Privacy Tracker: Contact Tracing & Digital Health Certificate Apps

This live tracker documents new initiatives introduced in response to the pandemic that pose a risk to digital rights and data privacy around the world.
Photo of a man walking in shadow of surveillance cameras, it's the main image for the "Privacy Tracker: Contact Tracing & Digital Health Certificate Apps" report.
Samuel Woodhams

First published 20 March, 2020. Last updated to confirm that this tracker will not be updated further.

Digital Rights: Key Risks

Digital Health Certificate Apps

  • 73 digital health certificate mobile apps are in operation globally
  • We consider 60 mobile apps (82%) to have inadequate privacy policies
  • 32 apps (44%) track users’ precise location
  • 14 of the 20 most popular apps have permissions with implications for data privacy
  • There are now 14 vaccine passport mobile apps, with 13.4 million downloads

Contact Tracing Apps

  • 120 contact tracing mobile apps are available in 71 countries
  • 45 mobile apps now use Google and Apple’s API. 75 don’t use the API, with potentially greater risk for data privacy
  • The U.S. has 23 apps, more than any other country in the world
  • 19 apps, with 4 million downloads combined, have no privacy policy and thus no expectation of data privacy

Location Tracking

  • 60 location tracking measures have been introduced in 38 countries
  • Telecom providers have shared users’ location data in 20 countries

Mass Surveillance

  • 43 physical mass surveillance initiatives have been adopted in 27 countries
  • Drones have been used in 22 countries to help enforce lockdowns
  • Europe introduced more new instances of mass surveillance than any other region

Monitoring Location Tracking & Surveillance

The goal of this tracker was to monitor the flood of new initiatives introduced by governments around the world in response to Covid-19 that posed a potential risk to data privacy and security.

While this index is no longer being updated, it remains a vitally important document of the wide range of location tracking used by authorities, the proliferation of contact tracing mobile apps, and introduction of new physical mass surveillance.

Some of these may well have been proportionate, necessary and legitimate actions during an extremely challenging period of time. However, some dramatically threatened citizens’ civil liberties and right to privacy.

In maintaining this document, our aim remains to help stem overreach, promote scrutiny, and ensure that intrusive measures don’t continue for any longer than absolutely necessary.

See our complete findings in this public Google Sheet.

Digital Health Certificate Apps

China’s AliPay Health Code mobile app, which assigned citizens a color code that represented their COVID-19 status and was used to determine whether or not a user could access public spaces, led the way.

Since then we have recorded 73 apps designed to similarly log and display the status of individuals for domestic and international travel, access to academic institutions and workplaces. The mobile apps had been downloaded almost 19 million times combined at the time of publication.

However, like digital contact tracing apps, much of this software has been developed in a haphazard way, putting users’ data privacy and security at significant risk.

Data Privacy Risks

  • There are currently 73 digital health certificate apps in operation
  • The apps have been downloaded at least 18.8 million times combined
  • 60 apps (82%) have inadequate privacy policies
  • U.S. developers have created almost half (35) of all apps
  • Employee screening apps (19) and venue access apps (19) are the most common, followed by international travel apps (17)

Vaccine Passport Apps

An increasing number of mobile apps have also been developed to log and display users’ vaccination status.

Developers have claimed these apps will also encourage international travel to resume safely and allow domestic economies to reopen. However, few of these apps have adequate privacy safeguards, which raises significant concerns about collection of personal data and the erosion of users’ digital rights.

Data Privacy Risks

  • There are currently 14 vaccine passport apps in operation
  • The mobile apps have been downloaded at least 13.4 million times combined
  • 10 apps (71%) have inadequate privacy policies
  • 6 apps (43%) track users’ precise locations
  • 17 apps are expected to be released in the coming months

The following data table shows details of all such mobile apps available globally. Android install figures have been sourced from the Google Play Store, while the iOS monthly install statistics are from SensorTower for February 2021.

* Note: WeChat – Digital Health Certificate install figures may not reflect the true number of vaccine passport users as this feature is integrated into the wider WeChat application. It has therefore been excluded from the overall install figure provided in the key findings.

Privacy Analysis

The following section provides a deep dive into the privacy policies of all of the digital health mobile apps, with a particular focus on collection of personal data, data security and location tracking.

Privacy Policy Analysis: Key Findings

  • 36 (49%) mobile apps do not have dedicated privacy policies
  • 36 (49%) apps do not disclose exactly what personally identifiable information (PII) is collected
  • 59 (81%) apps do not disclose how long users’ data will be stored for
  • 42 (58%) apps share information with third parties in some way
  • 49 (67%) publicly state they will share user information with law enforcement agencies and authorities when requested.
  • None of the apps are open source

Some of the privacy policies were not just inadequate, they were potentially misleading.

According to Canada’s ArriveCAN privacy policy, the app “doesn’t use GPS or other technology on your mobile phone to track your location.”[1] Yet our analysis showed the app requested the ACCESS_FINE_LOCATION permission which could allow the app to monitor a users’ precise location via GPS. The app has been downloaded almost 200,000 times.

We also discovered some apps have potential vulnerabilities. Scans of Brunei’s BruHealth app, for example, showed that it potentially contained malware. The app has been downloaded over 100,000 times.

Even when software is developed with data privacy in mind, there is always a risk that it will be misused in the future.

In January, law enforcement agencies in Singapore were reportedly given access to personal data from the TraceTogether app, despite clear indications on the original privacy policy that this would not happen.[2]

In our analysis, more than half of all apps explicitly state they will share users’ personal data if asked by a relevant authority.

Privacy advocates have warned of this type of mission creep and these mobile apps are similarly at risk of serving more nefarious purposes in the future.

