Updated: Oct 18, 2021
Due to the COVID-19 pandemic, countries around the world have been feverishly looking for solutions to flatten the curve, including the development of contact tracing apps. By identifying people who have been in contact with infected individuals and testing them for COVID-19, asymptomatic spread can possibly be reduced. However, such apps have attracted controversy because of the potential risks to informational privacy, excessive surveillance, and habituation to security policies. Not all contact tracing apps are implemented identically; they vary drastically in execution in terms of transparency, data collection, and whether they are voluntary or mandatory.
Critiques of Contact Tracing Apps
Countries such as China and Qatar have chosen to make downloading contact tracing apps compulsory. In fact, in Qatar, refusing to do so carries a potential three-year prison sentence, as well as a $55,000 fine. In China, a mandatory contact tracing app has helped ease lockdowns and reopen the economy more quickly. Meanwhile, Qatar’s contact tracing app could be viewed as an example of the dangers governments put their citizens into by hastily pushing forth poorly designed apps.
Amnesty International was able to find a critical flaw in Qatar’s contact tracing app regarding easily guessable National ID numbers. These numbers were used to access QR codes with personalized information; if left unfixed, the flaw could leave up to one million users at risk of cyber attackers hijacking highly sensitive personal information, including their name, national ID, health status, and location data.
Critics of contact tracing apps mention the many barriers that they face regarding their effectiveness. For one, they need to be almost ubiquitous; Oxford University has quantified this magic figure at around 60% of the population.
Many people have misrepresented this percentage, taking it out of context to push forward the notion that any usage rate other than this figure renders the whole application’s contribution null. However, the Oxford study points out that lower rates of usage can still have a positive effect when used in conjunction with other preventative measures such as social distancing and manual contact tracing. That being said, if only a small portion of the people an app user comes into contact with downloads the app, it could be potentially harmful. This is because the app could potentially instill a false sense of security in the user.
An argument can be made for the unwillingness to share data due to privacy concerns, considering that only four random data points can be used to completely deanonymize 95% of users. Individuals may also have worries about the repurposing of collected data post-pandemic. Due to this, nations such as the U.K. are deciding to set fixed time clauses on current emergency powers, with periodical renewal checkpoints. In contrast to this, an argument can also be made in favor of decentralized contact tracing apps being relatively safe, due to the tokenization of the information transmitted between devices.
Use of Bluetooth Technology in Contact Tracing Apps
Much discussion has occurred over how a contact tracing app would best identify individuals at risk of infection through contact with someone who has tested positive. Various countries, such as Norway, decided to use live tracking of users’ locations by frequently uploading GPS coordinates to a central server. However, Bluetooth has arguably emerged as the optimal method, having been implemented in apps such as Singapore’s Trace Together and Australia’s COVIDSafe. This is primarily because it is one of the least intrusive forms of tracking, on the basis that it uses proximity to other devices rather than storing your unique location like a GPS or cell tower would.
A specific subset of Bluetooth protocols known as Bluetooth Low Energy (BLE) has been utilized in many contact tracing apps. BLE signaling in the context of COVID-19 contact tracing is done through “advertisements”, or broadcasts (typically fewer than 500 bits) from a device at fixed time intervals of 250 ms. Such adverts contain crucial information including device type and a Universally Unique Identifier (UUID), a 128-bit series of numbers that is either pseudo-randomly generated or derived from a device property. UUIDs are especially useful due to their low probability of repetition, which makes them an ideal way of consistently identifying a single device.
However, Bluetooth has the potential to pose security risks for contact-tracing apps. Two kinds of malicious attacks using Bluetooth networking are bluesnarfing, which refers to a hacker gaining unauthorized access to information on a device through Bluetooth, and bluebugging, which is when an attacker takes over your mobile phone and all its functions.
Skepticism Remains in the General Public’s Views of Contact Tracing Apps
Countries such as Australia have tried to build trust with the general public by enacting the Privacy Amendment (Public Health Contact Information) Bill. This bill introduces strict penalties such as up to five years of jail time for decryption or disclosure of any data sent through their app for any purposes other than contact tracing. However, apart from privacy concerns, questions have also been raised about the general effectiveness of their app COVIDSafe. Speculation has been rising with videos being published online claiming that the app cannot send and receive encrypted identifiers and, therefore, cannot log contacts without it being unlocked on both phones. Chief Randall Brugeaud of the Digital Transformation Agency rejected these claims, but admitted the Bluetooth signal strength and app performance were variable depending on the recency of the phone model it was downloaded on.
General public perception of contact tracing apps in the U.S. is similarly skeptical. According to a national study of 2,000 Americans, only 42% of respondents approved of the government encouraging the use of contact tracing apps, and only 36% of respondents favored a government-mandated version. In the same study, Americans were five percentage points more likely to support a decentralized version of a contact tracing app.
A centralized data storage system would send an infected person’s anonymized ID and all the key codes that their phone recently received to a federal or state-owned database. This ensures that it is within the government’s jurisdiction to match contacts and notify those in contact with an infected individual. On the other hand, under a decentralized system, when an infected person reports to the app, only their anonymized ID will be sent to a central database. Other users’ phones would download this database on a recurring basis, and contact matching would be done locally on users’ phones rather than via a central server. However, with a decentralized system, what is gained in privacy protections and potentially greater public trust may be lost in government insight about the spread of the virus.
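The two reporting flows described above, as an added Python example that is not code from COVIDWISE or from Apple and Google. The key derivation (HMAC-SHA256 over a 15-minute interval counter) and all names are assumptions chosen to show what each flow reveals to the server.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumption: the broadcast identifier rotates every 15 minutes


def rotating_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the short-lived identifier broadcast during one interval."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = secrets.token_bytes(16)  # stays on the phone unless reported
        self.heard = set()                        # identifiers received over BLE

    def broadcast(self, interval: int) -> bytes:
        return rotating_id(self.daily_key, interval)

    def receive(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def decentralized_report(self):
        # Only the reporter's own key is uploaded; the contact log stays local.
        return [self.daily_key]

    def centralized_report(self):
        # The server gets the reporter's key plus every identifier it heard.
        return self.daily_key, set(self.heard)

    def check_exposure(self, published_keys) -> int:
        """Local matching: count heard identifiers derivable from published keys."""
        derived = {rotating_id(k, i) for k in published_keys
                   for i in range(INTERVALS_PER_DAY)}
        return len(self.heard & derived)


def simulate():
    # Constructed scenario: Alice and Bob meet for two intervals; Carol meets no one.
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (10, 11):
        bob.receive(alice.broadcast(interval))
        alice.receive(bob.broadcast(interval))
    published = alice.decentralized_report()      # Alice tests positive
    _, server_view = alice.centralized_report()   # what a central server would hold
    return {"bob": bob.check_exposure(published),
            "carol": carol.check_exposure(published),
            "server_sees_bob_ids": len(server_view)}
```

In the decentralized flow Bob learns of his exposure without the server ever receiving his identifiers; in the centralized flow the server holds two of them.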
COVIDWISE: The U.S.’s First Contact Tracing App
COVIDWISE, the first contact tracing app in the country, was developed in Virginia using technology from Apple and Google. The state utilized around $229,000 of federal COVID-19 relief funding to develop and launch the app. As of August 25th, over 430,000 people have downloaded it, approximately 10% of the 18-65 population in VA with a smartphone. For COVIDWISE specifically, the Virginia Department of Health has defined a “close contact” as exposure to an infected person within 6 feet of distance for around 25 minutes. If this were to occur, an automated notification would be sent to these individuals at risk of infection using the aforementioned BLE technology.
To confirm a positive test case, the app will require the user to input a six-digit PIN issued by the State Department of Health. This means that the app will be of limited use to non-Virginia residents, but proposals have been put forward to create a national server for interoperability between different states’ contact tracing apps. The Association of Public Health Laboratories is championing the effort to construct a national key server on behalf of the public health community, to allow states to deploy contact tracing apps more quickly, and for exposure notifications to be extended to inter-state travel.
How Much Exposure Could Contact Tracing Apps Catch?
According to Pew Research Center, around 81% of U.S. adults currently own a smartphone. Using Metcalfe’s Law, which states that the value of a telecommunications network is proportional to the square of the number of the users of the system (n²), approximately 65% of total exposure could potentially be caught using the contact tracing application. Since a network node can’t connect to itself, the actual formula used to calculate this figure is n(n-1)/2. The 65% figure should be taken with a grain of salt, however. It is unreasonable to assume everyone with a smartphone inherently chooses to download the app, whether this is due to privacy concerns or lack of knowledge about its existence. A mandatory compulsion order to download the app would also face heavy backlash in the U.S. and possibly be viewed as an extreme form of authoritarianism. Therefore, it is safe to assume this maximum amount of caught exposure would be far from the actual percentage in reality.
Through Teen Lenses: What are your initial thoughts on contact tracing apps such as COVID-WISE? Do you think the possible benefits in slowing the spread of COVID are worth possibly setting unwanted precedents for data collection and surveillance?
“Initially, I assumed the app, COVIDWISE, would take our personal data and ultimately track our location, so I was skeptical. However, I did more research into the app, how it works, and I think it is worth it. From what the creators of the app explained, it seems safe since the app doesn’t require you to input your identity. In my opinion, I believe this app will help slow the spread of COVID-19 and/or at the very least make contact tracing much easier. The only thing is, the majority of Virginians will have to contribute by downloading the app to see a significant difference when tackling this virus.” Trinity Taylor, 16, Rising Junior, Thomas Edison High School, Alexandria, VA
“Contact tracing apps are unreliable and pose major threats to our privacy rights. I’m skeptical that the data collected through Bluetooth will be stored securely enough to not risk hackers taking our personal information. Not enough people will use it if it is voluntary to make a dent in the spread of the virus, and there is no way it can be government mandated in the U.S. because this would be too authoritarian to be allowed. This app will also give people false senses of security when in reality the only way to truly stop the spread of the virus is protecting yourself by quarantining and taking necessary precautions when leaving your house.” Nour, Rising Junior, Lewis High School, Springfield, VA
“I think it’s a great concept and could be really helpful if used widely enough. We give away our privacy for the sake of convenience every day, and COVIDWISE doesn’t even ask you to make that sacrifice, all the while helping to keep you safe. It doesn’t ask for any permissions and is keen on making sure the users understand their privacy is being completely protected. Even though it’s not perfect, it still will have a positive impact on slowing the spread, and I hope that it’s as respectful of privacy as it’s advertised to be.” Ghalia Alsadig, Rising Sophomore, Hayfield High School, Alexandria, VA