Amidst the many roles big tech is expected to play during the COVID-19 pandemic, contact-tracing using smartphones is perceived to be one of the most important in containing the Novel Coronavirus and flattening the curve. To help public health agencies across countries develop such apps for their citizens, Apple and Google worked together on an Exposure Notifications System API (for iOS) and a Google Play Services update (for Android) for several weeks. It was finally unveiled on May 20.
Now, Switzerland will be the first country to develop an app using the API developed by the tech giants. The app is called SwissCovid and is developed by the Swiss university EPFL. The app is presently in pilot testing and will be used by EPFL employees, ETH Zurich, the Army and some hospitals and government agencies. The Swiss parliament also has to amend a law on epidemics to allow the existence of such an app for the general public. The country plans to roll out the app en masse by mid-June.
The SwissCovid contact tracing app works using Bluetooth. When two people meet in close proximity (less than two meters) for more than 15 minutes, phones with the app installed will exchange key codes. If one person is infected by COVID-19 and updates their status in the app, the other person will be notified and asked to get tested.
The app relies on the API developed by Apple and Google, and as such, the app should work on iPhones running iOS 13.5 and above while Android phones running on versions as old as Android 6.0 are supported.
The fundamental difference between SwissCovid’s approach and India’s own Aarogya Setu app is the way it stores the information. The Apple-Google model focuses on combating the virus while protecting user privacy. The API developed jointly by the two companies relies heavily on user consent.
The app will ask for user consent before using the API and before a positive result is shared with other users. Users can also turn off exposure notifications manually. Furthermore, the apps cannot request location data and the data collected cannot be used for targeted ads.
The Apple-Google model also uses a decentralised protocol called “DP3T”, short for Decentralized Privacy-Preserving Proximity Tracing, where most of the work is carried out on users’ phones, and not in centralised databases.
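A simplified sketch of the decentralised flow described above, added here as an illustration (it is not code from SwissCovid, DP3T or the Apple-Google API). The HMAC-based ID derivation, the 15-minute slot length and the `Phone` class are assumptions, and the sample contacts are constructed.

```python
import hashlib
import hmac
import os

SLOTS_PER_DAY = 96  # assumption: one rotating broadcast ID per 15-minute slot


def eph_ids(day_key):
    """Derive a day's broadcast IDs from a secret day key (HMAC is a stand-in)."""
    return [hmac.new(day_key, b"slot-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(SLOTS_PER_DAY)]


class Phone:
    def __init__(self):
        self.day_key = os.urandom(32)  # never leaves the phone unless reported
        self.heard = {}                # eph_id -> (minutes, metres), kept on device

    def observe(self, eph_id, minutes, metres):
        # metres is an estimate the phone makes itself (assumed input here)
        self.heard[eph_id] = (minutes, metres)

    def report_positive(self, server_keys, consent):
        # Only the key is uploaded, and only with consent: no contacts, no location.
        if consent:
            server_keys.append(self.day_key)

    def check_exposure(self, server_keys):
        # Matching runs on the device: re-derive IDs from each published key
        # and add up the time spent within two metres of that key's owner.
        for key in server_keys:
            close_minutes = 0
            for eid in eph_ids(key):
                minutes, metres = self.heard.get(eid, (0, float("inf")))
                if metres < 2:
                    close_minutes += minutes
            if close_minutes > 15:
                return True
        return False


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    server_keys = []  # everything the central server ever holds
    ids = eph_ids(alice.day_key)
    bob.observe(ids[10], minutes=12, metres=1.5)   # constructed: 20 close minutes
    bob.observe(ids[11], minutes=8, metres=1.5)    # across two slots
    carol.observe(ids[11], minutes=5, metres=1.0)  # constructed: too brief
    alice.report_positive(server_keys, consent=True)
    return bob.check_exposure(server_keys), carol.check_exposure(server_keys), len(server_keys)
```

The server stores one opaque key per consenting positive user and never learns who met whom; each phone decides locally whether to notify its owner.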
The Aarogya Setu app, which was developed and rolled out before the Apple-Google contact tracing API went live, uses a centralised approach to contact tracing. The app, according to NITI Aayog, has been downloaded 114 million times and reached out to 9 lakh contacts, giving it a larger scope than all other contact tracing apps in other countries combined.
Yet, despite the raging popularity (primarily due to enforced installs), gaps in the app’s privacy protection, data usage and public perception of how the data is used and processed have been a concern for many.
The app was proven to be vulnerable to third-party access, and that’s primarily because data from users is uploaded to a centralised database. Furthermore, the Aarogya Setu app also collects the real-time location of people infected by COVID-19. There’s also no way to turn off exposure notifications.
As a result, the app made for Indians to contact-trace COVID-19 infections cannot use the API that Apple and Google developed with user privacy in mind.
A good respite is the fact that Aarogya Setu is now open-source. The source code of the app is now available on a public GitHub repository. For now, only the Android app’s source code is available. Source code for iOS (for iPhones) and KaiOS (for JioPhones) will be released in the next few weeks. NITI Aayog also promised that the back-end code for the servers will be made open-source in the future. This came as an effort to assuage users’ privacy concerns by providing transparency into how the app works.