COVID-19 App Tracker: Is privacy being sacrificed in a bid to combat the virus?

Governments and private companies around the world are launching apps and websites to help inform the public and prevent the spread of COVID-19. Many of these apps collect users’ personal information, health status, and location history in order to better track how the spread of COVID-19 is advancing.

Comparitech examined more than 100 of these apps from over 40 countries to find out whether they’re catching on and what risks they might pose to users’ privacy.

Coronavirus-related apps come in a few different varieties. They include features such as:

  • Contact tracing, such as maps of known nearby infections
  • General information, news updates, and alerts
  • Quarantine enforcement
  • Symptom checkers and self-diagnosis
  • Remote interaction with medical professionals

Coronavirus Apps & Websites

These apps and websites collect a range of personal information. Some of it is automatically collected just by interacting with the app. The user’s location, for example, can be pulled from a smartphone GPS or IP address. Other information is volunteered by the user, such as name, address, contact info, and medical info.

Some countries, particularly those where quarantines are strictly enforced, require citizens to download apps. Others are completely voluntary.

Most of these apps have good intentions and could be helpful in the fight against COVID-19, but they could also have long-lasting privacy implications for the people that use them.

In the haste to develop and launch these apps, we found many instances where user privacy and data security were ignored or overlooked. Many fail to adequately secure user data, don’t address how information can be shared with third parties, or lack clear data retention policies.

Here’s the location of all of the government/healthcare apps we have found (to date):

Please note: Any apps that aren’t available on Google Play and/or are website-based apps have been given a score of 500 to create the location point on the map. Please see the table below.

Update: 04/20

We have added over 20 more apps to our list, and many countries are still in talks to release even more. Meanwhile, for the apps we had already listed, there have been 43 million more downloads, increasing from 27,839,220 to 71,239,650.

The majority of these (40 million) came from India’s Aarogya Setu (A Bridge of Health) app, which went from over 10 million to over 50 million downloads. Interestingly, the app has also met with criticism, with many privacy groups saying that the app isn’t healthy for people’s privacy. For example, it’s not clear which ministries, officials, or departments will be accessing the data.

Some apps also dropped through the rankings in the App Store and received few additional downloads. In many cases, this occurred in countries where other apps have been introduced and/or they’re only relevant to specific areas, i.e. a city.

Growth in contact-tracing apps

A number of contact-tracing apps are to be launched in the coming weeks, including an EU-based one, one from the UK’s NHS, and one in Australia. These are thought to be based upon Singapore’s controversial app, TraceTogether.

The Australian Prime Minister, Scott Morrison, hasn’t said that the app will be compulsory but did say, “I will be calling on Australians to do it, frankly, as a matter of national service.”

Apple and Google are also collaborating to build a similar app. The two tech giants are working to create a technology that would allow smartphones to trace every other device they come into contact with. Utilizing Bluetooth signals, records would be stored on a user’s phone and alerts sent if and when someone they’ve been in contact with tests positive.

Although anonymous, none of these technologies can absolutely guarantee that the coronavirus victim’s identity won’t be known. Even though none of their personally-identifiable details will be given, that’s not to say that the person who is alerted to the new case won’t be able to figure out who it is that they have been in contact with.

“Snitching” apps

A number of apps have been developed to allow people to “snitch” on those who aren’t following social-distancing rules.

For example, in the US, an app was launched in Riverside County, California, which allows users to report a violation of the new rules, i.e. unorganized gatherings, the opening of nonessential businesses, and essential businesses who aren’t following health orders, e.g. not wearing appropriate masks or not adhering to social distancing guidelines. Reports can also be accompanied with a photo. So far, over 1,000 people have downloaded the app on Google Play Store.

But in San Francisco, a similar type of feature in the community’s app had to be removed after it received negative complaints from residents who deemed it the “Big Brother” app.

We have also noticed that quite a few countries have online forms available for people to report violations, including one for the Met Police (London, UK) and one in New Zealand (which crashed upon launch as 4,200 people made reports in the first 24 hours). We’ll include more of these in our next update.

Cough/voice detectors

A number of apps are looking to help diagnose (and understand) COVID-19 through a person’s voice or cough. These apps record a cough and use artificial intelligence to deem whether or not they have coronavirus.

Published list of quarantined people

In Chandigarh, India, the government website publishes daily lists of those who are in quarantine and those who have completed a quarantine period. This includes their name, address, age, gender, and quarantine period. The list of those who have completed quarantine also comes with additional notes, i.e. where they have traveled from.

Notable COVID-19 apps

Singapore – TraceTogether

This app works by exchanging Bluetooth signals across short distances between phones to detect if there’s another user within two meters. The app stores records of these encounters and, when requested, these logs must be sent to the Ministry of Health. Any data on users’ phones is encrypted and only stored for 21 days. The app doesn’t access any other information, i.e. the user’s location, and it isn’t compulsory to download the app, though the government encourages people to share it.
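The on-device model described here and in the Apple/Google passage above (Bluetooth encounters kept on the phone, a fixed retention window, local matching when a contact tests positive) can be sketched as follows. This is an added example, not code from TraceTogether, Apple, or Google; the opaque token format, the distance estimate, and all names in it are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=21)  # retention period the article reports for TraceTogether
MAX_DISTANCE_M = 2.0            # proximity threshold the article reports


@dataclass(frozen=True)
class Encounter:
    token: str         # opaque identifier heard from the other phone (assumed format)
    seen_at: datetime  # when the Bluetooth exchange happened (UTC)
    distance_m: float  # assumed to be estimated by the app from signal strength


class EncounterLog:
    """On-device log: nothing in this class leaves the phone."""

    def __init__(self):
        self._records = []

    def record(self, token, seen_at, distance_m):
        """Store an encounter only if it is within the proximity threshold."""
        if distance_m > MAX_DISTANCE_M:
            return False
        self._records.append(Encounter(token, seen_at, distance_m))
        return True

    def purge(self, now):
        """Drop records older than the retention window; return how many were dropped."""
        cutoff = now - RETENTION
        kept = [r for r in self._records if r.seen_at >= cutoff]
        dropped = len(self._records) - len(kept)
        self._records = kept
        return dropped

    def exposure_days(self, positive_tokens, now):
        """Match locally against reported tokens; return day-level dates only."""
        self.purge(now)  # never match against data that should already be gone
        positives = set(positive_tokens)
        days = {r.seen_at.date().isoformat() for r in self._records if r.token in positives}
        return sorted(days)

    def __len__(self):
        return len(self._records)


def demo():
    now = datetime(2020, 4, 20, 12, 0, tzinfo=timezone.utc)
    log = EncounterLog()
    # Constructed sample encounters: (token, age, distance in metres)
    samples = [
        ("tok-a", timedelta(days=3), 1.2),
        ("tok-a", timedelta(days=3, hours=-1), 1.5),
        ("tok-b", timedelta(days=25), 0.8),   # older than 21 days
        ("tok-c", timedelta(days=1), 6.0),    # too far away to count
        ("tok-d", timedelta(days=10), 1.0),
    ]
    stored = sum(log.record(t, now - age, d) for t, age, d in samples)
    purged = log.purge(now)
    # Constructed list of tokens reported by users who tested positive
    exposures = log.exposure_days(["tok-a", "tok-b", "tok-c"], now)
    return stored, purged, len(log), exposures


if __name__ == "__main__":
    print(demo())
```

Returning only day-level dates limits what an alert reveals, but as the article notes, the person alerted may still be able to work out who the contact was.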

Other countries known to be utilizing Bluetooth contact-tracing methods are Austria (Stopp Corona app), India (Aarogya Setu app), Italy (Covid-19, ADiLife), and the United Arab Emirates (TraceCovid). Austria and the UAE assure users that data is anonymized and/or data isn’t shared beyond the phone, but India and Italy appear to suggest that data may be shared with governments (even if precise user details and locations aren’t revealed).

China – Alipay Health Code/Close Contact Detector

Although not compulsory, this app is required in order to move from place to place. A central database collects two types of information – movement and coronavirus diagnosis. A green-orange-red color code indicates free movement, local movement only, and quarantine, respectively. It uses QR codes to see the users’ real-time contact networks, GPS to look at their location, and Bluetooth to sense proximity between phones.

QR codes have to be scanned before someone can enter their workplace, apartment, and other key areas and they also have to write down their ID number, name, recent travel history, and temperature. Telecom operators are also tracking movements, while hotlines have been set up by social channels like Weibo and WeChat so people can report others who are sick. Some cities are also rewarding people for informing them about sick neighbors.

Chinese companies are also implementing facial recognition that can detect citizens who aren’t wearing face masks and can detect high temperatures within a crowd. A number of apps are also using citizens’ personal health information to alert others who are within the same proximity of infected patients or if they’ve been in close contact with someone.

Poland – Kwarantanna Domowa (Home Quarantine)

“People in quarantine have a choice: either receive unexpected visits from the police, or download this app,” Karol Manys, digital ministry spokesman, told AFP.

The app requires people undergoing the mandatory 14-day quarantine (after returning from abroad) to check in with police by registering with facial recognition on the app then submitting selfies throughout the day when the app alerts them. If they fail to respond within 20 minutes, the police are alerted. The app uses geolocation and fines of PLN 5,000 ($1,100) are issued to those breaking their quarantine.

A number of other countries have followed Poland’s quarantine-tracking methods, including Hong Kong, India (in numerous forms in different locations), Italy, Russia, South Korea, the United Arab Emirates, the United States, and Vietnam. In all of these cases, location and user details are being shared with various government agencies and users are often being asked to check-in with the app regularly.

For example, COVID19 Regione Sardegna is mandatory for anyone entering Sardinia, Italy after the state of emergency was declared. In Russia, the “Social Monitoring” app was removed from Google Play after reports that it wanted access to numerous features, i.e. files, camera, and fitness trackers.

Israel – CoronApp

Israel’s app allows people to submit their symptoms and track cases of coronavirus. There has already been a known breach of the data (although the government said nothing had been compromised). A security researcher found the data of 70k+ people was easy to hack using a common tool, and all of the data was stored on a three-year-old server. The bug has since been fixed.

Hong Kong – StayHomeSafe (with Wristbands)

To make sure those in quarantine aren’t leaving their homes, Hong Kong is administering wristbands which are connected to a smartphone app.

A report said that someone who had to wear the wristband was told to walk around the corners of his home so the app would know coordinates of his living space. Those who don’t adhere to these restrictions can be fined 5,000 HKD ($644). At the time of writing, 60,000 wristbands had been made available.

Methodology

To ensure the integrity of the apps/websites included, we have only added those that are available on the Google Play/App Store (as they have rigorous coronavirus app controls in place) and/or have been released by government authorities or trusted healthcare companies. For web-based or general apps, we have focused only on ones that are requesting data or have questionable privacy practices.

Where possible, rankings have been derived from the app’s country of origin. Using a VPN, we altered our location to that of the app’s developers to gain an understanding of the ranking in that country. For example, CoronaMadrid is designed for residents in Madrid, Spain, so we altered our IP address to one in Spain before looking at the app in the App Store to see where it ranked.

Best practices for contact tracing

A Google Doc created by volunteer experts details some of the best practices for developers making contact tracing apps. The document now has dozens of collaborators working together to offer guidance on what data is relevant, how it should be collected, and how it should be analyzed for effective contact tracing.

Notably, the authors advise app makers not to collect GPS location data at present due to both privacy and efficacy concerns:

“‘Anonymization’ or ‘de-identification’ of a mobile (eg GPS) location history is difficult to do correctly. Given the weak epidemiological case for this kind of data at present (at least until testing latency is down to hours, not days) we would presently advise apps for most purposes not to try to collect that information for automated contact matching. […] Bluetooth and similar proximity based tracing methods have been identified as the most likely to produce effective warnings to exposed individuals without extremely high false positive rates. However, because they cannot be correlated against any location data, they need to be enabled on a significant fraction of devices before this provides a high likelihood of tracing contacts.”

Although location data can help enforce quarantines, it’s not so useful for actually tracking the spread of COVID-19.

Other surveillance techniques

Telecom data

A number of countries, including Austria, China, Germany, Italy, and the UK, are using telecom data to track people’s movements. The data is being used to see whether social distancing guidelines are being followed and/or to try and find patterns in how the virus is spreading.

Telecom tracking was taken even further in Israel where security service Shin Bet was given the go-ahead to track people’s phone data without requiring a court order. This is in a bid to track the movements of people who have been found to be carrying coronavirus, enabling them to see who they were interacting with in the days and weeks leading up to their diagnosis.

Shin Bet will send the information to the Health Ministry and anyone who has been within two metres of the infected person for more than 10 minutes will receive a message telling them to go into quarantine.

It appears as though phone users won’t have to give their permission in order for Shin Bet to do this. Shin Bet will only be able to use this information to fight the virus and the data will be erased as soon as it has been used. However, there are concerns that Shin Bet isn’t subject to the FOI laws of Israel so their actions could remain a secret. A law would normally need approval by Knesset, Israel’s parliament, but it was thought the approval process would have delayed the rollout, so the Prime Minister passed it under emergency powers.

Immunity certificates

Both the UK and Germany have suggested that they may issue immunity certificates to those who have had the coronavirus and are no longer at risk. This would enable them to return to work/normal life quicker.

Facial recognition technology

China has implemented facial recognition cameras that detect if someone isn’t wearing a face mask (a legal requirement when leaving their homes) and/or if they have a high temperature. In Russia, facial recognition is being used to capture those who disobey quarantine rules in the capital city, Moscow. Despite having 170,000 cameras in place already, the police have requested a further 9,000 to ensure “there is no dark corner or side street left.”

QR codes

As we have already seen, China implemented a QR-code system to track and restrict people’s movements. Russia has followed suit with the same kind of system in Moscow. Each resident has to register online for their unique code which they can show to police if they are stopped when leaving their home for essentials.

Hand stamps with indelible ink

Those arriving in India from abroad or those who are suspected of having coronavirus have their hand stamped with indelible ink. The stamp details when their period of quarantine is due to end. Governments in India are also rumored to be tracking people’s movements on airlines and railways to try and find those who could be infected.

Big Data

The University of Pavia is using anonymized data from Facebook to try and analyze the spread of coronavirus, looking at data on mobility and maps on population density. Meanwhile, Google has created its own COVID-19 Community Mobility Reports which show people’s movement trends over time, looking at different places of interest, i.e. grocery stores, residential properties, workplaces, and parks.

Virtual “electric fences”

In Taiwan, an “electric fence” is created through mobile location tracking to make sure those who should be in quarantine are remaining in their homes. The system monitors phone signals and alerts local officials and police if the quarantined are moving away from their homes or turn their phones off. Officials also call them twice a day to make sure they’re not just leaving their phones at home.

Lists of vulnerable people

In the UK, supermarkets are being given access to a government database that details the 1.5 million people who are classed as “vulnerable shoppers.” This is done in a bid to help supermarkets prioritize delivery slots.

Over the coming weeks, we are expecting a number of new apps that are designed for wide-scale use. This includes the UK’s NHS app which is currently in development with NHSX. It will use an algorithm to identify patients who are most at risk of having complications if they contract the virus and this will be recorded in numerous places, i.e. electronic records and GP systems. Approved organizations will also have access to this data to help them fight the pandemic.

The WHO is also due to release its own app which will provide up-to-date information and ask users to disclose their location so they can perform contact tracing.

Elsewhere, a GSMA global tracking system may be in production. The mobile phone industry has explored the creation of a global data-sharing system that could track individuals around the world. As of the end of March, these talks were in their early stages and decisions haven’t been made yet about whether or not this will move forward.

We will undoubtedly see a large number of other apps being released on a daily basis and will be updating our findings as we go along.

COVID-19 app survey: How do people feel about their privacy amid the pandemic?

To find out how the general population feel about their privacy when it comes to combatting the virus, we commissioned a survey of 1,500 people in each of the US and UK (3,000 in total), asking whether people are more willing to compromise on privacy in order to use such apps.

78% of survey respondents said they would be willing to sacrifice any or some of their usual privacy principles in order to help fight and prevent the spread of COVID-19.

The survey was conducted by OnePoll, a UK-based market research firm.

COVID-19 App Survey

Here are a few key stats from the survey:

  • 78% of respondents would forego any or some of their usual privacy principles (e.g. sharing personal data with the government and other relevant third parties) in order to help fight and prevent the spread of COVID-19.
  • 44% would be willing to download an app that tracked their location to help the government collect useful information to plan its response to COVID-19. A further 26% would do so if the app was anonymous, despite it being less useful.
  • 94% would be willing to provide their name, age, and gender to a COVID-19 tracking app if they exhibited symptoms.
  • 62% would be willing to tell an app all of the places they’ve visited recently to alert others who might have been in the area. A further 25% would do so anonymously despite it being less useful.
  • 58% would be willing to provide frequent location updates to a government app to confirm they’re sticking to quarantine restrictions. A further 24% would do so anonymously despite it being less useful.

The survey results revealed some other interesting trends when broken down by region, age range, and gender.

  • Men were more willing than women to download contact tracing apps, forego their usual privacy principles, and provide the government with location updates
  • Younger people were more likely to opt for anonymous apps and data collection than older people, despite anonymous data being less useful
  • 25- to 34-year-olds were the most willing to forego their usual privacy principles to help combat COVID-19

People living in the Northeast and West regions of the US were, broadly speaking, more likely than the rest of the country to provide apps with identifying personal and location data. Those include hard-hit states with densely-populated cities like California and New York.

Similar variations were observed in the United Kingdom. Respondents in Northern Ireland, in particular, were significantly more likely to give apps personal information and compromise on privacy.

Sources

For a full list of the apps and links, please see this sheet here: https://docs.google.com/spreadsheets/d/1JYLJiqBYoXQEie-baa-a8z1CV_UNrYc6Fi8mxhnJoDA/edit?usp=sharing

Writer:

Paul Bischoff

Paul is Comparitech’s editor and a regular commentator on cyber security and privacy topics in national and international media including New York Times, BBC, Forbes, The Guardian and many others. He's been writing about the tech industry since 2012 for publications like Tech in Asia, Mashable, and various startup blogs.