- Contact tracing apps could be used to control the COVID-19 outbreak. Most of them work by automatically registering another smartphone when it is close by for a set period of time. If the user then tests positive for COVID-19 in the future, the contact tracing app notifies these contacts.
- Some countries adopted or rolled out contact tracing apps early, however recent reviews have found there is still a lack of evidence supporting contact tracing approaches based on apps.
- Concerns have been raised about misuse of personal data.
- Initial data suggest there has been slow uptake of this new technology by users, and it’s unclear if contact tracing apps have had or will affect the pandemic.
- The original NHSX app has never been released. Apple and Google jointly released a software tool, known as an Application Programming Interface (API), to allow decentralised contact tracing apps to access additional functionality,
- Northern Ireland released a contact tracing app on 30 July based on Apple and Google’s software interface. This became the basis for Scotland’s app which was released on 10 September.
- An app based on Apple and Google’s software was released in England and Wales on 24 September.
- The first version of this article was published on 1 May and will be updated as the research progresses. This article is a refreshed version of the update published on 14 May to cover further developments since that time.
- This is part of our rapid response content on COVID-19. You can view all our reporting on this topic under COVID-19.
Contact tracing is the process of identifying all the people who have come into contact with an infected individual so they can be warned that they may be at risk of illness. Based on factors such as the closeness and duration of the contact, decisions can be made about whether those at risk need to act (for example, by taking a test for the infection or self-isolating). Mobile phone apps can automate this process by detecting when people come into close contact and notifying users that they may be at risk. One of the reasons that COVID-19 is difficult to contain is that transmission can occur from individuals without symptoms. A recent review of the evidence found that 25% of cases did not have symptoms at the time of testing. Contact tracing increases the chances of identifying these cases and isolating them.
Many governments and public health bodies across the world have launched contact tracing apps to support the fight against COVID-19. For example, a contact tracing app was introduced in Singapore in March and the Australian Department of Health released their contact tracing app in April. Apps have been released in many European countries including France, Ireland, Italy and Germany.
On 12 April, the UK Government announced that NHSX, a unit of the NHS responsible for digital innovation, was developing a contact tracing app for the UK. After early testing at RAF Leeming in Yorkshire, a trial of this app began on the Isle of Wight on 5 May and the app’s source code was published. A national roll-out was expected to follow this trial before the end of May but the app was never released. As of 15 August, £10.8 million had been spent on the NHSX app.
On 18 June, the Government announced that they would be changing the trialled app to make use of a software interface released by Apple and Google in May. On 30 July, Northern Ireland became the first part of the UK to release a contact tracing app. Their app uses Apple and Google’s software interface and is based on an app released in the Republic of Ireland on 7 July. The Republic of Ireland’s app was also used as the basis for Scotland’s app which was released on 10 September. An app based on Apple and Google’s software was released in England and Wales on 24 September. In addition to carrying out contact tracing, this app enables users to report symptoms, book tests, and check in to venues such as pubs and restaurants using QR codes. The app was tested on the Isle of Wight and in the London Borough of Newham in August.
Using mobile phone apps for contact tracing
At the beginning of the COVID-19 pandemic, contact tracing in the UK was carried out manually, using interviews with infected individuals to understand where they had been and who they had been in contact with. This approach ceased on 12 March when the disease became too widespread to trace contacts in every case. Manual contact tracing restarted in England and Scotland on 28 May, as part of the Test and Trace, and Protect and Trace programmes respectively. On 1 June, contact tracing was re-established across Wales and it has been used in Northern Ireland since 18 May.
