Since this COVID-19 crisis began people have looked to technology to assist in contact tracing and notification. Technology will never be a silver bullet to solve a deeply human crisis, even if it might assist. No app will work absent widespread testing with human follow up. Smartphones are not in the hands of everyone, so app-based COVID-19 assistance can reinforce or exacerbate existing social inequalities.
De-centralized Bluetooth proximity tracking is the most promising approach so far to automated COVID-19 exposure notification. Most prominently, back in April, Apple and Google unveiled a Bluetooth exposure notification API for detecting whether you were in proximity to someone with COVID-19, and sending you a notice.
Over the last month, we have seen a number of contact tracing and exposure notification apps released, including several from public health authorities using the Google-Apple Exposure Notification (GAEN) Bluetooth proximity technology. These include North Dakota Care19, Wyoming Care19 Alert, Alabama Guidesafe, and Nevada COVID Trace. Some, like Canada’s Covid Alert and Virginia Covidwise, have gotten good reviews for privacy and security.
Other new apps are more concerning. Albion College required students to download and install a private party tracking app called Aura, which uses GPS location data and had security flaws. Citizen, a very popular safety alert app, has added a Bluetooth-based SafePath technology. Since Citizen itself uses GPS, this raises the risk of connecting the location data to the COVID-19 data. To mitigate this concern on iOS, one has to use an add-on app, SafeTrace, which will separate the GPS used by Citizen and the bluetooth data from SafeTrace, but the technology is integrated in Android.
Ultimately, many people may end up participating without choosing an app. Last week, Apple rolled out iOS 13.7 which allows users to choose to participate in the Apple-Google Bluetooth exposure notification system without an app, via Exposure Notifications Express (ESE). Google will be implementing a similar technology in Android 6.0 later this month, creating an auto-generated app for the local public health authority. Independent apps will still be allowed to use the GAEN system, but the easy path for most smartphone users will be to the Apple-Google ESE system.
Whether considering a new app or the app-less system, we must not lose sight of the challenges of proximity apps, and be sure they are safe, secure and respect fundamental human rights. In summary, consent is critical, no one should be forced to use the app, and users should be able to opt-in and opt-out as needed. Strong privacy and security safeguards are also necessary. Fear of disclosure of your proximity or, worse, your location data, could harm effectiveness (insufficient adoption) and chill expressive activity. All exposure notification technologies need rigorous security testing and data minimization.