Show evidence that apps for COVID-19 contact-tracing are secure and effective

30 Apr, 2020
Governments see coronavirus apps as key to releasing lockdowns. In exchange for people’s health data, they must promise to work together to develop the highest standards of safety and efficacy.

Like any health-care intervention, coronavirus apps need to conform to the highest standards of safety and efficacy. And yet, despite the pandemic’s global nature, countries are developing apps independently, and there are no global standards — which is rightly raising concerns.

Some countries are already starting to use phones to record data, including names, addresses, gender, age, location, disease symptoms and COVID-19 test results. For example, users of Australia’s COVIDSafe app, launched last weekend, will be contacted by health officials if an app user they have had close contact with tests positive for COVID-19. Germany’s app, which is still in development, will also use actual test results. Australia is storing data centrally, but, after much debate, and expressions of concern from researchers, Germany’s app will store coronavirus data on individuals’ phones. And Egypt’s app, launched earlier this month, uses a phone’s location services to alert users if they have been near anyone with COVID-19.

One serious concern is accuracy. Apps that link to official validated tests are obviously more likely to give accurate results. An alert based on self-diagnosis that turns out to be wrong — a false positive — could, of course, be corrected. But if incorrect information has been sent to a large group of contacts, it will have caused unnecessary alarm, and could have wrongly sent people into isolation for weeks.

An equally important concern is privacy. As we have pointed out before, it is becoming easier to identify individuals from anonymized data sets. Researchers have shown that it is possible to re-identify individuals even when anonymized and aggregated data sets are incomplete

Most apps share information using Bluetooth, a radio-frequency technology that allows devices to exchange information at close range. This is convenient, because most smartphones have it. But it has a history of security breaches that have been much-reported and studied. Smartphone users are usually advised to turn off Bluetooth when it is not needed, and especially when in close proximity to other phone users. But to work, COVID-19 apps need users to keep Bluetooth running — particularly when they are in public places.

COVID-19 smartphone apps are a health-care intervention, too, and will potentially affect hundreds of millions of lives. But they are being rolled out without pilot studies or risk assessments being published. Therefore, t’s not that digital contact tracing shouldn’t be done, but it should not be a substitute for human contact-tracing teams; nor should it be seen as a replacement for necessary COVID-19 testing.