[LINK] How does COVIDSafe compare to Europe's contact tracing apps?
Bernard Robertson-Dunn
brd at iimetro.com.au
Mon Jul 27 16:58:29 AEST 2020
How does COVIDSafe compare to Europe's contact tracing apps?
https://www.abc.net.au/news/science/2020-07-27/how-does-covidsafe-compare-contact-tracing-apps-apple-google/12488188
By technology reporter Ariel Bogle
<https://www.abc.net.au/news/ariel-bogle/9224490>
COVIDSafe was sold as Australia's ticket out of lockdown. But almost
three months since launch in late April, its impact is hard to measure.
Victoria has accessed data from the app almost 400 times, but health
authorities are yet to point to any potential COVID-19 exposure that was
not picked up by manual contact tracing.
In New South Wales, app data has been extracted 23 times. In one
instance, a person whose contact details were unavailable during manual
contact tracing was contacted using app data.
But COVIDSafe's ability to reliably transmit and collect encrypted codes
<https://www.abc.net.au/news/science/2020-06-17/covidsafe-contact-tracing-app-test-documents-rated-poor-iphone/12359250>
using Bluetooth from other apps remains under scrutiny.
And there is another option.
In May, Google and Apple launched an exposure notification API
<https://www.abc.net.au/news/2020-05-21/google-apple-technology-help-coronavirus-contact-tracing/12271728>
or framework built into their devices' operating systems that allows
health authorities to build their own apps, and ostensibly helps the
technology perform better with fewer bugs and workarounds.
Germany and Ireland, as well as a handful of other European countries,
have now launched their own COVID-19 exposure notification apps using
the Google-Apple framework.
So how do they compare to COVIDSafe?
*A centralised or a decentralised model*
COVIDSafe and apps built using the Apple-Google API both deploy
Bluetooth to create an encrypted log of random codes from other devices
with the app, that come into close range.
But Ireland's COVID Tracker app and Germany's Corona-Warn-App differ
when it comes to the next step.
Broadly, if someone tests positive for the virus and has one of those
apps, they can voluntarily make their weeks of random codes available to
the exposure notification system.
Each individual app regularly checks the exposure codes they have stored
against ones the system has identified as belonging to an infected person.
If there is a match, they receive a warning notification on their phone
and can then choose to get in touch with a doctor.
All the data processing is done on the device.
In contrast, if someone with COVIDSafe is diagnosed with the virus,
health authorities may ask them to share their app's data with a central
database. Then those random codes will be sorted into close contacts
(1.5 metres for upwards of 15 minutes) and used by local health
authorities to track potential exposures.
Ireland and Germany's apps operate more as a warning system and offer
much less information to authorities.
That lack of centralised data collection is part of what makes security
expert Vanessa Teague, chief executive of Thinking Cybersecurity,
believe Australia should move to the Google-Apple API.
"It has this huge privacy advantage," she said.
And although we do not yet have sufficient empirical data comparing the
performance of available models, she suggested it's likely apps built
using the Google-Apple framework will work more reliably than COVIDSafe
because the Bluetooth detection technique is built into the devices'
operating systems.
"By work, I mean, when two people are near each other, the likelihood
that it exchanges the pings it's supposed to exchange is likely to be a
lot higher," she said.
*Are apps built using the Google-Apple API a success?*
Like in Australia, German and Irish authorities have been quick to boast
about download figures.
Germany launched its app in mid-June. As of July 23, the Corona-Warn-App
has registered 16.2 million downloads, according to the Robert Koch
Institute, in a country with a population of more than 80 million.
Ireland's Health Services told the ABC that almost 1.4 million people
have downloaded the app since July 7 — out of almost 5 million people —
and 91 COVID Tracker app users have received an exposure alert.
But like in Australia, where the app has been downloaded more than 6
million times, there are few metrics publicly available to understand
the app's contribution to pandemic control, or even how many people have
the app open and working each day.
In Germany, about 660 people who were shown to test positive for
SARS-CoV-2 had the opportunity to warn others via the app by July 20.
"However, we cannot say exactly how many people were warned because of
the decentralized approach of the app," the president of the Robert Koch
Institute Professor Lothar H. Wieler said in a recent statement.
Stephen Farrell, a computer security researcher at Trinity College
Dublin, said questions remained for the Australian and European apps
when it comes to the ability of Bluetooth to accurately gauge distance
<https://down.dsg.cs.tcd.ie/tact/> — and so, to accurately identify
close contacts.
"It suffers the same challenges with Bluetooth proximity detection in
terms of making it reliable in all sorts of contexts," he said.
"Handsets in all different positions, in pockets, in handbags … walking,
cycling."
Dr Farrell suggested it will ultimately be difficult to definitively
measure the impact of this technology.
We need to know how many people who would have been missed by manual
contact tracing are caught by the app, he suggested. And of those
people, how many are false positives or true positives.
"I suspect most likely we won't ever know," Dr Farrell said.
*Privacy concerns remain*
As well as privacy bugs found after the launch of COVIDSafe, its
centralised method of data collection has been an ongoing focus for
security researchers.
But there is also concern in Europe
<https://www.nytimes.com/2020/07/20/technology/google-covid-tracker-app.html>
that exposure notification apps built using the Google-Apple API could
be used to track location, especially on Android.
The implementation of Bluetooth on Android has long (and wrongly, in her
view) been "inextricably linked" to location permissions, Dr Teague said,
as some non-contact tracing apps use the technology to work out a user's
location.
For example Bluetooth beacons in a shopping centre, she said, could be
used to serve users with hyper-specific advertising.
"The implication is, if you're not going to let Google track your
location, then you're not using Bluetooth scanning."
The COVIDSafe version of Android as well as apps made using the
Google-Apple API ask for location permission when the app is downloaded
— although all insist location is not recorded as part of the contact
tracing process.
"In keeping with our privacy commitments for the Exposure Notification
API, Google does not receive information about the end user, location
data, or information about any other devices the user has been in
proximity of," a Google spokesperson said.
Professor Alexandra Dmitrienko, head of Secure Software Systems Research
Group at the University of Würzburg, is troubled that location services
must be turned on when using the exposure notification API on Android.
While many people may choose to use products like Google Maps and have
location services operating, she suggested those that do not are forced
into a choice: allow location permissions when downloading the German
app or give up the ability to use your country's public health app.
As more countries accept the Apple-Google solution, she is also
concerned about the control being ceded to the two technology giants.
"As an expert in security and privacy, I see … that we give too much
power to two American companies," she said.
*Could Australia move to the Google-Apple API?*
As it stands, Australia's COVIDSafe would have to fundamentally change
its approach to use the Google-Apple API.
The companies' API rules stipulate that a government can only request
and not require users to share personal information such as a phone number.
COVIDSafe requires these details upon sign up. Ireland's COVID Tracker
app on the other hand asks only for opt-in metrics.
Minister for Government Services Stuart Robert said the Government is
open "to improving [the] technology" if it maintains a key role for
health officials in the process.
"The current structure of the Google-Apple API does not do that," he said.
"We will continue to work with Google and Apple, particularly to see if
they can remove their barriers in allowing a sovereign tracing app —
that has health professionals at its core — access to improved Bluetooth
functionality".
Ultimately, it may still be too early to say whether any piece of
technology can be the pandemic silver bullet so many countries are after.
Professor Dmitrienko thinks it's too early to know how effective these
apps are.
"[The] general opinion is that this technique cannot really replace the
manual contact tracing, but it can be complementary," she said.
"How effective it is? I think no one can tell at the moment."
But then, there's the price tag.
By some estimates, COVIDSafe has reportedly cost around $2.75 million
<https://www.innovationaus.com/bcg-gets-another-covidsafe-contract/> in
contractors' fees.
The Irish app cost €850,000 ($1.4 million).
--
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
email: brd at iimetro.com.au
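
The centralised and decentralised models the article contrasts, reduced to a simplified model as an added example (not code from the article, COVIDSafe or the Google-Apple framework). `Phone`, `CentralServer`, the server-side code registry and the sample names are assumptions, and the Bluetooth exchange is modelled as a function call.

```python
import secrets

class Phone:
    """One handset in a simplified model of a contact-tracing app."""
    def __init__(self, owner, issue_code=None):
        self.owner = owner
        # Decentralised: the phone makes its own random codes.
        # Centralised: the server issues them (issue_code) and can map them back.
        self._new_code = issue_code or (lambda _owner: secrets.token_hex(16))
        self.sent = []    # codes this phone has broadcast
        self.heard = []   # (code, minutes, metres) logged from nearby phones

    def broadcast(self):
        code = self._new_code(self.owner)
        self.sent.append(code)
        return code

def encounter(a, b, minutes, metres):
    """Model one Bluetooth exchange: each phone logs the other's code."""
    code_a, code_b = a.broadcast(), b.broadcast()
    a.heard.append((code_b, minutes, metres))
    b.heard.append((code_a, minutes, metres))

def decentralised_match(phone, published_codes):
    """Runs on the handset: compare the local log with positive users' codes."""
    return any(code in published_codes for code, _, _ in phone.heard)

class CentralServer:
    """Assumed registry: the server issues every code and keeps code -> owner."""
    def __init__(self):
        self.registry = {}

    def issue_code(self, owner):
        code = secrets.token_hex(16)
        self.registry[code] = owner
        return code

    def close_contacts(self, uploaded_log):
        # Rule quoted in the article: 1.5 metres for upwards of 15 minutes.
        return {self.registry[code] for code, minutes, metres in uploaded_log
                if code in self.registry and metres <= 1.5 and minutes >= 15}

def demo():
    """Constructed scenario: alice tests positive after 20 min at 1 m from bob."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, minutes=20, metres=1.0)
    published = set(alice.sent)   # all that the decentralised server receives
    return decentralised_match(bob, published), decentralised_match(carol, published)
```

In the decentralised path the server only ever holds the positive user's own random codes, while `close_contacts` returns names because the central registry can resolve every code in an uploaded log.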