How will the contact tracing App for COVID-19 work?
6 min read
A trial is underway on the Isle of Wight to test an NHS contact tracing App to help in the fight against the Covid-19 pandemic. How do contact tracing Apps work, and how will the data be used? Susie Wright from the Parliamentary Office of Science and Technology explains
Contact tracing is the process of identifying the people who have come into contact with an infected individual so they can be warned that they may be at risk of illness. Mobile phone apps can automate this process by detecting when people come into close contact and notifying users that they may be at risk. Traditionally, manual contract tracing uses interviews with infected individuals to understand who they have been in contact with. Mobile phones could allow for faster and more precise tracing. However, proposals for apps have prompted privacy concerns.
Governments and public health bodies across the world are developing contact tracing apps to support the fight against COVID-19. In Singapore, contact tracing app TraceTogether was introduced in March and the Australian Department of Health released their app, COVIDSafe, in April.
On 12 April, the UK Government announced that NHSX, a unit of the NHS responsible for digital innovation, was developing a contact tracing app for the UK. A trial began on the Isle of Wight on 5 May.
How do contact tracing apps work?
Contact tracing apps work by digitally tracking who an individual has come into contact with. When two people come within a certain distance of each other, their phones exchange ‘tokens’. Tokens are unique identifying numbers that have been allocated to each phone. The app stores a list of the tokens belonging to all contacts they have made over a given period. If an individual begins to show symptoms of COVID-19, or tests positive, they can notify the app. It can then alert other users that they may be at risk of infection if the infected person’s token is stored in their phone.
When designing an app to carry out this process, different technical specifications can be chosen to meet certain standards of accuracy, security and user privacy.
Measuring proximity
The app needs to determine whether two people have come into contact. Being closer to each other for a longer time increases the risk of infection. The Australian app defines a contact as someone who has been within 1.5 metres of the user for 15 minutes or more.
Most contact tracing apps use Bluetooth to measure proximity. A phone can estimate the distance to another Bluetooth device by measuring the signal strength received from that device. Bluetooth provides some privacy protection. It measures the proximity of other devices, not their absolute location. This way, less identifiable personal data are collected. However, using Bluetooth can come with security risks and a risk of false positives if people are separated by a wall, as signals can penetrate physical objects.
User anonymity
It is generally agreed that, to protect an individual’s privacy, the unique tokens that the app exchanges between contacts should be anonymised, generated randomly and changed regularly.
In some cases, Australia for example, a central database may be used to link the tokens with personal details so that at-risk individuals can be contacted. This approach has been criticised as the tokens could theoretically be deanonymised.
Data storage and sharing
Most apps currently manage data using one of two models. In decentralised models, data are managed locally on a user’s device and data sharing is minimised. In centralised models, data are shared with a central computer managed by the app authority. In both cases, experts recommend that the source code for the app is published so that the collection of data is well understood.
In April, 300 academics signed a letter warning against the adoption of centralised models as they could allow surveillance of app users. An advantage of a centralised system, however, is that the central database could be used to research the spread of the virus. To do this in a decentralised model, users would have to volunteer data for this purpose.
The European Parliament supports the adoption of decentralised apps and Apple and Google have announced a partnership to develop a framework for running decentralised apps. The Australian app has been described as ‘hybrid-centralised’ as data are stored on a user’s phone but their identity is revealed to the health ministry only if they are at risk of infection.
Notifying the app of an infection
Many experts suggest that contact tracing apps are of greatest use when used in combination with widespread testing so that the app has the most accurate data. Some practitioners suggest that users should also be able to self-report their symptoms to reduce risk whilst they await test results, but this could lead to false positives.
Uptake
For contact tracing apps to work effectively they must be used by a large proportion of the population. One study estimated that uptake by 80% of UK smartphone users would be required. Ongoing manual tracing may be needed to support those without access to smartphones. In Singapore, it is estimated that less than 20% of the population have installed the app and there are no studies on the impact this has had on the spread of the virus there. In a recent survey, 65% of UK adults supported the use of smartphones for contact tracing.
EU guidelines say that it is essential that app use remains voluntary. Commentators have expressed concerns that citizens could be coerced into using an app. For example, an airline might forbid someone from flying unless they have the app installed.
Contact tracing in the UK
The UK app, under development by NHSX, is expected to be technically ready for national use before the end of May. Bluetooth will be used to measure proximity, and users will be able to self-report symptoms. The app will be built on a centralised model where the NHS will have access to anonymised graphs of contacts to allow them to research the spread of the disease. Anonymous tokens will be generated daily on phones but each user will also have an anonymous, fixed identifier which is assigned centrally at installation. At some point, not necessarily before national roll out, the full source code will be released.
Susie Wright is a physical and digital science adviser at the Parliamentary Office of Science and Technology. You can find an extended version of the article here. For more content on COVID-19, visit the POST COVID-19 hub.
PoliticsHome Newsletters
Get the inside track on what MPs and Peers are talking about. Sign up to The House's morning email for the latest insight and reaction from Parliamentarians, policy-makers and organisations.