Covid-19: a tech post-mortem

Two years ago, in the first half of 2020, private companies and governments alike were rolling the dice and betting on tech-solutionism to fight the global spread of SARS‑CoV‑2, better known as COVID19.

One of the pillars in the global response has been the roll-out of Apps, which Privacy International have been keeping an eye on since the beginning.

Thermographic camera display at the Museum of Science and Industry, Chicago

Image CC-BY-ND 2.0; Opacity on flikr:


The majority of apps settled on using Bluetooth for proximity tracing.

Samsung SGH-F480V controller board with Samsung BTM48B2SB - Bluetooth / FM Module highlighted. Original image © Raimond Spekking / CC BY-SA 4.0 (via Wikimedia Commons)

Just what is Bluetooth?

Named after the 10th Century King Harald "Bluetooth" Gormsson who unified Scandinavia — and whose runic initials comprise the logo — Bluetooth is a wireless, low-power, and therefore short-distance, set of protocols used primarily to connect devices directly to each other in order to transfer data, such as video and audio.

Bluetooth for tracking?

Most of us who've encountered Bluetooth use it to send files between devices, connect a wireless mouse, or to wirelessly listen to music.

Bluetooth tracking is done by measuring the Received Signal Strength Indicator ("RSSI") of a given Bluetooth connection to estimate the distance between devices. Simply put: the stronger the signal, the closer the devices are to each other.

Apple, Google, and limiting access to data

In April 2020, Apple and Google joined forces to build a common proximity tracking feature directly into their iOS and Android mobile phone operating systems, utilising Bluetooth.

In designing this shared feature, they were able to overcome problems encountered by third-party developers such as cross-platform support, outdated, unsupported, or low-cost devices, and could also implement hard limits on the data these apps could access from the phones.

Importantly, by having one - open - implementation it can be looked at by data protection bodies such as the UK's Information Commissioner's Office, and others.

English-language Wikipedia lists 238 apps having been deployed around the world, all with varying functionalities. However, as explained in our Bluetooth piece two of the major real-world problems encountered by those opting for Bluetooth proximity testing have been uptake and false-positives.

False Positives

Since the release of iOS 5 (Q4 2011), Windows Phone 8.1 (Q3 2014), BlackBerry 10 (Q1 2013), and Android Jelly Bean (4.3 - Q3 2012), mobile phone operating systems have supported a further subset of Bluetooth protocols known as Bluetooth Low Energy ("Bluetooth LE"). Although Bluetooth and Bluetooth LE are not directly compatible with each other, i.e. they have different rules about how to communicate, most modern Bluetooth chips are designed to talk both "Classic" and "LE" as they share a frequency range, meaning they can also share an antenna.

As the name suggests, the Bluetooth LE protocol is a far lower-power type of Bluetooth connection than Bluetooth Classic, making it ideal for low-power devices, or where only small amounts of data need to be transferred. Unlike Bluetooth Classic, which is designed for sustained data transfer, Bluetooth LE "sleeps" between connections.

The problem with Bluetooth is it's incredibly noisy; it's like the person in the room who won't stop talking. Bluetooth LE devices use broadcast "advertising" to announce their presence to other Bluetooth LE devices — constantly saying "I'm here" to any device that's close enough to hear it. In addition, as the radio frequency range used by Bluetooth (2.4~2.48GHz) is incredibly congested — by WiFi, embedded devices, garage door openers, baby monitors, unshielded USB 3 cables, and even microwave ovens amongst other things — BLE transmits these advertisements in three different parts of the spectrum (the beginning, end, and middle, avoiding WiFi channels) in order to try and overcome any interference.

How noisy does that make Bluetooth? Open Bluetooth search on your phone and see how many devices you can see.

Over time, false-positives have been reduced by tweaking the algorithm to change the parameters required to prompt a "contact", however the apps were further hampered in uptake by the perverse incentives of people not wanting to be notified to not be forced into quarantine at a loss of income.

Telecommunications data

Despite many governments opting for transparency around the operation of their contact-tracing apps, in parallel at least 19 governments either are or have been tracking the movement of mobile phones as a way to monitor the movement of the populace at large. Some countries are re-purposing counterterrorism technology, whilst others are working directly with Telcos to obtain the information.

PI have been warning for over 20 years that the usage of Telecomms data to surveil is already widespread.

Wait, my phone operator is tracking me?

As covered in some depth in our report on metadata in humanitarian contexts, the mobile telephone network is, by design, also a tracking network. We also explore these data in more depth in our long-read piece, here.

In order to try and maintain a signal whilst moving, as well as to connect you to the "best" tower, mobile phones send constant "pings" to towers in their vicinity, meaning their position can be easily triangulated.

So what's the problem?

A crucial difference between using Telco data and app-based tracking is that by definition Telco data is not opt-in, and cannot be opted out of. Indeed, in several countries around the world, Telcos are legally compelled to store these records. Unlike proximity tracking through Bluetooth where it's based on physical proximity of users of the app to each other, Telco data are generated as a result of the connections your mobile phone makes to masts.

