Attention: We are inundated with apps that try to detect Covid-19 exposures. Is there danger?

Attention: We are inundated with apps that try to detect Covid-19 exposures. Is there danger?

New York, May 28, 2020

Because this vast flood of apps claiming to detect your Covid 19 exposure is almost impossible to manage and because numerous offers are not very transparent, researchers at MIT have set themselves the goal of determining sense or nonsense, danger or progress. Their project is called „Project Covid Tracing Tracker“.

In a hurry, technologists everywhere would have set out to develop applications, services and systems that would identify contact persons and identify and notify all those who came into contact with a carrier.

Some services are provided locally by small groups of coders, while others are huge, global operations. Apple and Google are mobilizing huge teams to build their upcoming systems that inform people of a potential threat that could be used by hundreds of millions of people almost immediately.

Opinions differ on whether these apps are just a technocratic daydream or – if done right – a potentially useful addition to manual tracking, where human operatives interview people who have been diagnosed with Covid-19 and then track down their most recent contacts. However, the reality is that these services are already in use and many more are likely to be added in the coming months.

However, despite the avalanche of services, we know very little about them or how they might affect society. MIT researchers are looking for answers to the following questions: How many people will download and use them, and how much will they need to be used to succeed? What data will they collect, and to whom will they share it? How will this information be used in the future? Are there guidelines to prevent abuse?

We started to ask these questions and found that there were not always clear answers.

When we started comparing apps around the world, we realized that there was no central repository of information, but rather incomplete, ever-changing data spread across a variety of sources. Nor was there a single, standardized approach by developers and policy makers: citizens in different countries saw radically different levels of monitoring and transparency.

To help monitor this rapidly evolving situation, our Covid Tracing Tracker is the first time we are collecting the information in a single place – a database to capture details of all major automated contact tracing efforts around the world.

We’ve worked with a number of experts to understand what we need to look at. We draw on sources such as government documents, announcements, and media reports, and speak directly to those who create these applications to understand the technologies and policies involved.

Here is the first version of this database:

https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/

To date, we have documented 25 separate, significant automated efforts to track contacts globally, including details of what they are, how they work, and what policies and processes have been implemented around them.

We ask for your help in monitoring and improving this database so that the development, implementation and evolution of these services can be tracked over time. (See „How to Submit a Change“ below).

But first, many caveats and details need to be worked through. Our tracking efforts are an ongoing process. The information is constantly changing and will continue to change as more applications become available, these initiatives are scrutinised more closely, tracking efforts spread and the pandemic continues.

What the Covid Tracing Tracker contains

At the most basic level, we are compiling a list of apps for automatic contact tracking supported by national governments. These are apps designed to automatically notify users or public health officials if someone has been potentially exposed to Covid-19; this is what is commonly known as „exposure notification“.

For every application we find, there are basic questions to answer: Who makes them? Has it already been published? Where will it be available and on which platforms? What technologies will be used? And then, over time, we will also learn more about how each of these services works in practice, for example, how many people have downloaded it and how widespread it has become.

But then there are even more complicated questions. Is it compulsory? How private is the app? Are civil rights respected? How transparent are the creators about their work? To gather this information, we asked five questions, guided by the principles of the American Civil Liberties Union and others.

Is it voluntary? In some cases the apps are voluntary, but in other places many or all citizens are forced to download and use them.

Are there any restrictions on the use of the data? The data can sometimes be used for purposes other than public health, such as law enforcement, and this may take longer than with Covid-19.

Is data destroyed after a certain period of time? The data collected by the applications should not be kept forever. If they are automatically deleted within a reasonable period of time (usually a maximum of about 30 days), or if the app allows users to manually delete their own data, we award a star.

Is the data collection minimized? Does the app only collect the information it needs to do what it says?

Is the effort transparent? Transparency can take the form of clear, publicly available guidelines and designs, an open source code base, or all of these forms.

For every question that we can answer with yes, the app receives an asterisk. If we can’t answer yes – either because the answer is negative or because it is unknown – the rating is left blank. There is also a field for notes that can help to put things into context. We track the updates in our changelog.

We also say something about the basic technology that the app is based on. Here you can find an explanation of the key terms:

Location: Some apps identify a person’s contacts by tracking the phone’s movements (for example, using GPS or triangulation from nearby cell towers) and searching for other phones that have been in the same location.

Bluetooth: Some systems use „Proximity Tracking“, in which the phones exchange encrypted tokens with other nearby phones via Bluetooth. It’s easier to make anonymous and is generally considered better for privacy than location tracking.

Google/Apple: Many applications will rely on the common API that Apple and Google are developing. It allows iOS and Android phones to communicate with each other over Bluetooth, so developers can create a contact tracking application that works for both. Later, the two companies plan to incorporate it directly into their operating systems.

DP-3T: This stands for decentralized, close-range tracking that preserves privacy. It is an open source protocol for Bluetooth-based tracking, where the contact logs of an individual phone are stored only locally, so no central authority can know who has been exposed.

These categories can be expanded over time.

What the database does not contain

First, we focus on automated contact tracking apps that the public already uses or will use in the near future. This means we don’t track the underlying protocols that will be incorporated into the apps (which is why the Google/Apple API itself is not on the list), nor do we track early-stage initiatives to develop new products or experimental apps that have no government support or connection to public health services. In our initial search, we found more than 150 of these preparatory efforts, but many don’t have a clear path to be used by the public. As the projects develop into real products, we will add them to our list.

Second, although the interaction between manual contact tracing efforts and automated systems will be critical, we do not currently monitor manual efforts.