This article was originally published by The Markup, a nonprofit newsroom covering the ways technology is changing society. Follow them on Twitter and Facebook, and subscribe to their newsletter here.
Contact tracing — monitoring who’s getting COVID-19 and tracking down anyone who might have been in contact with that person so they can quarantine — has long been considered a key to slowing and eventually ending the pandemic.
Health departments around the country (and world) have been staffing up on human contact tracers. Meanwhile, in April, Google and Apple announced they were teaming up to develop a way to do the job through smartphones. The result, released in May, is the Google and Apple Exposure Notification system.
The service is an application programming interface (API) that provides public health officials with a framework for developing a contact tracing app of their own. That framework allows users to download an app on their phones that runs in the background. When they spend more than a few minutes with another person, the two phones communicate through Bluetooth, exchanging identification codes that change every 10 to 20 minutes. If one of those users reports a positive COVID-19 test result, all the phones they’ve encountered will receive an alert, warning them they may have been exposed.
The API doesn’t collect location information or allow the data it collects to be stored in centralized servers—proponents consider those privacy protections key to widespread adoption of the technology.
“The simplest way of thinking about [Google-Apple Exposure Notification] is that it never shares information about you that could be used to deanonymize you,” said Dan Kohn, general manager at Linux Foundation Public Health, which is helping deploy apps that rely on the Google-Apple API in several states, including Pennsylvania.
“It’s not about trusting Google, or trusting Apple, or trusting your public health authority,” he said.
Kohn believes the system is the world’s best shot at quickly and effectively notifying people of possible exposure to COVID-19—but there are many critiques out there and a host of competitors. The apps have not yet gained widespread usage, but they are rolling out slowly.
Who’s Using Contact Tracing Apps So Far?
Adoption of the Google-Apple Exposure Notification API has been slow in the United States. State health officials in Alabama and Virginia released the first U.S. apps based on the API earlier this month.
But pickup has been greater around the world. Sixteen nations, including Japan, Saudi Arabia, Latvia, Gibraltar, and Uruguay have created apps that rely on the API. In Ireland, a nation with a population of roughly 4.8 million people, the government’s COVID Tracker app, which launched in early July, has been downloaded 1.4 million times.
Germany initially announced it would create its own app, in which data would be stored on one government server instead of on individual users’ phones. The app would have required Apple to change certain settings on iPhones. After the company refused and hundreds of academics signed a letter warning of privacy concerns, German officials adopted the Google-Apple approach instead. Since launching in mid-June, the country’s Corona-Warn-App has been downloaded more than 16 million times. Similarly, after the much-publicized failure of its homegrown contact tracing app, the U.K. is also creating an app using the Google-Apple API.
In a July 31 press release, Dave Burke, Google’s vice president of engineering, announced, “In the United States, 20 states and territories—representing approximately 45 percent of the U.S. population—are exploring apps based on ENS (exposure notification system).”
In an email to The Markup, Julie Grimes, a representative of the Virginia Department of Health wrote, “One of the major reasons Virginia went with the Apple and Google API, is because of privacy concerns.” She went on to explain that no location data or personal information from the app is ever collected, stored, tracked, or transmitted to the Department of Health.
The Association of Public Health Laboratories, an industry group that represents local, state, and national laboratories, recently announced it will work with Google, Apple, and Microsoft to make sure apps launching in different states are interoperable. The European Union is taking similar steps.
And the apps may not need huge penetration to have some effect on virus transmission. This model from a research group at Oxford suggests that even if only 20 to 40 percent of residents actually download and use a contact tracing app, it could still reduce the number of daily infections.
Why Isn’t Everyone Jumping On Board?
Technical and privacy challenges have led to slow adoption, though some of those concerns have been addressed.
The API initially didn’t require any kind of verification when users uploaded positive test results, leaving it vulnerable to trolling—anyone could have potentially entered false positives and undermined faith in the system. Google and Apple have since created guidelines for developers to create a verification server. When users get their test results, they receive a code that has to be entered into the app and confirmed by the server. In Germany, testing labs provide users with a QR code when they receive their results.
There are also concerns that systems like the Google and Apple API are vulnerable to spoofing—meaning a person could hijack Bluetooth signals. In an email to The Markup, Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, said there hasn’t been any evidence that this type of spoofing has happened yet, but it remains a concern. “This could lead to a lot of false positives, where people receive exposure notifications for people that they were never actually near,” he wrote. “I haven’t seen proposals by the tech companies or the app developers to address this.”
Apple and Google didn’t respond to questions about the API’s vulnerability to spoofing or trolling.
Bluetooth, which Google and Apple rely on to sense proximity to other users, can also be inaccurate, said Greg Nojeim, senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.
“If the Bluetooth signal has to pass through fabric like your pants pocket, that degrades the signal and suggests you might be more distant from the person than you really are,” he said. Alternatively, Bluetooth signals could create false positives if they pass through walls and detect proximity to a person who does not epidemiologically present a risk.
And communities that are contracting COVID-19 at the highest rates also generally have less access to smartphones or may be less likely to trust apps endorsed by the government or by big tech companies.
“There’s also the question that resources are not diverted from [human] contact tracing within communities where we know there are disproportionate rates of infection,” Nojeim said.
And there’s no real guarantee that the apps will even work.
“Masks have been proven effective and there’s a consensus in the health community that masking protects others,” said Nojeim. “It’s not the same with exposure notification apps.” It’s not clear that the Bluetooth will work properly, that people will upload positive results when they get them, or that people will self-isolate after being warned about a potential exposure.
Some Places Are Developing Their Own Technology
Many jurisdictions have chosen to use other types of contact-tracing apps that are more privacy invasive—and thus more helpful to public health officials, those officials say.
China, for instance, has an app that people in the country are required to download and is used to enforce quarantine after exposure. The app shares information, including location data and users’ identification codes, with a central server that may also be accessible to the police.
"We’ve learned over the course of the past three months that location tracking isn’t popular." - Dr. Angela Dunn, Utah state epidemiologist
Rhode Island’s Crush Covid RI app uses GPS data that users can choose to share if they test positive. According to the app’s website, “Anonymous information you provide to the Rhode Island Department of Health (never including your name, contact number, home, or work address) could be used to better understand where the disease may be spreading. For example, if there is a location (e.g. a supermarket) where 20 other people also became positive in the same timeframe, that location may need to be closed and sanitized.”
Initially, Utah’s Healthy Together app used both Bluetooth and GPS data so state public health officials would have a better sense of where and how the virus was spreading. The app also gave public officials and Twenty Holdings Inc., which helped develop the app, access to personally identifying information like users’ names, location data, and phone numbers. But after Utah launched the app in April, only 200 people downloaded it. Officials decided to turn off the GPS function in June.
“We’ve learned over the course of the past three months that location tracking isn’t popular,” state epidemiologist Dr. Angela Dunn told The Salt Lake Tribune. “And as a result, it hasn’t really been helpful to our contact-tracing efforts.”
After Google and Apple refused to make their API available to countries that wanted to store data on a centralized server, France announced it would make its own app. The nation’s StopCovid app has been criticized for working poorly on iPhones, something France’s digital minister, Cédric O, blamed on Apple.
“Apple could have helped us,” he said in an interview with BFM TV. “We will remember this when the time comes.”