The state of Utah has settled on a contact-tracing mobile app that collects detailed user location information to track the spread of COVID-19 among citizens – eschewing the API model proposed by Apple and Google in April.
The app is called “Healthy Together” and it was created by a startup called Twenty Holdings – best-known for making a social app that allows users to “See who’s around. See who’s down. Hang out.” In other words, the company specializes in enabling physical, in-person connections.
It’s perhaps no surprise then that Twenty’s coronavirus app for Utah uses a raft of location data, including GPS, cell tower triangulation and Bluetooth, to pinpoint users.
The idea is to provide public health workers “with a faster and more accurate picture of where and how the virus is spreading in our community to focus public health efforts,” according to a notice on Utah’s official website.
The information collected by the app will be shared with public health officials (as expected) as well as a “limited number” of Twenty employees. Speaking to CNBC, Twenty chief strategy officer Jared Allgood explained how the state would use the data.
“Jeff and Sarah are two individuals in this example who don’t know each other but they both have the app on their phones,” he told the outlet. “And so both phones are emitting Bluetooth and GPS signals,” Allgood said. “Through that data we can identify whether or not two people have spent some time together.” From there, contact tracers can swing into action, making calls and contacting infected and exposed persons’ other contacts.
Armed with the data from the app, contact tracers and the patient “together can step through his list of location history,” Allgood said.
In marked contrast, Apple and Google’s API allows public health officials to build apps that have no centralized data collection on citizens. It makes use of an anonymous identifier beacon, which will be transmitted to other nearby devices via Bluetooth. When two people who have opted into contact tracing are in close contact for a certain period of time, their phones will exchange their anonymous identifier beacons. When people find out they’re infected, they can choose to upload the last 14 days of their broadcast beacons to the cloud. Any other person who has been in close proximity to someone infected will then be notified via the phone that an exposure to someone who has tested positive for coronavirus took place.
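The decentralized flow described above can be modeled in a few lines. This is an added illustration, not code from the article or from the Apple/Google specification: the HMAC-SHA256 beacon derivation, the 10-minute rotation and all class and function names are assumptions chosen to keep the sketch self-contained. It shows that the server only ever receives the daily keys of a user who opts to upload, and that matching happens on each phone.

```python
import hashlib
import hmac
import os

UPLOAD_WINDOW_DAYS = 14   # from the article: last 14 days of beacons
INTERVALS_PER_DAY = 144   # assumption: identifier rotates every 10 minutes


def beacon(day_key: bytes, interval: int) -> bytes:
    """Rotating anonymous identifier for one interval (HMAC stand-in derivation)."""
    msg = b"beacon" + interval.to_bytes(2, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.day_keys = {}   # day -> random secret, stays on the device until upload
        self.heard = set()   # (day, beacon) pairs received over Bluetooth

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.day_keys.setdefault(day, os.urandom(16))
        return beacon(key, interval)

    def observe(self, day: int, ident: bytes) -> None:
        self.heard.add((day, ident))

    def upload(self, today: int) -> list:
        """Opt-in after a positive test: release only keys inside the window."""
        return [(d, k) for d, k in self.day_keys.items()
                if today - UPLOAD_WINDOW_DAYS < d <= today]

    def exposed_days(self, published: list) -> list:
        """Match on the device: re-derive beacons from the published keys."""
        return sorted({d for d, k in published
                       for i in range(INTERVALS_PER_DAY)
                       if (d, beacon(k, i)) in self.heard})


def demo():
    jeff, sarah, carol = Phone(), Phone(), Phone()
    carol.observe(1, jeff.broadcast(1, 30))    # constructed contact on day 1
    sarah.observe(10, jeff.broadcast(10, 50))  # constructed contact on day 10
    published = jeff.upload(today=20)          # Jeff tests positive on day 20
    return published, sarah.exposed_days(published), carol.exposed_days(published)


if __name__ == "__main__":
    print(demo())
```

The published list carries no location, no identity and nothing about Sarah or Carol; the day-1 contact falls outside the 14-day window, so Carol's phone finds no match.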
Utah officials said that the Apple/Google reliance on Bluetooth alone gives a less accurate picture of where disease hotspots are.
“Bluetooth helps us understand person-to-person transmission, while location/GPS data helps us understand transmission zones — having both of these important data points provides a more effective picture of how COVID-19 spreads,” according to the site FAQ. “This data helps policy makers make the best possible decisions about how and where we begin to relax and modify restrictions as our community and economy begin to reactivate.”
In terms of privacy protections, Healthy Together is an opt-in scheme, and users can limit location services if they choose. “While the State will have access to your symptom data, location and Bluetooth data will only be released to the state should you test positive for COVID-19,” according to the official website. And according to the app’s privacy policy, the data is stored on Twenty’s servers for 30 days, after which it’s deleted.
Healthy Together is in beta testing and is not yet using live data. Besides contact tracing, the app offers a symptom checker, the ability to find the nearest COVID-19 testing center and access test results.
Contact-tracing apps have set off a slew of controversy over privacy concerns, even as contact tracing has emerged as a top idea for dealing with the coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide.
The National Health Service (NHS) in the U.K. is test-driving its own app on the Isle of Wight, also rejecting the Apple/Google approach. Recent leaked documents showed that roadmap features for the app include the ability for people to upload their health “status” on a self-reporting basis, with options that could include quarantine, self-isolating, social distancing, shielding and none. Future plans also indicate the integration of granular location data, and future versions of the app could also “collect self-reported data from the public like post code, demographic information and co-location status to enable more effective resource planning for NHS,” the documents reveal.
While that level of data collection worries privacy advocates, the concerns go further. The documents also showed that the officials behind the NHS initiative are concerned about how unverified information could be used. Because the information would be self-reported, the data collected by the app could include unverified diagnoses – and could be open to abuse or lead to unjustified “public panic,” according to the documents.
Any approach to app-based contact tracing comes with potential problems, Paul Bischoff, privacy advocate with Comparitech, told Threatpost. For instance, the Apple/Google decentralized model is more private and less prone to developer abuse and data breaches than using centralized GPS tracking like Healthy Together – however, it makes it more difficult to verify diagnoses without users’ identities.
It’s also vulnerable to attacks, he explained. “The most private method combines a decentralized model that keeps users’ identities anonymous with Bluetooth for proximity checking [like Google and Apple],” he said. “Bluetooth offers more accurate real-time proximity tracking than GPS and the data is easier to anonymize, though…it’s more prone to trolling, and a well-resourced adversary could track users with linkage attacks.”