How to Create a COVID-19 Contact Tracing App at the State or Local Level
- Product Development /
Human contact tracing has been used to manually track and prevent the spread of infectious diseases for decades. Now the ubiquity of smartphones is enabling a new technological approach to tracing potential COVID-19 virus exposures. The global impact of COVID-19 has spurred many governments to develop and release applications that track human contact via the location and proximity of their citizens’ smartphones. The idea is that anyone with a smartphone is able to know if they’ve come into contact with someone infected with COVID-19, as long as that person also carried a smartphone with them.
What Are the Challenges of Creating a Contact Tracing App?
Implementing a smartphone contact tracing app can be fraught with challenges:
- A British study estimated that 56% of the general population must use the app to halt an outbreak, which equates to 80% of all existing smartphone owners. The most widely adopted app in the United States (South Dakota) only has a 2% app penetration in their population as of May 2020. That said, every installation matters and can still make a difference, even if the number of total installations is below the target.
- Apps that record some sort of contact or location data must constantly run in the background in order to be effective. Unfortunately, most apps are in a constant struggle with the mobile operating system to remain running. Operating systems will frequently hibernate or terminate apps that attempt to run battery draining operations in the background. Running GPS or the Bluetooth radio is a surefire way to get your app shut down.
- Privacy concerns abound as there are fears that COVID-19, much like September 11, could be an event that leads to a permanent loss of privacy on a global scale. Some governments, such as China, are assumed to secretly turn over their populations’ tracing data to law enforcement. Others, such as Turkey, are openly warning citizens that security forces will be informed if they flout quarantining rules.
- Accuracy of tracing data varies significantly, based on implementation approach. Considering that the chance of infection can come down to being within a few feet of an infected person, using location data that is only accurate up to 20 or 30 feet can cause lots of misses. This location data can be collected via GPS, Wifi signals, or cell phone tower triangulation, each of which has its own limitations and accuracy constraints. Contact data is most commonly collected using Bluetooth Low Energy (BLE), which requires devices to be physically close to each other, although based on physical obstructions between two devices, this can also be inaccurate. For example, someone located a floor above you might have the virus, and while your phones were able to exchange data via BLE, you are unlikely to have contracted the virus from them through the wall.
Which Health Departments are Creating COVID-19 Contact Tracing Apps?
Up to this point every country’s health department has had to devise their own methodology for helping citizens receive information about potential exposures. In the United States, where we have a very limited coordinated federal response, individual states are left to develop their own apps (Utah and the Dakotas are amongst the first to have launched mobile apps for contact tracing). Below is a table of COVID-19 contact tracing apps listed by country:
What are Possible Solutions for Implementing a Contact Tracing App?
Fortunately, there have been international efforts to create standards for smartphone-based contact tracing that addresses privacy concerns, such as DP-3T. This inspired Apple and Google’s approach to develop and embed a joint contact tracing functionality directly into their mobile operating systems. Their solution, Exposure Notification API, is considered privacy friendly and decentralized. Exposure Notification API opens new possibilities for adoption of COVID-19 tracing apps, as Google and Apple collectively control a 3 billion smartphone market, equivalent to 40% of the world’s population. One of the biggest benefits of their approach is that much of the functionality is baked into the operating system. Functionality at the operating system level is not impacted by battery management issues the same way regular apps are. Therefore the contact tracing functionality can run 24/7 in the background without being terminated.
Here’s how the Exposure Notification API works: Each iOS and Android mobile device in the population will exchange anonymous encrypted key data with other devices in proximity of its Bluetooth radio, so every individual phone keeps its own key log of devices it has been in proximity to. Every public health authority can then launch their own mobile app and run their own exposure notification server, which collects encrypted key data from citizens that voluntarily self-report if they have been infected with COVID-19. The keys of the “infected” device are then sent to all phones in the population, and if there is a contact match between an “infected” device and your device, you would receive a notification.
On May 20, Google and Apple released their initial versions of their COVID-19 contact tracing functionality for Android (via a Google Play Services update) and iOS (via iOS 13.5) to the public. Alabama, South Carolina, and North Dakota have already announced their intentions to include the Exposure Notification API functionality in their contact tracing apps. National governments have also committed to implementing the Apple/Google API approach. Austria, Germany, and Ireland are some of the first countries to announce that they will adopt it in their respective COVID-19 mobile apps.
