Contact tracing apps have been heavily criticized for the past few months. The main reasons? A myriad of security issues, and the fact that they don’t really do much to stop Covid-19 outbreaks. On top of that, governments and app developers aren’t giving much thought to user privacy, if at all. Surprisingly, the US is actually doing well on that front – but we’ll get to that in a bit.
Interested in how other countries are handling contact tracing apps? You can see the full list here, in an easy-to-understand spreadsheet. There’s also detailed information about how ProPrivacy calculates the apps’ privacy rating. See the gist of it below.
Contact Tracing Apps – The Rating Process
What makes an app “private”? The list above details several important criteria and awards one or two points where applicable, for a possible total of ten.
No points are awarded if the app displays any signs of user tracking. Why? Well, Bluetooth-based apps have shown that location tracking is unnecessary for digital contact tracing.
To get an idea about how they work, think of the last time you used your smartphone to connect to a pair of Bluetooth speakers. Or maybe you used it to transfer a video file too big for a chat app like Discord or Slack. Bluetooth contact tracing apps use the same type of signal.
The app constantly runs in the background, allowing user phones to connect when in close proximity. A randomized identifier called a beacon (which changes every few minutes) is exchanged between the two devices. Every such beacon is kept in an encrypted, time-stamped log on the user’s phone. Depending on the app, these records are kept between two to three weeks before being deleted.
If a user tests positive for the virus, they have the option of uploading this set of logs to a centralized system. After being approved by a relevant authority (usually health officials), an alert is sent out to app users that came into contact with the infected person.
The intended result here is a quick and minimally intrusive way of warning people to get tested or self-isolate, without relying on people’s memories, which aren’t always reliable.
Privacy-oriented apps should not store user-related data anywhere. As you can see, no personal data is collected or exchanged between two devices running Bluetooth contact tracing apps. Even the identifiers mentioned above are just random strings of numbers that are stored temporarily, in a secure format.
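To make the exchange described above concrete, here is a small Python simulation of the beacon scheme. It is an added illustration, not code from NOVID, COVID Watch or any other app. The rotation interval (ten minutes), the retention window (14 days) and the matching step are assumptions chosen to mirror the description: each phone broadcasts a random identifier that changes every few minutes, keeps a time-stamped log of what it heard, purges old entries, and a positive user uploads only the beacons their own phone broadcast (the decentralized approach the article later associates with DP-3T and TCN), so the matching happens on each phone rather than on the server.

```python
import os
from dataclasses import dataclass, field

# Assumptions for this toy model (the article says only "every few minutes"
# and "two to three weeks"):
ROTATION_SECONDS = 10 * 60             # new random beacon every 10 minutes
RETENTION_SECONDS = 14 * 24 * 60 * 60  # local log kept for 14 days
BEACON_BYTES = 16                      # 128 bits of randomness per beacon


@dataclass
class Phone:
    """One handset running the app. It holds only random beacons and
    timestamps; no name, phone number or location ever enters the logs."""
    label: str                     # used for the demo only, never transmitted
    _beacon: bytes = b""
    _beacon_since: int = 0
    sent: list = field(default_factory=list)  # (timestamp, beacon) this phone broadcast
    seen: list = field(default_factory=list)  # (timestamp, beacon) heard from nearby phones
    # A real app keeps both lists in platform-encrypted storage; the toy keeps them in memory.

    def beacon_at(self, now: int) -> bytes:
        """Return the current beacon, rotating to a fresh random one when due."""
        if not self._beacon or now - self._beacon_since >= ROTATION_SECONDS:
            self._beacon = os.urandom(BEACON_BYTES)
            self._beacon_since = now
            self.sent.append((now, self._beacon))
        return self._beacon

    def hear(self, now: int, beacon: bytes) -> None:
        """Record a beacon received from a phone in Bluetooth range."""
        self.seen.append((now, beacon))

    def prune(self, now: int) -> None:
        """Drop log entries older than the retention window."""
        cutoff = now - RETENTION_SECONDS
        self.sent = [(t, b) for t, b in self.sent if t >= cutoff]
        self.seen = [(t, b) for t, b in self.seen if t >= cutoff]


def encounter(a: Phone, b: Phone, now: int) -> None:
    """Two phones in close proximity exchange their current beacons."""
    beacon_a, beacon_b = a.beacon_at(now), b.beacon_at(now)
    a.hear(now, beacon_b)
    b.hear(now, beacon_a)


def publish_positive(phone: Phone, now: int) -> list:
    """What a positive user uploads after health-authority approval: only the
    beacons their own phone broadcast within the retention window."""
    phone.prune(now)
    return [b for _, b in phone.sent]


def exposure_times(phone: Phone, published: list, now: int) -> list:
    """Match published beacons against this phone's local log. The server
    never learns what this phone heard, only the match result stays local."""
    phone.prune(now)
    positives = set(published)
    return sorted(t for t, b in phone.seen if b in positives)


def run_demo() -> dict:
    """Constructed scenario: Alice met Carol 20 days ago, meets Bob for 30
    minutes, then tests positive two days after meeting Bob."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    t0 = 1_700_000_000
    encounter(alice, carol, t0 - 20 * 24 * 60 * 60)  # older than retention
    for k in range(7):                                # sampled every 5 min, 0..30 min
        encounter(alice, bob, t0 + k * 5 * 60)
    now = t0 + 2 * 24 * 60 * 60
    published = publish_positive(alice, now)
    return {
        "published_count": len(published),             # 4 rotated beacons
        "published_all_distinct": len(set(published)) == len(published),
        "bob_matches": len(exposure_times(bob, published, now)),    # all 7 samples
        "carol_matches": len(exposure_times(carol, published, now)),  # purged, 0
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the run shows that the prose only states: the upload contains nothing but a handful of unrelated random strings (no identity, no location, and nothing linking one beacon to the next), and the encounter with Carol simply disappears once it ages out of the retention window, on both phones.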
Similar technologies – such as Sonar-X, which uses ultrasounds instead of Bluetooth – may also be a viable alternative.
Data storage and access
Evidently, apps that collect any data are automatically “disqualified” from the category above. However, they may still redeem themselves with good data storage and access practices. Maximum points are awarded when the data is stored locally on the user’s device, and data access is limited to the user.
One point for each category (storage and access) goes to apps that collect and send data to health officials, and only with user consent. The worst offenders are the ones that collect user data without consent and store it in a centralized system where it can be accessed by the government or other third parties.
There’s a heated debate among academics on whether contact tracing apps should run on a centralized or decentralized system. Apps built on the PEPP-PT privacy framework only receive one point due to their centralized approach and lack of transparency. DP-3T and other decentralization advocates receive two points.
So, How Do US Contact Tracing Apps Score?
With the country’s bad track(ing) record, we didn’t expect much from the available digital contact tracing solutions. While there are a couple of bad apples, two of them managed to score an eight. Pretty decent when you consider that:
- Only one other app in the world has scored an eight (“We Trace” in Switzerland).
- There are only two apps that scored higher (“Next Step” in Switzerland, and “Ito” in Germany).
Let’s see what these two US-based apps bring to the table.
Right off the bat, NOVID addresses one of the problems plaguing Bluetooth- and GPS-based apps: the increased risk of false positives. Since Bluetooth signals can pass through walls and have a range of approximately ten meters (about 33 ft), smartphones may end up registering each other’s beacons unintentionally.
GPS location data doesn’t account for walls, dividers, or users being on different floors either. It just registers that two users were in close proximity for a set amount of time, even if there was no real risk of infection.
NOVID combines Bluetooth with ultrasonic technology, which reduces the chances of false positives by almost 100%. This data was gathered using five-year-old phones running version 2.1 of NOVID’s iOS app. These are the specific numbers in the NOVID technical report (which you can find on their main website):
- 12-foot-or-higher interactions – 99.6% of the 225 tested scenarios were correctly reported as over-9-feet.
- Under-6-foot interactions – over 50% of the 187 tested scenarios were correctly classified as 9-feet-or-under. For truly under-6-foot interactions, the success rate was 94% (15 out of 16 tries).
Where NOVID loses points is in its usage of check-ins with NOVID QR codes, called “GeoTags.” These GeoTags can be used to aggregate data about communities, with interactive maps showing the locations of positive cases. These community trends can be later checked by health officials to better understand the spread of the virus.
While the data is anonymized and implies user consent (as it’s their choice whether to send it or not), it’s still enough to worry privacy advocates.
Unlike NOVID, COVID Watch solely uses Bluetooth as a contact tracing method. Well, their main website calls it “exposure notifications” since there is some detective work involved in contact tracing. Whatever they call the process, no personal data is collected, which is all privacy-minded people want to hear.
However, they still lose points for the same reasons NOVID did. Centralized servers exist for positive cases, which health officials can peruse for research purposes. This all requires express user consent, so the app doesn’t lose any points in that regard.
As a final note, both NOVID and COVID Watch are built on the decentralized TCN framework, which is considered fairly private by experts.
Private Kit: Safe Paths
On the other end of the spectrum lies Private Kit: Safe Paths, which logs GPS location every five minutes. According to the spreadsheet linked in the beginning, the app isn’t built upon a privacy framework. Infected users may send the encrypted location data to health authorities. Unlike in the previous cases, this data can then be made public, removing any shred of privacy in the process.
The only reason the app hasn’t scored a flat zero is the fact that the data can only be accessed by local health authorities, with user consent. The same thing can’t be said for the North Dakota app “Care-19,” which not only gathers user location and advertising data but also sends it to Google and Foursquare.
As long as you avoid these two apps, the US has some pretty decent “exposure notification” systems in place. Naturally, these aren’t meant to be a replacement for traditional contact tracing methods – just tools to make things easier on overworked health workers.