5 things to know before installing a COVID-19 tracking app on your phone

Contact tracing is a critical part of shutting down every major epidemic and COVID-19 is no exception. Historically, contact tracing has been slow and labor intensive, with medical workers working directly with the infected individuals to identify and contact the potentially infectious. The process works with diseases like TB and polio. However, given the speed at which COVID-19 seems to be spreading and the high levels of people that are spreading the virus without having any symptoms, people are wondering: Can we provide better living and contact tracing via technology?

 

Smartphones make it possible

Tapping the smartphone potential really accelerated when Apple and Google announced plans for COVID-19 tweaked updates to their respective operating systems. The changes to both operating systems will enable a special app on these devices to broadcast a Bluetooth signal. Other nearby phones can detect this signal — and its strength – to measure the extent of contact and the proximity between the two device owners.

 

The road diverges with the Bluetooth signal

Once Device A detects Device B and the two spend time together within 6 feet, there are some records of the event. This is where the road diverges with a wide range of technology options. These influence how anonymous the data can be, who gets to keep it, and who gets to process it. There are even a range of organizational steps that take place once an infection is reported and the notification process kicks off. These differences will have a huge impact on the privacy of individuals and the invasiveness of the apps.

 

Who are the big players so far?

There are a range of apps that will use this coming Bluetooth capability now under development by a mix of private, government, and health authorities. An incomplete list should include the DP3T project and the Pan-European Privacy-Preserving Proximity Tracing system, or PEPP-PT.

 

The interesting case of the tracking app launched in the UK

The different approaches are clearly illustrated when comparing the Google/Apple approach vs. the one taken by the National Health Service (NHS) in the UK, which recently launched – as a pilot project – a tracking app in the Isle of Wight, an island off the coast with about 140,000 people.

Whereas the approach taken by Google and Apple favor a decentralized data collection model, one which minimizes information in favor of limited infringement on user’s privacy, the one taken by the NHS is centralized, and comes down heavily on the side of data collection to help -so the argument goes – better identify hotspots and contain the virus – but which comes at the expense of a far more invasive data collection program.

So far, the Silicon Valley titans refuse to give in to the demands of the British government by providing access to the Bluetooth signals. This leaves the NHS with either the option of limiting data collection or going its own way, at the expense of likely technological flaws and perhaps security vulnerabilities.

 

 

So what are you going to do about it?

Given this dynamic situation, your best option is to look for answers to the five following questions before installing any tracker app on your phone.

  1. Will this be an opt in or a forced arrangement? Is it your free choice or a mandatory decision to have that tracking apps and technology installed on your device? In South Korea and Singapore – two early leaders in tracking technologies – it was optional.
  2. Who holds the data? Is the data from Bluetooth held on the device until requested or stored in a central server? Can this data be sold or used by external organizations?
  3. Am I really anonymous? – Individual apps might do this contact and tracing processes in different ways. There is a risk that the anonymization of your data can be reversed. It’s been reported that the United Kingdom’s NHS tracking app might permit data to be de-anonymized in order to identify individuals if needed.
  4. Who will review the source code? The rush to launch tracking apps is letting companies skip over a public vetting of the code to uncover vulnerabilities and security issues. This is an issue as an app can incorporate a basket of tracking technologies beyond that of just Bluetooth.
  5. Once this app takes my privacy, will I get it back? Will these new coronavirus Bluetooth tweaks to the Apple or Android OS be removed from the operating systems once this virus has been beaten down. The fear of privacy advocates like the EFF is that it will not be, like the mass collection of phone metadata in the US.

 

Even the best designed of apps just may not work. For starters, an Oxford University model estimates that around 80% of smartphone owners would need to use a tracking app for it to be effective. That would be a difficult level to reach without some coercion or a huge PR push. Given the current lack of testing in most areas, building a contact tracing app just might be locking the barn door after the horse has been stolen.

When it comes to COVID-19, technology, and your privacy – you can trust, but verify.

This post is also available in: French

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.
Avira logo

Protect your privacy for free on all devices