Digital Contact Tracing Apps

A Pandemic Response Repository Brief
July 28, 2020

Many governments are struggling to find the right solutions in response to the coronavirus pandemic, and to share technology and content they’ve developed with others in need. The solutions listed in the Pandemic Response Repository (PRR) are reusable, easily shared among agencies, municipalities and countries, and can be adapted to local needs. This brief outlines one common type of solution found in the PRR: digital contact tracing applications.

What’s the challenge?

Contact tracing is a critical tool in slowing down the rate of new COVID-19 infections. However, contact tracing can be especially difficult for diseases with long incubation times like coronavirus, because the carrier is unlikely to remember every risky encounter or identify every person who may be at risk of contracting COVID-19. Without contact tracing tools that can be deployed quickly and with sufficient accuracy, public health agencies and governments cannot reopen economies without risking a resurgence of coronavirus cases. Public health leaders require tools that can be rapidly built and deployed to millions of residents, while being accurate enough to predict whether or not an individual is at risk of contracting coronavirus based on a risky encounter.

What’s the solution?

Digital contact tracing apps could provide a low-cost way for public health workers to collect and process contact tracing data through existing smartphone technology and rapidly scale efforts to contain future outbreaks. These apps could track interactions between people in the background, and notify a user if they had a potentially risky exposure to someone who later tested positive for coronavirus. Smartphones are already used by the majority of the population, and built-in features like mobile data, Bluetooth, and GPS give public health agencies the data to quickly notify individuals who may have had a risky exposure to a coronavirus patient, so that they can self-isolate and reduce the spread of the pandemic.

How does it work?

While there are numerous contact tracing apps, with different designs that affect privacy and efficacy, the general model remains the same. After users download the app, their phone becomes a beacon that emits unique identifiers to other phones in their vicinity via Bluetooth. Some apps also record GPS location to help public health authorities detect hotspots or areas that lead to increased infections. The apps keep a record of every interaction within a certain span of days, which usually corresponds to the maximum potential incubation period, to ensure that all potentially risky exposures are captured.

If someone experiences symptoms of coronavirus or tests positive, their app can alert any other phone that has the infected person’s unique identifier in its records. If there’s a match, the app warns the user that they may have been exposed and directs them to take actions predetermined by the app developer or public health authority, such as self-isolating or visiting a local testing facility.
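The model described above, in its decentralized form, as an added example that is not code from this brief or from any of the apps it names. The HMAC-based identifier derivation, the 14-day window, the 96 identifiers per day and all class and function names are assumptions made for illustration, and the phones and encounters in `simulate` are constructed.

```python
import hashlib
import hmac
import os

RETENTION_DAYS = 14   # assumed incubation window; the brief gives no number
IDS_PER_DAY = 96      # assumed rotation: one identifier per 15 minutes

def ephemeral_ids(daily_key: bytes, day: int) -> list[bytes]:
    """Derive one day's rotating broadcast identifiers from a secret daily key."""
    return [hmac.new(daily_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:16]
            for slot in range(IDS_PER_DAY)]

class Phone:
    def __init__(self):
        self.daily_keys = {}   # day -> secret key, never broadcast
        self.heard = {}        # day -> identifiers heard from nearby phones

    def beacon(self, day: int, slot: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(32))
        return ephemeral_ids(key, day)[slot]

    def record(self, day: int, identifier: bytes) -> None:
        self.heard.setdefault(day, set()).add(identifier)

    def prune(self, today: int) -> None:
        cutoff = today - RETENTION_DAYS
        for store in (self.daily_keys, self.heard):
            for day in [d for d in store if d <= cutoff]:
                del store[day]

    def report_positive(self, today: int) -> dict:
        # Only keys inside the retention window are disclosed on diagnosis.
        self.prune(today)
        return dict(self.daily_keys)

    def exposure_days(self, published: dict) -> list[int]:
        # Matching runs on the phone: the server never sees who met whom.
        return sorted(day for day, key in published.items()
                      if self.heard.get(day, set()) & set(ephemeral_ids(key, day)))

def simulate():
    # Constructed scenario: Bob meets Alice on days 1 and 3; Carol only meets Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.record(3, alice.beacon(3, 10))
    bob.record(1, alice.beacon(1, 5))
    carol.record(3, bob.beacon(3, 10))
    for phone in (alice, bob, carol):
        phone.prune(today=15)
    published = alice.report_positive(today=15)
    return bob.exposure_days(published), carol.exposure_days(published)
```

The day-1 encounter falls outside the retention window and is discarded on both phones, so only day 3 is reported to Bob, and Carol learns nothing about Alice.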

Who are the leaders?

Given the global demand for contact tracing solutions, countries around the world have built digital contact tracing apps to aid their public health institutions in containing the spread of coronavirus. Singapore’s OpenTrace protocol, also used by Australia and New Zealand, the Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) protocol used by the Czech Republic, as well as Israel’s app use a more centralized model to provide public health agencies with richer data that helps inform public health policy. For instance, Singapore’s model can be configured to provide public health agencies with mobile phone numbers of app users, which enables them to confirm self-reported diagnoses in the app with official health records and reduce false positive reporting.

Meanwhile, the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol utilized by the United States, Canada, France, Germany, Switzerland, Italy, the Hague and the UK (which recently transitioned away from a centralized model) is designed to prevent central authorities from collecting data that could be used to personally identify an app user. Some countries like Italy, the UK, and Germany shifted from a centralized to a decentralized approach due to privacy and scalability concerns after discovering that Apple phones would not support any centralized contact tracing apps. Advanced cryptography and systems like differential privacy prevent any entity from recreating social interactions or associating real identities with app data. This not only protects users from potential abuse, but also builds the level of public trust required to encourage the public to download the app, without which digital contact tracing is impossible.

What are the challenges?

Digital contact tracing apps have never been tested during a pandemic, leaving many questions about their effectiveness and security unanswered. Scientists and public health authorities are uncertain that Bluetooth or GPS technology is accurate enough to correctly assess exposure risks. Researchers also have not determined how many people would need to use the app within a specific population in order to meaningfully reduce contagion and affect public health outcomes. Limited accessibility for populations without mobile internet, such as low-income individuals, the elderly, and rural communities, adds to the concern about app adoption rates. Civil society organizations around the world continue fierce debates over the design implications of these apps, seeking to balance user privacy with the benefits of providing public health authorities with sensitive health information.

Why open source?

Digital contact tracing apps collect and process sensitive health information on a mass scale. Security flaws in the software that can expose confidential information or undermine the efficacy of the app not only place individual citizens at risk, but can present national security risks to governments seeking to manage a public health crisis. By coding in the open, public health agencies benefit from the increased scrutiny of the application and can resolve bugs and problems with the app design before they endanger the public. Developing software in the open also enables experts to validate the app and build public trust in its functionality and security. Contact tracing apps are useless if they are not downloaded, and residents may fear potential security breaches enough that they do not download the app, undermining the app’s usefulness to contact tracers and public health authorities. India’s Aarogya Setu app, for example, was found to have numerous security bugs despite having undergone a security review by a renowned IT company, pressuring public authorities to open source the code for additional review by the global security community. Hundreds of security flaws have been identified and fixed thanks to the power of crowdsourced engineering talent made possible by open source.