COVID-19 apps can play a crucial role in helping economies around the world restart safely. So far, there are 11 countries with official tracing apps in use, and at least 15 more nations that are either considering an official government app or where private solutions are in use.  A variety of different applications provide a range of services from information and self-diagnostics to quarantine enforcement and contact tracing. Around the world, health authorities have emphasised the importance of contact tracing in the fight against COVID-19. Since most of us carry our mobile phones most (if not all) of the time, apps can play a crucial role in supporting the efforts to achieve successful contact tracing. However, unresolved issues related to such tracing apps and their functionality need to be addressed, and with so many apps out there, it’s hard to keep track. We are answering some basic questions around contract tracing apps and outline three key principles that should guide governments’ decisions to use a tracing app on a large (country-wide) scale.

What is contact tracing?

According to the European Centre for Disease Control (ECDC), so-called contact tracing fulfills the purpose of identifying and managing the contacts of probable or confirmed COVID-19 cases. Being able to quickly identify secondary cases after transmission from primary cases allows public health officials to provide those contacts with advice on self-isolation and what to do if they develop symptoms. The goal of contact tracing is to interrupt further transmission.

How can apps help with contact tracing?

Apps can be a useful and effective way to provide users with health information and alert them if they have come in contact with someone who has tested positive for COVID-19. Apps can be an efficient tool for successful contact tracing because the majority of the world’s population already owns a smartphone and carries the device on them most of the time. It’s important to keep in mind though, that any app can only be helpful if enough people use it (correctly, and in good faith).

What are some of the risks of using mobile apps for contact tracing?

There is an ongoing debate about how and what user data these apps analyse in order to effectively identify secondary contacts of known positive COVID-19 cases, as these apps potentially collect highly sensitive health and location data. The risks of privacy breaches, surveillance, and public backlash if too much data is collected are high. Moreover, if an app contributes to false positives or if not enough people use it, it could be counterproductive. In addition, privacy and surveillance risks vary depending on if the app uses a decentralised or a centralised approach. In Europe, the debate is centred around the question of where data should be stored: on a centralised national server or decentralised on users’ devices.

The decentralised approach, on the other hand, analyses Bluetooth signals and doesn’t track location. It generates unique but anonymous identifiers for each user and tracks the identifiers of other devices that have been in proximity. The list is only stored only on users’ phones, except in the case of a user who voluntarily submits verified information to the app showing that they tested positive for COVID-19. At that point, the Bluetooth identifiers associated with that user are sent to a centralised database. This list of devices that belong to those infected (without revealing their identity) can be checked by users periodically to see if they have been near someone who tested positive. Centralised approaches can use both Bluetooth signal analysis and network-based location tracing, which tracks a user’s history and can then compare it to the history of others to see who they have been near. The key difference is that in the centralised model pseudonymised proximity data is stored and processed in a national database controlled by a government authority, raising the risk of user re-identification.

What is the state of play in Europe?

Most European governments now seem to be favouring apps using the decentralised, privacy-protecting approach that uses Bluetooth signals to determine a users’ proximity to other cell phones. If a user has recently been near someone who then tested positive for COVID-19, the app will alert them. Google and Apple’s tracing project, for example, combines Bluetooth signals and privacy-preserving cryptography. Following the on-going debate in Europe, Germany recently shifted their efforts from a centralised to a decentralised model, abandoning the centralised infrastructure promoted by the German-led Pan European Privacy Preserving Proximity Tracing (PEPP-PT) project. PEPP-PT later stated it would support a combination of centralised and decentralised infrastructure

On the other hand, there are some governments, like the Czech Republic, France, the UK, and Israel, for example, that still favour centralised network-based location tracing. Although this would eliminate the need to download an app, network-based solutions can access location data, exposing them to significant privacy issues. South Korea’s centralised system combined mobile device tracking data and credit/debit card transaction data to avoid more serious privacy issues that stem from personal location data.

Three principles for decision-makers to keep in mind when choosing a contact tracing app

As governments around the world consider the use of tracing apps, we encourage them to keep the following three principles in mind:

  1. Privacy must be a top priority and should not be compromised.

Having enough people use a contact tracing app is key for it to be effective. For people to want to use it they not only need to have a smartphone, but they also need to trust the app and the government. Building trust via strong privacy mechanisms is, therefore, essential if any contact tracing app is to succeed. We need a solution that minimises data sharing so that users won’t have to worry about surveillance by their government, law enforcement, or private companies for commercial purposes. Additionally, governments, app makers, and platforms should commit to remove the software and the data swiftly once the crisis is over

  1. Solutions must be compatible across borders.

The virus doesn’t stop at borders and neither should contact tracing apps. Especially in Europe, a pan-European approach would make success more likely. Once travel restrictions are lifted, a common security architecture is the only way to ensure that contact tracing apps continue to be useful.

  1. Decisions must be made quickly.

Time is of the essence. With limited time, policymakers must choose the best solution available, regardless of politics and the desire for ‘digital sovereignty.’

Apps can and should play a key role in the fight against the COVID-19 pandemic. While there are currently some unresolved issues, we should not shy away from using apps as a tool to achieve effective contact tracing. If anything, this should force us to have some important conversations about privacy, surveillance, and interoperability.