AVG Signal Blog Privacy Privacy Tips Contact Tracing Apps and Their Privacy Concerns

Written by Colin Asher
Published on May 21, 2020

What is contact tracing?

Contact tracing is a method used to track the spread of a disease as it moves from person to person. The practice of contact tracing isn’t new, and is generally an effective tool to mitigate disease spread by figuring out who an infected person has come in contact with. In an attempt to stop the spread of COVID-19, the technosphere has proposed a method of leveraging our ever-present smartphones to track who we’ve crossed paths with. However, such an approach to contact tracing may be both helping and hurting as it spreads a viral surveillance that could become the new normal. This extraordinary health crisis is now also a watershed moment for the future of our privacy.

This article contains:

    What are the origins of contact tracing?

    Contact tracing arose in different forms before the shape it’s taking today with smartphone apps. Syndromic surveillance picked up steam on a government level with the Anthrax scares of 2001. Then the 2002-2004 outbreak of the SARS virus solidified the need. Early methods of contact tracing consisted of tracking spikes in hospital visits where patients had reported similar symptoms to those of the disease, and then comparing the data from different hospitals. Today, thanks to the technology that everyone has in their pockets, the people who track diseases are looking for a more direct, elegant solution.

    How contract tracing apps work

    The general idea behind contact tracing mobile apps is that they notify you on your smartphone if you’ve crossed paths with someone who has indicated in the app that they have the virus. In most non-surveillance states, this involves a person willingly uploading their infected status into their mobile app. Users will then be notified if they previously crossed paths with a person who identified as infected.

    Will they actually work?

    One of the key conditions for such a proximity app to be effective is its adoption by a sufficiently large number of people. While on one hand it’s nice that people in many countries can select for privacy with multiple app options, the more competing apps there are, the more the system will be fragmented. This in turn will make them all less encompassing and effective. Experts say a contact tracing app needs adoption by at least 80% of a country in order to be really effective, and that is an essentially impossible percentage to reach, especially when people have different options and so many differing opinions about privacy. Another often unmentioned elephant in the room: if there aren’t enough COVID-19 tests, then the apps are pointless. They only make sense if people have a legitimate way of testing for the disease.

    Development of apps

    Currently, mobile apps are quickly being developed individually within many countries. Because they are being created ad hoc, many of them have much room for improvement. For example, depending on how the privacy factor is taken into account, they differ in their tracing methods and their efficacy. 

    In a prominent move, tech giants Google and Apple have teamed up to create a contact tracing API. This is not an actual app, but rather an interface for the contact tracing apps of different countries to be built upon, which should help standardize the functionality of any apps created using this technology.

    The Google-Apple API

    Most remarkably, the Google-Apple effort has put privacy measures front and center, at least when compared to other methods of contact tracing. 

    Part of the security measures of Google-Apple’s system is that it is decentralized, so location info won’t be collected in a big monitorable or breachable database. That means apps can be built on top of this system and won’t send data back to the government or the companies, but will instead store anonymous data directly on the phones. The API makes use of Bluetooth signals between phones, which should be sensitive enough to measure whether you were close enough to someone to have been exposed to the virus. This is more accurate than general location tracing, which uses GPS and can’t discern distances accurately enough to measure contact. As opposed to GPS, Bluetooth can be implemented to track merely how close you were to someone at some point, not your actual location when it happened. 

    With Bluetooth, if you get closer than two meters (six feet) from someone else with the app, your devices will exchange anonymous identifiers to create a list of people you’ve come in contact with that is stored on your phone. Unlike the aforementioned older methods of contact tracing where health organizations compared patient records, keeping the data on users’ phones will ensure privacy, but also prevent detailed collection and analysis by health authorities.

    Varying technology and privacy around the world

    Depending on the app and the technology it’s built on, the privacy of smartphone contact tracing does vary rather significantly. Let’s take a look at some different approaches and how they have been implemented around the globe.

