As New Zealand opens up, we look at the big questions around how good is your country's contact tracing app

To quote a statesman much in the news this past week: ‘This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.’

For the first time since the Live Event lockdown started in early March, a back-to-normal, full-venue Live Event will take place this coming Saturday in New Zealand, when the Otago Highlanders play the Waikato Chiefs at Forsyth Barr Stadium in Dunedin.

The following day the Auckland Blues host the Wellington Hurricanes at Eden Park, all as suggested by The DAIMANI Journal last week.

All of the matches are part of a revised New Zealand-only rugby competition called Super Rugby Aotearoa, title-sponsored by Investec. NZ’s prime minister Jacinda Ardern took her country out of Alert Level 2 earlier this week and into Alert Level 1 meaning there will be no limit on crowd numbers when the first two rugby matches are played.

New Zealand Rugby’s CEO Mark Robinson said, ‘We're incredibly proud, and grateful, to be the first professional sports competition in the world to be in a position to have our teams play in front of their fans again. [Super Rugby Aotearoa] is going to be a very special and unique competition and it's fitting that New Zealanders now have a chance to be part of it.’

But, as some readers may be surprised to know, for all of the country’s meticulous handling of the coronavirus response, there is no New Zealand government contact-tracing app. Scientists estimate this may be several months away from being ready.

So with rugby fans packing into the five venues [the Auckland Blues are estimating 35,000 at Eden Park on Sunday], the NZ Government and rugby bosses are having to use the low-tech solution of asking ticket-holding fans to scan the QR codes displayed at match venues to identify themselves and create an offline contact tracing system.

Given that much of the past six months has been a crash-course for all of us in pandemics, it’s worth repeating that virtually all medical professionals—and medical bodies from America’s Centers for Disease Control to the World Health Organization -  say contact tracing is a crucial part of the three-pronged plan for returning the world to normal: test, trace, isolate.  

‘I don’t think we can overstate the importance of contact tracing,’ says Seema Yasmin, director of the Stanford Health Communication Initiative and a former CDC investigator who focused on epidemics. ‘It’s been at the cornerstone of every major epidemic investigation from SARS to Ebola and beyond.’

Contact tracing apps are also – in the public’s mind – a critical component of reining in the spread of coronavirus and giving that ‘peace of mind’ which is seen as so important to the successful return of ticketed Live Events in countries still labouring under a lockdown of some form or another.

Currently more than 45 countries have, or plan to, rollout coronavirus contact tracing apps including Australia, France, Italy, the Netherlands and the UK.

As the MIT’s Technology Review reported, there has been an explosion of apps, services, and systems developed for governments to assist with contact tracing: ‘identifying and notifying all those who come in contact with a carrier. Some are lightweight and temporary, while others are pervasive and invasive: China’s system, for example, sucks up data including citizens’ identity, location, and even online payment history so that local police can watch for those who break quarantine rules.’

‘Some services are being produced locally by small groups of coders, while others are vast, global operations. Apple and Google are mobilizing huge teams to build their upcoming systems that notify people of potential exposure, which could be used by hundreds of millions of people almost immediately,’ says MIT Technology Review.

The purpose of the MIT Technology Review article is to explain how very little is known about the contacting tracing apps and how they could affect society. ‘How many people will download and use them, and how widely used do they have to be in order to succeed? What data will they collect, and who is it shared with? How will that information be used in the future? Are there policies in place to prevent abuse?’

The MIT Technology Review found startling levels of difference and discrepancy when viewed across all the countries using contact tracing apps:

‘When we began comparing apps around the world, we realized there was no central repository of information; just incomplete, constantly changing data spread across a wide range of sources. Nor was there a single, standard approach being taken by developers and policymakers: citizens of different countries were seeing radically different levels of surveillance and transparency.’

The perils of this can be shown by the case of Qatar. At the end of last month, the government told all citizens and residents to have the Ehteraz contact-tracing app installed on mobile devices when leaving their homes. This would allow the government to track if the user has been in touch with an infected person. [Although Qatar has had only 23 coronavirus-related deaths, there have been more than 40,000 infections.] Those caught without the app face fines equivalent to US$ 55,000 or three years in prison.

