COVID19 contact tracing apps: a call for open source

A comment by Julian Kunkel, Simon Worthington, Jeremy Bennett, Andy Bennett

Governments worldwide are developing smartphone apps that track the location and movement profile of citizens in order to quickly identify the contacts of people infected with COVID-19. According to The Financial Times, if even 40% of smartphone users install such an application, infection levels in the UK would be significantly reduced. Therefore, the widespread usage of such an application is an important instrument in the current crisis.

How could such a smartphone app work? In a nutshell, a device can scan for other nearby devices and exchange device IDs, for example, using Bluetooth. This information then needs to be stored with a timestamp. If the owner of a device contracts the virus, s/he could indicate this fact in the app, which associates his or her own device ID with the information that s/he may have infected others. This data then needs to be recorded on a server so that the apps of other users can query the register and compare their stored contact information with the register of COVID-19 victims.

Open source can accelerate the development of tracking apps significantly

Let’s investigate the key challenges (requirements in IT terminology) associated with the development of a smartphone app. 

Firstly, the software itself must be robust and tailored to the local needs of a country. So far, each national government, and sometimes even local administrations, develops its own solution, but developing a new application isn’t cheap, and quick development bears risks in terms of software quality.

Secondly, the application must be safe and secure with regard to execution, as it will be widely installed and hackers may aim to exploit potential security flaws.

Finally, an inhibitor to the wide uptake of a solution is the privacy concerns of citizens. These can be broken down into malicious attempts by hackers to obtain data about users and the abuse of data for other purposes. For instance, people suspect that generated data is abused for mass surveillance and not restricted to the expected usage to track coronavirus contacts.

Open source mitigates risks of tracking apps

An open codebase accelerates development, fosters collaboration, and provides extreme transparency and trust:

  1. Code can be shared among all countries that want to develop their own application while local modifications can still be made.
  2. Potential security flaws can be investigated by experts and closed quickly. It is expected that many developers will contribute to such an application, and the risk of overlooking a bug is thereby reduced.
  3. Privacy concerns are mitigated by making clear which information is transmitted by the smartphone and to which servers. Solutions using an open and decentralized protocol, e.g., partitioning data by county or by day, can minimize the chance that a hacker obtains all the data about a person at once. The idea is that different trustworthy stakeholders hold different pieces of data, and if the data of one of them is obtained or abused, it gives only such a fragmented view that it is of no value. Some developers aim to store the contact information on the smartphone itself. However, a central register of COVID-19 victims still needs to be stored.
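The flow described above (exchange IDs, store them with a timestamp on the phone, report one's own ID to a central register, compare locally), as an added example that is not from this article or from any real app. The random device ID, the 14-day window and the names `Register`, `Phone` and `demo` are assumptions; the register is partitioned by day as item 3 suggests.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 14  # assumption: the article gives no retention period


class Register:
    """Server side: reported device IDs only, partitioned by day."""
    def __init__(self):
        self.by_day = defaultdict(set)

    def partition(self, day):
        return frozenset(self.by_day.get(day, ()))


class Phone:
    def __init__(self):
        self.device_id = secrets.token_hex(16)  # assumption: random ID, not a hardware identifier
        self.contacts = []  # (timestamp, other ID); never leaves the device

    def meet(self, other, when):
        # Both sides exchange IDs (e.g. over Bluetooth) and store them with a timestamp.
        self.contacts.append((when, other.device_id))
        other.contacts.append((when, self.device_id))

    def report_infection(self, register, now):
        # Upload only the own ID, filed under each day still inside the window.
        for d in range(RETENTION_DAYS + 1):
            register.by_day[(now - timedelta(days=d)).date()].add(self.device_id)

    def exposures(self, register, now):
        # Drop stale contacts, then compare locally against each day's partition.
        cutoff = now - timedelta(days=RETENTION_DAYS)
        self.contacts = [(t, i) for t, i in self.contacts if t >= cutoff]
        return [(t, i) for t, i in self.contacts if i in register.partition(t.date())]


def demo():
    now = datetime(2020, 4, 20, 12, 0, tzinfo=timezone.utc)  # constructed scenario
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    register = Register()
    alice.meet(bob, now - timedelta(days=3))
    alice.meet(carol, now - timedelta(days=20))  # outside the window
    bob.meet(dave, now - timedelta(days=1))      # Dave never met Alice
    alice.report_infection(register, now)
    hits = {n: len(p.exposures(register, now))
            for n, p in [("bob", bob), ("carol", carol), ("dave", dave)]}
    return hits, register
```

The register ends up holding a single reported ID and no contact pairs, so anyone who obtains it learns who reported but not who met whom.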

Note that no solution can guarantee that data won’t be abused to analyze user behavior as much as possible, but we believe that the transparency of open source and decentralized open systems will minimize the risk.

Please spread the word for joint open developments to fight our social challenges together!

Update: since the release of our article, NHS X have open-sourced the COVID-19 tracker app. See the NHS X GitHub for more information.

Disclaimer: we are aware that there are some open solutions for COVID-19. However, governments appear to ignore them, which is why we post this article.