Published by The Lawfare Institute
in Cooperation With
Digital contact tracing has become a central component of the global response to the coronavirus, with more and more countries preparing to roll out apps to help identify and isolate people who have been exposed to the virus. South Korea and Singapore were among the first to deploy a digital version of contact tracing, and experts have identified the BlueTrace system used by both countries—alongside other surveillance measures—as a key reason why they have experienced relatively few coronavirus cases. Meanwhile, other countries are taking note. More than 4.5 million Australians have downloaded a coronavirus contact-tracing app since its release a week ago. And within the European Union, Germany and France are developing tracing tools as well.
In the United States, efforts to develop digital contact-tracing systems have largely fallen to states and tech companies—though privacy advocates have voiced concerns about the invasiveness of such apps. Apple and Google recently agreed to partner in developing a contact-tracing technology that will be interoperable between iOS and Android phones and will provide public health officials and others with the ability to develop contact-tracing apps. The system uses Bluetooth beacons to log devices that phones have been near and anonymizes the data. The technology relies on a decentralized system—meaning that an individual’s data is stored locally on their phone rather than in a central database accessible to app developers or government officials. The companies have already released draft documentation and sample code for the API—the set of bare-bones protocols that will make contact-tracing schemes work on their respective platforms—and it should be available for developers to include in contact-tracing apps in mid-May. Later this year, users will no longer need to install an app to opt in to the contact-tracing effort: Apple and Google say proximity tracking will be built directly into phones’ operating systems in the coming months “to help ensure broad adoption.”
Erin Simpson and Adam Conner of the Center for American Progress write that “Apple and Google’s effort will create a new de facto international standard for digital contact tracing.” But the two are not alone in developing apps in the private sector. Companies including PwC, Salesforce and the controversial Israeli cyberintelligence firm NSO Group are preparing to launch apps that would allow employers preparing to reopen their offices to track their employees.
Beyond these projects, three state governments have already rolled out digital contact-tracing efforts. North Dakota, South Dakota and Utah have all promoted voluntary contact-tracing apps that they say will help them contain the coronavirus pandemic. But these states rely on a framework very different from Apple and Google’s approach—and new developments mean that the state apps may not be able to make use of the joint Apple-Google technology at all.
North Dakota and South Dakota
On April 7, North Dakota Gov. Doug Burgum and the North Dakota Department of Health launched a free mobile app, called Care19, to trace the spread of the novel coronavirus in North Dakota. South Dakota became the second state to utilize Care19, and the state’s governor has urged residents to download the app in order to facilitate South Dakota’s contact-tracing program. The app was developed with ProudCrowd, a company that previously developed an app to track North Dakota State University football fans on their trips to Texas for the national championship. While the app was initially available only to iPhone users, an Android version was released on April 21.
Once an individual downloads Care19, he or she is assigned a random ID number and the app anonymously caches the individual’s locations. The app only stores the location of any place a person visits for 10 minutes or more. If an individual tests positive for the coronavirus, Department of Health staff in both states have been instructed to ask an individual using the app if they will consent to provide their location history to the state. (It’s not clear whether the North Dakota and South Dakota iterations of Care19 share data between one another.) Around 29,600 people—approximately 1.5 percent of the combined population of both states—have downloaded the app. And as of April 27, only 17,031 people are actively using it.
The app currently relies on WiFi location data, triangulation using cell tower data, and GPS location data. Public health officials reportedly use the GPS data to determine locations where users may have spread the virus and attempt to determine whom they may have interacted with.
Utah Gov. Gary Herbert announced the launch of a similar voluntary app, called Healthy Together, on April 22. If an individual tests positive, public health officials will be able to access a list of contacts and past locations. The app—which was designed by the social network startup Twenty—relies on a combination of GPS, WiFi, IP address, cellular location data and Bluetooth to identify contacts. It also requests access to phone contacts. Unlike North Dakota’s anonymized location data, Utah’s website states that “[p]ublic health officials and a limited number of development employees with Twenty Holdings, Inc. will have access to your name, phone number, and location data for COVID-19 tracing purposes only.” In other words, the app grants public health officials access to personally identifiable information and location trails.