This sort of tracking, by definition, can never be truly anonymised. It is some of the most intrusive tracking available; as a by-product of the network itself, there is no way to avoid it other than by leaving your phone behind, in a Faraday cage, or (if possible) removing the battery - although in Taiwan this could lead to the police knocking on your door.

In 2012, Malte Spitz, a German politician teamed up with Die Zeit to turn the data held by his domestic mobile service provider into an interactive map.

This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

But don't just take our word for it. Watch the following promotional video from a company providing direct access to these data

Not all governments were as open about their use of telco data, with news coming as recently as January 2022 that the Public Health Agency of Canada tracked 33 million mobile phones -- representing roughly 78% of Canada's population. Given ongoing location data health analysis is currently up for tender, it seems Canada, at least, plans to add this highly invasive methodology to its long-term government arsenal.

GPS Tracking

The next technology we covered in our tech primers was GPS tracking.

Thankfully we haven't seen much uptake in this form of tracking, with Governments opting for geo-fencing using mobile phone sensors rather than GPS reports.

The reasons for this are varied, but include inaccuracy, susceptibility to interference, and just not working indoors, particularly in built-up areas.

What is Satellite Navigation?

GPS Constellation, public domain

Many of us have used Satellite Navigation ("SatNav") for getting around in an area we don't know, but just how does it work?

Satellites orbit the Earth at roughly 20,000km (~12,000mi) above sea level. The orbits for these satellites are tightly controlled, ensuring the satellites take 12 hours to circle the Earth, completing two orbits in a 24-hour period, and making sure that multiple satellites are always in view anywhere on Earth.

As these satellites orbit, they broadcast their location and the current date and time as measured by an onboard atomic clock {t1}. These broadcasts travel through space at the speed of light; nearly 300,000km/second (~180,000mi/second).

When a device on Earth receives a signal, it records the exact time of receipt {t2} and uses algebra first credited to Galileo Galilei to calculate its distance from the satellite:

distance = speed x time

Distance = Speed of Light x (t2 - t1) gives us the device's relative distance to the satellite. Once it calculates its distance from four satellites, it can calculate its position on the surface through simple geometry.

How can it be used for tracking?

Anyone who has used a SatNav app on their smartphone will have seen something very similar to how a COVID-19 SatNav app would in principle work; the device/app will record your movements as latitude/longitude - a raw location on the Earth's surface - as well as recording your vertical height above sea level, direction of travel, and speed.

It is important to note that satellite navigation is done entirely on the recipient device, there's not a two-way communication with the satellites themselves. This means that the actual tracking implementation is up to the app, rather than the satellite technology itself.

How accurate is it?

Like all radio signals, satellite navigation is heavily affected by interference and background noise, whether intentional or not. It is also line-of-sight, meaning you have to be able to 'see' a satellite. Buildings and other structures can badly interfere with SatNav, as the satellite signals are easily reflected off surfaces, which adds extra time (and therefore increasing the measured distance), or such constructions can block the signals entirely.

Infrared temperature screening

The final technology we discussed was our primer on Infrared temperature screening.

Using infrared light to take someone's temperature is a great idea - as long as you don't want it to be particularly precise. Unfortunately, that's exactly what's expected of these technologies.

There are three main infrared screening technologies we're seeing deployed around the world:

Spot/laser infrared thermometers

A passenger arriving in Hong Kong gets his temperature checked by a worker using an infrared thermometer on Feb 7, 2020 (Reuters)

These are usually hand-held devices, which work by reflecting a laser beam off a surface to measure its temperature.

These devices are designed for spot-measuring the temperature of surfaces without touching them - an important design feature as they're for measuring temperatures in the hundreds (sometimes thousands) of degrees.

Because light beams spread over distance, these thermometers are highly affected by the distance from the surface they're measuring, and require regular calibration against (usually) a reference heat source, from a fixed distance. This calibration should be done right before using it, if you drop it, after you charge it, or after measuring extreme temperatures, like boiling or freezing - again, not uncommon given their second application of measuring food temperatures in kitchens. "Generally, you should calibrate your device every time you feel it’s a bit off."

Thermographic cameras

Original image CC BY-SA / Vladyslav Hladkyi

These are usually hand-held or tripod-mounted cameras which "see" infrared instead of visible light. Originally designed for detecting gas leaks and other hotspots in industrial or mechanical equipment, these cameras use temperature differences to show multicoloured heat maps. The resolution of these cameras is very low (often 640x480) compared to modern visible light cameras, again making them incredibly sensitive to distance from their subject.

As we describe in detail in our primer, the use of thermographic cameras is not the "silver bullet" it may appear at first glance, and given that many are being combined with facial recognition capabilities with some claiming to be able to ID people whilst they're wearing masks, this is a pernicious technology which thankfully has not seen much uptake outside of airports.

Crowd/mass scanning cameras

Image copyright Mitie

There are no cameras fit for the purpose of crowd scanning. The cameras used are the thermographic cameras discussed above... and as discussed above, they are not fit for this purpose.



A protocol to transmit data on short distances