What Are Contact Tracing Apps and How Do They Work?
It’s been over half a year since the first outbreak and it’s fairly obvious that the Coronavirus isn’t going away any time soon. As such, governments and tech giants are resorting to COVID-19 contact tracing apps as a possible way to prevent further outbreaks. Until a working vaccine is developed or herd immunity kicks in, many consider them the key to return some sense of normalcy in our lives.
But what are contact tracing apps, anyway?
Basically, they’re used to alert people about potential exposure to someone who has tested positive for the virus. Of course, there are several types of contact tracing technologies available – some less private than others, but we’ll get to that in a bit.
Obviously, the effectiveness of these apps depends on how many people actually put them to good use. It’s hard enough to convince people to practice social distancing, let alone install an extra app on their phone. In fact, this problem may be exacerbated by governments (or relevant health officials) and the app developers themselves.
How? Well, rather than developing the apps with user privacy in mind, it often ends up as an afterthought. You only need to take a quick look through ProPrivacy’s comparison list, which is linked in the beginning. Barely any apps have made it past a privacy score of seven, and at least eleven apps around the world have scored a flat zero.
People are understandably worried about their personal data, especially when some apps have even been found sending location and advertising data to third parties.
While they may be built with different tech in mind, all contact tracing apps operate on the same principle. Users have the option (or, in some cases, are legally required to) input whether they tested positive for Covid-19 into the app. If you’ve been in close proximity to an infected person, the app will notify you – a timely warning to self-isolate and/ or get tested.
But how do these apps detect whether you’ve been exposed to someone with Covid-19? Well, there are a few alternatives.
More specifically, these apps use Bluetooth Low Energy due to its lower power consumption. It works pretty much the same way as regular Bluetooth – sending out a signal to discover nearby devices. This signal contains a string of characters called an identifier beacon, which other phones can detect. These phones then make an encrypted, time-stamped record of the beacon.
For privacy purposes, these identifiers are changed every few minutes, and are only stored on other devices temporarily. If somebody tests positive for Covid-19, they may upload their personal log of identifiers to a central cloud.
Who controls this central system? Well, it depends on the jurisdiction, app developer, and other factors. Regardless of the organization handling the cloud, it’s safe to say that health officials will need to green-light these alerts, to prevent malicious false positives. The last thing people need in a pandemic is pranksters causing unnecessary distress among the population.
In any case, those who have come into contact with the infected person will be notified through their apps, once the log of identifiers has been uploaded. No personal info is collected from any of the parties involved, so there is no risk of a privacy exposure.
Now, the Bluetooth approach is not without its criticisms. For the most part, those criticisms are aimed at:
The unreliability of Bluetooth signals
Potential false positives, as devices may be detected through walls and dividers
The increased risk of man-in-the-middle attacks
Nonetheless, it’s still considered one of the least privacy-invasive choices at the moment.
If an app has ever requested permission to track your location, this will feel pretty familiar. These contact tracing apps use location data to alert users whether they’ve come in close contact with Covid-19 carriers. Naturally, being tracked all the time is not exactly great for user privacy, and this New York Times piece perfectly exemplifies that fact.
Similarly, some apps (such as Corowarner in Turkey) may use location data provided by telecoms. This approximated location can be tracked when your phone connects to an operator’s cell tower (e.g. for mobile Internet usage).
Apps like NZ Covid Tracer in New Zealand allow you to scan official QR codes posted outside public businesses. Essentially, this allows you to track where you’ve been and receive alerts of potential exposures to Covid-19. Depending on the app, you may also manually add entries for places that don’t have a QR code available.
This method may not seem as invasive as using GPS location data, but it’s just as easy for governments to track your movements. Considering a QR code-based app was made mandatory in China, you can see how this approach wasn’t built with user privacy in mind.
Contact tracing apps are still a work in progress, so new ones may improve upon previous iterations or seek to replace them entirely. One example is the Israel-based SONAR-X app that uses sound waves instead of Bluetooth, minimizing the potential for false positives while maintaining the same level of privacy and improving security against cyber attacks.
Some contact tracing options don’t rely on a single approach. For example, a single app could use both Bluetooth and location tracking or a GPS/ QR code combo. Self-reported user data may also be part of the mix (as is the case with the GH Covid-19 Tracker App from Ghana).
Unfortunately, there isn’t enough data to decide which method is the most effective – at least for the moment. Until more data can be gathered, governments may feel pressured to use everything at their disposal to prevent the spread of the pandemic. Results from South Korea look promising, but we’ll see if that progress translates as well to the rest of the world.