COVIDSafe was sold as Australia’s ticket out of lockdown. But almost three months since launch in late April, its impact is hard to measure.
Victoria has accessed data from the app almost 400 times, but health authorities are yet to point to any potential COVID-19 exposure that was not picked up by manual contact tracing.
In New South Wales, app data has been extracted 23 times. In one instance, a person whose contact details were unavailable during manual contact tracing was contacted using app data.
But COVIDSafe’s ability to reliably transmit and collect encrypted codes using Bluetooth from other apps remains under scrutiny.
And there is another option.
In May, Google and Apple launched an exposure notification API, or framework, built into their devices’ operating systems that allows health authorities to build their own apps, and ostensibly helps the technology perform better with fewer bugs and workarounds.
Germany and Ireland, as well as a handful of other European countries, have now launched their own COVID-19 exposure notification apps using the Google-Apple framework.
So how do they compare to COVIDSafe?
A centralised or a decentralised model
COVIDSafe and apps built using the Apple-Google API both use Bluetooth to create an encrypted log of random codes from other devices with the app that come into close range.
But Ireland’s COVID Tracker app and Germany’s Corona-Warn-App differ when it comes to the next step.
Broadly, if someone tests positive for the virus and has one of those apps, they can voluntarily make their weeks of random codes available to the exposure notification system.
Each individual app regularly checks the exposure codes they have stored against ones the system has identified as belonging to an infected person.
If there is a match, they receive a warning notification on their phone and can then choose to get in touch with a doctor.
All the data processing is done on the device.
In contrast, if someone with COVIDSafe is diagnosed with the virus, health authorities may ask them to share their app’s data with a central database. Then those random codes will be sorted into close contacts (1.5 metres for upwards of 15 minutes) and used by local health authorities to track potential exposures.
Ireland and Germany’s apps operate more as a warning system and offer much less information to authorities.
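The difference between the two models can be shown in a small simulation. This is an added example, not code from COVIDSafe, the Google-Apple framework or the article: the `Phone` class, the `registry` lookup and the sample encounters are constructed assumptions, and the 1.5 metre / 15 minute threshold is applied on the device as well so the two results can be compared.

```python
import secrets

CLOSE_METRES, CLOSE_MINUTES = 1.5, 15  # close-contact thresholds quoted in the article

class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.sent = []   # random codes this phone has broadcast
        self.heard = []  # (code, metres, minutes) logged from nearby phones

def encounter(a, b, metres, minutes):
    """Simulated Bluetooth exchange: each phone sends a fresh random code."""
    for sender, receiver in ((a, b), (b, a)):
        code = secrets.token_hex(8)
        sender.sent.append(code)
        receiver.heard.append((code, metres, minutes))

def is_close(metres, minutes):
    return metres <= CLOSE_METRES and minutes >= CLOSE_MINUTES

def publish_codes(patient):
    """Decentralised: a positive user volunteers only the codes they sent."""
    return set(patient.sent)

def check_on_device(phone, published):
    """Decentralised: the match runs on the phone; True means show a warning."""
    return any(c in published and is_close(m, t) for c, m, t in phone.heard)

def resolve_centrally(patient, registry):
    """Centralised: the patient's log is uploaded and the server names contacts."""
    return sorted({registry[c] for c, m, t in patient.heard if is_close(m, t)})

def demo():
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    encounter(alice, bob, metres=1.0, minutes=20)    # close contact
    encounter(alice, carol, metres=5.0, minutes=2)   # brief, distant
    # Assumption: the central server can map every code to a registered user.
    registry = {c: p.owner for p in (alice, bob, carol, dave) for c in p.sent}
    published = publish_codes(alice)                 # alice tests positive
    return {
        "server_sees": published,                    # random codes, no identities
        "warned": [p.owner for p in (bob, carol, dave) if check_on_device(p, published)],
        "central_contacts": resolve_centrally(alice, registry),
    }

if __name__ == "__main__":
    print(demo())
```

In the decentralised run the server holds only the positive user's random codes and never learns who was warned; in the centralised run the same encounter log resolves to a named contact.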
That lack of centralised data collection is part of what makes security expert Vanessa Teague, chief executive of Thinking Cybersecurity, believe Australia should move to the Google-Apple API.
“It has this huge privacy advantage,” she said.
And although we do not yet have sufficient empirical data comparing the performance of available models, she suggested it’s likely apps built using the Google-Apple framework will work more reliably than COVIDSafe because the Bluetooth detection technique is built into the devices’ operating systems.
“By work, I mean, when two people are near each other, the likelihood that it exchanges the pings it’s supposed to exchange is likely to be a lot higher,” she said.
Are apps built using the Google-Apple API a success?
Like in Australia, German and Irish authorities have been quick to boast about download figures.
Germany launched its app in mid-June. As of July 23, the Corona-Warn-App has registered 16.2 million downloads, according to the Robert Koch Institute, in a country with a population of more than 80 million.
Ireland’s Health Services told the ABC that almost 1.4 million people have downloaded the app since July 7 — out of almost 5 million people — and 91 COVID Tracker app users have received an exposure alert.
But like in Australia, where the app has been downloaded more than 6 million times, there are few metrics publicly available to understand the app’s contribution to pandemic control, or even how many people have the app open and working each day.
In Germany, about 660 people who were shown to test positive for SARS-CoV-2 had the opportunity to warn others via the app by July 20.
“However, we cannot say exactly how many people were warned because of the decentralized approach of the app,” the president of the Robert Koch Institute Professor Lothar H. Wieler said in a recent statement.
Stephen Farrell, a computer security researcher at Trinity College Dublin, said questions remained for the Australian and European apps when it comes to the ability of Bluetooth to accurately gauge distance — and so, to accurately identify close contacts.
“It suffers the same challenges with Bluetooth proximity detection in terms of making it reliable in all sorts of contexts,” he said. “Handsets in all different positions, in pockets, in handbags … walking, cycling.”
Dr Farrell suggested it will ultimately be difficult to definitively measure the impact of this technology.
We need to know how many people who would have been missed by manual contact tracing are caught by the app, he suggested. And of those people, how many are false positives or true positives.
Privacy concerns remain
As well as privacy bugs found after the launch of COVIDSafe, its centralised method of data collection has been an ongoing focus for security researchers.
But there is also concern in Europe that exposure notification apps built using the Google-Apple API could be used to track location, especially on Android.
The implementation of Bluetooth on Android has long (and wrongly, in her view) been “inextricably linked” to location permissions, Dr Teague said, as some non-contact tracing apps use the technology to work out a user’s location.
For example, Bluetooth beacons in a shopping centre, she said, could be used to serve users with hyper-specific advertising.
“The implication is, if you’re not going to let Google track your location, then you’re not using Bluetooth scanning.”
The Android version of COVIDSafe, as well as apps made using the Google-Apple API, asks for location permission when the app is downloaded — although all insist location is not recorded as part of the contact tracing process.
“In keeping with our privacy commitments for the Exposure Notification API, Google does not receive information about the end user, location data, or information about any other devices the user has been in proximity of,” a Google spokesperson said.
Professor Alexandra Dmitrienko, head of Secure Software Systems Research Group at the University of Würzburg, is troubled that location services must be turned on when using the exposure notification API on Android.
While many people may choose to use products like Google Maps and have location services operating, she suggested those that do not are forced into a choice: allow location permissions when downloading the German app or give up the ability to use your country’s public health app.
As more countries accept the Apple-Google solution, she is also concerned about the control being ceded to the two technology giants.
“As an expert in security and privacy, I see … that we give too much power to two American companies,” she said.
Could Australia move to the Google-Apple API?
As it stands, Australia’s COVIDSafe would have to fundamentally change its approach to use the Google-Apple API.
The companies’ API rules stipulate that a government can only request and not require users to share personal information such as a phone number.
COVIDSafe requires these details upon sign up. Ireland’s COVID Tracker app on the other hand asks only for opt-in metrics.
Minister for Government Services Stuart Robert said the Government is open “to improving [the] technology” if it maintains a key role for health officials in the process.
“The current structure of the Google-Apple API does not do that,” he said.
“We will continue to work with Google and Apple, particularly to see if they can remove their barriers in allowing a sovereign tracing app — that has health professionals at its core — access to improved Bluetooth functionality.”
Ultimately, it may still be too early to say whether any piece of technology can be the pandemic silver bullet so many countries are after.
Professor Dmitrienko thinks it’s too early to know how effective these apps are.
“[The] general opinion is that this technique cannot really replace the manual contact tracing, but it can be complementary,” she said.
But then, there’s the price tag.
By some estimates, COVIDSafe has reportedly cost around $2.75 million in contractors’ fees, not including millions of dollars in advertising costs.
The Irish app cost €850,000 ($1.4 million).