Caution and Criticism: Contact Tracing through Mobile Apps

Jul 9, 2020 by BBB National Programs

Across the world, new apps are being created to facilitate contact tracing through mobile devices. The hope is that through these technologies, governments across the globe avoid future lockdowns and moderate social distancing orders. Though governments and corporations have marshalled impressive resources to develop these strategies, contact tracing powered by smartphones comes with inevitable challenges, regardless of the technologies used and the categories of contact data generated. 


Practical Impediments

Availability of testing.

The goal of a contact tracing app is to inform individuals that they have had a close interaction with someone who has tested positive for coronavirus. Because coronavirus may be spread by individuals with mild or no symptoms of infection, widespread testing must be available for contact tracing to work. That way, even asymptomatic carriers can know whether they have the virus and log this information with the appropriate app.

“One of the most important assumptions, really important assumptions, is that if you’re the source case you’ve bothered to go and get tested,” said Mary-Louise McLaws, Professor of Epidemiology, Hospital Infections and Infectious Diseases control at the University of New South Wales, Sydney. “This app must be paired with a community responsibility and a bit of guilt.”

At this time, testing capacity in the United States remains somewhat limited and many of the existing tests are known for false positives and false negatives.


A sufficient user base.

Even if testing is available, a critical mass of users must be willing to download, install, and use a contact tracing app for the technology to be successful. Many individuals might be unwilling or unable to use this technology, especially individuals who are less tech-literate. Elderly individuals who are both more vulnerable to the virus and less likely to own smartphones might refrain from downloading or using a contact tracing app. 


Technology adoption and use.  

A system that relies on voluntary adoption of the tech, as opposed to a government-mandated adoption, might prevent a enough individuals from using the technology. In contrast, a system that is government-mandated and strictly enforced could generate a backlash from the public, in the same manner the promotion of masks and lockdown orders in the United States has created a backlash. 


Human behavior.

In the same way that users ignore notices for software updates, emails about suspicious banking behavior, and banners and icons about privacy choices, users might ignore advice from a contact tracing app to self-quarantine or change their behavior. Further, individuals using a contact tracing app may feel a false sense of security and fail to take necessary steps to sanitize and self-quarantine. 

“Most Australians understand about sunscreen – we’re obsessed with sunscreen – we were told if you put this app on your phone it’ll be like sunscreen. And it’ll protect you,” said Ms. McLaws. “[The app] will only work if you get tested, and early. It won’t work if you don’t bother getting testing. So that’s another assumption that you’ll work it out that you need testing.”


Fragmented contact tracing efforts. 

If state or local public health authorities do not coordinate with one another effectively about the spread of the virus, the contact tracing efforts might be frustrated. This issue is compounded with decentralized apps, which by design share little to no data with third-party public health authorities. On an international scale, a fragmented approach to contact tracing might prevent neighboring countries from effectively coordinating to stop the virus. A successful approach to contact tracing where there are multiple apps may therefore require some level of cross-border interoperability.


Technical Limitations

Compatibility issues regarding Bluetooth.

As discussed in our last article, the Google and Apple exposure notification API and many other contact tracing apps depend on use of Bluetooth LE. Many older handsets do not have the Bluetooth LE chip that would be necessary for such a contact tracing app to function.


Bluetooth challenges with the iPhone.

On Apple’s mobile operating system, iOS, Bluetooth does not run in the background while the device is locked. While the Google and Apple exposure notification API can alter this default for iOS, health authorities that decline to adopt the Google and Apple decentralized approach are faced with this problem on the iPhone versions of their apps.

Currently, contact tracing apps for iPhones in Australia, France, and Britain are not sending the necessary Bluetooth signals when a user’s iPhone is locked. To date Apple refuses to make any changes to its operating system absent adoption of the exposure notification API, which has put pressure on many governments to adopt Google and Apple’s model.


Bluetooth’s relative accuracy.

Due to Bluetooth’s inherent limitations, solutions relying on it may yield false positives or negatives. For instance, if John and Jane are on opposites sides of a thin apartment wall, and John has logged that he is positive for coronavirus, Jane could receive a false notification of contact. Similarly, if a user accidentally toggles their Bluetooth radio off or leaves their phone at home during a sundries run, correlation of Bluetooth IDs will be impossible even where viral exposure may have occurred.


Signals in a high-density locality.

In high-density locations, such as New York City, where a person might encounter many other individuals throughout their day, contact tracing may be less effective. Constant Bluetooth encounters could render such a notification system pointless. For example, if Jane lives in New York City and receives dozens of notifications each day that she has had contact with a coronavirus patient, she might be disinclined to change her behavior.


Privacy Tradeoffs

Bluetooth vs. location data.

Google, Apple, and many governments have opted to develop Bluetooth-based contact tracing technology, declining to utilize more precise location technologies such as GPS for their apps. Although this choice may increase personal privacy, it might also lead to less effective outcomes for tracing the spread of the virus. In the alternative, sharing users’ precise location data with a centralized public health authority has clear risks to user privacy. Public health authorities and corporations seeking to help during this pandemic must analyze and carefully consider the tradeoffs involved.



With contact tracing apps that rely on the use of location data, there is some risk of reidentification if location data is paired with other data points. For example, a security researcher recently found flaws in India’s Aarogya Setu contact tracing app that allowed him to identify individuals suffering from coronavirus within a certain geographic radius. These risks also exist with apps and operating systems that only use Bluetooth for contact tracing. Even if security measures are put in place to stop reidentification of users as a technical matter, a savvy user might be able to use a combination of her memory and an app’s notification to identify which person in her social network is positive for the virus, raising privacy concerns. 


Setting precedent for future challenges.

The use of contact tracing apps, the storage of contact data with third-party corporations and health authorities, and the deployment of other means of data collection alongside these apps raise questions about the future of user privacy once coronavirus has subsided.


A Question of Success

At the end of May 2020, Google and Apple launched their joint exposure notification API, and across the world many contact tracing apps are becoming available for download. While these technologies are promising, whether these apps will be successful at slowing the spread of coronavirus remains to be seen. 

Suggested Articles


Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

Even as data privacy and safety practices that work for adult consumers provide a firm foundation for teens, they simultaneously run the risk of being insufficient to respond to the unique needs of teens. The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more

Pursuing Best Practices For Representation In Advertising

As advertising volume increases, so too do people’s expectations of representation in advertising. Unfortunately, advertising collectively is still falling short, and consumer perceptions reflect that. Why answer this call from consumers? And what is being done about it?
Read more