The Tracing App Source Code Has Been Made Public
Q and A with the experts: the efficacy of tracing apps
Tracing apps are here, many people have them on their phones already, and governments are endorsing them in every part of Canada – but do they work?
We spoke with Professor Urs Hengartner, an expert in smartphones and mobile applications’ privacy challenges, about the new mobile app that will be used to help with tracing COVID-19 across Canada.
How do tracing apps work?
Contact tracing apps (also called exposure notification apps) make a smartphone broadcast a unique, periodically changing signal over Bluetooth. Nearby smartphones receive this signal and remember it for a period of time. If a person tests positive for COVID-19, the person uses their app to notify a central server. All smartphones periodically contact this server to learn of new notifications. If any of the Bluetooth signals recorded earlier by a phone is among these notifications, the phone has been close to an infected person, and the app alerts the user of the exposure.
What happens after you are notified that you’ve come into contact with someone with COVID? Where does public health come into play?
The app can recommend certain actions to the alerted user, such as taking a test for COVID-19 or going into quarantine. In the outlined approach, public health by design gains no information about a detected exposure. The app may give the alerted user the option to notify public health of the exposure.
Are tracing apps effective in curbing the spread of COVID-19?
Nobody currently knows. Exposure notification apps suffer from false positives (a person gets alerted of exposure even though the person did not get infected) and false negatives (a person gets infected but does not get alerted). Of course, other controls against COVID-19, like testing for the virus or wearing a face mask, have similar weaknesses. Therefore, it is important not to have a single control, but a combination of them, and design exposure notification apps in a privacy-preserving way.
Do tracing apps jeopardize data privacy? Should people be worried about the security of their personal information?
The outlined design, followed by Canada’s recently announced exposure notification app, is privacy-preserving. There is no central party, like public health, that can learn of people’s locations and contacts. Therefore, Canadians using the app should not be worried about the privacy of their personal information. To give Canadians the option to convince themselves that the app is free of security vulnerabilities, the app’s source code has been made public.
Apart from effectiveness concerns, have other concerns been raised about tracing apps?
Such an app should get accompanied by a legal framework that prevents businesses from discriminating against people who cannot use the app to demonstrate non-exposure, maybe because they do not have a smartphone to start. In addition, the legal framework should ensure that people do not have to worry about losing their salary when being asked by their app to go into quarantine.
About Professor Urs Hengartner
Urs is a member of the Cryptography, Security, and Privacy (CrySP) research group, the Centre for Applied Cryptographic Research and the Systems and Networking Group.
His research interests are in information privacy and in computer and networks security with a focus on security and privacy challenges that arise in the context of smartphones and mobile applications.