Manual tracing has been widely used in the past to tackle a range of diseases, from Ebolavirus to sexually transmitted infections. It relies on a person’s ability to accurately recall their movements, is time and labour intensive, and does not easily allow contacts who are strangers to be identified. Contact tracing using mobile apps is a new and relatively untested technology, but potentially allows for quicker and more precise tracing because it uses automated data collection and analysis. Research has indicated that the spread of COVID-19 is too fast to be contained by manual contact tracing alone, but containment would be possible using a more efficient method involving a mobile app. However, recent systematic reviews of existing scientific studies have shown that the effectiveness of digital contact tracing in real world epidemics is currently unproven. Furthermore, apps cannot be used by those who do not own a smartphone, may face difficulties with accurately determining when contact has been made and have prompted concerns about privacy and data protection.
How do contact tracing apps work?
Contact tracing apps work by digitally tracking who an individual has come into contact with. When two people come within a certain distance of each other, their phones exchange ‘tokens’ (unique identifying numbers) that have been allocated to each phone. The app stores a list of the tokens belonging to all contacts they have made over a given period. If an individual begins to show symptoms of COVID-19, or tests positive for the virus, the app is notified. It can then alert other users that they may be at risk of infection if the infected person’s token is stored in their phone.
When designing an app to carry out this process, different technical specifications can be chosen to suit specific functions or meet certain standards of accuracy, security and user privacy.
Firstly, the criteria that defines whether two people have come into contact needs to be determined. EU guidelines recommend that apps for COVID-19 should be able to determine proximity with a resolution of 0.5 m so that the distance within which there is a high risk of infection, about 1.5m, can be measured. The longer the time that individuals are close to each other, the higher the risk of infection, so the duration of close contact is also measured. The Australian app, COVIDSafe, defines a contact as someone who has been within 1.5 m of the user for 15 minutes or more.
Most contact tracing apps, including all the apps in operation in the UK, use a type of Bluetooth known as ‘Bluetooth low energy’ to exchange information between devices. A phone can estimate the distance to another Bluetooth device by measuring the signal strength received from the other device. This measures the proximity of other devices but not their absolute location. This is one reason why Bluetooth is generally preferred over other sources of location data; by not measuring absolute location, less identifiable personal data are collected. Norway’s app collected users’ location data via GPS rather than Bluetooth and was suspended on 16 June after the country’s data protection agency raised concerns that the app’s use of location data was unnecessarily invasive to privacy. Research has shown that an individual’s location data are highly unique and hence individuals could be identified from their data even if it is stored anonymously. In South Korea, where location data of infected individuals is published anonymously on a website, two people were reportedly accused of having an extramarital affair by online comments after their identities were inferred from their data.
However, Bluetooth also has limitations, particularly the accuracy of its proximity measurements. For example, the radio waves used by Bluetooth can penetrate physical objects so there is a risk of false positives if people are a few metres apart but separated by a wall. There is also a risk of false negatives if the phone is in a bag or pocket that could weaken the signal, making it seem as if it is coming from further away. Research suggests that the orientation of a phone can also change the strength of Bluetooth signal received and this could make distance measurements unreliable.
Having a phone’s Bluetooth constantly switched on could also pose a security risk. The Bluetooth chip in a phone is designed to broadcast a unique identifier which could be collected by third parties in the vicinity or other apps on the phone and used for malicious purposes such as tracking. Bluetooth can also be used to attack phones by uploading malicious software.
It is generally agreed that, to protect an individual’s privacy and prevent surveillance, the unique tokens that the app broadcasts for exchange between contacts should be anonymised and not derived from personal details such as names or phone numbers. EU guidelines recommend that tokens are generated randomly and changed on a regular basis to protect users against tracking by third parties.
In some cases a central, secure database may be used to link the tokens with personal details so that at risk individuals can be contacted. Some privacy experts criticise this approach as it means at risk users are not anonymous to the app administrator (usually the government or public health body) and tokens could theoretically be deanonymised. Tokens could also potentially be deanonymised if they are generated centrally by the app administrator and sent out to users, rather than being locally generated on individual phones. However, there are ways of setting up anonymous communication between the central server and individual devices to protect anonymity when sending out tokens. The Scottish, Northern Irish, and forthcoming English and Welsh apps use anonymous tokens, generated on phones, for exchange between users.
