Across the globe there’s a lot of faith – and development resources – put into using smartphone apps as the primary way to track and stem the spread of COVID-19 so economies can reopen. This seems misguided at best and disingenuous at worst, an exaggeration by those for whom every nail requires a technological hammer.
Apps will play an important role in helping us manage the pandemic, but they can’t do what old-fashioned detective work can in the form of proper contact tracing.
Right now, most governments are pushing what are merely exposure notification apps as full-blown contact tracing apps. Proper contact tracing includes the ability to track down and pinpoint where exposure and transmission has actually occurred through interviewing those infected about their patterns, recent movement and visits.
Exposure notification apps, on the other hand, simply let users know if they were in close proximity to someone else using the app who’s exhibiting COVID-19 symptoms. They offer far less certainty in their notifications to individuals, and in balancing privacy concerns with public health considerations, they typically offer far less useful information to public health authorities.
Exposure Notification Apps Fall Short
Exposure notification apps rely on the Bluetooth Low Energy radio in a smart device to keep a log of all the other devices using the same app within range of the user’s phone. Don’t be fooled by the “Low Energy” designation. The radio has the same strength and range as traditional Bluetooth, so most user devices will likely keep a log of other phones within a range of 10 meters (33 feet) or more.
This will help in wide open public spaces, as the app can estimate the distance between a user’s phone and the vast majority of phones out there. When someone suspects they have or tests positive for COVID-19, public health authorities can set the app to only notify phones that were close enough for what’s considered long enough. Now, epidemiologists recommend 2 meters (6 feet) for 15 minutes or more, but if our understanding changes, public health authorities can adjust the app settings.
Unfortunately, Bluetooth radio waves travel quite efficiently through drywall, glass and other barriers that prevent the transmission of COVID-19. This means there’s potentially a reasonably high level of false positive notifications for people in densely populated urban areas. They also are quite easily blocked by the human body, making distance measurements unreliable. The tech also doesn’t know when or if the user wears personal protective equipment (PPE). It’s believed that the rate of transmission drops dramatically for those who are potentially infected yet wear a face mask or shield. Apps don’t know when the user takes responsible protective measures.
Several countries have already deployed exposure notification apps, most famously Australia and the United Kingdom. Both have chosen to use a centralized model, which makes privacy advocates nervous.
Australia’s app mostly eliminates any real privacy by requiring a valid Australian phone number. But, it also prevents abuse by requiring approval from a public health authority before allowing users to notify recent contacts.
The UK’s app asks for part of the user’s postal code, but allows self-reporting. The app collects information that’s very useful to public health officials to detect local flare ups. But in preserving a bit of privacy, the app renders itself vulnerable to trolls and deviants who may try to cause false reports. The UK’s recent test in the Isle of Wight has cast doubt on the efficacy of these apps, even in ideal testing conditions. There have been rumors they may move to Apple-Google’s decentralized API, delay the project until autumn or scrap the project entirely. The trial has concluded with far more questions than answers.
Exploring the Privacy Debate
While the UK and Australia tried to make a go of using a decentralized approach, neither app can deliver on what it promises without the help of Google and Apple. Apple has designed iOS to not allow applications to use Bluetooth for tracking purposes, both as a battery-saving technique and for privacy. For any app to work in countries where the iPhone has any market share, the app will need Apple’s blessing.
Google and Apple had decided unilaterally that privacy remains paramount and would prevent apps from using their APIs if they collect location or other personal information, precisely the information public health authorities need to battle this pandemic.
Since the release of the API in late May, they may have softened that stance. When contacted by The Age, an Australian newspaper, Apple and Google spokespeople said that some private information could get collected, but only on a voluntary basis and not location data. It’s still not clear which information passes the test and which doesn’t.
Oddly, this privacy-first approach only becomes mandatory when providers want to develop exposure notification apps. Every other app on our devices collects nearly unlimited amounts of personal information and tracks our every movement, online and off, with only a brief popup for permission.
Usually, I am the first in line to argue for privacy, but these are not ordinary times. Public health authorities need to balance efficacy, trust and privacy in the design of their apps to achieve the results they need to manage this pandemic.
Apps can help us track symptoms and can even help voluntarily track our own movements to self-disclose to real human contact tracers. Apps could even help with exposure notification and share small amounts of data about our location to help public health professionals plan for outbreak response. Or we can just continue to only let marketers and advertisers collect this data, while keeping the public health authorities in the dark.
It’s our choice and we need to have an open, informed and honest conversation about how we move forward. The decision does not belong to Google or Apple alone, but to all of us.
Even if we get the perfect app, for an app to meaningfully effect the spread of COVID-19 at the R0 rates observed in Europe and North America, we would need well over 90% of smartphone users to install the app. It’s not realistic and frankly, impossible.
Public health will still need to conduct contact tracing en masse by trained, compassionate people to help us get through this ordeal. It will require a Herculean effort by our communities. During this time of high unemployment, it also makes sense to look at it as a modern-day Works Progress Administration initiative to help the unemployed get back on their financial feet. Apps can make the job somewhat easier. But without testing and human tracers, we are doomed to fail.
Chester Wisniewski, principal research scientist, Sophos