One of the first official contact tracing apps from U.S. state Departments of Health doesn't reliably record location data, which it is supposed to do in order to help state governments monitor coronavirus infections and warn other residents if they may have been exposed to the virus.
This is not to say that app is not working as intended, but the news shows the potential limitations of contact tracing apps that are supposed to help track and contain the spread of coronavirus. The news comes after Motherboard found that another app from the United Nations didn't even function correctly at all.
"The app is 'working' for tens of thousands of people," Tim Brookins, CEO of Proud Crowd, which designed the app called Care19 on behalf of North and South Dakota, told Motherboard in an email. "There are some cases, many in early versions of the app, where we missed more visited places," he added. Brookins also works at Microsoft.
Do you know about any other issues with coronavirus apps? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Last month, North and South Dakota's Departments of Health launched Care19, with the goal of helping map the spread of the coronavirus and warning those who may have been exposed.
"This app will help the NDDoH [North Dakota Department of Health] reduce the spread of COVID-19 by more efficiently and effectively identifying individuals who may have had contact with people who have tested positive," an announcement from the North Dakota state government reads.
According to screenshots on the Play Store page, once a user tests positive for COVID-19, the disease derived from the coronavirus, their respective Department of Health will contact them, and enable two buttons in the app that lets the user either share their location history with state officials to help with contact tracing, or to notify other users of the app who have been closeby that they may have been exposed too.
But multiple users on the app's Google Play Store page have reported issues with the app, particularly around the software not recording certain locations. John Scott-Railton, a senior researcher from University of Toronto's Citizen Lab, posted a screenshot of some of the reviews on Twitter on Wednesday.
"I downloaded this to be a good citizen and help protect myself and others, but it clearly is not working," one review said.
"I have driven to a friends house several times and was there longer than 10 min. I am still getting the no visit detected," another said. There are some similar reviews for the Apple version of the app, as well.
Brookins added, "We know from our telemetry that we are recording hundreds of thousands of visits a week for our 60,000 users in ND & SD and the vast majority are happy with their experience. I take about 10-15 support emails a day on average."
Brookins explained that the phone decides what sort of location data to gather, be that cell tower or otherwise, based on what is available. "It heavily favors cell tower and wifi sniffing as those are the lowest power options by far."
"However, there is no way the phone will wake up every five minutes and spin up the GPS. It would drain your battery. So this is a good example of where we could miss a visit. If a farmer in the country drives to visit his neighbor farmer and neither has wifi, we will likely miss it. However, most commercial places you would visit would be in a place where there is some wifi spots, etc… so it isn’t very common," he added.
Google and Apple have developed their own API for government health departments that uses Bluetooth Low Energy to try and perform contact tracing tasks, but without the need for location data. That may help protect privacy while also stopping an app from draining a device's battery too quickly. The North Dakota page announcing the app reads, "It will incorporate the joint Bluetooth proximity tracking technology that Apple/Google announced to be released mid-May."
Beyond an app that may miss some data points, experts argue that an application by itself will not be enough for effective contact tracing. That will also require a large amount of human labor alongside a technological solution.
"We need an army of 300,000 people," Tom Frieden, a former director of the Centers for Disease Control and Prevention, told health publication STAT.
"There are some cases, many in early versions of the app, where we missed more visited places."
The North Dakota page for Care19 adds it will, "Improve electronic case management capability to Local Public Health and others as contact tracing capacity in the state expands."
Brookins said Proud Crowd has continually updated the app since launching it three weeks ago. They found that some users disable wifi on their devices entirely, so they added a prompt letting users know the app won't function correctly without wifi.
In some cases the app itself may not be malfunctioning, but users' expectations may be different from what the app designers intended.
"There are cases where we did not set expectations properly. People get the app and expect it to record every single place they go with 100% accuracy. Given the parameters [of] how the phone sleeps (screen off, etc) we probably will never hit 100% accuracy. We will be adding the ability to manually add visited places in an upcoming update to cover cases where we miss," Brookins added.
North and South Dakota representatives did not respond to a request for comment.
Subscribe to our cybersecurity podcast, CYBER.