The official COVID contact tracing apps that have been developed worldwide have the same aim: to alert people if they have come into contact with the disease and need to isolate to stop its spread. They mostly function under the same principle too. They count on users to voluntarily download and install an app on their smartphones.
COVID tracing apps, also called exposure apps, utilize Bluetooth Low Energy signals to log when and for how long two people have been in close proximity to each other. How those logs and other data are handled is where the apps begin to differ. And these differences have ignited a debate about digital privacy.
Centralized vs. decentralized?
Two approaches to contact tracing apps have emerged, a centralized model and a decentralized one. In the former, the app gathers anonymized user data and uploads it to a remote centralized server where contact matches are made. If a user reports symptoms or is diagnosed with COVID-19, the people who were in contact with him and also use the app are notified. User data is uploaded to and stored on government-run centralized servers in the case of contact tracing apps based on a centralized model.
In the more widely adopted decentralized model, users have more control over their information. All contact information is kept only on users’ phones, and there is no central database accessible by the government or authorities.
The main difference between the two models is not only a question of privacy but one of trust. While proponents of the centralized approach argue that the data collected could provide authorities with helpful insights into the spread of the disease, critics are not convinced. Instead, they find several aspects of the centralized model rather problematic:
- A centralized system could potentially be more enticing to hackers, thus leaving more people vulnerable to having their data leaked.
- Users would have to trust that whoever is collecting and storing their information would not use any of it against them at a later date or for another purpose.
- Many who oppose the centralized approach feel it runs the danger of inviting governments to introduce increased surveillance measures in the future.
Want more digital privacy?
Protect all your devices for free with Avira
Which countries rely on decentralized models?
The United States has been the biggest proponent of contact tracing apps based on a decentralized model. An online survey commissioned by Avira and conducted by Opinion Matters in the U.S. shows findings in line with the critics of the centralized approach. One of the main take-aways was that 71% of the 2,005 participants would not willingly use a COVID contact tracing app due to digital privacy concerns. When questioned about which contact tracing app technology they would trust to keep their data private, the top answer was none (40%), but following close was Big Tech, specifically Apple and Google (32%), followed by Microsoft (28%). Only 14% of respondents said they would trust the government with such data. Moreover, the survey revealed that roughly 75% of Americans believe their digital privacy is at risk if the government or similar authorities can access data collected and stored by a COVID contact tracing app.
Americans trust Big Tech
When asked more specifically what data, health-related or general, they were worried about being collected or leaked, participants cited concerns about general information such as their name, address, gender, and age. Taking that research into account, it makes sense that most Americans would trust the technology put forth by Big Tech.
The Apple-Google Exposure Notification Application Programming Interface (API) is decentralized, with user privacy built into its design. In practice, this means the warnings it sends out are not processed through a central database but triggered automatically and locally on users’ phones. Furthermore, its Bluetooth detection-based system doesn’t collect or use any location data, and it’s up to the user to report a COVID-19 diagnosis to the app.
However, questions understandably remain about the privacy of the decentralized Apple-Google technology, and not everyone is prepared to wait and see where technology takes us. One endeavor to ensure and protect users’ control over their data is the bipartisan bill, the Exposure Notification Privacy Act.
Which countries have adopted the centralized model?
Australia was one of the first countries to launch a national contact tracing app based on a centralized model. It is also the country with the widest adoption rate worldwide. In July 2020, 21.6% of Australians over 14 had installed the COVIDSafe app, launched and promoted by the Australian government. However, once the decentralized framework provided by Apple and Google was made available, the Australian government decided to implement the API provided by the two tech companies and give up the central database. Many European countries followed this example, including the United Kingdom, Norway, Italy, and Germany.
In Germany, the official coronavirus contact tracing app has been downloaded by approximately 18 million people as of September, and less than 1 million users shared test results. While Germans are also primarily concerned about their digital privacy, they prefer an app developed by the government or an independent national research institute and view solutions developed by Big Tech with skepticism. According to a study conducted by the Nuremberg Institute for Market Decisions, the adoption rate might increase significantly if users would have a clear benefit, such as priority access to testing in the case of exposure.
The best example of a centralized approach is France’s national app, TousAntiCovid, formerly known as StopCovid. The adoption has been much lower in France, with only 3.1% of the population using the app in July 2020. To encourage people to use the app, the French government has renamed and updated the app in October, including statistics about the pandemic, a news feed, and useful links.
Which types of apps have higher adoption rates?
Apps based on a centralized model raise many privacy concerns and questions: How long will the data be stored? Who will have access to the data? For what other purposes will the data be used?
However, while a decentralized model seems to address at least some of these concerns, the fragmentation has affected the apps’ efficacy.
In the United States, only ten states and Washington D.C. have implemented contact tracing apps based on the Exposure Notification API developed by Apple and Google. Four other states have apps developed by private companies using different frameworks. The lack of a national strategy makes the system less effective than the centralized system adopted, especially since many Americans travel across states.
Despite efforts from those who fall on both sides of the debate – whether privacy advocates or those in public health – the only way to really evaluate the efficacy of a tracing app is if enough people are willing to put their trust into the technology and use them. So far, the adoption rates have been below the recommended rate of 60% in the countries where contact tracing apps are voluntary.