Utah argues that Bluetooth alone provides public health officials with a less accurate picture of the spread of the coronavirus than Bluetooth and GPS location data combined. “Bluetooth helps us understand person-to-person transmission, while location/GPS data helps us understand transmission zones,” according to the state’s website. Location data will automatically be deleted after 30 days. As of April 27, at least 30,000 people had downloaded the Healthy Together app—less than 1 percent of the state’s population.
The number of state and municipal contact-tracing apps will likely grow once Apple and Google’s technology is made available to public health departments and other developers. The Coalition App—a contact-tracing app developed by the “internet of things” company Nodle and the city of Berkeley, California—is now available in the Google Play Store. The Georgia Department of Public Health is conducting pilot tests in at least three counties for a tracing app developed by MTX Group. And Utah’s partner, Twenty, has suggested that it is looking to roll out its app in other states.
But privacy advocates have raised concerns surrounding the location data the Care19 and Healthy Together apps rely on. These three states’ apps share with government officials location data that Apple and Google have seen as too sensitive to catalog. Apps using the tech giants’ Bluetooth framework would keep a log of devices with which the user’s phone has had contact on the phone itself. If the user reports to the app that he or she has been diagnosed with COVID-19, the app could anonymously send that user’s contacts an “exposure notification” alerting them that they are at risk, without ever sharing identifying information with health officials. The state apps, by contrast, provide information to public health departments in order to supplement manual contact-tracing efforts. Instead of storing a log of “contacts” on each user’s device, location data gets sent to a central government-owned server if individuals test positive for the coronavirus and consent to share their data.
In light of privacy concerns, Google and Apple recently decided to ban GPS location data from contact-tracing apps that rely on their technology. On April 4, the companies said they will not allow the use of GPS location data in conjunction with their new Bluetooth contact-tracing system. In effect, this decision forces states to choose between tracking encounters using Bluetooth and collecting location data, since Bluetooth workarounds to the tech giants’ API would be unstable and would likely miss some encounters. Countries worldwide now face this choice: While Germany has pledged to use Apple and Google’s API, France and the U.K. have shunned the companies’ framework in favor of developing a centralized platform. Likewise, North Dakota, South Dakota and Utah will have to weigh whether to scrap their apps entirely or continue down a separate path from Apple and Google.
But even setting aside these privacy issues, digital contact-tracing efforts cannot single-handedly tamp down the pandemic. Experts have argued that tracing apps will help only if the majority of a population opts in: Researchers at Oxford University’s Big Data Institute showed that, for digital contact tracing to be effective, 80 percent of current smartphone owners would need to use an app and follow its recommendations. And it may not be possible to reach this target in the U.S., as a recent Washington Post-University of Maryland poll found that nearly three in five Americans say they would be either unable or unwilling to use the infection-alert system being developed by Google and Apple. Even in Singapore, only one-fifth of residents have downloaded the country’s TraceTogether app—meaning that in any encounter between two randomly chosen people, there is only a 4 percent chance that both will have the app. The product lead for TraceTogether in Singapore recently wrote: “If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No.” Rather than replacing old-school, shoe-leather contact tracing, in other words, digital contact tracing may work best as a supplement to it.
In fact, most U.S. states are currently prioritizing human-led efforts to track the virus. New York has partnered with New Jersey and Connecticut to launch a tri-state contact-tracing program, and New York City plans to hire 1,000 health workers next month to track cases. Massachusetts has already hired 1,000 tracers, and California plans to build a corps of 10,000 people to follow the trail of coronavirus exposure. And states that have released digital contact-tracing apps are using them mostly to supplement in-person efforts rather than replace them. North Dakota, for instance, has already enlisted 300 contact tracers—the only state that currently meets its estimated contact-tracing needs, according to an NPR survey. In the coming weeks, states will have to decide whether to develop apps that use sensitive location data but can work alongside manual tracing efforts—or to rely on a privacy-preserving approach that won’t mesh as easily with in-person contact tracing.