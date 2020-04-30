Ireland will soon get a contact-tracing app to help fight the spread of the coronavirus.

But will it work? And will we have to give up more of our privacy by letting it tell the government where we are at all times?

Progress on releasing the app has been slow. Neither the company building the technology, Waterford-based NearForm, nor the HSE has explained how it will work.

However, government figures suggest that it will use Bluetooth to connect to other phones, in line with what other countries are doing. The idea is that if someone tests positive, their notification will trigger alerts to others who might have been near them at some point in the previous days or weeks.

Even before it launches, there are two significant problems.

The first is take-up. So far, downloads of other countries' contact-tracing apps have been low.

Singapore was one of the first to introduce an app in March, but only one fifth of the country's six million population has downloaded it. The take-up rate in US states such as North and South Dakota has been even worse, at about 3pc.

In Australia, which released its contact-tracing app early last week, it has been somewhat better, reaching two million downloads - about 8pc of its population - in the first three days.

Experts such as Professor Christophe Fraser of the University of Oxford say that for a contact-tracing app to be effective, it needs about 60pc take-up.

In Ireland, that figure seems optimistic. Almost all phones sold here are Android or Apple smartphones, but there is between 10pc and 20pc of the population who still do not have one. To reach the 60pc target, this would require more than 70pc of smartphone owners to download it.

Surveys indicate that those over the age of 70, who are more vulnerable to serious health consequences from the coronavirus, are less likely to own a smartphone than younger adults. While this age group is cocooning at the moment, they are soon likely to be allowed out in limited circumstances.

Then there is the issue of privacy. One of the apps most looked at by European countries as a possible blueprint is Singapore's TraceTogether. This is based on its OpenTrace platform.

Privacy weaknesses

Professor Doug Leith and Stephen Farrell of the School of Computer Science and Statistics at Trinity College Dublin have just published a study that identifies privacy weaknesses in this system.

They say that Singapore's app potentially allows the (IP-based) location of user handsets to be tracked by Google over time. It also finds that the 'reversible encryption' used by the app relies on a "single long-term secret key stored in a Google Cloud service" and so "is vulnerable to disclosure of this secret key".

In other words, the presence of at least some Google technology in the app set-up creates problems.

Could Google use any of the data from Singapore's contact-tracing app for ad targeting?

"There's an obvious potential conflict of interest," says Professor Leith. "In this case, it's a company that collects data for advertising. Its business model is collecting personal data for commercial use. It can be done inadvertently because of the rush to produce an app quickly and all of the pressure to do this."

Prof Leith's paper, entitled 'Coronavirus Contact Tracing App Privacy: What Data is Shared by the Singapore OpenTrace App', recommends that Singapore's app be modified to disable the use of Google's Firebase analytics service.

Prof Leith also thinks there should be more transparency around Ireland's contact-tracing app before it is released.

"In fairness to the Singapore guys, they did make it open source," he says. "And that's one of the things I think the Irish government should be doing before they release it. Let some independent people have scrutiny on it. The more eyes there are on this, the more we can catch avoidable mistakes."

This is a call that is echoed by the Irish Council for Civil Liberties (ICCL) in a letter published late last week.

"Source code cannot be concealed and must be shared publicly and regularly audited by external experts," it said. "It is vital that the public trusts the solutions of our government." The ICCL also has reservations about stuffing too many functions into an app that the government is pushing on to people.

"Other countries are developing tracing apps which are for contact-tracing alone," it says. "They do not track location or symptoms. There is no known justification for location tracking. Symptom-tracking, if it is really needed, can be handled in a different app."

The HSE and NearForm declined to comment at the time of going to press. A response from Google was not available.

At present, it is assumed that downloading the app will be a voluntary. There are fears, though, that some employers may try to insist that workers download and use the app as a condition of employment once the lockdown eases.

In the UK, the civil liberties group Liberty has asked the government to introduce legislation that would prevent people being forced to used the app when going back to work, school or public facilities.

"I think we'll get something but it's not going to be any kind of silver bullet that suddenly magically works," says Professor Leith of Trinity.

"Given the history of states gathering data, it seems irresistible to use the data for other things. So I think that's a really legitimate concern. At the very least, it's good that there's a public discussion around it."

Three ways the app might work

Option 1: Big brother (South Korea, Hong Kong and variations)

Your app is tracked by location. Any Bluetooth contact with an infected person is logged and, in some cases, publicly posted.

Option 2: Not authoritarian, but still centralised (UK, Australia)

Your app gathers contact information from other phones, which is then uploaded to a health authority's system. That authority can contact you if it detects contact between an infected person and a non-infected person.

Option 3: The least intrusive option (Germany)

Bluetooth is used between phones, but the information is kept on individual devices. If someone is infected, they choose what data to upload. The health authority then works with the person to start a contact-tracing operation.