Contact Tracing Apps Can Help Slow the Spread of Coronavirus. But They Can Hurt Privacy.

Countries and Big Tech need to overcome the privacy and practical challenges of digital contact tracing.

Photo by Mika Baumeister on Unsplash

With countries struggling to contain the spread of the deadly coronavirus and with no hopes for vaccines in the next few months, most countries have put citizens under stay at home orders to curb the spread of the outbreak. Contact tracing has become an effective measure to find and break chances of community transmission in countries.

Contact tracing involves the tracing of each person that an infected person may have come in physical contact and isolating those few people. I wouldn’t get into the details of contact tracing. However, this video by Vox makes it very simple to understand.

Contact tracing needs an army of people to find and trace every single person who has come into contact with an infected person. Moreover, when the number of patients goes up significantly, it becomes more and more difficult for tracing to be done. This is where the software companies come in.

Last month, Apple and Google announced that they would be working together to help develop a feature that would keep a log of each person that a person has come in contact with. And considering that most person always has their phones with them, this doesn’t feel like a bad idea. However, it would be an opt-in feature, but the greater number of people using it will help increase the effectiveness of the feature.

This diagram from Google explains how this form of contact tracing would work in practice:

Image Credit: Google

Image Credit: Google

Here is a list of countries and platforms which have already created apps to help trace the locations of its citizens (Source: Wikipedia) :

• In China, the Chinese Government, in conjunction with Alipay, has deployed an app that allows citizens to check if they have been in contact with people that have COVID-19. It is in use across more than 200 Chinese cities.
• In Singapore, an app called TraceTogether is being used. Additionally, a digital contact tracing protocol, BlueTrace, was developed, with an open-source reference implementation, OpenTrace.
• Colombia — CoronApp is the mobile app for Android and iOS –and available for the Huawei AppGallery– developed by the Colombian Government. The app, downloaded more than 1.2 million users, is a free application, which does not consume data; it helps detect affected areas and nearby people with a positive diagnosis for COVID-19. CoronApp facilitates the real-time monitoring of data collected to the Emergency Operations Center of the Instituto Nacional de Salud (National Health Institute, INS). It incorporates technologies such as those developed by the Governments of Singapore and South Korea, as well as Apple. Privacy, the major concern with these applications from organizations around the world, has not been the exception for Colombia: Fundación Karisma points out some vulnerabilities of CoronApp. As an additional benefit of the app, the Colombian Government will finance 1 gigabyte per month and 100 minutes for users of prepaid lines that install it.
• The Czech Republic has launched a Singapore-inspired tracing app called eRouška (eFacemask). The app was developed by the local IT community, released as open-source, and will be handed over to the Government.
• North Macedonia launched “StopKorona!” on April 13 2020, becoming the first country in the Western Balkans to launch a Covid-19 tracing app. The Bluetooth-based app traces exposure with potentially infected persons and helps healthcare authorities to provide a fast response. The app was developed and donated by Skopje-based Software company Nextsense. With regards to laws on data protection, the app does not use the users’ locations nor personal information. The users’ mobile numbers are the only user-related data, stored on servers managed by the Ministry of Health.
• Ghana launched “GH Covid-19 Tracker App”, an Android and iOS app equipped with location-tracking technology to provide detailed information about people who have been at the same event, location, country or other defined locations to provide accurate information to health authorities overtime to know who to screen and provide needed assistance. The app was developed by the Ministry of Communication and Technology and Ministry of Health. As of April 14, 2020, the app was awaiting approval by the Google Play Store and Apple App Store.
• In Norway — the Smittestopp app that is developed by the Norwegian Government needs Bluetooth and GPS signals.
• India- India has launched an app named “Aarogya Setu” which is one of the most prominent apps used to track user data and helps in contact tracing.
• Israel — The Ministry of Health launched “HaMagen,” an iOS and Android contact tracing app launched on March 22, 2020. ‘Hamagen’ tracks a user’s whereabouts using standard location APIs and then compares them to known movements of those diagnosed with COVID-19. In order to check if paths were crossed within the previous 14 days. The Hamagen app was specifically designed with a novel privacy-first approach as information about locations and times is cross-referenced on the user’s device, and not transmitted on to the cloud.

Here are a list of countries considering creating apps for contact tracing (Source: Wikipedia):

• In the United Kingdom, Matthew Gould, chief executive of NHSX, the government body responsible for policy regarding technology in the NHS, said in late March 2020 that the organization was looking seriously at an app that would alert people if they had recently been in contact with someone testing positive for the virus after scientists advising the Government suggested it “could play a critical role” in limiting lockdowns. On April 22, the Government announced that alpha testing of a prototype of the app was in progress at RAF Leeming.
• A similar app is planned in Ireland, and in France (“StopCovid [fr]”).
• Both Australia and New Zealand are considering apps based on Singapore’s TraceTogether app and BlueTrace protocol.
• Austria and Switzerland have both announced national applications based on the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol.
• Russia intends to introduce a geofencing app for patients diagnosed with COVID-19 living in Moscow, designed to ensure they do not leave home.

India’s Aarogya Setu app is one of the most prominent of the apps which are available in the testing against Coronavirus. With more than 75 million downloads, it is being pushed by the Government of India to everyone, with major companies like Zomato making it mandatory for its employees to download and use the app.

Since most of the contact tracing apps use the same underlying technology and have similar terms of service, I went through the Aarogya Setu app extensively. I analyzed every clause of its Terms of Service.

The Homepage of the Aarogya Setu app

1. Location Services- The app uses your mobile data location along with your GPS data to determine whether the place you are residing is safe or not. The app asks you to set the location services permission to “Always allow” and thereby keeps track of all the locations that a person visits.
2. Bluetooth- This is used to measure the device’s proximity to another mobile device. As soon as someone’s phone having the app installed comes in proximity to your device, the app exchanges, and stores a list of keys. The Government says that these keys are tough to backtrace but isn’t impossible. Whenever someone tests positive for the virus, an alert is immediately sent out to all the devices having the key generated by the patient’s phone, asking them to self isolate.
3. Data Sharing- The app’s terms state that the data will be shared exclusively with the “Government of India.” However, the terms do not give any assurance of how the data will be used, and whether the data will be used only for health reasons. The app also doesn’t assure that the massive amount of data that each person generates will be deleted once the pandemic resides.
4. Hacking- Most of these apps, which are developed by governments, have been rushed into service. They may become easy targets for hackers to extract the data of millions of people with just a single data breach.
5. Phone number- The app requires you to log in using a phone number. Now, this is the tricky part. Government rules in India do not allow a person to get a SIM card without proper ID proof. The same ID proof called “Aadhar Card” is linked to every person’s income tax, voter registration, everything. The Aadhar card is like the master key to a person’s information. Therefore, forcing people to furnish their phone numbers means that the Government knows every single thing of every single person- like a mass surveillance system working within many cases, the forced consent of the user. This is how the app explains the use of the phone number:

Health surely trumps privacy in a public health emergency. These will make it a lot easier to enforce contact tracing and prevent the deaths of thousands.

However, these same lax terms of service can be used by totalitarian and authoritative regimes to increase surveillance on its citizens even after the pandemic gets over.

What we need now is an assurance that the data generated during the pandemic will be deleted in some form after the end of the pandemic. There also needs to be a clear statement that the Government will stop data collection after the pandemic, even if users do not explicitly revoke the permission and delete the apps. It also calls for responsible players like Google and Apple to develop their solutions quickly to mitigate the risk of mass surveillance by governments and lowering the risk of hackers getting into the database of a local tracking app that knows everything about you.