Contact tracing apps have a crucial role to play in combating COVID-19, but are we sacrificing our privacy in the process?
Public interest vs. civil liberties: The great contact tracing debate
Contact tracing may be our best bet in containing the Covid-19 pandemic and getting back to some form of normal. Contact tracing can be extremely effective in identifying and isolating individuals who may have been exposed to the virus. Government health agencies and private app developers across the globe have rolled out contact tracing apps to digitize the process in hopes of increasing its efficiency in response to the Covid-19 crisis.
How do they work?
Contact tracing apps work by leveraging the Bluetooth functionality or location services (such as GPS), sometimes both, on a user's device to determine proximity to other mobile phones running the same app. In China, for example, QR codes are scanned basically anywhere individuals may go, and are used to track their movements. Some apps also rely on location data directly from telecom providers, but Bluetooth is the least invasive.
This proximity data is then recorded by each of the devices running the app that come within a certain radius of one another for a sustained period. If a user ends up testing positive for Covid-19, they can let their app know. Any user whose phone had recorded contact with the infected user's phone in the preceding days would then get an alert notifying them that they had been in close proximity to someone infected with Covid-19. The alert would also advise the user to self-isolate to limit the further spread of the virus.
These apps can be crucial in combating the spread of Covid-19 by urging those who may have been exposed to the virus to isolate themselves from others.
The downside is that contact tracing apps potentially pose considerable privacy concerns. This means it is important for governments and app developers not to lose sight of protecting user privacy and not to verge into what could amount to surveillance.
There is concern that contact tracing apps can set a precedent for extended government monitoring practices that go well beyond the scope and timeline of the current crisis. This is why these measures, as important as they are right now, should be temporary in nature and limit data collection to only what is necessary for the explicit purpose of the applications' functionality.
Privacy is crucial when deploying technological solutions that involve the processing of sensitive personal data. We investigated over sixty different contact tracing apps to determine whether they appropriately protect the privacy of users. Some had strong privacy protections, others had weak privacy protections, but most were somewhere in the middle.
Contact tracing apps around the world
We've created a table and assigned each app a "Privacy Score" out of a possible 10.
Country | App | Privacy Score | How Does It Work | Mandatory | Released | Data Collected | Who Accesses Data | Where Is Data Stored | Privacy Framework |
---|---|---|---|---|---|---|---|---|---|
Brazil | Coronavirus - SUS (Official National App) | 8 | Bluetooth | No | Yes | None | Ministry of Health | User's Device (can submit) | Apple/Google |
Bulgaria | ViruSafe | 1 | GPS | No | Yes | Contact Details, Location, Demographic Information, Health Information | Health Officials | Centralized Servers | No |
Canada | COVID Alert (Official National App) | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | Apple/Google Framework |
China | Alipay Health Code | 0 | QR codes/User reported location info | Yes | Yes | Contact Details, Location, Medical Information, Demographic Information, Travel Information | Government, Law Enforcement | Centralized Servers | No |
Colombia | CoronApp | 1 | Self-reported data, location data | No | Yes | Contact Details, Location, Medical Information, Demographic Information, Travel Information | Health Officials | Centralized Servers | No |
Cyprus | CovTracer | 0 | GPS | No | Yes | Location, Contact Details, Demographic Information, Health Information | Research Centre of Excellence on Information and Communication Technologies | User's Device (can submit) | No |
Czech Republic | eRouška | 5 | Bluetooth | No | Yes | Contact Details | Health Officials | User's Device (can submit) | No |
Estonia | Hoia | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | DP-3T/Apple & Google |
EU | COVID19 Alert | 6 | Bluetooth | No | No | None | Relevant Official Body | User's Device (can submit) | No |
Finland | Koronavilkku | 6 | Bluetooth | No | Yes | Phone number, Anonymized IDs | Social Insurance Institution | User's Device (can submit) | Apple/Google |
France | StopCovid (Rebranded as TousAntiCovid) (Official National App) | 4 | Bluetooth | No | Yes | User ID, Demographic Information | Third-party hosting provider | Centralized Servers | ROBERT Protocol |
Georgia | Stop Covid/NOVID20 | 2 | Bluetooth/GPS location data | No | Yes | Contact Details, Location, Device Information | Relevant Official Body | User's Device (can submit) | No |
Germany | Ito | 9 | Bluetooth | No | Yes | None | Health Officials | User's Device | TCN |
Ghana | GH COVID-19 Tracker App | 0 | Bluetooth/GPS location services/Self-reported data | No | Yes | Contact Details, Location, Demographic Information | Government | Centralized Servers | No |
Gibraltar | Beat Covid Gibraltar | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | Apple/Google Framework |
Hungary | VirusRadar | 4 | Bluetooth | No | Yes | Contact Details | Public Health Officials | Centralized Servers | No |
Iceland | Rakning C-19 | 2 | Location data | No | Yes | Contact Details, Location | Relevant Official Body | User's Device (can submit) | No |
India | Aarogya Setu | 0 | Bluetooth/GPS location tracking | No | Yes | Contact Details, Location, Demographic, Travel Information | Government | Centralized Servers | No |
Indonesia | PeduliLindungi | 3 | Bluetooth | No | Yes | Contact Details, Device Information | Relevant Official Body | Centralized Servers | No |
Ireland | COVID Tracker App | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | Apple/Google |
Israel | HaMagen | 2 | GPS location tracking | No | Yes | Location | Health Officials | User's Device (can submit) | No |
Italy | Immuni (Official National App) | 7 | Bluetooth | No | Yes | Demographic Information, IP address | Health Officials | User's Device (can submit) | Apple/Google |
Japan | Contact-Confirmation Application (COCOA) (Official National App) | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | Apple/Google |
Jersey | Jersey Covid Alert | Bluetooth | No | unknown | unknown | Apple/Google Framework | |||
Jordan | Aman | 2 | GPS/Bluetooth | No | Yes | Location | Health Officials | User's Device (can submit) | No |
Kuwait | Shlonik | 0 | GPS | No | Yes | Location, National ID number | Health Officials, Central Agency of Information, Telecom Provider | Centralized Servers | No |
Latvia | Apturi Covid | 7 | Bluetooth | No | Yes | Contact Details | Health Officials | User's Device | Apple/Google Framework |
Malaysia | MyTrace | 5 | Bluetooth | No | Yes | None | Ministry of Health | Centralized Servers | No |
Morocco | Trackorona | 1 | Unknown | No | Yes | Undisclosed | Relevant Official Body | Undisclosed | No |
Netherlands | CoronaMelder | 6 | Bluetooth | No | No | None | Unknown at this time | User's Device | DP-3T |
New Zealand | NZ Covid Tracer | 1 | QR Codes | No | Yes | Contact Details, Demographic Information | NZ Ministry of Health | Centralized Servers | No |
North Macedonia | StopKorona! | 4 | Bluetooth | No | Yes | Contact Details | Health Officials | Centralized Servers | No |
Northern Ireland | StopCovid NI | 5 | Bluetooth | No | Yes | Age, Full postcode, Health information | Health and Social Care Northern Ireland (HSCNI), Public Health England, Universities, Auditors, Research Organizations | User's Device (can submit) | Apple/Google Framework |
Norway | Smittestopp SUSPENDED OVER PRIVACY CONCERNS (170) | 1 | Bluetooth/GPS location services | No | Yes | Contact Details, Location | Health Officials | Centralized Servers | No |
Peru | PeruEnTusManos | 0 | GPS | No | Yes | GPS Location data | Peruvian Government | Centralized Servers | No |
Philippines | WeTrace | 1 | GPS location services | Yes | Yes | Contact Details | Health Officials | Centralized Servers | No |
Poland | ProteGO Safe | 2 | Bluetooth | No | Yes | Contact Details, Demographic, Medical Information | Health Officials, Relevant Official Bodies, Private Companies | Centralized Servers | No |
Portugal | StayAway Covid (Official National App) | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | DP-3T |
Qatar | Ehteraz | 0 | GPS/Bluetooth | Yes | Yes | Location, National ID number, Health Information, Contact Details | Health Officials, Ministry of Interior | Centralized Servers | No |
Russia | ????????? ???? ??????????? | 0 | GPS/QR Code | Yes | Yes | Contact Details, Location, Travel Information, Demographic Information | Law Enforcement Authorities | Centralized Servers | No |
Saudi Arabia | Tabaud | 8 | Bluetooth | No | Yes | None | Ministry of Health | User's Device (can submit) | Apple/Google |
Singapore | TraceTogether | 4 | Bluetooth | No | Yes | Contact Details, "Identification Details" | Health Officials, Law Enforcement Authorities | Centralized Servers | BlueTrace |
Slovakia | Zostan zdravy | 0 | GPS location services | No | Yes | Contact Details, Location, Medical Information | Private Company, Government | Centralized Servers | No |
South Africa | COVI-ID | 0 | QR Codes | No | Yes | Contact Details, Medical Information, Biometric Information, Demographic Information | Private Companies, Third Party Entities (including marketers/advertisers), Health Officials | Centralized Servers | No |
South Korea | Corona 100m (Official National App) | 0 | Location services | No | Yes | Location, Contact Details | Private Company | Centralized Servers | No |
Spain | Radar COVID (Official National App) | 8 | Bluetooth | No | Yes | None (anonymized IDs) | Health Officials | User's Device (can submit) | DP-3T |
Switzerland | SwissCovid-App | 10 | Bluetooth | No | Yes | None | User Only | User's Device | DP-3T/Apple & Google Project |
Thailand | Mor Chana | 1 | Bluetooth/GPS | No | Yes | Contact Details, Location | Health Officials | Centralized Servers | No |
Tunisia | E7mi | 4 | Bluetooth | No | Yes | Contact Details | Health Officials | Centralized Servers | No |
Turkey | CoroWarner | 0 | Bluetooth/GPS location services/Telecom location data | No | No | Undisclosed | Undisclosed | Undisclosed | No |
UAE | ALHOSN | 4 | Bluetooth | No | Yes | National ID number, Contact Details | Health Officials | User's Device (can submit) | No |
UK | NHS App (Official National App) | 4 | Bluetooth/QR Codes | No | Yes | Post Code District, Venue Check-in Data | Health Officials | User's Device (can submit) | Apple/Google |
Uruguay | CoronavirusUY | 8 | Bluetooth | No | Yes | None | Ministry of Public Health | User's Device (can submit) | Apple/Google |
USA | Novid | 8 | Bluetooth | No | Yes | None | Health Officials | User's Device (can submit) | TCN |
Vietnam | Blue Zone | 6 | Bluetooth Low Energy | No | Yes | None | Health Officials | User's Device (can submit) | No |
Argentina | CoTrack | 2 | GPS | No | Yes | Location, Medical Information, Travel Information | Health Officials | User's Device (can submit) | No |
Australia | COVIDSafe (Official National App) | 7 | Bluetooth | No | Yes | Contact Details, Demographic Information | Health Officials | User's Device (can submit) | BlueTrace |
Austria | Stopp Corona | 7 | Bluetooth | No | Yes | Contact Details | Relevant Official Bodies | User's Device (can submit) | DP-3T |
Bahrain | BeAware | 0 | GPS location data | No | Yes | Location, National ID Number, Contact Information, Demographic Information, Health Information, Travel Information | Health Officials, Relevant Official Bodies, Third party entities | Centralized Servers | No |
Bangladesh | Corona Tracer BD | 0 | Bluetooth, GPS location services | No | Yes | Phone number, National ID number, unique user ID | Health Officials, Information and Communication Technology Division | Centralized Servers | No |
Belgium | B-fence | 8 | Bluetooth | No | No | None | Relevant Official Bodies | User's Device (can submit) | DP-3T |
All data above has been ethically researched and fully cited. If you would like to explore the data, get a better idea of exactly how each country's app works, or explore the citations.
How we score contact tracing apps
In order to assign each app a privacy score, we asked five different questions, scoring each question out of 2 based on how they protected user privacy. We then added up the totals, giving the contact tracing apps a score based on their approach to user privacy. A maximum possible score of 10 means the app's privacy protection is impeccable, whereas a score of 0 means that users of the app are afforded no privacy whatsoever.
How is this scored?
2 – Applications that use strictly Bluetooth to determine proximity between devices.
0 – Applications that rely on any form of location tracking. This is because using specific location data is unnecessarily invasive for the functionality of a contact tracing app when Bluetooth is a viable alternative.
What personal data is collected?
The most privacy-focused contact tracing apps in our list do not collect any personal data at all and instead use anonymized, randomly generated, rotating identifiers to determine which devices came within close contact with one another. Any data collection beyond that is not necessary for achieving a workable digitized contact tracing solution.
How is this scored?
2 – Apps that do not collect any personal user data.
1 – Any app that collects a minimal amount of data such as a UUID.
0 – Any app that collects location data or other sensitive data such as name, email address, physical address, gender, age, or health data. If the data collection information is not disclosed, the app gets a 0 by default.
Who can access that data?
It is critical that the people who can access the data have a relevant reason to do so. After all, location and medical data are highly sensitive pieces of information.
Usually, for the government-contracted contact tracing apps, a government agency of some sort is able to access the collected data. Other apps are shown to be sharing data with third parties, including marketers, for no good reason at all.
How is this scored?
2 – Only the user is able to access the data.
1 – When the data is collected strictly by a health authority, with express user consent.
0 – If the data is shared with third parties, can be accessed by the government at large in any country, or the information is not clearly disclosed.
Where is the data stored?
The data these apps collect can be stored in one of two ways: centralized or decentralized. A centralized data model means data collected from the app is stored on a centralized server, whereas decentralized means all data collected is stored on the user's device.
A decentralized approach therefore makes your data both more secure and more private.
How is this scored?
2 – Uses a decentralized system, where data is stored on a user's device.
1 – Sends data to a centralized health authority server only if the user tests positive for the virus, with the express consent of the user.
0 – Any app that stores collected user data on centralized servers by default, or if the developer or authorities do not disclose the information.
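The model that scores highest under "What personal data is collected?" and "Where is the data stored?" (random rotating identifiers, an on-device contact log, and upload only after a positive test with consent) can be shown end to end. This is an added example, not code from any app in the table; the HMAC-based derivation, the 15-minute rotation window and the names `Device`, `ephemeral_ids` and `simulate` are assumptions of this example and are not the derivation used by DP-3T or the Apple/Google framework.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

EPOCHS_PER_DAY = 96  # assumption: a new identifier every 15 minutes


def ephemeral_ids(daily_key: bytes, day: int) -> list[bytes]:
    """Derive one day's rotating broadcast identifiers from a secret daily key."""
    return [
        hmac.new(daily_key, f"{day}:{epoch}".encode(), hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Device:
    """One phone. Keys and the contact log stay on it unless the user reports."""

    def __init__(self) -> None:
        self.daily_keys: dict[int, bytes] = {}  # day -> secret key, own device only
        self.heard: set[bytes] = set()          # identifiers observed nearby

    def broadcast(self, day: int, epoch: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(32))
        return ephemeral_ids(key, day)[epoch]

    def observe(self, identifier: bytes) -> None:
        self.heard.add(identifier)  # no name, phone number or location is stored

    def report_positive(self, days: range) -> dict[int, bytes]:
        """With consent, publish only the daily keys for the reported window."""
        return {d: self.daily_keys[d] for d in days if d in self.daily_keys}

    def exposed_days(self, published: dict[int, bytes]) -> list[int]:
        """Matching runs locally: re-derive identifiers, compare with own log."""
        return sorted(d for d, k in published.items()
                      if self.heard.intersection(ephemeral_ids(k, d)))


def simulate() -> tuple[list[int], list[int], bool]:
    alice, bob, carol = Device(), Device(), Device()
    # Constructed scenario: Bob is near Alice on day 3; Carol only meets Bob.
    for epoch in (10, 11, 12):
        bob.observe(alice.broadcast(day=3, epoch=epoch))
    alice.broadcast(day=4, epoch=0)  # Alice is active on day 4 with nobody nearby
    carol.observe(bob.broadcast(day=3, epoch=10))
    published = alice.report_positive(range(2, 5))
    unlinkable = alice.broadcast(3, 10) != alice.broadcast(3, 11)
    return bob.exposed_days(published), carol.exposed_days(published), unlinkable


if __name__ == "__main__":
    print(simulate())
```

The server in this model only ever relays the published daily keys; it never learns who was near whom, because each phone does the comparison against its own log.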
Privacy framework?
A privacy-preserving framework that protects user privacy with a decentralized approach to contact tracing and limits the collection of data to anonymous identifiers is essential for maintaining proper user privacy. Many apps do not employ such a framework, but those that do are clearly head and shoulders above the rest when considering user privacy.
How is this scored?
2 – Applications that build a privacy-preserving framework into the development of the app.
1 – Any app that employs PEPP-PT. This is due to the controversy swirling around the PEPP-PT approach and agencies increasingly pulling out of the project for its centralized approach and general lack of transparency.
0 – Any app that doesn't employ any privacy-preserving framework.
Comparing the best with the worst
We found a few apps that are excellent at protecting user privacy and scored an 8, and one scored a 9. Only one scored 10 (Switzerland's SwissCovid-App). The Swiss app works using Bluetooth, collects zero personal data, restricts access to the data to only the user, never allows any data to leave the user's device at any time, and employs the privacy-preserving contact tracing framework developed by Apple and Google. In other words, users should feel safe using the app knowing that their privacy will be respected.
Unsurprisingly, we found quite a few Covid-19 contact tracing apps that did little to protect user privacy and scored 0 overall, fourteen in total. These were the apps being used in Bahrain, Bangladesh, China, Cyprus, Ghana, India, Kuwait, Peru, Qatar, Russia, Slovakia, South Africa, South Korea, and Turkey.
All of the 0-rated apps use GPS location services, collect wide-ranging and unnecessary amounts of sensitive personally identifiable data, allow third-party or otherwise questionable access to that data, store the data on centralized servers, and do not employ any privacy-preserving framework for contact tracing.
These apps do pretty much everything wrong when it comes to protecting user privacy and have a real potential for misuse beyond the scope of the current crisis. Users should be extremely wary of using any of these apps.
Conclusion
Contact tracing by its nature can never be considered 100% anonymous or completely private, as we have seen, but digital contact tracing methods can work to preserve user privacy as much as possible.
The data we have collected throughout our investigation into Covid-19 contact tracing apps shows that there are a few developers and governments making the effort to protect user privacy. Many, though, do not. This could set a precedent for extended misuse of user data or continued government surveillance practices, even well after the pandemic is over.
Extraordinary times call for extraordinary measures. However, we must ensure that these measures are temporary in nature, limited in scope, remain voluntary and that governments do not use the crisis as an opportunity to conduct surveillance on their citizens or otherwise exploit or invade their privacy.