Countries around the world are scrambling to create contact-tracing apps that will help track the spread of COVID-19. But a beta app launched by the UK this week shows the huge challenges they face and, crucially, the difficulty in designing an effective app without the help of the tech giants that make our phones.
The government argues that collecting contact data centrally, on NHS servers rather than only on users' phones, will provide greater insight into the spread of COVID-19 and allow the NHS to decide which users are most at risk. Privacy advocates, though, warn it creates new avenues for state surveillance. Already, the UK government appears to have undermined prior assurances that it won't share the data it collects outside the NHS, suggesting other organizations might use the information for public health research in the future. Central collection of this kind is something Apple and Google forbid for any app using their API, and another reason the UK has to build its app without the companies' help.
But in addition to privacy issues, researchers have identified a major problem in the UK’s efforts to build an app without Google and Apple: it simply won’t work as advertised.
The core issue is one familiar to mobile security experts: app permissions, and specifically what an app is allowed to do with Bluetooth while it is not on screen. Contact-tracing apps use Bluetooth to build a log of nearby devices running the app and, by extension, of the people a user has come into contact with. When a user is diagnosed with COVID-19 or starts to show symptoms, they notify their app, which then alerts the devices of those people. Some apps, like the one built by Singapore, constantly broadcast Bluetooth pings to find nearby devices. Others, like the one built by the UK, try to create active Bluetooth connections, or "handshakes," between phones.
The problem is that both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don't allow developers to constantly broadcast Bluetooth signals, because that sort of background broadcast has been exploited in the past for targeted advertising and tracking. As The Register reports, iOS apps can only advertise normally when the app is running in the foreground; in the background iOS cuts the advertisement down to a restricted form that other platforms' scanners do not readily pick up. If your iPhone is locked or you're not looking at the app, then for practical purposes there's no signal. The latest versions of Android have similar restrictions, allowing an app to keep sending Bluetooth signals for only a few minutes after it leaves the screen. These restrictions stop devices in close quarters from pinging one another, drastically reducing the effectiveness of any contact-tracing app.
Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.
The UK government has implied it’s created some unknown workaround to these issues, and there certainly are subtleties in how these protocols operate that might work in its favor. For example, while iOS devices can’t broadcast Bluetooth signals constantly, they can receive them from older Android devices. Doing so would essentially wake up the software and allow the app to exchange vital data.
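To make the effect of these rules concrete, here is an added toy simulation (illustrative code written for this article, not code from the UK app or from the Apple/Google API). It encodes the article's simplified platform rules as assumptions: iOS and newer Android advertise only while the app is in the foreground, older Android advertises freely, and every platform can listen in the background. It then compares the two designs the article describes, one-directional "broadcast" logging (Singapore-style) against a "handshake" in which a connection from either side wakes the other app so both record the contact. The device names and the mix of phones are constructed sample data.

```python
"""Toy model of which proximity contacts a tracing app can log under
OS background-Bluetooth restrictions.  Illustrative only; the rules in
can_advertise() and can_scan() are deliberate simplifications of the
behaviour described in the article, not the real CoreBluetooth or
Android semantics."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Device:
    name: str
    platform: str        # "ios", "android_new" or "android_old"
    foreground: bool     # phone unlocked with the app on screen?
    log: set = field(default_factory=set)   # names this phone has recorded

    def can_advertise(self) -> bool:
        """Assumed OS rule: may this phone send Bluetooth pings right now?"""
        if self.platform == "android_old":
            return True                 # assumption: no background limit
        return self.foreground          # iOS / newer Android: foreground only

    def can_scan(self) -> bool:
        """Assumption: every platform may listen for pings in the background."""
        return True


def broadcast_encounter(a: Device, b: Device) -> None:
    """Broadcast model: a phone logs whoever it hears.  One-directional:
    a records b only if b is advertising and a is listening."""
    if b.can_advertise() and a.can_scan():
        a.log.add(b.name)
    if a.can_advertise() and b.can_scan():
        b.log.add(a.name)


def handshake_encounter(a: Device, b: Device) -> None:
    """Handshake model: if either side can discover the other, a connection
    wakes the listening app and both sides exchange and record identifiers."""
    discoverable = (b.can_advertise() and a.can_scan()) or \
                   (a.can_advertise() and b.can_scan())
    if discoverable:
        a.log.add(b.name)
        b.log.add(a.name)


def run(devices, encounter):
    """Let every pair of devices meet once; return each phone's contact log."""
    for d in devices:
        d.log.clear()
    for a, b in combinations(devices, 2):
        encounter(a, b)
    return {d.name: sorted(d.log) for d in devices}


def coverage(devices, encounter):
    """Return (pairs recorded by at least one side, pairs recorded by both
    sides, total pairs).  A pair nobody recorded is a contact the app can
    never trace."""
    logs = run(devices, encounter)
    pairs = list(combinations(devices, 2))
    either = sum(1 for a, b in pairs
                 if b.name in logs[a.name] or a.name in logs[b.name])
    mutual = sum(1 for a, b in pairs
                 if b.name in logs[a.name] and a.name in logs[b.name])
    return either, mutual, len(pairs)


def exposed(logs, diagnosed: str):
    """Assumed notification model: the diagnosed user uploads their own log
    and everyone in it is alerted.  Whoever heard the diagnosed phone but
    was never heard back is missed."""
    return logs[diagnosed]


def sample_population():
    """Constructed sample: phones on a hypothetical bus.  Most are locked
    in a pocket (foreground=False), which is the realistic case."""
    return [
        Device("alice", "ios", False),
        Device("bob", "ios", False),
        Device("carol", "ios", True),
        Device("dave", "android_new", False),
        Device("erin", "android_old", False),
    ]


if __name__ == "__main__":
    pop = sample_population()
    for model in (broadcast_encounter, handshake_encounter):
        logs = run(pop, model)
        print(model.__name__, coverage(pop, model))
        print("  if carol is diagnosed, alert:", exposed(logs, "carol"))
```

Two locked iPhones (alice and bob) never record each other under either model, which is the failure the article warns about. The handshake model does rescue the locked-iPhone-meets-old-Android case in both directions, whereas under one-directional broadcasting carol's foreground iPhone is heard by four people but hears only erin, so a diagnosis by carol would alert almost nobody.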
It's possible to argue, then, that the UK app will work in urban environments where a mix of old and new iOS and Android devices is constantly in use. But experts say this is a long way from the reliable mechanism needed to trace the spread of a deadly disease, especially considering that iOS has more than 50 percent market share in the UK.
But exactly how the UK's problems will play out is impossible to predict. The beta contact-tracing app is only launching as a small pilot this week on the Isle of Wight, an island with a population of 141,000 off the south coast of England. The UK government still has time to tweak its functionality or switch to a decentralized system, just as Germany did last month. As the coronavirus pandemic has shown, every country has to fight its own idiosyncratic battle with the virus, but that doesn't stop them learning from one another.