We have documented 120 contact tracing apps in 71 countries, with many more scheduled to be rolled out in the coming weeks.
Data Privacy Risks
- There are currently 120 contact tracing apps available globally
- India’s Aarogya Setu app is the most popular, with 100 million downloads
- The U.S. has 23 contact tracing apps, more than any other country in the world
- 30 apps (25%) use GPS as the primary contact tracing method
- 58 apps (48%) use Bluetooth and 26 (22%) use Bluetooth and GPS
- 45 (37.5%) contact tracing apps are now using Google and Apple’s API
Much like VPN apps, contact tracing apps have provoked heated discussions in regards to their data privacy and inclusivity.
The data privacy concerns raised initially have gradually eased in recent months by the increasingly widespread adoption of Google and Apple’s Exposure Notifications API. That’s because Google and Apple’s API requires mobile app developers to adopt a decentralized approach if they want to utilize the API’s functionalities.
The decentralized system provides users with randomly generated, anonymous temporary keys. Upon a positive test result, the users’ app will share the temporary codes it’s used to a central server. These codes are then sent to every other device with the app installed to perform contact matching risk analysis and, if the random key matches one that the app has previously logged and meets the specified risk exposure criteria, it will send an alert and ask the user to self-quarantine.
Unlike the centralized approach, the decentralized approach protects users’ anonymity by performing the contact matching analysis at the local level, rather than at the point of the central server.
Overall, 45 contact tracing apps are currently using Google and Apple’s API, including 13 contact tracing apps in the U.S. There are also plans in another six U.S. states to use the API in the future.
Contact tracing apps often use GPS technology to track your precise location – a VPN that spoofs GPS is among the only consumer technology that can prevent this from happening.
Issues surrounding the interoperability of contact tracing apps dominate the public debate. The EU Commission has announced that European apps would begin to be interoperable from October 17, with the German and Italian apps the first to connect.
Similarly, in the U.S. an increasing number of contact tracing apps are using the national key server created by The Association of Public Health Laboratories.
We analyzed 47 contact tracing apps in 28 countries in detail and found that many put users’ data privacy at risk.
- 25 apps (53%) do not disclose how long they will store users’ data for
- 28 apps (60%) have no publicly stated anonymity measures
- 24 apps (51%) contain Google and Facebook tracking
- 9 apps contain Google AdSense trackers
- 11 apps contain Google conversion tracking and re-marketing code
- 7 apps include code from Facebook
In our analysis of these mobile apps, we found code relating to Google’s advertising and tracking platforms in 17 contact tracing apps. This includes AdSense, Google’s advertising network that allows publishers to make money by showing ads to their users, and also the much more powerful Google Ad Manager, formerly known as DoubleClick for Publishers, which allows publishers to show ads from a huge array of sources.
Aside from the ethics of monetizing this type of app, the presence of such tracking code in contact tracing apps raises red flags around data privacy and personal data collection due to the targeting options offered by Google’s ad platforms.
We also found code that enabled varying levels of integration with Facebook in seven apps. This ranges from direct integration with Facebook’s advertising platform to functionality allowing users of the apps to link their Facebook accounts, or to share content from the contact tracing apps to Facebook.
The general lack of data privacy features in these apps exacerbates concerns that contact tracing apps may be used to harvest citizens’ personal data.
Access this Google Sheet for our complete findings.