Countries around the world are scrambling to create contact-tracing apps that will help track the spread of COVID-19. But a beta app launched by the UK this week shows the huge challenges they face and, crucially, the difficulty in designing an effective app without the help of the tech giants that make our phones.
The UK is one of the few countries that has chosen to create a contact-tracing app that is incompatible with the contact-tracing API currently being developed by Google and Apple. Instead of decentralizing the data across devices, the UK will pool the information it collects in a single database operated by the National Health Service, or NHS.
Users who download the app to their phone can voluntarily opt-in to record details of their symptoms when they start to feel unwell.
The app keeps a trace of others who have been in close contact through Bluetooth signals that transmit an anonymous ID. These low energy Bluetooth signals perform a digital “handshake” when two users come into close contact, but keep that data anonymous.
If an individual later reports that they are positive for coronavirus, it will then ping a message to people who have been in close-contact with them in the last 28 days based on their anonymous IDs.
The app will recommend those people self-isolate in case they have contracted the disease. Those contacted won’t know the identity of the person who may have passed on coronavirus.
If the person then takes a test and tests negative, they may be released from their self-isolation by a notification through the app.
For trials on the Isle of Wight, people who voluntarily report their symptoms will be brought a testing kit within 24 hours, the government has said.
The data will not be stored longer than 28 days and the NHSX has said it will be deleted after the app’s use is finished and the pandemic is over.
The core issue is one familiar to mobile security experts app permissions. Contact-tracing apps use Bluetooth to create a log of nearby devices using the app, and, by extension, people with whom users have come into contact. When a user is diagnosed with COVID-19 or starts to show symptoms, they notify their app which then pings the devices of those people. Some apps, like the one built by Singapore, constantly broadcast Bluetooth pings to find nearby devices. Others, like the one built by the UK, try to create active Bluetooth pairings or “handshakes.”
The problem is that both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don’t allow developers to constantly broadcast Bluetooth signals, as that sort of background broadcast has been exploited in the past for targeted advertising. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you’re not looking at the app, then there’s no signal. The latest versions of Android have similar restrictions, only allowing Bluetooth signals to be sent out for a few minutes after an app has closed. Such restrictions will block devices from pinging one another in close quarters, drastically reducing the effectiveness of any contact-tracing app.
Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.
The UK government has implied it’s created some unknown workaround to these issues, and there certainly are subtleties in how these protocols operate that might work in its favor. For example, while iOS devices can’t broadcast Bluetooth signals constantly, they can receive them from older Android devices. Doing so would essentially wake up the software and allow the app to exchange vital data.
Exactly how the UK’s problems will play out is impossible to predict. The beta contact-tracing app is only launching as a small pilot this week in the Isle of Wight, an island with a population of 141,000 off the south coast of England. The UK government still has time to tweak its functionality or switch to a decentralized system, just as Germany did last month. For as coronavirus has shown, although every country has to fight its own idiosyncratic battle with the virus, that doesn’t stop them learning from others.
