Do tracing apps matter in managing COVID-19?


Right now, many governments around the world are pushing what are merely ‘exposure notification’ apps for smartphone users rather than full-blown contact tracing apps. Proper contact tracing includes the ability to track down and pinpoint where exposure and transmission have actually occurred by interviewing those infected about their patterns, recent movements and visits.

About the author

Chester Wisniewski, Principal Research Scientist, Sophos.

Exposure notification apps simply let users know if they were in close proximity to someone else using the app who’s exhibiting COVID-19 symptoms. They offer far less certainty in their notifications to individuals, and in balancing privacy concerns with public health considerations, they typically offer far less useful information to public health authorities.

How exposure notification apps fall short

Exposure notification apps rely on the Bluetooth Low Energy (BLE) radio in a smart device to keep a log of all the other devices using the same app within range of the user’s phone. Don’t be fooled by the “Low Energy” designation. The radio has the same strength and range as traditional Bluetooth, so most user devices will likely keep a log of other phones within a range of 10 metres (33 feet) or more.

This will help in wide open public spaces, as the app can estimate the distance between a user’s phone and the vast majority of phones out there. When someone suspects they have symptoms or tests positive for COVID-19, public health authorities can set the app to only notify phones that were close enough for long enough. At the moment epidemiologists recommend this to be set at two metres (6 feet) for 15 minutes or more, but if our understanding changes, public health authorities can adjust the app settings.

Unfortunately, Bluetooth radio waves travel quite efficiently through drywall, glass and other barriers that prevent the transmission of COVID-19. This means there’s potentially a reasonably high level of false-positive notifications for people in densely populated urban areas. The signals are also quite easily blocked by the human body, making distance measurements unreliable.
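The following is an added example, not code from the article or from any real exposure notification app: it applies the "two metres for 15 minutes" rule to a log of signal-strength readings and shows how a wall and a human body skew the outcome. The log-distance path-loss model, its calibration constants and the sample log are assumptions constructed for illustration.

```python
# Added example with constructed data; not code from any real exposure notification app.
from collections import defaultdict

# Assumed calibration for a log-distance path-loss model (values are illustrative).
TX_POWER_AT_1M_DBM = -59.0  # RSSI expected at 1 metre
PATH_LOSS_EXPONENT = 2.0    # free-space propagation

def estimate_distance_m(rssi_dbm):
    """Invert rssi = tx_power - 10 * n * log10(d) to get d in metres."""
    return 10 ** ((TX_POWER_AT_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))

def exposed_contacts(sightings, max_distance_m=2.0, min_minutes=15):
    """Return contact ids seen within max_distance_m for at least min_minutes.

    sightings: iterable of (minute, contact_id, rssi_dbm), one sample per minute.
    Minutes are counted cumulatively (an assumption). Both thresholds are
    parameters because the health authority may change them.
    """
    close_minutes = defaultdict(set)
    for minute, contact_id, rssi_dbm in sightings:
        if estimate_distance_m(rssi_dbm) <= max_distance_m:
            close_minutes[contact_id].add(minute)
    return sorted(c for c, mins in close_minutes.items() if len(mins) >= min_minutes)

def samples(contact_id, rssi_dbm, minutes):
    """Build one constructed RSSI reading per minute for a contact."""
    return [(m, contact_id, rssi_dbm) for m in range(minutes)]

# Constructed log: the labels describe the real situation, which the radio cannot see.
SIGHTINGS = (
    samples("cafe-table", -62, 20)                  # ~1.4 m, same room
    + samples("neighbour-behind-drywall", -63, 30)  # ~1.6 m, but a wall in between
    + samples("friend-phone-behind-body", -75, 20)  # really 1 m, body blocks the signal
    + samples("passer-by", -60, 3)                  # close, but only 3 minutes
)

if __name__ == "__main__":
    for cid in exposed_contacts(SIGHTINGS):
        print("notify:", cid)
```

The neighbour behind the wall is notified although the barrier prevents transmission, while the contact at 1 m whose signal is absorbed by a body is estimated at over 6 m and missed.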

The tech also doesn’t know when or if the user wears personal protective equipment (PPE). It’s believed that the rate of transmission drops dramatically for those who are potentially infected yet wear a face mask or shield. Apps don’t know when the user takes responsible protective measures.

Privacy issues

The UK’s NHSX app, as well as the one developed in Australia, tried to make a go of using a decentralized approach, but have found that neither app can deliver on what it promises without the help of Google and Apple. Apple has designed iOS to not allow applications to use Bluetooth for tracking purposes, both as a battery-saving technique and for privacy. For any app to work in countries where the iPhone has any market share, the app will need Apple’s blessing.

Google and Apple have decided that privacy remains paramount and aim to prevent apps from using their APIs if they collect location or other personal information. Unfortunately, this is precisely the information public health authorities need to battle this pandemic.

Oddly, this privacy-first approach only becomes mandatory when providers want to develop exposure notification apps. Every other app on our devices collects nearly unlimited amounts of personal information and tracks our every movement, online and off, with only a brief popup for permission.

Time to compromise?

Usually, I am the first in line to argue for privacy, but these are not ordinary times. Public health authorities need to balance efficacy, trust and privacy in the design of their apps to achieve the results they need to manage this pandemic.

Apps can help us track symptoms and can even help us voluntarily track our own movements to self-disclose to real human contact tracers. Apps could even help us with exposure notification and share small amounts of data about our location to help public health professionals plan for outbreak response.

Or we can just continue to only allow marketing and advertising companies to collect this data, while keeping the public health authorities in the dark.

It’s our choice and we need to have an open, informed and honest conversation about how we move forward. The decision does not belong to Google or Apple alone, but to all of us.

The final caveat is that even if we get the perfect app, for an app to meaningfully affect the spread of COVID-19 we would need a significant majority of smartphone users to install the app. This may turn out to be unrealistic if not impossible.

Chester Wisniewski

Chester Wisniewski has been involved in the information security space since the late 1980s. Chester divides his time between research, public speaking, writing and attempting to communicate the complexities of security to the press and public in a way they can understand. He has spoken at RSA, InfoSec Europe, LISA, USENIX, Virus Bulletin and many Security BSides events around the world in addition to regularly consulting with NPR, CNN, CBC, The New York Times and other media outlets.