Countries around the world are trying to create contact tracking apps that can be used to track the spread of COVID-19. A beta app launched by the UK this week shows the enormous challenges and, above all, the difficulty of developing an effective app without the help of the technology giants that make our phones.
The UK is one of the few countries that has chosen to create a contact tracking app that is incompatible with the contact tracking API currently being developed by Google and Apple. Instead of decentralizing data across devices, the UK will aggregate the information it collects into a single database operated by the National Health Service (NHS).
Britain says it can stop the spread of COVID-19 more quickly if it controls the data
The government argues that this will give greater insight into the spread of COVID-19 and will allow the NHS to decide which users are most at risk. However, advocates of privacy warn against creating new ways for government surveillance. The UK government appears to have undermined previous assurances that it will not share the data collected outside the NHS, suggesting that other organizations could use the information in the future for public health research. This is something that Apple and Google forbid for any app that uses their API, and another reason why the UK has to build its app without the help of companies.
In addition to data protection issues, researchers have identified a major problem in Britain's efforts to build an app without Google and Apple: it just doesn't work as advertised.
The core problem is familiar to an expert in mobile security: app permissions. Contact tracking apps use Bluetooth to use the app to keep a log of nearby devices and, more broadly, the people users have come into contact with. When a user is diagnosed with COVID-19 or has symptoms, they notify their app, which then pings their devices. Some apps, like the one from Singapore, are constantly sending Bluetooth pings to find nearby devices. Others, like the UK, are trying to create active Bluetooth pairings or “handshakes”.
The problem is that both Google and Apple restrict apps from using Bluetooth in iOS and Android. They do not allow developers to send Bluetooth signals all the time because this type of background transmission has been used for targeted advertising in the past. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you don't see the app, there is no signal. The latest versions of Android have similar restrictions, so Bluetooth signals can be sent only a few minutes after an app is closed. Such restrictions prevent devices from pinging each other in confined spaces, which drastically reduces the effectiveness of a contact tracking app.
A beta version of the UK Contact Tracing app will be available for download this week.
Google and Apple can rewrite these rules for their own contact tracking API because they control the operating systems. But for countries like Britain trying to do it alone, the restrictions could be literally fatal. iPhone users with the app installed can interact with someone who is later diagnosed with COVID-19 and never know if their phone does not keep a log of their interaction.
The UK government has implied that it has created an unknown workaround for these problems, and there are surely subtleties in how these protocols work that could work in their favor. For example, while iOS devices cannot constantly send Bluetooth signals, they can receive them from older Android devices. This would essentially activate the software and allow the app to exchange important data.
So it can be argued that the British app works in urban environments where a mix of old and new iOS and Android devices is used all the time. However, experts say this is far from a reliable mechanism needed to track the spread of a fatal disease, especially given that iOS market share in the UK is over 50 percent.
Google and Apple have been working on their API at lightning speed
Speaking to The Verge, digital rights expert Michael Veale, who is also part of an international consortium that develops decentralized contact tracking protocols, said that without the help from Apple and Google, which he praised, there was really no way to build a contract tracking system for lightning-fast work on the subject. "You moved much faster than we expected," he said. "They provided a unified method that works across borders (and) and that many countries use."
How exactly Britain's problems will develop, however, cannot be predicted. The contact tracking beta app starts this week only as a small pilot on the Isle of Wight, an island with 141,000 inhabitants off the south coast of England. The UK government still has time to optimize its functionality or switch to a decentralized system, as Germany did last month. Because, as the corona virus has shown, it prevents every country from learning from others, even though each country has to fight its own way against the virus.
"The alternative to working with (Google and Apple) is to create a system that doesn't work on iPhones, leads to centralized databases that destroy trust, doesn't work across borders, and therefore doesn't help open up international travel." says Veale. "That is the British problem."