Data storage and sharing
Most apps currently use approaches that minimise data collection and storage, and manage data using either a ‘decentralised’ or ‘centralised’ model.
- Decentralised models: Data are managed locally on a user’s device and as little sensitive data as possible is shared with the app administrator.
- Centralised models: Data are shared with a central server managed by the administrator which carries out data processing and/or storage.
In both cases, experts recommend that data are deleted once the risk of infection has passed. The EU recommends deletion of data 14–16 days after contact. They also recommend that the source code and protocol for the app is published so that the use and collection of data is well understood.
In April, 300 academics from across the world signed a letter warning against the adoption of centralised models as, even with anonymous tokens, the centralised data could be deanonymised and used for surveillance purposes. The Ada Lovelace Institute, an independent research body, has recommended that Parliament works to impose strict time and purpose limits on the use of contact tracing apps and data in the UK.
However, an advantage of a centralised system is that anonymised data in the central database could be used for research into the effectiveness of the app and understanding the spread of the virus. Some developers of decentralised apps have raised concerns that they are unable to easily determine how well their apps are working. However, in a decentralised model, users could be given the option of volunteering their data for this purpose. Many countries, including the UK, initially pursued a centralised approach that would allow them to collect data to research the spread of the virus. However, Apple and Google, as well as some academic groups, supported a decentralised model. The European Parliament has voted to support the adoption of decentralised apps. The apps currently in use in the UK are decentralised.
In May, Apple and Google jointly released a software tool, known as an Application Programming Interface (API), to allow decentralised contact tracing apps to access additional functionality, such as the ability to run as a background process, which is usually denied to apps for security reasons. Apple and Google have stated that only apps developed by public health authorities will be able to use the API and these apps must meet certain security, privacy and data control standards. There has been some controversy surrounding the power exercised by Google and Apple over sovereign governments as they decide which apps are able to use their API. Privacy experts have generally welcomed the privacy protections implemented by Apple and Google but have suggested further privacy enhancements should be implemented and have recommended that both companies allow the code underlying their software to be independently audited. Some of the countries that initially planned to use a centralised approach, including the UK, Germany and Italy, switched to a decentralised model before their apps were released to allow them to make use of the API.
In September, Apple introduced further functionality as part of a routine update to allow their phones to carry out contact tracing without downloading a specific app. This functionality can only be used in areas where the local health authority has set it up. It offers the potential for a more unified approach across different countries and means individual authorities do not need to invest in making an app. However, concerns have been raised that users may not trust this technology as much as an app developed by a health authority. Similar functionality is expected to be added to Android phones in the near future. The state of Colorado in the US has announced plans to adopt this approach.
Other countries, including France, have opted to follow a centralised approach. One concern that has arisen from countries using different approaches is that their apps may not be compatible with each other and so contacts from other countries may not be recognised. The EU is developing a framework to allow apps developed by individual member states to interact when citizens move across borders. Initially, this will link the decentralised apps that most EU member states have adopted, but the Commission has expressed interest in extending the framework to the centralised apps in use in France, Hungary and Slovakia.
Notifying the app of an infection
The only way to be certain that an individual has contracted the virus is to test them. Hence, many experts suggest that contact tracing apps are of greatest use when used in combination with widespread testing so that the app has the most accurate data. A password or authorisation key can be used to ensure only official, verified test results are uploaded. Many practitioners advocate obtaining consent before uploading test results as this may help maintain public trust. In addition to informing the app of test results, some practitioners suggest that users should be able to self-report their symptoms. Although this could reduce the risk of infection whilst users await test results, it could also lead to false positives.
The Scottish and Northern Irish apps only notify users that they may be at risk if they have come into contact with someone who has received a positive test result; they do not allow users to report their own symptoms. The app for England and Wales allows users to report symptoms. If their symptoms are consistent with COVID-19 then the app will allow them to book a test, advise them to self-isolate, and send the first part of their postcode to the Joint Biosecurity Centre so that emerging local outbreaks can be identified as soon as possible. However, the contacts of the symptomatic individual will only be sent a notification if that individual tests positive.