    The USA

    The fragmentation of opinion about the apps can be seen greatly in America. According to a survey, two-thirds of Americans would install a contact tracing app, but most of that group was leery of installing an app produced by a central authority like the Center for Disease Control or, particularly, the government. Some states like North Dakota, South Dakota, and Utah have taken it upon themselves to develop apps. On one side are those who maintain a cautious, Snowdenesque position. On the other are people like California Governor Gavin Newsom, who, as Silicon Valley’s unofficial commander-in-chief, supports community surveillance. At this point, the size of the United States is proving the biggest hurdle to contact tracing being implemented and working.

    The UK

    The UK has chosen not to use the Google-Apple interface, and has opted instead for a centralized system that collects all the location data into a database controlled by the National Health Service. But besides this more authoritarian data-collection, their app may not even work correctly, because it adheres to different Bluetooth functionality than Google-Apple’s system. This is why many countries have agreed to use the G-A system. And since the NHS can’t update smartphone operating systems like those companies can, well, they may be losing this particular game of Tech Monopoly.


    Less secure methods are, for example, a contact tracing system in Israel. The system was created by the disreputable NSO group, a mobile spyware company that was implicated in the death of journalist Jamal Kashoggi and was also sued for fraud by no less than the Facebook-owned WhatsApp. Their system capitalizes on a new coronavirus-inspired law passed in Israel which allows the government to make bulk collection of people’s cell phone data.

    South Korea

    South Korea has taken contact tracing to the next level and they certainly demonstrate where the practice can lead if carried to the extreme. While there has been some attempt to keep things anonymous, their methods are stifling, to say the least. Location information is collected and dispensed publicly and enough detail about a person is collected that even without a name, it can be pretty obvious to neighbors who the person may be. Apparently, South Korean residents themselves have been clamoring for more rather than less information to be gathered, to the extent that authorities are checking apartment building CCTVs. In this case, social stigma has played a powerful part in keeping people distanced.


    India has made its COVID-tracking app mandatory for around one million people, including government workers and many employees, as well as those in food delivery services. Though it is new, the app has over 100 million users, and its fast adoption highlights the fact that legislation and applications aren’t evolving at the same rate.

    What this means for the future of privacy

    Smartphones are already rife with privacy concerns, and contact tracing adds a new chapter to the story of how technology is setting slippery precedents for future privacy laws. Just as many tech companies have been found historically unreliable when it comes to protecting user data, so too we will see more privacy problems with these apps. The UK NHS app’s data collection method has already been attacked for not being anonymous and having data that will be stored for future use by the government. Smartphones won’t be the only method of biosurveillance, either. Smart thermometers are collecting temperature-raising data, and some companies are using infrared cameras that can detect an elevated temperature.

    What should you do?

    In most democratic countries, it will be up to you to decide how you interact with contact tracing. If you are wondering whether to use it, think about the following:

    • Before downloading, look at the app’s website. While you never know what a tech company might be up to, having some of the technical aspects of the app highlighted up front is a good start and at least indicates an attempt to build trust.

    • When researching the privacy of an app, a central consideration is whether the app uses Bluetooth or GPS location data. As mentioned earlier, Bluetooth is more secure in many of the apps because it can communicate between phones directly and store data on the phone. However, having Bluetooth isn’t foolproof — for example, it’s also used by the NHS app. So the company or organization that owns the app also makes a difference.

    • Take part in old-school methods of prevention like responsible social distancing and consistent mask usage – they work.

    • Consider another way of using technology to help fight COVID-19, like Folding@home, which is a distributed way to lend your excess computing power to finding a cure.

    Surveil the surveillance – it’s the healthy thing to do

    When even tech giants like Google and Apple are erring on the side of privacy, you know you may have a potentially sticky situation on your hands for the future of surveillance. Perhaps this moment not only highlights how the world needs to be better prepared for pandemics, but also needs to start building a framework for technology and privacy to coexist before ad hoc solutions have to be crafted. The more we pay attention now and keep our critical eye on the propagation of such technology, the more we can responsibly shape the way things will look in the future.

    Connect privately on your Android with AVG Secure VPN

    Free trial

    Connect privately on your iPhone with AVG Secure VPN

    Free trial
    Privacy Tips
    Colin Asher