X

Contact-tracing apps have a trust problem, even if they do protect your privacy

Experts believe that at least half the population needs to use contact-tracing apps for them to work. The challenge will be convincing the public to opt in after years of trust issues with big tech.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
7 min read
Statue of Liberty wearing a face mask to protect from Coronavirus

Governments and technology companies have a mountain of skepticism to overcome to get people to download contact-tracing apps.

James Martin/CNET

On a call explaining how their contact-tracing capabilities would take on the COVID-19 pandemic, representatives from Google and Apple laid out their biggest challenge: getting people comfortable enough to actually use the technology. The whole project -- a mission that two of the world's largest tech companies teamed up for about three weeks ago -- would fail if they couldn't convince enough people to sign up.

To do that, Apple, Google and any government looking to take advantage of a contact-tracing app have to climb a mountain of skepticism, created in part by the tech industry's long history of data abuses. For years, lawmakers, privacy watchdogs and regulators have felt deceived by tech companies, who've used technical details to hide their tracking capabilities. 

The "move fast and break things" mindset has created innovations, but it's also deeply broken public trust in big tech. Facebook's mission of "bringing the world closer together" also helps it gather millions of people's information for targeted advertising. Google offers educational tools, and directions through its Maps services, but it also faces lawsuits for location-data tracking and allegedly collecting students' biometric data. Apple, which has turned privacy into a feature of its products, has previously taken shots at its rivals for their tendency to share their users' information. 

To help track people who've been exposed to COVID-19, technology companies and governments have proposed contact tracing apps as a solution. Such apps would add a tech element to something health care workers have done manually for decades, where they've thoroughly interviewed people to get a history of who those people may've exposed to infection. But some of the same tools that've fueled mistrust in big tech are what the industry is proposing as part of the answer. Critics warn that the whole effort could fail if the tech industry can't pull itself out of the hole its own missteps dug over the years.  

"Both the companies that deploy these things and the governments have a hurdle to overcome in terms of encouraging people to trust that these systems are for their good," said Daniel Kahn Gillmor, senior staff technologist with the American Civil Liberties Union. "The privacy landscape has been a disaster over the last several years." 

The tech giants want to improve on the concept of manual contact tracing by using Bluetooth technology to log exposures rather than relying on a person's memory. Apple and Google's concept, as well as a proposal from researchers at the Massachusetts Institute of Technology, looks to use randomly generated IDs on devices that silently send out Bluetooth signals to other devices that have the app installed. 

If people mark themselves as COVID-19 positive, and give consent to share that information through the app, then every device that interacts with those people's ID in a select time range would get a notification about potential exposure to the disease.

Governments in the US, the UK and Singapore have warmed to this concept, but for any of this to actually work, you need people to download the technology. And government officials rolling out this tool have found that especially challenging.  

Adoption rates

Apple and Google didn't give a specific number on how much of the population they'd need to actually opt in for their contact-tracing solution to work. They only noted that each new person who downloads the app has an exponential impact. 

oxford-study.png

An Oxford University study found that a country would need more than half its population to use a contact-tracing app for it to be effective.

Oxford University

But an Oxford University study found that governments need 56% of the population to use the app to help stop COVID-19's spread. The study used a computer model of a city with 1 million people, based on the UK's demographics and mobile phone usage. 

"Our results suggest a digital contact-tracing app, if carefully implemented alongside other measures, has the potential to substantially reduce the number of new coronavirus cases, hospitalizations and ICU admissions," Christopher Fraser, the senior researcher behind the report, said in a post. "Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths."

In Singapore, the government's national development minister told the Straits Times that 75% of the population would need to download the country's TraceTogether contact-tracing app for it to be truly effective. 

But in many countries, the adoption rate needed doesn't match the current acceptance rate. A Pew Research Center study released on April 16 found that 60% of Americans believe location tracking won't make a difference in limiting COVID-19's spread, and only 45% believe it's acceptable to track people who have had contact with an infected person. 

In countries including France, Germany and Italy, the acceptance rate for downloading contact-tracing apps ranged between 67.5% and 85.5%, according to an Oxford University survey

Governments can't solve the adoption rate problem by making the contact-tracing apps mandatory, either. 