User engagement with apps
Apps may offer users recommendations such as checking symptoms, reporting to a test centre or self-isolating. Some commentators have expressed concerns that lack of interaction with a human health official could increase anxiety and reduce trust in the app’s advice. In Singapore, a health professional makes contact with the app user to decide an appropriate action following an alert. One of the leading developers of Singapore’s tracing app has cautioned against over reliance on apps for contact tracing as interaction with health officials can provide more assurance to the public. In June, Lord Bethell of Romford, the Minister for Innovation at the Department of Health and Social Care, told the Commons Science and Technology Committee that the trial of the abandoned NHSX app on the Isle of Wight had demonstrated the importance of human contact to reassure the public during the contact tracing process, rather than relying too heavily on an app.
For contact tracing apps to work effectively they must be used by a large proportion of the population. One study estimated that 56% of the UK population, or 80% of smartphone users, would be required to install and use the app for it to suppress the epidemic (although lower uptake could still help slow the spread of disease). According to the German Government, their app had been downloaded about 18 million times as of 8 September (the population of Germany is about 83 million). In Switzerland, about 19% of the population was using the national app on 13 September – assuming each instance of app use corresponds to a different individual. In Northern Ireland, population approximately 1.88 million, the app had been downloaded 300,000 times in its first month whilst Scotland’s app was downloaded 600,000 times on its first day (Scotland’s population is approximately 5.5 million). Amongst those who have downloaded apps, some may not be using them regularly. There are no studies on the impact the apps have had on the spread of the virus in these countries so far. In a recent survey of UK adults, 65% said they supported the use of smartphones for contact tracing.
Mobile phones offer a useful resource for contact tracing because they are widely used. However, smartphone use is much lower amongst the elderly, who are most at risk from COVID-19. Furthermore, some smartphones, about 12% of phones in active use in the UK, do not support the type of Bluetooth used by most apps. Experts generally agree that apps should complement ongoing manual contact tracing efforts, which would be needed to support those without access to compatible smartphones. Singapore is now distributing wearable Bluetooth devices with the same functionality as their app to circumvent some of the problems with using mobile phones.
EU guidelines say that it is essential that app use remains voluntary to maintain public cooperation. Commentators have expressed concerns that citizens could be coerced into using an app in some settings, for example an airline might forbid someone from flying if they do not have the app installed, or social pressure could dictate that those who have not downloaded the app are irresponsible. Some academics have suggested that protection from coercion in this way should be explicitly written into law. In May, the Joint Committee on Human Rights warned against the national roll out of an app in the UK unless privacy protections are guaranteed by legislation and the efficacy and benefits of the app are clear and frequently reviewed.
You can find more content from POST on COVID-19 here.
The rapid production of safe, effective and consistent vaccines is essential for supporting COVID-19 immunisation programmes in the UK and globally. However, manufacturing vaccines is challenging for various reasons that include the complex processes involved, the specialist knowledge and experience required, and the natural variability of the biological materials and systems used. Urgent demand is leading to manufacturers and governments taking on significant financial risks in order to speed up production. What is the UK Government doing to accelerate vaccine manufacture? How are vaccines made? Why is manufacturing vaccines at large scales so challenging?
The digital divide is the gap between people in society who have full access to digital technologies (such as the internet and computers) and those who do not. Concerns about the digital divide have been particularly acute during the COVID-19 pandemic as the internet and digital devices have played an important role in allowing people to access services, attend medical appointments and stay in touch with friends and family. What impact has the digital divide had on children and adults in the UK during the COVID-19 pandemic and what has been done to tackle it?
As mass immunisation against COVID-19 begins in the UK and elsewhere, the safety of the recently approved Pfizer/BioNTech vaccine is being closely monitored. How is vaccine safety measured and what happens when side effects are found?