Watch CBS News

New Contact Tracing Apps Need Access To Users' Private Data To Control Spread Of COVID-19

SAN FRANCISCO (KPIX) - With coronavirus infections once again on the rise, contact tracing is ever more critical to control the spread of the virus. A growing number of new apps are designed to help do that.

Some are privately developed, others are developed by governments. Here in the U.S, only four states are using them as part of their pandemic strategy. But in other countries they're getting popular.

Brett Hall just started using a contact tracing app for COVID-19 called Corona-Warn, developed by the German Government.

"I heard about it and downloaded it pretty quickly, actually, on the day that it was released officially," said Hall.

Hall's been living in Berlin for the past decade. He says downloading the app was voluntary.

"The more people have it the more effective it is, so I felt it was something that I should do to help get back to a sense of normality quicker," said Hall.

Here's the way the app Hall is using and most others like it work: On your way through the day from home to work or exercise or shopping, it documents the digital encounter between two smartphones. If someone using the app tests positive for the coronavirus, they can notify others if they chose to. If you had contact with that person, the app will quickly inform you.

"Any contact is then held anonymous. So your details are held anonymously on your phone and you only receive information," said Hall.

Corona-Warn does not allow you to know who it is that was infected or where you met them. Vice-versa, the infected person can't tell who was informed. Most contact tracing apps are designed that way. But that doesn't guarantee you privacy protection.

"There certainly are some privacy concerns," said Quentin Palfrey.

Palfrey heads up the newly formed International Digital Accountability Council (IDAC) that analyzed privacy protocols on 108 COVID-19 related apps in 41 countries, 23 of them used specifically for contact tracing.

"In some instances the apps didn't even have a privacy policy that is actually required by the Google Play store terms. There were other instances where there was a privacy policy, but it was clearly inadequate," said Palfrey.

One problem the research highlights: Something called a permission.

"When you download an app, sometimes you get a request, you know, is it okay if we look at your contacts? Is it ok if we read some of the data that's on your phone? And that can be a gateway to passing information along to third parties," said Palfrey.

For instance the Healthy Together contact tracing app, used by the state of Utah, asked for permission to read location and contacts. Other apps they reviewed asked only for location.

"The data you give to an app should relate to what you're getting out of the app," said Palfrey.

Healthy Together currently has 52,500 active users according to a spokesperson for the Utah Department of Health.

Researchers also found connections with third party marketers were not always clearly spelled out. For example North Dakota's app called CARE 19 was at first called out for its relationship with Foursquare, a marketing company.

It now discloses that it uses Foursquare "to determine nearby businesses that you may have visited."

The app's developer told KPIX 5 that Foursquare has agreed not to retain data. The app currently has 35,000 active users.

But Matthew Guariglia, an attorney with the Electronic Frontier Foundation, told said privacy agreements are not a guarantee, and any kind of third party arrangement might make users apprehensive.

"If you think that the app that's supposed to keep you safe from a virus is going to sell you shoes the next day from a shoe store you walked by, you're not going to want to use it," said Guariglia.

He adds says there's also a security risk.

"Whenever you have a company or entity that is storing a vast amount of sensitive information, that data, that storage, is going to have a huge target on it," said Guariglia.

Researchers with the Digital Accountability Council found some apps, including the one developed by Centers for Disease Control, also sent transmissions that were not encrypted.

"We thought that created a cybersecurity risk, that might undermine the public's trust in the CDC," said Palfrey.

In general though, the researchers found the apps do a lot to protect the privacy of users. The most secure apps reviewed were Private Kit and Pathcheck GPS.

KPIX 5 asked the IDAC to review Hall's app, Corona-Warn, for this story. Their verdict without having tested it was a preliminary thumbs up.

Back in Berlin, Brett Hall is, so far, happy with it too.

"If it's for something as serious as this then I am willing to accept it," said Hall.

California is currently not using a contact tracing app. A spokesperson for the Department of Health told us most of that work can be done by phone, text, email and chat.


 
Statement from the developer of North Dakota's CARE-19 contact tracing app, Tim Brookins:

Care19 Diary is an app that helps users remember where they have been over the last 14 days, to aide in contact tracing. The phone gives us numerical coordinates (latitude\longitude) but that isn't helpful to people. Se we take that coordinate and send it to a "reverse geo-location service". The service takes the coordinate and matches it in a database of around 100 million businesses. It then returns the closest business, so the user can remember they went to "Wal-Mart" rather than 46.433434, -96.340349

There are many firms that provide reverse geo-location: Apple, Google, Microsoft\Bing, Here and Foursquare to name a few. We use Foursquare. Jumbo Privacy saw us transmit to Foursquare and jumped to the conclusion that we were "sharing" data with Foursquare. In actuality we had a legal agreement with Foursquare that they would simply return the closest business and not retain any data beyond that. Foursquare officially confirmed this the next day after the Jumbo Privacy report, but now media just keeps recycling the (incorrect) story.

Germany's Corona-warn app is based on an exposure notification technology developed by and google. Neither company would give us a list of governments using their technology, but Google sent us these testimonials from North dakota and Alabama"

Statement from Governor Doug Burgum, North Dakota:

North Dakota is excited to be among the first states in the nation to utilize the exposure notification technology built by Apple and Google to help keep our citizens safe. The CARE19 Exposure app will help us improve contact tracing and continue our ND Smart Restart by notifying people who may have been exposed to COVID-19, reaching the greatest number of people in a way that protects their privacy. As we respond to this unprecedented public health emergency, we invite other states to join us in leveraging smartphone technologies to strengthen existing contact tracing efforts, which are critical to getting communities and economies back up and running.

Statement from Dr. Scott Harris, Alabama State Health Officer:

The State of Alabama's priority as we fight the COVID-19 pandemic together is the health and safety of its citizens as well as their privacy. In partnership with Apple and Google, the Alabama Department of Public Health, University of Alabama System, and the University of Alabama at Birmingham, we are harnessing technology to accelerate exposure notification to slow the spread of COVID-19 so that we can all be safe together.

Statement from Apple:

We leave it to public health agencies to announce their own plans. You may have seen a number of recent announcements about the launches of apps in a number of U.S. states and countries including Latvia, Germany, Poland, Italy, Uruguay, and Denmark.

Also Google and Apple have prioritized user privacy and security in the development of our exposure notification technology, as embodied in the following protections:

  • Users must explicitly choose to turn on exposure notifications — and can turn it off at any time
  • The system doesn't collect or use device location, including for users who report positive
  • Users decide whether they want to report a positive diagnosis
  • User identities are not known to other users, Google, or Apple
  • Matching for exposure notifications is only done on device, under the user's control
  • The system is only used for exposure notifications by official public health authorities, and isn't monetized
  • Google and Apple will disable the exposure notifications system on a regional basis when it is no longer needed. Apps must be created by or for a government public health authority and they can only be used for COVID-19 response efforts.
  • Apps must require users to consent before the app can use the Exposure Notifications API.
  • Apps must require users to consent before sharing a positive test result, and the "keys" associated with their devices, with the public health authority.
  • Apps should only collect the minimum amount of data necessary and can only use that data for COVID-19 response efforts. All other uses of user data, including targeting advertising, is not permitted.
  • Apps are prohibited from seeking permission to access Location Services.
  • Use of the API will be restricted to one app per country to promote high user adoption and avoid fragmentation. If a country has opted for a regional or state approach, the companies are prepared to support those authorities.
  • View CBS News In
    CBS News App Open
    Chrome Safari Continue
    Be the first to know
    Get browser notifications for breaking news, live events, and exclusive reporting.