutes.
The team behind SwissCovid played a role in influencing Apple and Google towards a decentralized model of contact tracing, or exposure notification, by developing the Decentralized Privacy-Preserving Proximity Tracing (DP3T) framework early in the pandemic. As a result, it ran a comprehensive beta test starting in May that first involved the Swiss Army and academics, eventually growing to 150,000 preview users.
After the official launch, the app reached 1.6 million downloads by July 4th. But daily active users of the app were about 960,000 by July 11th, according to SWI swissinfo.ch. National wireless carriers Salt, Sunrise, and Swisscom all endorsed the app for installation by their customers, sending out a text message recommending its installation. The carriers also committed to cover the costs of data used by the app, so customers wouldn’t have to fret about a bigger bill.
The app reached the number one spot in the medicine category of Apple’s App Store with 3,865 user reviews and an average rating of 4.6 stars. One reviewer offered this humorous comparison, “The Corona app is basically like Tinder backwards. First, you meet. Then the app reports a match. And shortly afterwards, you feel very lonely.”
In Germany, the Corona-Warn-App was released June 16th and received 6.5 million downloads in the first 24 hours. The app was developed by German enterprise software vendor SAP SE alongside Deutsche Telekom. By July 16th, it was downloaded 15.8 million times, according to Juergen Mueller, chief technology officer of SAP. It was the most-downloaded free app for four weeks in the nation on both Android and iOS. Still, it will need to achieve about 63 million downloads to hit the optimal 60 percent mark for Germany’s population.
SAP received early access to GAEN APIs, as reported by IT World Canada. It also layered on other connections to national healthcare authorities. Mueller said in an interview that a centralized approach was discussed but rejected because the public would be concerned about privacy intrusions.
Ireland may be the best example of success in achieving a high percentage of adoption among its population. As of July 14th, its COVID Tracker app was downloaded 1.3 million times or by about one-third of the population. It’s the fastest-downloaded app per capita in Europe ever and is already detecting incidents of infection.
NearForm developed COVID Tracker. At first, the firm pursued the Singapore model of a centralized app, but it quickly identified the technical problems of operating on Apple devices. So, it pivoted to use the GAEN APIs. Now it’s used that same decentralized design to launch apps in Northern Ireland, Gibraltar, and Spain as well.
The Challenges Ahead for Contact Tracing Apps
While the effort to bolster manual contact tracing with a mobile app has now cleared several hurdles, many more remain ahead of the finish line.
Adoption by enough users will be a major challenge. Just as a vaccination strategy requires inoculating a certain proportion of a population to achieve herd immunity, these mobile apps will need more than half of a jurisdiction’s population to cooperate to be most effective. Users must download and install the app, then consistently use it and heed its warnings. No other mobile app in history has seen the adoption curve that is required for contact tracing apps. Even an app like Facebook is only used by about half of smartphone users in developed nations, and this is after years of availability.
Whether the apps are effective or not is another question. Critics point out that Bluetooth proximity could log contacts even when people are separated by walls or windows. If the false-positive rate is too high, users will no longer pay attention to the app when it warns of a risk of infection.
Finally, not all civil rights advocates are satisfied with the privacy-enhancing measures taken with these apps. The Irish Council of Civil Liberties rated the COVID Tracker app a C+ for privacy because it asks for additional information in a symptoms-screening feature, reports RTE. In Switzerland, a committee is worried about a potential “Bluetooth sniffing” attack that could track individuals using the app. The group, Stop SwissCovid, is working on collecting 50,000 signatures by October 8th to force a referendum on the issue.
No other mobile app in history has had a higher bar to reach for success or attracted as much scrutiny as contact tracing apps. But the world is facing a virus that can’t be stopped or cured. The potential to stave off new waves of infection and save lives can’t be left unexplored.
Key success factors to monitor for these apps in the weeks ahead include adoption rates, active daily users, and reported positive infections.