Apps and Covid-19

Considering the billions of people who have smart phones generally use apps on these devices, it's possible to reach people and draw extensive data from their devices.

PI has been repeatedly exposing how smartphone apps can put users' privacy and security at risk. For instance we revealed how popular non-Facebook apps leak data to Facebook beyond the user's control or knowledge. We recently revealed similar levels of exploitation by menstruation apps.

The reality is that smartphones are highly complex interactions between hardware (chips and processors and storage and antennas), operating systems (generally Apple and Google), app stores (Apple and Google again), platforms (analytics companies and social media companies), and the apps themselves.

China was an early mover on apps: people were required to install the Alipay Health Code app, fill in personal details, and then were issued with a QR code with one of three colours denoting quarantining status. The app reportedly shared location data with the police. 

Using apps in the context of Covid-19 is useful to the general public to help people to report their symptoms and to learn about the virus and the health response. Apps are now being explored to trace contacts through interaction and proximity analysis. 

They are also being explored as quarantining enforcement tools, monitoring location and interactions. In this context, they are not necessarily voluntary tools.

The apps can help you report, generate data without your involvement, or lift data from your device. The apps can store the data locally or send the data to servers. And they can leak data to analytics firms and social media platforms.

So the Norwegian health app stores location data for 30 days on a centralised server. The Colombian app asks people to provide their data and answer questions about participation at protests and ethnicity. 

The apps are generally poorly spread. The Singapore app apparently has been downloaded only by 13% of the population. The UK is aiming for at least 50% of the population with their app.  This is because they are mostly voluntary at the moment.

Even when 'voluntary', compulsory data entry varies. In Argentina the app for self-diagnosis requires people to include their National ID, email and phone number. 

We are concerned that the voluntary nature of these apps will be rescinded for travellers and when borders are re-opened. Yet meanwhile, according to reports from  Thailand, SIM cards and apps were provided to every foreigner and travelling Thai, expecting this data to report on their locations; and Hong Kong is using bracelets with an app on people under compulsory quarantine and shares their location with government over messaging platforms.

It's in this context that apps like the one developed for Home Quarantining by the Polish government. It requires phone numbers, reference photos, and regular check-ins. South Korea's app uses GPS to track locations to ensure against quarantine breach, sending alerts if people leave designated areas.

Finally, there is the ever-present monitoring that goes on as part of commercial exploitation. Facebook, Google, and analytics companies have been accumulating location data for years, sometimes in great detail and sometimes in aggregate.

Some apps are exploring storing limited data. Argentina's CoTrack, MIT Media Lab, and Oxford University's apps appear to collect location and proximity data on the device and share only with consent and with no identifying data.


This week we talk to Juan Diego from Fundación Karisma - one of our  partners based in Colombia - about the use of technology in the response to the Covid pandemic and their report "Useless and Dangerous: A Critical Exploration of Covid Applications and Their Human Rights Impacts in Colombia".

19 Aug 2020
As a condition of returning campus, all 1,500 students at Michigan’s Albion College were required to download and install a contact tracing app called Aura, which was developed by Pennsylvania-based Nucleus Careers and tracks students’ real time locations 24/7 with no opt-out. collects and stores
04 Sep 2020
Numerous US colleges are forcing students to download location-tracking apps or wear symptom-tracking devices, many of them similar to tracking systems student athletes are often required to install on their phones. Tracking athletes did little to help them gain either an education or a professional
30 Jul 2020
As part of efforts to make returning to campus safer, US universities are considering or implementing mandates requiring students to install exposure notification apps, quarantine enforcement programs, and other unproven new technologies, risking exacerbating existing inequalities in access to both
23 Jun 2020
By the end of its first three weeks of availability, the French contact tracing app, “StopCovid”, had seen 1.9 million downloads. Of these, only 68 people had entered a positive COVID-19 test result, and only 14 were notified that they might have been exposed, according to the French junior minister
25 Jun 2020
A study of 17 Android mobile contact tracing apps from 17 different countries found that most government-sponsored contact tracing apps are insecure and risk exposing users’ privacy and data. The researchers used the presence or absence of six basic hardening techniques: name obfuscation (just one
18 May 2020
In March the Dutch government announced that a contact tracing app would become the core of its testing policy. Of the 750 proposals it received in response to its open tender, 63 were long-listed; however, none of the seven finalists met the privacy and security criteria. Research simulating the
28 May 2020
Lithuania’s data protection authority has suspended the country’s COVID-19 contact tracing app for failing to comply with GDPR’s principle of accountability at the Lithuanian health ministry, which is the relevant data controller. It investigated the app in response to media coverage and public
30 Jul 2020
As part of efforts to make returning to campus safer, US universities are considering or implementing mandates requiring students to install exposure notification apps, quarantine enforcement programs, and other unproven new technologies, risking exacerbating existing inequalities in access to both
10 Aug 2020
Manchester-based VST Enterprises is developing a rapid COVID-19 testing kit intended to help restart stadium sporting events. The results of tests, which fans will take the day before the event they wish to attend and provide results within ten minutes, will be stored in VSTE’s V-Health Passport, a
A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish
29 Jul 2020
Individuals accept giving more information in emergencies, and the tradeoffs between providing emergency help and privacy must be carefully considered. A study of popular disaster apps finds that many apps ignore privacy policies and government agency policies. Twelve of the 14 apps studied capture
28 Apr 2020
An audit of two apps and a website used by national and local governments in Colombia finds: an absence of public information about the tools, how they work, or how their security and privacy is protected; non-compliance with Colombia’s data protection legal framework, particularly in the area of
06 May 2020
The Australian government reported soon after releasing its CovidSafe contact tracing app that the app doesn’t work properly on iPhones because it doesn’t use Apple’s Exposure Notification framework and the Bluetooth functions deteriorate if the app isn’t kept running in the foreground. The
07 May 2020
Colombia will adopt the Apple-Google contact tracing platform after finding it necessary to remove the contact tracing functions from CoronApp, the official Colombian coronavirus information app because they didn’t work. CoronApp was downloaded by 4.3 million people, and includes features to report
20 May 2020
The outsourcing company Serco, which the UK government has contracted to perform contact tracing, accidentally shared the email addresses of almost 300 of the contact tracers it hired when a staff member sent an introductory email and used CC rather than blind CC. Serco does not intend to refer