Update: Since publishing this post, the HSE app has been released. You can download it here.
The HSE have released the details of their new public facing app “Covid Tracker“. They released a very comprehensive overview, access to the app’s source code, and their detailed Data Protection Impact Assessment.
With the details of app now public, journalists, policy makers and citizens will want to start analysing and appraising the app. So what are the questions we should be asking? What constitutes a good app or a bad one? What are the trade-offs other countries had been considering, and how have they been handled here?
I’ve sketched out a series of questions which I hope are a useful framework for analysing this, or any other app that is used in the fight against Covid-19.
If you want to keep updated on the app as it progresses, you can subscribe to my free weekly newsletter. Every Friday morning I share the interesting tech & public policy news of the week.
Overview – A “Touchpoint” for the Wider Regime
We couldn’t assess a restaurant’s new app for food delivery, without the wider context of the restaurant business itself. Is an app good if it’s always accessible, but the kitchen is only open and making food in the mornings?
Here too it’s worth a quick recap on contact tracing as a wider programme of activity before we assess how an individual app fits within that.
A contact tracing regime is a prediction exercise that takes in data from infected patients (cases), makes predictions about others they may have infected (contacts) and then takes action on those predictions. Here’s an example:
Data: A person gets diagnosed with Covid at a hospital. A staff member at the hospital asks them for all the names and phone numbers of all the people they’ve seen in the last week.
Prediction: Their contacts are predicted to have an increased likelihood of infection.
Action: Somebody calls them to recommend they self-isolate or come in for testing.
An app is a tool that can play a part in this wider regime. Most countries are looking at an app to a) help gather more data to make infection predictions and b) take action by notifying people they are at risk. Some countries, mostly Asian, are also adding proactive testing as an action, deploying resources to schools, workplaces, churches etc. where infection is predicted.
With this in mind, here are some of the key questions we can ask about an app, to assess its role in the wider trace & test regime, the data and privacy implications of the data it gathers and the actions it will enable our health service to take.
I’ve discussed each question in more detail below, but here’s the cheatsheet to get started:
||Uncertainty around the accuracy of a “contact” prediction with bluetooth
||International standard. Better than any alternative bluetooth option. Anonymised solution.
||No sense of “place” for the virus. Can’t use location for contact prediction. Can’t show where outbreaks are occurring
||Alerts users to potential infection. Introduces spoofing risk.
||Only allows confirmed diagnoses from HSE. Removes risk of fake activity.
||Anonymous information passed to HSE, but “probably” positive people are encouraged to isolate and test
||Goes beyond “news” seen in other apps. Encourages people to “check in” every day and shows country-wide stats on app downloads, check-ins and symptom reporting.
Let’s dig into each of these here in detail.
The Apple/Google Bluetooth Exposure Notification Service
This is one of the core functionality choices within the app. They have chosen to use bluetooth to measure proximity and predict a contact.
Generally, a contact is defined someone you share a pocket of air with for a period of time. This app will endeavour to record anyone you’ve been near for a while (within 2 metres or less, for 15 minutes or more) in the 14 days leading up to either of you getting diagnosed with covid. This is the European CDC definition of a close contact.
The Apple/Google exposure notification framework sits “always on” in the background on your phone. It gives your phone an anonymised id. When your phone comes near another person with the app installed, your phones swap ids via bluetooth. Later, if one of you get diagnosed with Covid, you’ll be asked if you have the app installed.
If you do, then the HSE will ask if you’re willing to upload your contact history, which is a list of all the anonymised ids you came in contact within the previous 14 days. If you say yes, the HSE send you a code by SMS. You input this into your app and it uploads a list of all the IDs of contacts on your phone.
The HSE servers will send this list to every single app. Each app will scan through the list, and if one of the IDs matches that person’s phone, the person gets an alert.
GPS and Location Data
This app does not ask the users to automatically share location data. This was a big choice by the HSE, which alleviates many privacy concerns, but removes any sense of “place” from the data the app gathers.
This means that bluetooth will be the only measure of proximity when determining a contact. The app will know if a likely contact took place, but not where in the country that was, or who the people involved were.
This will surely calm the concerns of many privacy experts and advocates. It helps the HSE avoid the risk of headlines that read “HSE app tracks your location data” which could severely hamper adoption and public trust in the app.
On the flip-side, it means the app gives the HSE less information about where the virus is in Ireland, but I think they have made some clever prompts and additions in other parts of the app and system which will capture much of this information in different ways, but without the attention-grabbing headlines of location tracking.
Because the contact predictions are all being done anonymously, the HSE cannot text, call or visit anyone who might have the virus, they can just send them an anonymous push notification.
The app will alert a contact with a push and with a persistent in-app message. It will then show them a list of recommendations for keeping safe and self-isolating.
Most interestingly, it will also ask if they would like to share their phone number and get a call from the HSE. This will allow for more traditional contact tracing to take place. It will be really interesting to see what the uptake rate on this option is.
One feature of successful contact tracing regimes, like Singapore and South Korea, is proactive testing. Reaching out to people and groups of people (like workplaces) where contacts might have occurred and proactively test as many of them as you can.
At first glance, with anonymised bluetooth and no GPS, it would seem that this app wouldn’t support such activity, but digging a bit deeper it looks like it might?
The first way it does this is by offering users the ability to request a phone call from the HSE once they get a contact notification. On that phone call, there’s every possibility that the person can be asked some extra information, if they wish to share it, about where in the country they live. They could be also be encouraged to take a test, at which point their details could be taken, including where they live and a verbal contact history recorded, as happens today without the app.
The other place some additional personal data can be captured is in the app’s symptom tracking section.
This is, to my mind, the most unique part of the Irish app, which I haven’t seen in any other country’s apps. The app will encourage people to “Check In” every day, and report how they’re feeling.
One of the motivators to do this is the nationwide stats that will be shared within the app – how many tens of thousands “checked-in” today. Sort of like an Operation Transformation, but for Covid fighting.
This is really hard to assess before launch. You can see the potential if it goes well, but also the risk of how publicly and visibly it could fail. Those aren’t the kind of risks usually taken by the civil service, so fair play to them on that front.
If it works, a large portion of the country will be recording their symptoms. Without any extra information, there isn’t much action that can be taken based on that data, but the app does prompt users to enter their sex, age range and location. So the HSE can get some self-reported data on location and demographics of users who are reporting symptoms. They also keep capturing extra data on confirmed cases outside the app, like they do today.
You can see the balance they’re trying to strike here. Removing any functionality that is greedy for user data, or could even be perceived as a privacy concern, will help build trust and get adoption. Using the Apple/Google exposure notification system is the most privacy conscious route to allow for contact notification, but it doesn’t really support “contact tracing”.
They then layer in some behavioural nudges in the form of “join the fight” daily check ins and “would you like a phone call?” notifications, which capture just a small amount of actionable data, and from only the most interesting users (probable infections) and in a manual way that doesn’t feel invasive. In that way they bring in some contact tracing elements, but just the minimum effective dose.
There are probably 3 key risks they need to overcome with the launch:
- That the Apple/Google bluetooth system proves effective enough at recording contacts accurately
- That people trust the app and download it
- That people check it regularly enough to make the data capture from check-ins meaningful
It seems like a very well intentioned, good faith effort at balancing all the competing concerns and I hope, for all of our sakes, that the bets they’ve made pay off.