COVID-19 Contact Tracing apps: India’s Aarogya Setu goes open source, while Switzerland and Italy test Google/Apple’s Exposure Notification API
by Aamir Siddiqui
The novel coronavirus, also known as SARS-CoV-2, has wreaked havoc across the world. A few nations have managed to control the spread of the virus, but many others have struggled and are still trying their best to contain it. One of the strategies being tested for its containment is contact tracing, i.e., tracing all the people who have recently come into contact with a person who has tested positive for COVID-19 and then undertaking steps to isolate these individuals. Contact tracing is a crucial task to get right as it impacts an individual’s privacy and liberty in the greater interest of public health. The threat to personal privacy was big enough for Google and Apple to come together and collaborate on a contact tracing API and Bluetooth spec, one that is designed to have minimal impact on user privacy and security. While these efforts are commendable and some countries have adopted these, a fair few nations have also undertaken work on their own similar solutions. In this piece, we attempt to list some of these contact tracing solutions, with a focus on those that have their source code open and available to the public for inspection and feedback.
Independent Solutions
Austria — Stopp Corona
The Austrian government adopted the Stopp Corona app developed in conjunction with the Austrian Red Cross. This app does not rely on Google and Apple’s Exposure Notification APIs. There is no location tracking in place, as the app uses Bluetooth. The app monitors the phones that have come near the user. If a user suspects COVID-19 infection or has been positively diagnosed with it, the proximity information is uploaded to what is claimed to be a decentralized database. Alerts are sent out to all users who have had proximity history. Reportedly, there is no personal information collected, and if a user wants to opt out of tracking, they can simply delete the app and the data. For further peace of mind, the app is open source too.
Stopp Corona Source Code on GitHub
Australia — COVIDSafe
Australia has adopted the COVIDSafe app. This app does not rely on Google and Apple’s Exposure Notification APIs. Upon installation, users need to register their name/pseudonym, age range, postcode, and phone number, all of which are stored encrypted on a government server. The app relies on Bluetooth for proximity tracking, exchanging anonymized IDs that are changed every two hours. These IDs are stored encrypted on phones and deleted after 21 days. When someone tests positive for COVID-19, they receive a unique code from health officials that then uploads the list of anonymized IDs for the past 21 days. The app is open-source too, so transparency is maintained.
COVIDSafe Source Code on GitHub
Czech Republic — eRouska
The Czech Republic has adopted the eRouska app. This app does not rely on Google and Apple’s Exposure Notification APIs. Similar to other implementations that are Bluetooth-only, eRouska scans the area for other eRouska app users in proximity and saves encounter data locally on the device. When a user tests positive, the user is contacted by health officials to upload the encounter data consensually. The broadcast Device ID changes every hour, and scanning can also be manually toggled on and off. Users can opt to remove all of their collected data, including the phone number. The app is open-source, too.
India — Aarogya Setu
The Government of India decided to not adopt Google and Apple’s solution but instead develop its own solution in the form of the Aarogya Setu app. Once a user sets up their account on the application, the app asks for continued Bluetooth access and location data. Users also need to provide information such as name, age, gender, health status, and more, to build up a user profile. A self-assessment test is put forward where the user is asked whether they are showing any of the symptoms of COVID-19 along with other questions. When two smartphones with the Aarogya Setu app come close to each other, the app collects information. If one of the contacts has tested positive, the app will alert the other person and provide instructions to help in self-isolation.
The use of this Aarogya Setu app was first heavily encouraged by the government and then mandated in several instances. However, India does not have the best attitude towards citizen privacy as the country lacks key laws to regulate such use-cases. Since the app collects location data and shares it with the government—an approach that many have deemed excessive and unnecessary—it came under the spotlight for being too intrusive on user privacy and for having no transparency and accountability in the process. What followed was criticism of these approaches.
In some good news on this end, the Aarogya Setu app for Android has been made open source. The source code for the Android app is now available on GitHub. Concerned authorities promise that the source code for the iOS version and the KaiOS version of the app will also be open-sourced “in due time”. The privacy policy of the app was also updated to allow for reverse-engineering the app and reporting bugs to the government. Further, there is also a bug bounty program in place, inviting developers to identify vulnerabilities, bugs, and code improvements.
Aarogya Setu Source Code on GitHub
All of this is definitely good news since the lack of transparency was rather alarming. There are still questions on the opaque back-end infrastructure and server-side code, but reports suggest that this, too, will be open-sourced next week.
Singapore — TraceTogether based on BlueTrace Protocol
Singapore’s implementation takes the form of TraceTogether, which likewise does not rely on Google and Apple’s Exposure Notification APIs and is Bluetooth-only rather than location-based. The app only needs a mobile number to initiate, and no other personal information is collected. The number forms part of the user ID, which is then used to generate temporary IDs. Proximity information on these temporary IDs is stored on a 21-day rolling basis on-device. Data is relayed to a server when a user tests positive. Further, TraceTogether’s functionality is promised to be suspended when the pandemic situation subsides.
While TraceTogether is not open source by itself, a generic codebase has been published in the form of OpenTrace. This generic codebase comprises the reference implementation of an Android app, an iOS app, and a central server built around Google Firebase. Also published is the BlueTrace protocol which forms the basis for both TraceTogether and OpenTrace. The BlueTrace protocol attempts to create interoperability across jurisdictions so that other nations can collaborate on these efforts.
OpenTrace Source Code on GitHub
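The centralized rotating-ID model described above for COVIDSafe and TraceTogether, as an added example that is not code from either app or from OpenTrace. It assumes the server issues random temporary IDs and keeps a lookup table; the `Server` and `Device` classes, their method names and the rotation-window check are hypothetical, while the two-hour rotation and 21-day retention figures come from the article.

```python
import secrets

ROTATION_S = 2 * 3600      # article: COVIDSafe IDs change every two hours
RETENTION_S = 21 * 86400   # article: 21-day rolling on-device log

class Server:
    """Hypothetical backend: issues temporary IDs and can map them back."""
    def __init__(self):
        self._issued = {}  # temp_id -> (phone, rotation window)

    def issue(self, phone, now):
        temp_id = secrets.token_bytes(16)  # random, so peers learn nothing from it
        self._issued[temp_id] = (phone, now // ROTATION_S)
        return temp_id

    def resolve_upload(self, log):
        """Turn an uploaded encounter log into the phone numbers to notify."""
        contacts = set()
        for seen_at, temp_id in log:
            entry = self._issued.get(temp_id)
            # Assumed check: ignore unknown IDs and IDs seen outside their window.
            if entry and entry[1] == seen_at // ROTATION_S:
                contacts.add(entry[0])
        return contacts

class Device:
    def __init__(self, phone, server):
        self.phone, self.server = phone, server
        self.window, self.temp_id, self.log = None, None, []

    def broadcast_id(self, now):
        """ID to advertise over Bluetooth; replaced once per rotation window."""
        if self.window != now // ROTATION_S:
            self.window = now // ROTATION_S
            self.temp_id = self.server.issue(self.phone, now)
        return self.temp_id

    def _prune(self, now):
        self.log = [(t, p) for t, p in self.log if now - t < RETENTION_S]

    def record(self, now, peer_id):
        """Store an observed peer ID and drop entries past retention."""
        self.log.append((now, peer_id))
        self._prune(now)

    def upload(self, now, consent):
        """Release the pruned log to the server only with the user's consent."""
        self._prune(now)
        return self.server.resolve_upload(self.log) if consent else set()
```

Nearby devices only ever see unlinkable random values, but the party holding the lookup table can re-identify every contact, which is why the server side of such apps matters as much as the client code.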
UK — NHS COVID-19
The United Kingdom’s implementation takes the form of the NHS COVID-19 app, which is currently in “beta testing” and available to residents within the Isle of Wight (and to be expanded to other regions in the future). The app is not reliant on Google and Apple’s Exposure Notification APIs but also relies on Bluetooth. Upon setup, users are asked to enter the first half of their pin code, which is used to identify if there are hotspots breaking out—further details are not asked unless you report symptoms. Bluetooth proximity data is logged for 28 days through anonymous IDs. The app will also be discontinued once the pandemic situation is over. The source code of the app is already open and available for inspection.
NHS COVID-19 Source Code on GitHub
Solutions using Google and Apple’s Exposure Notification API
These implementations are built on top of Google and Apple’s Exposure Notification API. Google has also rolled out an update to Google Play Services that includes the new API. A reference design for an Android app implementing the Exposure Notifications API is also available. Apps based on this API are prohibited from collecting device location data. Instead, the API utilizes Bluetooth Low Energy to detect if you have been in the vicinity of others who have tested positive. The API will share how many days have passed since an individual “contact event” alongside an estimate of exposure time. Bluetooth metadata will be AES encrypted.
In the case of Google, Android users will not need to install an application, as the Exposure Notification API is being delivered through updates to Google Play Services. So as long as you have an Android device running Android 6.0 Marshmallow or later, you should have access to the service. Still, Google will prompt users to download a relevant public health app if a positive contact event has been detected.
Italy — Immuni
Italy’s solution comes in the form of the Immuni app, which is expected to see a broader public release in the coming days. It relies on Google and Apple’s exposure notification system, leveraging Bluetooth Low Energy, and no geolocation data is collected whatsoever.
Switzerland — SwissCovid DP-3T
Switzerland is working on a solution called Decentralised Privacy-Preserving Proximity Tracing (DP-3T). The app and server are both expected to be open-source. The app is not yet complete or released to the public, but the source code for the app is already live, so it should serve as a foundation.
SwissCovid DP-3T Source Code on GitHub
This is not an exhaustive list but meant to highlight the solutions that are available in the form of open-sourced code for interested developers to inspect and build upon.