This is particularly true given the potentially invasive permissions requested by the apps and their poor privacy policies that don’t safeguard effectively against personal data collection.

The following data table shows the 20 most popular digital health certificate apps around the world with information on their privacy policies and potentially invasive permissions. Android download figures have been sourced from the Google Play Store, while the iOS monthly figures are from SensorTower for February 2021.

Contact Tracing Apps

We have documented 120 contact tracing apps in 71 countries, with many more scheduled to be rolled out in the coming weeks.

Data Privacy Risks

  • There are currently 120 contact tracing apps available globally
  • India’s Aarogya Setu app is the most popular, with 100 million downloads
  • The U.S. has 23 contact tracing apps, more than any other country in the world
  • 30 apps (25%) use GPS as the primary contact tracing method
  • 58 apps (48%) use Bluetooth and 26 (22%) use Bluetooth and GPS
  • 45 (37.5%) contact tracing apps are now using Google and Apple’s API
  • 19 apps, with over 4 million downloads combined, have no privacy policy

Much like VPN applications, contact tracing apps have provoked heated discussions in regards to their data privacy and inclusivity.

The data privacy concerns raised initially have gradually eased in recent months by the increasingly widespread adoption of Google and Apple’s Exposure Notifications API. That’s because Google and Apple’s API requires mobile app developers to adopt a decentralized approach if they want to utilize the API’s functionalities.

The decentralized system provides users with randomly generated, anonymous temporary keys. Upon a positive test result, the users’ app will share the temporary codes it’s used to a central server. These codes are then sent to every other device with the app installed to perform contact matching risk analysis and, if the random key matches one that the app has previously logged and meets the specified risk exposure criteria, it will send an alert and ask the user to self-quarantine.

Unlike the centralized approach, the decentralized approach protects users’ anonymity by performing the contact matching analysis at the local level, rather than at the point of the central server.

Overall, 45 contact tracing apps are currently using Google and Apple’s API, including 13 contact tracing apps in the U.S. There are also plans in another six U.S. states to use the API in the future.

While an increasing number of countries have adopted the decentralized approach, an alarming number still put users’ sensitive data privacy at risk. 19 contact tracing apps, which have been downloaded over 4 million times combined, don’t even have a dedicated privacy policy.

Contact tracing apps often use GPS technology to track your precise location – a VPN that spoofs GPS is among the only consumer technology that can prevent this from happening.

Issues surrounding the interoperability of contact tracing apps dominate the public debate. The EU Commission has announced[3] that European apps would begin to be interoperable from October 17, with the German and Italian apps the first to connect.

Similarly, in the U.S. an increasing number of contact tracing apps are using the national key server created by The Association of Public Health Laboratories.[4]

In-Depth Analysis

We analyzed 47 contact tracing apps in 28 countries in detail and found that many put users’ data privacy at risk.

  • 25 apps (53%) do not disclose how long they will store users’ data for
  • 28 apps (60%) have no publicly stated anonymity measures
  • 24 apps (51%) contain Google and Facebook tracking
  • 9 apps contain Google AdSense trackers
  • 11 apps contain Google conversion tracking and re-marketing code
  • 7 apps include code from Facebook

In our analysis of these mobile apps, we found code relating to Google’s advertising and tracking platforms in 17 contact tracing apps. This includes AdSense, Google’s advertising network that allows publishers to make money by showing ads to their users, and also the much more powerful Google Ad Manager, formerly known as DoubleClick for Publishers, which allows publishers to show ads from a huge array of sources.

Aside from the ethics of monetizing this type of app, the presence of such tracking code in contact tracing apps raises red flags around data privacy and personal data collection due to the targeting options offered by Google’s ad platforms.

We also found code that enabled varying levels of integration with Facebook in seven apps. This ranges from direct integration with Facebook’s advertising platform to functionality allowing users of the apps to link their Facebook accounts, or to share content from the contact tracing apps to Facebook.

The general lack of data privacy features in these apps exacerbates concerns that contact tracing apps may be used to harvest citizens’ personal data.

Access this Google Sheet for our complete findings.

Global Contact Tracing App Details

The following data table shows the 10 most popular contact tracing apps from around the world. Download figures provided are from Google’s Play Store.

* For full list of developers, please refer to this Google Sheet.

All Measures - Regional Analysis

The following data table summarizes measures being adopted that threaten digital rights, by global region. For details of individual measures skip ahead to the following sections:

Location Tracking

Many public health authorities around the world have turned to initiatives involving location-based services to help monitor their populations.

Measures have included the use of aggregated mobile location data to track citizens during lockdowns, mobile apps designed to help identify the location of those infected, and the deployment of advanced cellphone monitoring technologies.

We have compiled a reverse chronological list of confirmed location tracking being adopted around the world on this public Google Sheet.

Mass Surveillance

Authorities around the world are also adopting increasingly extensive physical mass surveillance measures that significantly intrude on individuals’ right to privacy.

These include the deployment of facial recognition cameras equipped with heat sensors, surveillance drones used to monitor citizens’ movements, and extensive CCTV networks in a bid to help enforce curfews.

See a reverse chronological list of such measures implemented around the world on this public Google Sheet.

Supporting Documents & Additional Resources

For more updates on proposed and confirmed developments from around the world, follow Privacy International’s live tracker, Tracking the Global Response to COVID-19, and this document created by Dr. Andrew Dwyer.

References

[1] https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/arrivecan.html

[2] https://www.bbc.co.uk/news/world-asia-55541001

[3] https://twitter.com/FantaAlexx/status/1310912834897838081?s=20

[4] https://www.vox.com/recode/2020/10/2/21497729/covid-coronavirus-contact-tracing-app-apple-google-exposure-notification