Applying Contact Tracing Apps in Large Businesses and Organizations
This also sets a precedent for large companies, healthcare, and higher education organizations, with tens of thousands of people on their campuses, to implement their own contact tracing apps. Companies with large facilities, such as Boeing, could benefit from an employee-focused contact tracing app, for which they control the data. For example, if through cell phone proximity data they can identify and notify the 50 employees who were in the same manufacturing space as someone diagnosed with COVID-19, that would provide tremendous value to them to suppress an outbreak in their facilities.
Focusing on corporate, healthcare, and higher ed campuses as an ecosystem also opens up additional location tracking technologies. Campus facilities that use Aruba networking equipment have access to Meridian, which provides real time indoor location (RTLS) data down to a few feet in accuracy. This data can be used to identify possible infection vectors within a facility while also providing an improved employee experience through the app. In addition to contact tracing, an employee app can also be valuable in addressing other crises related to communication issues, such as helping organizations build trust and confidence in their leadership, thus making employees feel safer at work.
How to Get Started With the Exposure Notification API
Apple and Google tightly control access to their new contact tracing API. In order for a public health authority to be granted access to the Exposure Notification API, they need to adhere to the following guidelines:
- The app must be created by or for the use of an official government public health authority. Use is solely for the purpose of responding to COVID-19.
- Users must consent to usage of the API prior to any use.
- The public health authority operating the app must be granted consent from a user prior to broadcasting/sharing a positive test result.
- Apps are restricted to compiling data solely for the purposes of exposure notification for COVID-19. It is explicitly forbidden to use data for any other purposes, such as advertising.
- It is strictly forbidden to request permission to access a device’s Location Services, providing specific geolocation data. Google and Apple have agreed that public health authorities apps already making use of location data will continue to be offered. They have however stipulated that apps making use of that information will not have access to the new Exposure Notification API.
- In order to avoid fragmentation and facilitate fluidity/alignment, every country is restricted to using one app. Google and Apple are willing to assist and support authorities in countries that are relying on a regional or state-based approach when able. In a scenario where Apple is notified by a country of an intention to provide different states varying apps, they will provide access to multiple apps in that particular country’s stores. Apple is further willing to work with countries refining the notification mechanics delineating parameters such as cross-state notifications.
If you are in a local government and are looking to launch your own COVID-19 contract tracing app, utilizing the Apple/Google API approach is likely the most effective path moving forward. Here’s how to deploy the Exposure Notification API for your own local government:
- Provide advance notice to Google and Apple about your intentions to use the API.
- Build and launch an Exposure Notification server. You can use Google’s reference build as a starting point.
- Design, build, and launch the iOS and Android mobile applications for your health authority leveraging the Exposure Notification API on the devices. Google and Apple provide reference designs on how to implement the API.
- Design, build, and launch a website that explains how the app works and addresses any concerns citizens might have.
- Promote, promote, promote. The value of your app solution is only as good as its adoption within your target population.
As your application becomes public, it is certain to receive scrutiny. Privacy advocates are understandably critical of any government-sponsored mobile app that records citizen data. Here are some best practices to get ahead of any criticism:
- Release your app’s source code openly. Not only does this build trust, but it enables cooperation and efficiencies between governments wanting to implement similar solutions. One example is the Austrian COVID-19 contact tracing app, which is maintained by the Austrian Red Cross and released as open source on Github.
- Ensure user consent is granted before tracking any data on their device. When using the Apple/Google API approach, this is handled by the devices’ operating system. If you implement your own solution, you will need to clearly communicate to your user.
- Be transparent about who gets access to the collected data. Health departments? Police? Intelligence agencies?
- Set clear expectations if you are going to make the app mandatory for certain people. For example, India has made their COVID-19 contact tracing app mandatory for all public and private sector workers.
- Communicate that you will disable the app and delete all data after the COVID-19 crisis has passed. And follow through on that promise.
- Do not attempt to replace human contact tracing with your app. This technology is unproven and can only serve to supplement the existing human contact tracing efforts.
If you are in a local government looking ahead to how you will manage the crisis as potential future waves of infections surface, now is the time to invest in a contact tracing mobile app. The release of the Apple/Google API provides one of the most powerful tools to help individuals receive information about possible exposure while still honoring privacy. Between the available reference architectures and applications open sourced by other governments, the level of effort to launch a contact tracing app has never been lower.
EMERGE provides end-to-end mobile app platform design and development for the healthcare industry, and can help your government launch its own contact tracing app. Contact us today to talk about how we can help.