Coronavirus contact tracing apps are mobile phone applications that notify users if they have been in close contact with a COVID-19 infected individual and whether they are at risk of being infected themselves (though the principle is potentially of wider applicability). The app can then advise the user to get tested and to self-isolate (or any other advice that the app developer wishes to disseminate). Contact tracing apps are seen as vital to mitigate the spread of COVID-19 and ease lockdown restrictions. The UK’s National Health Service is planning to release its app by the end of May, with testing already underway in the population on the Isle of Wight. Some countries such as South Korea, China and Australia have already deployed their apps.
In this article we will discuss:
- How contact tracing apps work
- The two approaches used in contact tracing
- The decentralised approach
- The centralised approach
- The implications tracing apps have for data protection and privacy
How contact tracing apps work
Bluetooth Low Energy
Tracing apps work using a technology called Bluetooth Low Energy (BLE), which is a wireless means of communication across short distances, typically up to 30 metres, with a lower power consumption than traditional Bluetooth.
Let us take the example of Alice and Bob. Suppose Alice is a symptomless COVID-19 carrier whereas Bob does not carry the virus. Throughout the day Alice comes into contact with many other people, including Bob. When Alice and Bob are within a short distance of one another, for example 2 metres, their mobile phones exchange “Bluetooth Identifiers”. Bluetooth Identifiers are random, anonymous numbers emitted by every user’s phone, and they change every few minutes. Each phone stores a log of all the Bluetooth Identifiers it has picked up throughout the day. If Alice then develops symptoms of the virus she may ask for a test. If she discovers she is infected, she records it in the app. The app then sends a notification to all the other phones (including Bob’s) which have crossed paths with hers. It does this by checking the log of Bluetooth Identifiers stored on Alice’s phone and looking up those identifiers in a centralised or decentralised database. The notifications could advise at-risk individuals to get tested and self-isolate to stop the spread of the virus, and could vary based on the extent of the recorded contact between Alice and Bob. (See figure 1 for explanation.) No information about the time, place, date or carrier of the virus is given, so the notifications are effectively anonymous insofar as they are presented to the app user.
There is another means of contact tracing using Global Positioning System (GPS) however BLE is considered far superior for the following reasons:
- BLE is more precise. GPS cannot resolve distances of around 2 metres or less, which is the distance said to be of concern as regards the transmission of COVID-19. Therefore people who are, for example, 50 metres apart could show up as false positives using GPS even though they are too far away to transfer the virus. Bluetooth only has a maximum range of 30 metres and, in addition, the signal strength increases with proximity, which can be used to estimate how close two people are to one another within that range.
- BLE is better for data privacy. GPS is intrusive because it actually tracks a user’s movements whereas BLE just tells you whether you have been close to another person at some point. In Europe, tracking the movement of an individual is considered superfluous to the purpose of the app and goes against inter alia Article 5(1)(c) of the GDPR, which promotes data minimisation.
- BLE is better equipped to deal with encounters in multi-storey buildings, in which many people work and live. GPS could misinterpret these people as being in close contact with one another when, in fact, one person could be on the ground floor and another could be on the 10th floor (and have no chance of being infected). The limited range of BLE is again an asset in such circumstances, as is the fact that BLE is ‘phone-to-phone’ rather than ‘phone-to-satellite’, enabling more accurate estimation of vertical distances. BLE is not perfect as it may still identify a false positive from two people in neighbouring but separate rooms; however, it still provides a better estimate compared to GPS.
- BLE is more power efficient and prolongs mobile phone battery life.
For the reasons above, at present no country is using GPS as part of a contact tracing app.
The two approaches: centralised and de-centralised
There are two approaches to connecting Bluetooth identifiers to individual phones, which differ in their approach to data privacy. Although both approaches are legal and both obey GDPR, the de-centralised approach is claimed to be more respectful of individual privacy than the centralised approach.
In the centralised approach all Bluetooth identifiers from every phone using the app are uploaded to a central server regardless of whether a person is a carrier of the virus or not. In the example, Alice’s and Bob’s phone would both automatically upload their identifiers to a central server every day. If Alice is diagnosed with the virus then she informs the app and this is relayed to the central server. It is then the central server’s job to match up which Bluetooth identifiers were exchanged with Alice’s phone (which in turn shows which other phones were in close proximity to Alice, and potentially how close they were).
In the decentralised approach, if Alice and Bob come into contact and neither tests positive for COVID-19 then none of their Bluetooth Identifiers are uploaded to a central server. It is only if and when Alice determines that she is positive for COVID-19 that her own Bluetooth identifiers are uploaded to the central server. Bob’s Bluetooth identifiers remain stored on his phone, however, and are not uploaded to the central server because he has not had a positive diagnosis. Instead, to establish any matches (and thus establish who has been in close proximity to Alice), Alice’s Bluetooth identifiers are broadcast to every user with the app. Bob’s app receives Alice’s Bluetooth identifier(s) and matches them against the identifiers stored on his phone, indicating that they came into contact. The app can then tell Bob that he has been in contact with a COVID-19 carrier.
In essence, the de-centralised approach ensures that Bluetooth identifiers are only uploaded if a user is diagnosed with COVID-19. Otherwise the Bluetooth identifiers remain securely stored on the user’s phone.
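The identifier rotation and contact logging described above, and the two matching models just set out, as an added Python simulation that is not code from the article or from any deployed tracing app. The Phone, CentralServer and DecentralisedServer classes, the 15-minute rotation interval, the signal-strength threshold standing in for "within about 2 metres" and the 15-minute contact duration are all assumptions made for this example; the day's encounters are constructed. The point it makes concrete is the one in the text: both models flag Bob and clear Carol, but the centralised server ends up holding every identifier of every user, while the decentralised server only ever holds Alice's.

```python
import secrets
from dataclasses import dataclass, field

# Assumed parameters for this example (not taken from any real app).
ROTATION_MINUTES = 15      # how often a phone changes its identifier
RSSI_THRESHOLD = -70       # signal strength treated as "near" (about 2 metres)
MIN_CONTACT_MINUTES = 15   # minimum duration at near range to count as close contact


@dataclass
class Phone:
    owner: str
    own_ids: dict = field(default_factory=dict)   # rotation slot -> identifier broadcast
    seen: dict = field(default_factory=dict)      # identifier heard -> [(minute, rssi), ...]

    def current_id(self, minute):
        """Random identifier broadcast during this rotation slot."""
        slot = minute // ROTATION_MINUTES
        if slot not in self.own_ids:
            self.own_ids[slot] = secrets.token_hex(16)
        return self.own_ids[slot]

    def observe(self, identifier, minute, rssi):
        self.seen.setdefault(identifier, []).append((minute, rssi))


def encounter(a, b, minute, rssi):
    """Both phones log the other's current identifier and the signal strength."""
    a.observe(b.current_id(minute), minute, rssi)
    b.observe(a.current_id(minute), minute, rssi)


def is_close_contact(observations):
    """Close contact = enough distinct minutes heard at near-range signal strength."""
    strong_minutes = {m for m, rssi in observations if rssi >= RSSI_THRESHOLD}
    return len(strong_minutes) >= MIN_CONTACT_MINUTES


class CentralServer:
    """Centralised model: every phone uploads its identifiers and its log daily."""
    def __init__(self):
        self.logs = {}       # owner -> (own identifiers, seen log)
        self.positive = set()

    def upload_daily(self, phone):
        self.logs[phone.owner] = (set(phone.own_ids.values()), dict(phone.seen))

    def report_positive(self, owner):
        self.positive.add(owner)

    def at_risk(self):
        """The server matches, because it holds everyone's logs."""
        result = set()
        for owner in self.positive:
            positive_ids, _ = self.logs[owner]
            for other, (_, seen) in self.logs.items():
                if other == owner:
                    continue
                obs = [o for i in positive_ids for o in seen.get(i, [])]
                if is_close_contact(obs):
                    result.add(other)
        return result

    def identifiers_held(self):
        """Every identifier the server has learned, from any user."""
        held = set()
        for own, seen in self.logs.values():
            held |= own | set(seen)
        return held


class DecentralisedServer:
    """Decentralised model: the server only sees identifiers of diagnosed users."""
    def __init__(self):
        self.published = set()

    def publish_positive(self, phone):
        self.published |= set(phone.own_ids.values())


def local_check(phone, published):
    """Matching happens on the phone; its own log never leaves the device."""
    obs = [o for i in published for o in phone.seen.get(i, [])]
    return is_close_contact(obs)


def run_scenario():
    alice, bob, carol = Phone("Alice"), Phone("Bob"), Phone("Carol")
    # Constructed day: Alice and Bob talk at close range for 20 minutes ...
    for minute in range(600, 620):
        encounter(alice, bob, minute, rssi=-60)
    # ... and Alice and Carol briefly pass at the far side of a room.
    for minute in range(700, 703):
        encounter(alice, carol, minute, rssi=-85)

    central = CentralServer()
    for p in (alice, bob, carol):
        central.upload_daily(p)
    central.report_positive("Alice")

    decentral = DecentralisedServer()
    decentral.publish_positive(alice)          # only Alice's identifiers go up
    decentral_hits = {p.owner for p in (bob, carol)
                      if local_check(p, decentral.published)}

    return {
        "central_at_risk": central.at_risk(),
        "decentral_at_risk": decentral_hits,
        "ids_on_central_server": len(central.identifiers_held()),
        "ids_on_decentral_server": len(decentral.published),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows Bob flagged and Carol cleared under both models (Carol's three weak readings never reach the near-range threshold), while the centralised server holds six distinct identifiers against the decentralised server's three. The thresholds are the knobs a real deployment tunes; the signal-strength filter is what lets BLE avoid the 50-metre false positives the GPS comparison above describes.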
The implications tracing apps have for data protection and privacy
The centralised approach is claimed to be less privacy preserving because the Bluetooth identifiers from every single user are stored in one central location. Accordingly, if the central server is compromised then this data could be leaked. The de-centralised approach is claimed to be more privacy preserving because the data is spread across thousands of users’ mobile phones, only being uploaded to a central server in limited circumstances (and potentially then being quickly erased from the central server once transmitted out to other phones). Therefore, in order to gather the same information a hacker would have to break into the phones of every user of the app, which is plainly more difficult and time consuming (if not impossible).
On the other hand, the centralised approach offers a more complete picture and it could be useful for public health authorities to use the data in other ways, for example to build a social graph of all interactions. This is simply not possible with the de-centralised approach where the data gathered is transient and can only be used for the purpose of providing notifications of contact with an infected individual. The NHSX (the digital arm of the NHS) is planning to use a centralised approach whereas, in contrast, Apple and Google have created an application framework that uses a de-centralised model. This is being used by other European countries, though there is currently a debate among European countries over which approach is better.
The Information Commissioner’s Office and the European Data Protection Board have both said that they marginally prefer the de-centralised model, since it minimises the data collected and left open to potential attack. However, they have also both said that either approach can be consistent with the necessary data protection requirements of Art. 25 (1) of GDPR, which requires data controllers to “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation”.
The UK is currently testing a prototype of an NHSX centralised tracing app which is expected to be rolled out by the end of May. In order to have a significant impact, a team from Oxford University has estimated that 56% of the general population (which equates to 80% of all smartphone users) need to download and use the app. The app will not be compulsory to download and will be ‘opt-in’, meaning consent from the user must be gained before Bluetooth identifiers are sent to the central server.