Contact tracing is an essential part of any strategy to halt the spread of Covid-19 and ease the restrictions on how people go about their lives.
Working outwards from confirmed cases to find and isolate other people who may have been exposed is standard procedure for dealing with infectious diseases. But the way contact tracing is done is evolving, and one of the big questions in the current debate is about the role of apps running on the public’s phones.
Complements, not substitutes
Both automated and manual approaches to contact tracing have their advantages, and they should be seen as complementary parts of a wider public health strategy.
The manual approach relies on using trained contact tracers to interview infected people, in order to establish where they have been and who they have come into contact with. They then try to track down and alert those people before they go on to infect others. The big advantage of manual tracing is context. For example, human contact tracers can ask you important questions to inform their risk assessments, such as whether you were wearing a mask, or if contact happened indoors or outdoors.
An automated approach relies on technology to capture occasions when people have been in close proximity, and then uses this data to alert people if someone they have previously been near becomes infected. The big advantage of automated tracing is speed. Notifications propagate quickly because they can be sent directly to people using the app, which helps keep pace with how fast the disease spreads. Apps also increase coverage – without them, it would be almost impossible to track down all the people someone shared a bus or train journey with.
It’s important to remember that any contact tracing programme involves an element of intrusion. This is true whether it relies on human interviewers, or an app, or both. But there are different options for implementing contact-tracing apps, with different implications for what data they collect and how well they are likely to work.
App design: user-centric or system-centric?
There are two main approaches to contact-tracing apps. This table provides an overview of their main features and how they differ.
Option A: User-centric, distributed trust
Option B: System-centric, centralised trust
1. Day-to-day use
A: Nothing for me to do, it just works – e.g. like the step counter or payment wallet built into my phone’s software. No material impact on battery life.
B: May require the app to be kept running (possibly in the background), or to be kept awake by other phones nearby. Unknown impact on battery life.
2. What my phone emits
A: Random Bluetooth identifiers generated by my phone. Changed often with no pattern. Potentially interoperable between apps and countries.
B: Random Bluetooth identifiers issued by a central system. Changed often but can be linked on the central system. Designed for a single system/country.
3. Submitting my diagnosis
A: First consult my health authority using the normal channels to review my symptoms and/or get tested. Then receive a one-time code from them, which I must enter in the app to confirm a diagnosis.
B: Self-report my diagnosis based on answering a questionnaire in the app, or by adding a test result. Add other information to my profile e.g. location, symptoms, possibly other data if requested.
4. Sharing data
A: If I’m diagnosed, send a list of my phone’s recent identifiers to a server for other phones to download.
B: If I’m diagnosed, send the identifiers from all the other phones that my phone has seen to the central system.
5. Notifying users
A: Each phone independently compares the list of published identifiers to its own, private proximity records. If these exceed a risk threshold, the phone alerts its user.
B: Central system builds up a map of all users and their proximity over time based on received identifiers. System sends alerts to users exceeding a risk threshold.
6. Fixing false alarms
A: If a subsequent test comes back negative, enter another one-time code to recall my identifiers. Other users’ phones automatically revert to all clear.
B: If a subsequent test comes back negative, add this to my profile on the central system. Central system cascades the all-clear to other users.
7. Updating the risk model
A: Push app updates to end users as required.
B: Alter the software parameters on the central system.
User-centric options typically distribute trust throughout the population, relying on confirmed diagnoses or tests and limiting the amount of information held in any one place whilst still enabling notifications of potential exposure. Apps using this approach are often described as “decentralised”.
System-centric options typically centralise trust in a system operated by a health authority or other government institution. They rely on building up an overview of all the data about people’s interactions in order to decide who to notify. Apps using this approach are often described as “centralised”.
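An added example (not from the original article, nor code from any of the apps it discusses): a small Python simulation of rows 2, 4 and 5 of the table, showing what the server ends up holding under each option. The class and function names, the three users, the encounter lengths and the threshold of 3 intervals are all assumptions made for illustration.

```python
import secrets
from collections import Counter
RISK_THRESHOLD = 3  # assumed: intervals in proximity needed to trigger an alert

class Phone:
    def __init__(self, name, new_id=lambda: secrets.token_hex(16)):
        self.name, self.new_id = name, new_id
        self.sent = []         # identifiers this phone has emitted
        self.seen = Counter()  # private record: identifier -> intervals nearby
    def broadcast(self):
        self.sent.append(self.new_id())
        return self.sent[-1]

def meet(a, b, intervals):  # constructed encounter; identifiers rotate each interval
    for _ in range(intervals):
        b.seen[a.broadcast()] += 1
        a.seen[b.broadcast()] += 1

def user_centric():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for other, n in ((bob, 4), (carol, 1)):
        meet(alice, other, n)
    published = set(alice.sent)  # option A: diagnosed phone uploads only its own identifiers
    # Each phone matches the published list against its own private records.
    alerts = {p.name for p in (bob, carol)
              if sum(n for rid, n in p.seen.items() if rid in published) >= RISK_THRESHOLD}
    return published, alerts

class CentralSystem:
    def __init__(self):
        self.owner = {}         # identifier -> user: the system can link identifiers
        self.graph = Counter()  # (reporter, contact) -> intervals nearby
    def issue(self, user):
        rid = secrets.token_hex(16)
        self.owner[rid] = user
        return rid
    def report(self, phone):    # option B: diagnosed phone uploads what it has seen
        for rid, n in phone.seen.items():
            self.graph[(phone.name, self.owner[rid])] += n
        return {c for (u, c), n in self.graph.items()
                if u == phone.name and n >= RISK_THRESHOLD}

def system_centric():
    central = CentralSystem()
    alice, bob, carol = (Phone(n, lambda n=n: central.issue(n)) for n in ("alice", "bob", "carol"))
    for other, n in ((bob, 4), (carol, 1)):
        meet(alice, other, n)
    alerts = central.report(alice)
    return dict(central.graph), alerts
```

Both designs alert the same user, but in the first the server holds only a set of opaque identifiers, while in the second it holds a named proximity graph.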
People value convenience
Contact-tracing apps are most effective when deployed at scale. The primary consideration must therefore be to deliver an app that is easy for people to use and robust to the messy reality of how people use their phones as they go about their daily lives.
Some of the first contact-tracing apps struggled on this front. The first releases of Singapore’s TraceTogether app required iPhone users to keep the app open and their phone unlocked. Australia’s new CovidSafe app has also run into similar problems.
The exposure notification system being deployed by Apple and Google tackles this challenge head on, by integrating the core technical functionality directly into the smartphone operating system. People who own an iOS or Android device simply opt in to the exposure notification system when their phone gets its next software update. They can then be prompted to install an approved app from their health authority to receive official information and advice.
The tech companies have released sample code and user interfaces for apps using their exposure notification system, including examples of the different alerts that can be shown and which API calls should be made. An increasing number of countries are adopting this approach, including Germany, Italy, Switzerland, Austria and Estonia. Singapore is re-working its app to take advantage of the Apple and Google exposure notification system, and Australia is also reported to be moving in the same direction.
However, some countries – most notably the UK and France – have rejected Apple and Google’s system. The debate comes down to the ground rules that the tech companies have set for apps using their system. Their frame of reference is customers, and they therefore prioritise user-centric issues like privacy and security. In practical terms this means matching data on devices rather than a central system, and a pledge to shut the system down once the public-health crisis has passed.
Go your own way
Rejecting the Apple and Google framework comes at the cost of increasing friction for end users. This is likely to have a direct effect on usability and hence take-up. Nevertheless, there are reasons why countries may still prefer to pursue a system-centric approach.
First, a centralised approach is more likely to maximise public-health insights. For public-health practitioners, having visibility over both diagnoses and a proximity graph provides a new source of data that may aid understanding of how infections are spreading. This in turn may improve the authorities’ ability to respond to the crisis. The technical director of the National Cyber Security Centre (NCSC) notes this as a factor that has influenced the UK’s approach.
Second, centralisation may be a by-product of limited testing capacity. If a health-care system doesn’t have enough bandwidth to quickly and reliably test large numbers of people, then it will be necessary for users to self-diagnose. Left unaddressed this could become problematic – either because the system risks being swamped by a large volume of false positives, or because it is open to abuse from people maliciously self-reporting. The response to these problems is central oversight, in order to detect and eliminate incorrect diagnoses, spurious correlations and other sources of false positives. If a health authority can credibly perform this function by analysing the accumulated data of everyone’s interactions, this may be enough for people to trust the alerts they receive.
Much of the debate about contact-tracing apps has focused on the privacy implications of a system-centric approach. The strongest critics argue that although an approach like the UK’s starts out anonymous, individuals can easily be re-identified in the large linked datasets the system will hold. This opens up a number of risks relating to privacy, cyber security and mission creep that are simply not present under the user-centric alternative. There are also questions about what legal safeguards need to be put in place.
These risks are real, but as ever must be balanced against the wider risks to public health from the spread of Covid-19. The public-health experts and technologists involved in the UK app will understandably be optimising for insights and control, and the design choices they have made reflect a genuine belief that a system-centric approach will best achieve this.
In the end, the critical success factor for any contact-tracing app is take-up, and this is where the biggest risks lie for the UK in the weeks ahead. If people don’t actually use the app, then its benefits will remain theoretical, regardless of how it works.
Despite the high-profile arguments about privacy and trust in recent days, in practical terms this may turn out to be a second-order question. It seems plausible that most people have more confidence in Apple and Google when it comes to designing apps. But it’s also likely that most people trust the NHS to have our best interests at heart and to do what they believe to be right when it comes to protecting public health.
Of course some people will remain sceptical about the government’s motives for accumulating new stores of sensitive data, or their competence in analysing and securing it.
But for most people, the biggest influence on downloading and using the app will be whether it works seamlessly and reliably. A direct consequence of rejecting the Apple and Google system is that the UK app has to deploy various technical workarounds to ensure that it keeps operating when people switch to another app or lock their phone. Thus far the government has asserted that it has a way to make the app work “sufficiently well”. But there are reports that this approach may fail in some cases, and the impact on battery life remains unknown.
There are also growing concerns about international interoperability. Because all apps built on the Apple and Google system will share the same underlying architecture, it should be straightforward for compatible apps to support people visiting different countries. For countries choosing a proprietary approach, however, it is far less clear what form of interoperability might be feasible. In the UK this gives rise to particular concerns about people’s ability to move freely across the Northern Ireland border.
What the UK should do next
It remains to be seen how successful the UK app – or indeed others – will be at reducing the spread of the virus and ultimately saving lives. But what is clear is that the choices countries make around contact-tracing apps really matter. Any app must strike the right balance between utility and privacy, and quickly achieve uptake on a large scale.
We should know a lot more about the practical consequences of the UK approach following the trial currently underway on the Isle of Wight. In the meantime, there are three things the UK government can do immediately to increase its chances of success.
Immediately prepare an alternative app based on the Apple and Google exposure notification system. It is clear that this approach has the lowest friction for users and hence the best chances of high uptake. Sample code, user interface elements and documentation are also now all available from the tech companies. If the trials reveal any material technical or usability problems stemming from the UK’s original approach or workarounds, then there must be an alternative ready for immediate deployment.
Be straightforward with the public about the trade-offs. The debate about privacy has consumed a huge amount of energy, and continued attempts by the government to rebut criticism from credible technology experts risk backfiring with the public. If the UK continues with a centralised approach to its app, those in charge should be much more upfront about the risks and benefits, and publish the analysis that supports their conclusion.
Situate the app more clearly in the wider response to Covid-19. Whatever approach is chosen for the app must complement human contact-tracing efforts and be calibrated for testing capacity. The government must not rely solely on the app, or allow a lack of testing capacity to drive fundamental design decisions that in turn limit uptake.