COVID Tracing Apps: What Europe Has Done Right, and Wrong

Europe has been in COVID-containment mode for the last month, in contrast to the prior three months of serious lockdown. Kids went back to school, in shifts, and people went on vacation to countries with similarly low infection rates. Legoland and the zoo opened back up, capped at 1/3 capacity. Hardware stores and post offices are running “normally” once you’ve accommodated mandatory masks and 1.5 meter separations while standing in line as “normal”. To make up for the fact that half of the tables have to be left empty, most restaurants have sprawled out onto their terraces. It’s not really normal, but it’s also no longer horrible.

But even a country that’s doing very well like Germany, where I live, has a few hundred to a thousand new cases per day. If these are left to spread unchecked as before, the possibility of a second wave is very real, hence the mask-and-distance routine. The various European COVID-tracing apps were rolled out with this backdrop of a looming pandemic that’s tenuously under control. While nobody expects the apps to replace public distancing, they also stand to help if they can catch new and asymptomatic cases before they get passed on.

When Google and Apple introduced their frameworks for tracing apps, I took a technical look at them. My conclusion was that the infrastructure was sound, but that the implementation details would be where all of the dragons lay in wait. Not surprisingly, I was right!

Here’s an update on what’s happened in the first month of Europe’s experience with COVID-tracing apps. The good news is that the apps seem to be well written and based on the aforementioned solid foundation. Many, many people have installed at least one of the apps, and despite some quite serious growing pains, they seem to be mostly functioning as they should. The bad news is that, due to their privacy-preserving nature, nobody knows how many people have received warnings, or what effect, if any, the apps are having on the infection rate. You certainly can’t see an “app effect” in the new daily cases rate. After a month of hard coding work and extreme public goodwill, it may be that cellphone apps just aren’t the panacea some had hoped.

Europe is a Patchwork

The first thing you need to know about Europe’s COVID apps is that there’s a ton of them, and they’re all different. Just as our neighbors to the south make phenomenal pizza, those to the west fantastic baguettes and cheese, and those to the east delicious Pilsner, the nationally endorsed tracing apps differ in more than language.

There are three frameworks in play, but two of them are essentially the same. The Google/Apple “Exposure Notification System” (ENS) was inspired by the original drafts of the European “Decentralized Privacy-Preserving Proximity Tracing” (DP-3T) framework, and both use date-time-ID hashes broadcast over Bluetooth LE to allow individual phones to determine if they’ve come into contact with infected individuals. We covered the ENS extensively before. Since the hashes change frequently and since your secret ID is never communicated outside your phone, these two provide very strong privacy guarantees. And since the DP-3T and ENS frameworks are essentially the same, it should eventually be feasible for apps using both systems to converge; ENS basically incorporates the concepts of DP-3T into OS-level API calls in both Android and iOS. So while Europe is split about 50/50 between DP-3T and ENS, it’s fundamentally all the same thing.
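A simplified sketch of the decentralized matching described above, added here as an example and not code from ENS, DP-3T or any national app. HMAC-SHA256, the 10-minute interval and the `Phone` class are assumptions chosen for illustration; the real frameworks use their own key derivations.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: a new broadcast ID every 10 minutes


def rolling_id(daily_key: bytes, day: int, interval: int) -> bytes:
    """Date-time-ID hash sent over Bluetooth LE (HMAC-SHA256 is a stand-in)."""
    msg = day.to_bytes(4, "big") + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}  # day -> own secret daily key
        self.heard: set[bytes] = set()    # rolling IDs received from nearby phones

    def broadcast(self, day: int, interval: int) -> bytes:
        # The daily key stays on the phone; only the derived hash is sent.
        key = self.keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, day, interval)

    def hear(self, beacon: bytes) -> None:
        self.heard.add(beacon)

    def report_positive(self, days: range) -> list[tuple[int, bytes]]:
        """Upload own daily keys for the contagious window; no contact list."""
        return [(d, self.keys[d]) for d in days if d in self.keys]

    def exposure_count(self, published: list[tuple[int, bytes]]) -> int:
        """Re-derive each published key's IDs and match them on the phone."""
        return sum(
            rolling_id(key, day, i) in self.heard
            for day, key in published
            for i in range(INTERVALS_PER_DAY)
        )


def demo() -> tuple[int, int]:
    # Constructed scenario: Alice and Bob share 30 minutes on day 7.
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in (50, 51, 52):
        bob.hear(alice.broadcast(7, interval))
    carol.hear(bob.broadcast(7, 50))  # Carol met Bob, never Alice
    published = alice.report_positive(range(5, 8))
    return bob.exposure_count(published), carol.exposure_count(published)
```

The server in this sketch only ever sees the daily keys Alice chose to upload; who heard whom stays on each phone, which is the property the centralized design gives up.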

“Croissants” by Jo@net, CC BY 2.0

The odd country out is France, which is using a centralized version of the same Bluetooth LE beacons approach. The ROBERT system used in their StopCovid app collects both your random ID and the date-time-ID hashes that your phone has heard, compares them in a central databank, and then informs you if there is a match. ROBERT is essentially a spinoff of the forerunner to DP-3T, the “Pan-European Privacy-Preserving Proximity Tracing” framework (PEPP-PT).

The “privacy” in PEPP-PT is due to the fact that the ID numbers are generated randomly per-phone as with the decentralized solution, so they are pseudonymous. On the other hand, if the central server could somehow correlate numbers with people, then they would have a tremendously detailed log of who has been near whom, when. The potential de-anonymizing of the data led most of the universities participating in PEPP-PT development to leave for DP-3T, and also resulted in possibly the most passive-aggressive whitepaper title of all time: “Proximity Tracing Applications: The misleading debate about centralised versus decentralised approaches” from the French camp.

You don’t have to fear the government to not want your data stored centrally, either. The Korean app’s encryption was just broken, and since it reports not only your COVID status but your location and purchase history back to the central server, this is a huge privacy breach. (The password with which everything was encrypted? “1234567890123456”. At least it’s long.) There don’t seem to be any similar howlers in the French code, but the database of everyone’s activities and contacts is going to be a juicy target for bad hackers.

But even leaving France aside, the apps that use the same framework don’t work together yet. Even though the apps use similar frameworks, a government agency needs to broadcast the authoritative list of contagious hashes daily for your phone to compare against. Should the German app pull data from the Italians and from the Spanish? The consensus seems to be that it should, and there is work afoot to make it possible before long. But for now, Europe’s COVID apps remain a patchwork delineated by national borders, even though travel restrictions within Europe have been partially lifted.

And still a few countries have no system up and running yet. Spain is notable here, although it’s in progress.

Europe is Open

One of the most reassuring sights in the European COVID app development process has been how thoroughly the development was debated in the public sphere. Here in Germany, the switch from the only-pseudonymous PEPP-PT to the DP-3T was widely reported on in the press, and was probably due in no small part to efforts by the Chaos Computer Club and other public-interest groups with security expertise, and of course those in parliament who listened to them.

And because transparency was seen as crucial to app uptake, almost all of the nationally sponsored apps are open source. In the case of Germany, the app was developed behind closed doors by SAP and Deutsche Telekom, firms hardly known for their open-source credentials. But a few weeks before the release, they put it all up on GitHub: server, apps, verification portal, and extensive docs. As of today, of 356 issues raised, 293 are closed and all appear to be getting triaged quickly and taken seriously. How often do you hear a grumpy security programmer say of a codebase that it’s “astoundingly clean and contains, on first look, no obvious backdoors or security holes”? High praise! (Translated by robots here.) No code is ever 100% secure, but the open security process seems to be working.

While I’ve followed Germany’s progress most closely, code is out for many other countries. Here’s Ireland’s, Italy’s, Austria’s, France’s, Poland’s, and The Netherlands’. Notably absent are Denmark and Finland, with proprietary apps, although they are based on the ENS and DP-3T frameworks, respectively. Feel free to update us all on any other country’s programs in the comments!

If you don’t believe that open, auditable code matters, see the South Korean debacle above. A hard-coded password in everyone’s app wouldn’t stand up for one day, much less a few months, in an open environment. This is not to say that there aren’t deep bugs in any of the open codebases — they’re huge and complex after all — but low-hanging fruit like 1234567890123456 would have been caught immediately.

Now the Bad News

One of the most important factors for any COVID app to be useful is that it’s in widespread use. For example, if only 5% of the population installs the application, you have a hard maximum chance of 5% that an actual exposure will be correctly reported to you, given that you have the app installed. While the positive effects of early tracing increase as the install base grows, British scientists estimate that you’d need ~60% coverage to wipe the disease out, and uptake varies wildly from country to country.

I couldn’t find up-to-date statistics for all countries, but I’d bet that Germany has the largest install base, with over 16 million downloads. But with a population of 83 million, that’s only 19% of the population. According to Angela Merkel’s chief of staff (who is totally not biased), Germany has the “best” app, and yet when asked in a survey only 42% say they would install the app.

Ireland boasts 1.3 million users, or 27% of their 4.9 million inhabitants, probably taking the prize for highest install rate. France’s app was only downloaded 2.3 million times in the first few weeks, out of 65 million: 3.5%. Ouch.

You might need this. (“charging-battery” by Wolfgang Lonien, CC BY-SA 2.0)

And that’s assuming that everyone has the app on and running all the time. Germany’s app, which is supposed to run on the Android OS facilities provided by the ENS, ended up with gaps in service as it was backgrounded on Samsung and Xiaomi phones (translated) for most of the first month, undetected. The operating systems’ power saving modes were overly enthusiastic. It runs on “prioritized background” mode now, but taking the two largest phone manufacturers out of your dataset for a few weeks isn’t going to help. The French app, which can’t use the ENS and has to run in the foreground, is reported to eat batteries like they were Nutella crepes. How many people will keep battery hogs running?

It’s not all Android, either. There was a problem with users upgrading to iOS 13.6 that prevented the app from running at all. I don’t know if that’s been fixed yet. Anyone?

Other glitches in the German system have been more policy than software. If you test positive for COVID, your doctor informs you by mail, and then you have to validate a secret code by phone with a special hotline in order to enter the system as contagious. This can cause a two-day delay in getting into the system, during which time people won’t know that they’ve had contact with someone infectious. Since speed in tracing back contacts is the name of the game, this is a shame. And that’s assuming you register at all — there’s some preliminary evidence from the Robert Koch Institute that between four and six percent of people who’ve tested positive end up registering that on the app. (Translated.)

It could be worse. While no longer technically part of the EU, England has still failed to come out with a COVID app. After months of supporting a central-server model, and serious issues getting their app to run on iOS devices, the NHS decided to switch up to the decentralized ENS after all, which is probably a good thing for privacy and uptake but results in further delays. Meanwhile Scotland and Northern Ireland, ostensibly part of the UK, have taken matters into their own hands.

On top of all this, people still debate whether Bluetooth LE range is a good proxy for close, virus-communicating proximity in the first place. The various apps require multiple exposures to trigger a warning, so the “bus passing by” scenario isn’t such a concern, but people living in an apartment below someone who has tested positive will doubtless get false positives.

A Big Experiment? A Dress Rehearsal?

What are the take-home lessons of the last month of European COVID-tracing apps? On the positive side, inviting public involvement in the requirements process and providing open and auditable code can go a long way to encourage app adoption. Comparing France, Germany, and Ireland, it looks like users also care about their privacy enough to make a significant difference in uptake as well, even when it’s as subtle as the difference between anonymity and pseudonymity.

Still, it’s hard to see any effect of the COVID apps yet. Whether this is because of the technical glitches, too low an install base, or a failure to self-report as contagious, the systems have not made a real dent in the daily case numbers. Maybe there will be some effect visible later on, or maybe not. Only time will tell, sadly. The apps could even make things worse; we can also imagine a world where people relax their behavior based on false confidence of low exposure simply because nobody is using the app around them.

It’s a little bit disheartening that there isn’t a simple technological solution to preventing the spread of a highly contagious disease that lies dormant for a week or so, even when it’s confronted with clever cryptographic frameworks and open-source development. Masks, distance, and early testing and notification really seem to be the path forward: science and medicine instead of cellphones and software.

That said, the nice thing about many of the European apps is that they are open, respect your privacy, and do at least stand a non-zero chance of helping contain the spread of the disease. You don’t have anything to lose by using them, and the development process will hopefully serve as a model for the future. And given the ample supply of anti-patterns, that’s a success in itself.