Doing Covid-19 tracking apps right: It's all about acceptance

Wednesday 27 May 2020 08:35 CET | Editor: Mirela Ciobanu | Voice of the industry

The Paypers sat down with Martin Kuppinger, founder and principal analyst of KuppingerCole, to discuss the impact of apps that track the spread of coronavirus on keeping our data safe.

As a consequence of the Covid-19 pandemic, many countries have started creating Covid-19 tracking apps, and some have already rolled them out. There are good reasons for such apps, but there is also a significant risk of failure. Simply put: if not enough people use the app, it is of little value.

Why do we need a Covid-19 app?

The first question is: why do we need a Covid-19 tracking app? With 100,000s of deaths already caused by Covid-19, and many other severe disorders, the need to stop the virus from spreading further is apparent. Because people are infectious before showing symptoms, one might have been in contact with infected persons without knowing it. Tracking helps in identifying and managing contact chains, and thus in stopping the virus from spreading further.

Once contacts with infected persons are known, quarantine measures help in stopping the virus from spreading further. In a risk equation where risk is probability × impact, this reduces the probability of further infections and thus the risk of being infected.

From an economic perspective, the economic risks are based on an equation where the impact grows with the number of infected persons and the probability of others becoming infected. The higher the risk of the virus spreading, the bigger the economic impact. Thus, reducing these risks also reduces the economic impact.

Why acceptance of Corona tracking apps is the key success factor

Unfortunately, tracking apps only work well with mass adoption. The common calculation is that 60 to 70% of the citizens should use the app, which is a fairly high ratio. Unless a government can mandate the use of such an app, success depends on broad acceptance. Only then will most critical contacts (with infected persons) be identified, and only then can the spread of the virus be stopped.

While most people will understand and accept the value of such an app, there are factors hindering adoption. Some are technical, such as the power consumption Bluetooth might cause (or not, depending on the phone in use). However, the number one inhibitor is privacy concerns.

Should such an app store data centrally or decentrally?

The main question is whether such apps should store contact data centrally or decentrally. If stored centrally, the data could be identified or pseudonymised, i.e. stored without unveiling the identity of the user. In most societies, identified storage of such data will not be accepted. However, discussions in many countries such as Germany have shown that any form of central storage for health-related data will not be accepted by many people. This is even more true because it is not only about the health status, but also about social contacts and geolocation.

Thus, from an acceptance perspective, decentralised approaches, where all data is kept on the smartphones of the individual users, are the best way. If that phone ‘knows’ about the contacts and its user gets infected, the app can inform all contacts with nothing more than ‘you have been in contact with an infected person’. This allows the others to take adequate measures. Clearly, such an approach relies on responsible behaviour of people more than a central app does.

Does it need decentralised identity?

One of the questions sometimes raised is whether such an approach requires a concept following the models of decentralised identity or SSI (Self Sovereign Identity). The simple answer is: if you work with a decentral approach, there is no need for a decentralised identity, because no ID for the humans is used; it is just the devices communicating in a standardised, secure manner (if following the standards currently under development).
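To illustrate the decentralised model described above, the following is an added sketch, not code from the article and not the Apple/Google specification. It assumes a 10-minute identifier rotation, an HMAC-SHA256 derivation and some channel for distributing published keys; the names `Phone`, `rolling_id` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier rotates every 10 minutes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Short-lived identifier a device broadcasts during one interval."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self) -> None:
        self.daily_keys = {}   # day -> random key; no name or account attached
        self.observed = set()  # (day, identifier) pairs heard nearby; kept on the device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, interval)

    def hear(self, day: int, rid: bytes) -> None:
        self.observed.add((day, rid))

    def report_positive(self) -> dict:
        """Daily keys the user chooses to publish after a positive test."""
        return dict(self.daily_keys)

    def exposed_days(self, published: dict) -> list:
        """Re-derive identifiers from published keys and match them locally."""
        hits = set()
        for day, key in published.items():
            for i in range(INTERVALS_PER_DAY):
                if (day, rolling_id(key, i)) in self.observed:
                    hits.add(day)
                    break
        return sorted(hits)

def demo():
    # Constructed scenario: Bob meets Alice on day 1, Carol only meets Bob.
    alice, bob, carol = Phone(), Phone(), Phone()
    bob.hear(1, alice.broadcast(1, 42))
    carol.hear(1, bob.broadcast(1, 42))
    alice.broadcast(2, 5)  # day 2: Alice's phone broadcasts, nobody is in range
    published = alice.report_positive()
    return bob.exposed_days(published), carol.exposed_days(published)

if __name__ == "__main__":
    print(demo())
```

The published keys reveal nothing about who met whom; each phone learns only whether its own local log matches.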

How to avoid data breaches and fraudulent use of data?

This also avoids the risk of data breaches and fraudulent use. If there is no central data store, neither governments nor cybercriminals nor other parties can abuse that data. Decentral data is not attractive for the attacker, who would only get small chunks. Of course, attackers might try to collect data from many smartphones via some form of malware. But even then, it is of less interest than attacking a central store.

Whether to follow Apple and Google or not?

Apple and Google are jointly working on specifications and a framework for privacy-preserving contact tracing. This builds on a decentralised approach. Again, there is a good reason for following that concept: The apps will run smoothly within both major smartphone ecosystems, Apple iOS and Google Android. They can be easily made available in the app stores of both vendors. This, in consequence, will drive usage and acceptance.

Simply put, the most promising approach for implementing Covid-19 tracking apps is to consistently follow the specifications and framework Apple and Google are jointly defining. Standards always help in adoption, and they will help even more in this area.

Summing it up: Go for mass adoption, avoid privacy becoming a barrier

In sum: We need Covid-19 tracking apps. They should use a decentralised approach. They should build on the standard, specifications, and framework defined by Apple and Google, and they should be available soon. They will need active promotion by the government, specifically to educate about the need for mass adoption for the sake of every citizen and the entire economy.

Only if the apps are implemented and promoted well will the target of reaching a critical mass, and thus helping to control the spread of the virus, be achieved.

About Martin Kuppinger

As founder and principal analyst of KuppingerCole, Martin Kuppinger is responsible for the research division. He has written more than 50 IT books. He is a speaker and moderator at congresses. In his research, he focuses on identity management, virtualisation, cloud computing, general IT security, and others.


About KuppingerCole

KuppingerCole, founded back in 2004, is a global, independent analyst organisation headquartered in Europe. We specialise in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM, Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation.