No sooner had Qatar’s app been launched than on May 21 the IT specialists at Amnesty International discovered a design flaw that meant as many as 1 million users’ private details could be accessed. Amnesty were at pains to confirm that the Qatari government fixed the flaw within a day of being notified.

‘Amnesty International’s Security Lab was able to access sensitive information, including people’s name, health status and the GPS coordinates of a user’s designated confinement location, as the central server did not have security measures in place to protect this data,’ said an Amnesty statement.

That is what is fascinating and appealing about the MIT Technology Review article. The authors are crowd-sourcing from all of us their attempt to gather as much contact tracing app information into a single place as possible.

That is then fed into their Covid Tracing Tracker—a database that captures details of every significant automated contact tracing effort around the world which can be seen here:

MIT Technology Review is asking for all of our help to monitor and improve their global database so that the development, rollout, and evolution of these services can be tracked over time. (‘How to submit a change’ is detailed below.)

The list, which is updated regularly, compiles automated contact tracing apps that are backed by national governments. These are apps designed to automatically tell users or public health officials whether somebody has potentially been exposed to coronavirus; it’s what is generally known as ‘exposure notification.’

For each contact tracing app, firstly there are basic questions that the MIT Technology Review want to know:

1. Who is producing it?
2. Is it released yet?
3. Where will it be available, and on what platforms?
4. What technologies does it use?
5. Is it mandatory?
6. How private is the app?
7. Are citizens’ rights being safeguarded?
8. How transparent are the makers about their work?

The more complicated issues relate to privacy, and for this the survey has adopted the principles set out by the American Civil Liberties Union and others. In five simple questions:

1. Is it voluntary? In some cases, apps are opt-in—but in other places many or all citizens are compelled to download and use them.
2. Are there limitations on how the data gets used? Data may sometimes be used for purposes other than public health, such as law enforcement—and that may last longer than coronavirus
3. Will data be destroyed after a period of time? The data the apps collect should not last forever. If it is automatically deleted in a reasonable amount of time (usually a maximum of around 30 days) or the app allows users to manually delete their own data, the survey awards a star.
4. Is data collection minimised? Does the app collect only the information it needs to do what it says?
5. Is the effort transparent? Transparency can take the form of clear, publicly available policies and design, an open-source code base, or all of these.

For each of these questions, if the survey answer is yes, the app gets a star. If a yes is not possible —either because the answer is negative or because it is unknown—the rating is left blank. MIT Technology Review also includes a field for notes that can help put things in context, and keeps track of updates in their change-log.

In addition, the survey says something about the basic technology underlying the app. Here’s an explanation of the key terms.

• Location: Some apps identify a person’s contacts by tracking the phone’s movements (for instance, using GPS or triangulation from nearby cell towers) and looking for other phones that have spent time in the same location.
• Bluetooth: Some systems use ‘proximity tracking’ in which phones swap encrypted tokens with any other nearby phones over Bluetooth. It is easier to anonymize and generally considered better for privacy than location tracking.
• Google/Apple: Many apps will rely on the joint API that Apple and Google are developing. It lets iOS and Android phones communicate with each other over Bluetooth, allowing developers to build a contact tracing app that will work for both. Later the two companies plan to build this directly into their operating systems.
• DP-3T: This stands for decentralised privacy-preserving proximity tracing. It’s an open-source protocol for Bluetooth-based tracking in which an individual phone’s contact logs are only stored locally, so no central authority can know who has been exposed.

Organisers stress a couple of key caveats: a) they’re only looking at apps that are actually being used by the public or just about to be launched [and not in development], b) they’re not looking at manual contact tracing at all and c) the reviews should not be taken as a recommendation to download or not.

Some more information:

• A public version of the underlying data is kept in this read-only spreadsheet,  which is updated daily at 1800 US Eastern Time.
• If you have an update, correction, or addition to the tracker, please email the relevant information to CTT@technologyreview.com. Please reference original sources for your claim: government or developer announcements, verifiable news sources, or published research.