Apple and Google said that any government agencies requiring people to use their contact-tracing services would be violating their conditions, and that the tracking tools would have to be opt-in. There are concerns that if contact-tracing apps become mandatory, governments will get intentionally incorrect data, or people will find workarounds to the requirements. 

For example, if these apps were mandatory, people could still choose to not list themselves as COVID-19 positive out of fear of government overreach and could thus continue spreading the disease without people being notified of exposure. 

The whole system of contact-tracing apps is built on trust, from getting people to install the apps to how people use them, the ACLU explained in a white paper.

And despite all of the resources afforded by governments and technology companies, there's a shortage on trust. 

Tech skeptics

Apple and Google say they've spent the bulk of their efforts on privacy, releasing white papers on the cryptography and Bluetooth specifications behind their contact-tracing technology. The companies have also promised to shut down the technology once the pandemic is over

The collected IDs are supposed to be deleted every 14 days, and are stored only on people's devices unless they've marked themselves as COVID-19 positive. The cryptography behind the service is designed to make these IDs completely separate from any personal information and usable only for COVID-19 tracking, the companies said. 

tracetogether.png

The TraceTogether app from Singapore's government uses Bluetooth on people's phones to track who they've been in contact with. Only about one in six people in the country have installed it.

Screenshot by Alfred Ng/CNET

The tracking app won't be available until at least May, but Singapore's TraceTogether app might serve as a case study on how receptive people will be. 

Released by the Singaporean government in March, TraceTogether follows many of the same principles that Apple and Google are using, with data encrypted locally and consent required to share COVID-19 positive cases. 

But only about one out of every six people have downloaded the app, despite the government's assurance that the service protects people's privacy and is a public health benefit. About a month after it was released, Singapore went into lockdown due to struggles with flattening the COVID-19 curve. 

French security researcher Baptiste Robert looked at the technical details behind Singapore's app and didn't find any outstanding privacy issues with the service. 

"Singapore is a very good example of not getting adoption, even with a privacy-preserving app. Technically, everything was well done," Robert said. "The nature of the app is why people didn't download it. People don't understand the technical details behind the app, they just understand 'the government wants to trace me.'"

Not only do companies and governments have to get people to trust that their privacy will be preserved, people also have to trust that the contact-tracing apps will actually work. There are concerns about false positives and unreliable data coming from these apps, and no proof that these systems are actually a solution. 

The director behind Singapore's TraceTogether app argued that technology can't replace manual contact tracing, warning that lives are at stake during this pandemic. 

Apple and Google also noted that for the apps to work, there needs to be available testing for COVID-19, something the US doesn't currently have.

"As a baseline, we don't know whether any of them will actually work," the ACLU's Gillmor said. "These are proposals to help in the pandemic, but we don't know that they will function the way that we want them to function. None of them are going to work very well if we don't have adequate testing and medical facilities to treat people." 

Trust fall

Any contact-tracing setup, including Apple and Google's technology, will need to gain public trust for the system to work. No one has a complete solution to the trust dilemma, but one group offers some advice. 

The ACLU proposed a set of guidelines that could ensure privacy and transparency for contact-tracing services. The recommendations include complete opt-in -- no one can force you to use the app, whether it's a government agency, a business, or a school. 

https://www.cnet.com/videos/contact-tracing-explained-how-apps-can-slow-the-coronavirus/​

The contact-tracing providers would also need to ensure that the collected data was utilized in a limited way and was destroyed after use, and they'd need to give people a method for verifying that. There would also need to be proof that the system was beneficial to public health efforts, and a commitment to shutting down the service if it wasn't effective.

"The promise that Apple and Google will shut the API off is very welcome," said Jennifer Stisa Granick, the ACLU's surveillance and cybersecurity counsel. "We just want to make sure that this is something that's verifiable, and that there will be an independent review to make sure the commitments they've made is something they're living up to." 

Even if a contact-tracing app followed all of these guidelines, it's a major hurdle to win trust for a service that's essentially tracking people through their phone. People will have to see the apps as a positive benefit for their health rather than a surveillance risk. 

"This is an unsolvable equation," Robert said. "You cannot push the same app on the phones of everyone in a country. People will always be suspicious. This is not technical, but more a human sciences thing."  

Coronavirus in pictures: Scenes from around the world

See all photos
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.