Despite a promising start in some countries (Australia, Singapore), nearly all contact-tracing apps have failed to meet expectations, due to the combined effect of technical problems (inaccuracy of both Bluetooth and location data), barriers to interoperability, lack of public trust, and low uptake among the population.
Different approaches have emerged, with some governments opting for centralised systems in which citizens’ data is stored and matched on servers, and others going for decentralised systems where everything happens on citizens’ devices. The collaboration between Apple and Google on the decentralised API is becoming the prevalent option, which could address the issue of interoperability between different apps.
Adoption of the apps will need to grow significantly for contact-tracing to succeed, since in most countries only a minority of the population are currently using them. For this to happen, governments will need to show they take privacy seriously, and minimise the data they collect and how long it’s stored.
Apple and Google: an unlikely duo
Given the rivalry between Apple and Google, many were somewhat surprised to see both collaborate on the technology for contact-tracing apps. Nevertheless, both firms came together to develop an application programming interface (API) which has formed the basis for the tracing apps that have been adopted around the world – although not all governments are using their technology, with some choosing to develop bespoke solutions.
An important part of Apple and Google’s framework is the use of Bluetooth, which removes the need to rely on the phones’ location data. This is seen as advantageous because of the lower battery consumption, and because using location data raises privacy concerns and is deemed to be even less reliable than Bluetooth in revealing who citizens have been in contact with. However, both technologies are showing problems in crowded housing environments, such as apartment towers. Because of the proximity of people in these areas, users could potentially get exposure notifications from people with whom they have never actually been in contact.
Under Apple and Google’s framework, each person’s phone will be logging other devices which it comes into contact with. These logs do not include any identifying information about an individual; they use random numerical ID codes that change frequently, and are destroyed after 14 days, which is understood to be the incubation period for COVID-19. The apps will be able to log the length of time for which a person has been in contact with someone, and how far away they were, based on the strength of the Bluetooth signal. Any contact deemed to be not risky (e.g. briefly passing someone on the street) will be ignored.
For the system to work, each device must run a COVID-19 tracking app that has been fully enabled. Both Apple and Android devices now have a ‘COVID-19 notifications’ option in the privacy settings, which users can only enable through a contact-tracing app. For this reason, public support is important, although most governments have so far stopped short of making the apps mandatory, and have opted for a voluntary approach to adoption.
Apple and Google are successfully moving governments towards their approach
The dichotomy between the use of Bluetooth and that of location data is not the only one to characterise contact-tracing apps. While most of the apps that have so far been adopted rely on Bluetooth, these apps can differ depending on whether they are part of a centralised or decentralised approach. With a centralised approach, the contact-matching process is carried out on a remote server, whereas in a decentralised approach (like that of the Apple/Google API) the ‘Bluetooth handshake’ happens on the device. The perceived advantage of a centralised approach is that authorities and researchers have more insight into the spread of the virus, and into the performance of the app. A decentralised approach is seen as more privacy-friendly, with better protection from potential hackers and from possible misuse of personal data retained by authorities.
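The on-device log and local matching described in the two sections above can be modelled in a few lines. This is an added illustration, not Apple's or Google's code or API: the class names, the rotation interval, the duration and signal thresholds, and the idea of feeding in a list of IDs reported by diagnosed users are all assumptions made for the sketch; only the 14-day retention comes from the text.

```python
import secrets
from dataclasses import dataclass

RETENTION_S = 14 * 24 * 3600   # from the article: logs are destroyed after 14 days
ROTATION_S = 15 * 60           # assumption: how often the random ID changes
MIN_DURATION_S = 10 * 60       # assumption: shorter contacts are treated as not risky
MAX_ATTENUATION_DB = 60        # assumption: more signal loss means too far away


class RollingId:
    """Broadcast side: a random ID that is replaced every ROTATION_S seconds."""
    def __init__(self):
        self._slot, self._value = None, None

    def current(self, now):
        slot = now // ROTATION_S
        if slot != self._slot:
            self._slot, self._value = slot, secrets.token_hex(16)
        return self._value


@dataclass
class Sighting:
    rolling_id: str       # the other phone's random ID, nothing else
    seen_at: int          # seconds since an arbitrary epoch
    duration_s: int       # how long the contact lasted
    attenuation_db: int   # Bluetooth signal loss, a proxy for distance


class ContactLog:
    """Receive side: stays on the phone, holds no identity or location."""
    def __init__(self):
        self.sightings = []

    def record(self, rolling_id, seen_at, duration_s, attenuation_db):
        self.sightings.append(Sighting(rolling_id, seen_at, duration_s, attenuation_db))

    def purge(self, now):
        self.sightings = [s for s in self.sightings if now - s.seen_at < RETENTION_S]

    def exposures(self, reported_ids, now):
        """Match locally against IDs reported by diagnosed users (assumed input)."""
        self.purge(now)
        reported = set(reported_ids)
        return [s for s in self.sightings
                if s.rolling_id in reported
                and s.duration_s >= MIN_DURATION_S
                and s.attenuation_db <= MAX_ATTENUATION_DB]
```

In a centralised design the same matching would run on a server holding every phone's log, which is the data-retention exposure the decentralised approach avoids.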
In a first phase, the need to gather extensive amounts of data for research purposes saw governments lean towards the centralised approach. Early adopters of contact-tracing apps such as Australia and Singapore were initially seen as examples of best practice – particularly Singapore’s TraceTogether. However, things changed when it turned out that these apps had low adoption rates (Singapore’s app was used by about 20% of the population and the country saw a resurgence of the pandemic) and, crucially, that Bluetooth does not work properly on Apple devices when in the background. This prompted both governments to shift to Apple and Google’s decentralised system, citing significant improvements in Bluetooth performance. The UK Government was also developing an app based on a centralised approach, although it is now reportedly considering switching to the Apple/Google API. France also built a centralised system, which is facing similar difficulties due to the restrictions placed by Apple on the functioning of Bluetooth.
As part of our tracking of measures the industry has been taking in response to COVID-19, we have been monitoring the approaches taken by various countries. Out of 18 countries we’ve tracked, 11 have chosen a decentralised approach so far, two of which have shifted from their initial choice of a centralised system. It is worth noting that the situation in the US is extremely fragmented, with 15 states reportedly not aiming to introduce an app at all, and 18 states still unsure whether to do so.
The European Commission’s approach rightly focuses on interoperability
Interoperability between apps will be of key importance, especially as countries look to reopen to international travel. The ability of different apps to talk to each other will make sure that a user can rely on one single tracing app, regardless of the country they are in at a given moment. The framework developed by the EC for a common approach to contact-tracing apps within the EU is a step in that direction, and sets out criteria that the apps should meet. They must be voluntary, transparent, temporary, cybersecure, using temporary and pseudonymised data; they should rely on Bluetooth technology and be approved by national health authorities.
Such a framework further strengthens the position of the Apple/Google API, which is the easiest way to achieve interoperability between different apps, whereas getting centralised systems to talk to each other is much more complicated. Accordingly, most countries in the EU are following the decentralised Bluetooth approach, with some notable exceptions (France, UK, as well as Norway and Iceland if we consider the EEA).
For contact-tracing apps to succeed, authorities need to gain the public’s trust
Since its inception, the issue of contact-tracing apps has sparked a lively debate around the balance between the need to use technology and data to limit the spread of the virus, and the need to meet the increasingly high privacy standards imposed by regulations such as GDPR, and demanded by more consumers worldwide. The two main aspects to consider here are the use of location data and the trust public authorities need when it comes to handling personal data. The use of location data has been a sensitive topic for telecommunication operators for some time, especially in Europe, where e-privacy rules have strongly limited the use operators can make of such data. Even in countries where regulations are less prescriptive (such as the US), operators have come under fire for allowing location data to fall into the wrong hands. This is one of the reasons why the European Commission adopted a toolbox for EU member states, opening the door to the use of ‘anonymised and aggregated’ mobile location data, and soon after recommended that member states adopt the decentralised approach.
The general lack of trust in governments and public authorities when handling personal data is a further problem, which risks undermining the very purpose of contact-tracing systems. Despite the safeguards built into decentralised approaches, and the reassurances many governments have issued around the way they intend to use citizens’ data, there is a widespread perception that contact-tracing apps could be used for mass surveillance purposes. These concerns will be difficult to overcome unless governments commit to making the use of contact-tracing apps temporary, and to retaining any data they collect for a limited period of time, only to the extent that it is necessary. In this respect, the contact-tracing apps we have observed vary widely: some governments set a good example by committing to store data on phones for 14 days (the two weeks during which the virus incubates) or up to 30 days, as is the case in Norway. Other governments have made vaguer commitments to retaining data only for as long as necessary, without setting specific timeframes (although the Italian Government said this will in no case be later than 31 December 2020). Governments’ lack of clarity could strengthen the perception that data is being harvested and used for other purposes, thereby making citizens turn away from the apps and undermining their effectiveness. It is worth noting that, so far, adoption rates of contact-tracing apps have been low, even in the few cases where the app has been made mandatory, such as in India. Without large-scale adoption, contact-tracing apps will not serve the intended purpose, and will be little more than a failed experiment.