A flood of coronavirus apps are tracking us. Now it’s time to keep track of them.

Opinions differ on whether these apps are just a technocratic daydream or—if done correctly—a potentially useful supplement to manual tracing, in which human workers interview people who’ve been diagnosed with covid-19 and then track down their recent contacts. But the reality is that these services are already rolling out, and many more are likely to come in the next few months.

Despite the avalanche of services, however, we know very little about them or how they could affect society. How many people will download and use them, and how widely used do they have to be in order to succeed? What data will they collect, and who is it shared with? How will that information be used in the future? Are there policies in place to prevent abuse?

We started asking these questions and found that there were not always clear answers.

When we began comparing apps around the world, we realized there was no central repository of information; just incomplete, constantly changing data spread across a wide range of sources. Nor was there a single, standard approach being taken by developers and policymakers: citizens of different countries were seeing radically different levels of surveillance and transparency.

So to help monitor this fast-evolving situation, we’re gathering the information into a single place for the first time with our Covid Tracing Tracker—a database to capture details of every significant automated contact tracing effort around the world.

We’ve been working with a range of experts to understand what we need to look at, pulling sources including government documents, announcements, and media reports, as well as talking directly to those who are making these apps to understand the technologies and policies involved.

Here’s the first version of that database.

So far we have documented 25 individual, significant automated contact tracing efforts globally, including details on what they are, how they work, and what policies and processes have been put in place around them.

We’re asking for your help to monitor and improve this database so that the development, rollout, and evolution of these services can be tracked over time. (See “How to submit a change” below.)

But first, there are a lot of caveats and details to run through. Our tracking effort is a continuous work in progress. Information is constantly changing, and will continue to shift as more apps become available, greater scrutiny is applied to these initiatives, tracing efforts spread, and the pandemic continues. So here is more information on what we’re looking at.

What the Covid Tracing Tracker contains

At the most basic level, we are compiling a list of automated contact tracing apps that are backed by national governments. These are apps designed to automatically tell users or public health officials whether somebody has potentially been exposed to covid-19; it’s what is generally known as “exposure notification.”

For each one we find, there are basic questions to answer: Who is producing it? Is it released yet? Where will it be available, and on what platforms? What technologies does it use? And then, over time, we will also understand more about how each of these services works in practice, such as how many people have downloaded it and what level of penetration it has achieved.

But then there are more complicated issues. Is it mandatory? How private is the app? Are citizens’ rights being safeguarded? How transparent are the makers about their work? To capture this information, guided by principles put forward by the American Civil Liberties Union and others, we asked five questions.
  • Is it voluntary? In some cases, apps are opt-in—but in other places many or all citizens are compelled to download and use them.
  • Are there limitations on how the data gets used? Data may sometimes be used for purposes other than public health, such as law enforcement—and that may last longer than covid-19.
  • Will data be destroyed after a period of time? The data the apps collect should not last forever. If it is automatically deleted in a reasonable amount of time (usually a maximum of around 30 days) or the app allows users to manually delete their own data, we award a star.
  • Is data collection minimized? Does the app collect only the information it needs to do what it says?
  • Is the effort transparent? Transparency can take the form of clear, publicly available policies and design, an open-source code base, or all of these.

For each question, if we can answer yes, the app gets a star. If we cannot answer yes—either because the answer is negative or because it is unknown—the rating is left blank. There’s also a field for notes that can help put things in context. We keep track of updates in our changelog.

In addition, we say something about the basic technology underlying the app. Here’s an explanation of the key terms.

  • Location: Some apps identify a person’s contacts by tracking the phone’s movements (for instance, using GPS or triangulation from nearby cell towers) and looking for other phones that have spent time in the same location.
  • Bluetooth: Some systems use “proximity tracking,” in which phones swap encrypted tokens with any other nearby phones over Bluetooth. It is easier to anonymize and generally considered better for privacy than location tracking.
  • Google/Apple: Many apps will rely on the joint API that Apple and Google are developing. It lets iOS and Android phones communicate with each other over Bluetooth, allowing developers to build a contact tracing app that will work for both. Later the two companies plan to build this directly into their operating systems.
  • DP-3T: This stands for decentralized privacy-preserving proximity tracing. It’s an open-source protocol for Bluetooth-based tracking in which an individual phone’s contact logs are only stored locally, so no central authority can know who has been exposed.

We may expand these categories over time, at which point this article will be revised.

What the database doesn’t contain

First, we are focused on automated contact tracing apps that the public is already using or will use in the near future. That means we aren’t keeping track of the underlying protocols that will feed into apps (this is why the Google/Apple API itself isn’t on the list), or early-stage initiatives to build new products, or experimental apps that have no government backing or connection to public health services. Our initial search found more than 150 of these preliminary efforts, but many have no clear pathway to being used by the public. As projects evolve into real products, we will add them to our list.

Second, although the interaction between manual contact tracing efforts and automated systems will be critical, we aren’t monitoring manual efforts at this time.
