While countries like Iran and China are witnessing a second wave of the coronavirus, other countries are easing lockdown measures. The world cannot stop and wait for a vaccine. As movement resumes, governments are relying on technological intervention to stop the spread of the virus. Contact tracing apps were developed as early as February this year. Asian countries were among the first to use apps in addition to other measures like increased testing and isolation. In other parts of the world too, these apps are being rolled out urgently, but lots of countries have quickly discovered that they’re far from a perfect solution. Contact tracing apps present challenges from both technological and data ethics perspectives - and of course there’s no guarantee that they will be effective in controlling the spread of infection.

How does a contact tracing app work?

Contact tracing can be done manually, but it often becomes very difficult to keep track of all of a person’s interactions for a time period of over a week, and this tracing becomes even more problematic because we interact with strangers on a day-to-day basis. A contact tracing app automates this process and works by notifying a user when they have been in contact with an infected person. Typically, when two people meet, their phones (Bluetooth or location enabled) exchange a key, and if one of them tests positive the app alerts the other user by matching their location data or keys. Asian countries were among the first to implement apps to monitor the spread of the coronavirus infection, and have adopted a centralised model. Many European countries and states in the US are collecting data under decentralised models. Each of these apps relies on different technologies to operate. So how exactly do the two models work?

Decentralised models

Decentralised models built on the application programming interfaces (APIs) jointly developed by Apple and Google allow governments to develop applications themselves. These models rely on Bluetooth technology instead of location for “proximity tracking,” which in turn allows users more autonomy over their data. When two users come in contact with each other, they exchange keys, and information about the users’ movements over the last fourteen days is stored locally on their devices. When one of the users tests positive, they can submit their key along with the keys of other users they’ve interacted with into the application. The application then matches the key of the infected person with those they have interacted with over the past fourteen days. The application then notifies the other users to get tested, and tells them how to access local health care and perhaps to self-isolate.

The added advantage with the Google and Apple APIs is that they do not collect any location data unless the patient voluntarily marks themselves as COVID-19 positive. Some other apps still in development will be using DP-3T, a decentralised privacy-preserving proximity tracing tool where data on the contacts the user has interacted with remains stored locally on the phone alone. Switzerland’s SwissCovid app relies on DP-3T built atop the Google and Apple API. Though largely preferred over centralised models for privacy and data protection, these apps have also raised concerns over privacy, data sharing with advertisers and the problem of false positives. Tech companies have tried to allay these fears for now, but the longer term realities remain to be seen. A survey conducted by ExpressVPN shows that only 9% of Americans trusted big tech companies with their data and privacy.
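The local-storage variant described above (DP-3T style, where the list of contacts never leaves the phone) can be sketched as follows. This is an added example, not code from DP-3T, Apple or Google: the HMAC-based ID derivation, the 15-minute slot count and the `Phone` class are assumptions standing in for the real key schedules.

```python
import hashlib
import hmac
import os

RETENTION_DAYS = 14   # the fourteen-day window the article describes
SLOTS_PER_DAY = 96    # assumption: a fresh broadcast ID every 15 minutes

def rolling_ids(daily_key, day):
    """Derive the short-lived IDs a phone broadcasts on one day from its daily key."""
    return [hmac.new(daily_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:16]
            for slot in range(SLOTS_PER_DAY)]

class Phone:  # hypothetical model of one handset
    def __init__(self):
        self.daily_keys = {}  # day -> secret key; stays on the phone until the user reports
        self.heard = {}       # day -> IDs received over Bluetooth; never uploaded

    def broadcast(self, day, slot):
        key = self.daily_keys.setdefault(day, os.urandom(32))
        return rolling_ids(key, day)[slot]

    def hear(self, day, rolling_id):
        self.heard.setdefault(day, set()).add(rolling_id)

    def prune(self, today):
        """Drop everything older than the retention window."""
        for store in (self.daily_keys, self.heard):
            for day in [d for d in store if d <= today - RETENTION_DAYS]:
                del store[day]

    def report_positive(self, today):
        """Upload after a positive test: own recent daily keys, no contact list."""
        self.prune(today)
        return dict(self.daily_keys)

    def exposed_days(self, published, today):
        """Match on the device: re-derive IDs from published keys, compare with IDs heard."""
        self.prune(today)
        return sorted(day for day, key in published.items()
                      if self.heard.get(day, set()) & set(rolling_ids(key, day)))

def demo():
    # Constructed scenario: Alice meets Bob on day 100 and Carol on day 80.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(100, alice.broadcast(100, 10))
    carol.hear(80, alice.broadcast(80, 3))
    published = alice.report_positive(today=105)  # day 80 is outside the window
    return bob.exposed_days(published, 105), carol.exposed_days(published, 105)

if __name__ == "__main__":
    print(demo())
```

The server in this sketch only ever sees the reporting user's own daily keys, which is the property that distinguishes it from the centralised model described next.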

Centralised models

Under centralised models, the data is collected in the form of a user key or an anonymised ID, and the IDs of other users with confirmed interaction are stored on a centralised server. Centralised systems may use location services by obtaining information from GPS and how much time a user has spent in a particular area.

Though users have less control over their information, the centralised system is preferred by governments as it benefits “public health” and gives access to larger datasets which can better prepare healthcare systems in case of a surge in infection. In countries where centralised models have been adopted, like China and Qatar, there are no limits on the kinds of information that can be collected, nor is there any information as to where this data is to be stored or when it is likely to be used. It’s even possible that other government agencies will have access to this data. In a report delivered to the British Parliament, the Joint Committee on Human Rights has raised concerns around the possibility of mission creep in the development of the NHSX app. Centralised systems make large amounts of data vulnerable to manipulation, and to possible profiling of certain sections of society. There are no sunset clauses available for any of the apps and many of them do not delineate how long data will be stored on these servers.

Inconsistencies in technology adoption across and within jurisdictions

The coronavirus itself is not deterred by territorial distinctions; however, the apps developed to track it vary from jurisdiction to jurisdiction. In the EU there seems to be a rift over the choice of technology used. France’s StopCovid app uses the centralised system, while Germany’s forthcoming app will be based on a decentralised model because of its potential for privacy protection. In the US, there is little effort being made to develop a nationwide app and this has left states with the responsibility to develop their own apps. The state of Utah has adopted a centralised model, while Alabama, North Carolina and Dakota have opted for the Google and Apple APIs.

This inconsistency in technology will only create more challenges for states, and there will have to be an increased reliance on testing and manual tracing to offset the lack of interoperability between the two systems. The question here is: if these apps are not interoperable, will they be able to function effectively?

The ground realities of contact tracing apps

India’s COVID-19 tracing app, the Aarogya Setu app, was one of the earliest in the world to be rolled out. It now has more than 100 million downloads on the Google Play Store. The app was released on April 2nd, and on May 1st an order from the Indian Home Ministry made the app mandatory instead of voluntary. This order was later changed to “best efforts” instead of mandatory following an order from the Kerala High Court and efforts by the Internet Freedom Foundation.

In order for the app to be made mandatory, India would need to have 100% internet and smartphone penetration. In reality, only 25% of the population has a Bluetooth-enabled smartphone. The app was even recommended as mandatory for access to travel, but it’s clear that contact tracing apps will prove futile without a supporting digital infrastructure.

Only China and Qatar have made their apps mandatory. Turkey mandates the app only if a person has tested positive. Most countries have made their apps voluntary. According to a study conducted by Oxford University’s Nuffield Department of Medicine, if an app (like the proposed NHSX one) were to be useful in stopping the spread, at least 80% of smartphone users would need to use it. In countries like Singapore, about one million people have downloaded the TraceTogether app but very few are actually using it. According to Singapore’s National Development Ministry, at least three-quarters of the population must use the app for it to be beneficial.

Many citizens will be reluctant to download the app unless it promises transparency and protection of data. Most of the apps across the world have been rolled out without testing for privacy and potential data breaches. Qatar’s Ehteraz app, which is compulsory, had a glaring security issue, which may have exposed sensitive data from at least 1 million users. Similarly, North Dakota’s contact tracing app, Care19, was found to be sharing data with Foursquare and Google. According to the MIT Technology Review, India's Aarogya Setu app collects more data than is necessary. There is no information available to the public on how the Chinese app works or how much information it has access to. These examples only show how important it is to assess the willingness of people to trust an application. A survey shows that 65% of Britons are open to having a mobile tracing app; however, concerns around privacy and security must be balanced with public health interests.

A lack of information around contact tracing apps

The coronavirus pandemic has brought with it a barrage of both dis- and misinformation. Conspiracy theorists are already viewing technology with suspicion. They blame 5G for the spread of the coronavirus alongside even more outlandish theories of Bill Gates inventing the virus so he can inject us with trackers. Conspiracy theories have had a good season over the past six months and if a lack of information and understanding surrounding tracing apps persists, it's quite possible that they will be absorbed into these paranoid narratives and their merits will never see the light of day. Another pressing issue is that most users are unaware of how these apps are supposed to work. A rumour spread on WhatsApp in India stated that a siren goes off on the Aarogya Setu app when a COVID-19 positive patient comes close. This was of course clarified by the government, but it goes to show that roll-outs of apps must be done systematically, taking into account the digital literacy levels of the participants.

South Korea is often cited as a model for its efforts to contain the spread of the virus. While they did use a contact tracing app, their approach also relied on extensive manual contact tracing as well as a mass testing regime. A contact tracing app may not be as effective in countries with large populations, incompetent healthcare systems and low digital literacy. Although some think they are our best bet yet, questions around public access, trust and responsibility in use need to be addressed.