Several governments across the globe have recently released open source contact-tracing applications designed to help identify potential COVID-19 cases based on users’ exposure to confirmed cases.
Several countries around the world have launched Bluetooth-based contact-tracing apps to help fight COVID-19 by notifying people who are potentially at risk of contamination. For example, in Europe, the eRouska app is available in Czech Republic and the Stop Korona app in North Macedonia. Other governments, such as France, Ireland, and the UK, have announced their plans to build similar apps in the coming weeks.
At the European level, the Pan-European Privacy-Preserving Proximity-Tracking project (PEPP-PT) is to assist national initiatives by supplying ready-to-use, well-tested, and properly assessed mechanisms and standards. The project, supported by eight European countries (with many others having expressed their interest in participating), has gathered more than 130 international experts. PEPP-PT aims to ensure that apps developed by European governments are fully GDPR-compliant and respect users’ data privacy.
It is worth noting that, on 16 March, the European Commission published “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection” that addresses privacy issues.
Singapore was one of the first governments to release a contact-tracing app. On 20 March 2020, Singapore’s Government Technology Agency and the Ministry of Health launched the TraceTogether application to quickly track people who have been exposed to confirmed COVID-19 cases. Since then, the app has amassed almost one million users. Once TraceTogether users activate their Bluetooth, the application will record all other TraceTogether users nearby. If a TraceTogether user tests positive for Coronavirus, public health authorities will be able to alert other TraceTogether users that have recently been in close contact with the infected individual. Only people who have been in contact with an infected person for 30 minutes or longer will be considered at risk of contracting the virus and will be contacted by Singaporean authorities.
In several official communications, the Singaporean authorities confirmed that geolocation data is not retained by the application but stored on the user’s device. Other devices with the TraceTogether app or third parties cannot access users’ personal data. Data collection by the application requires user consent, which can be withdrawn at any time. Additionally, all the data stored by the TraceTogether app is automatically deleted after 21 days.
Finally, the TraceTogether app uses an open source privacy protocol called BlueTrace. The Singaporean authorities have published a white paper explaining in detail the functioning of the TraceTogether app and the BlueTrace privacy protocol.
TraceTogether is available free of charge on Google Play and the Apple App Store in Singapore only. However, on 9 April 2020, the Singaporean government released the OpenTrace repository which holds the source code of the TraceTogether app that other countries can adapt and tailor to their needs. The OpenTrace repository gathers the source code for an iOS app, an Android app, a cloud-based backend, and baseline signal strength calibration data. The repository is publicly available on GitHub under a General Public Licence 3.0 (GPL-3.0). Developed under Kotlin for the Android version of the app, Swift for iOS and TypeScript for the Cloud functions, OpenTrace is open for contributions.