Skip to content

State-Based Contact Tracing Apps Could Be a Mess

While governments around the world have launched nationwide Covid-19 contact-tracing smartphone apps over the last months, the US pointedly has not. Instead, it seems like the apps designed to detect coronavirus exposure stateside will launch on a state-by-state basis—and they may be anything but united.

When Google and Apple officially launched their exposure notification API for Android and iOS last week, their announcement included statements from three states—Alabama, North Dakota, and South Carolina—that are already building apps that will integrate the company’s Bluetooth-based system.

But it increasingly seems that neither the Centers for Disease Control and Prevention, nor the Department of Health and Human Services, nor any other US federal agency will release a nationwide coronavirus contact tracing app. “There is no effort I know of at the national level to build anything” like a contact tracing app, says someone familiar with the White House Covid-19 task force deliberations led by President Donald Trump’s son-in-law Jared Kushner, speaking to WIRED under the condition of anonymity. “Just like you’ve seen with the plan on testing and reopening, it’s being pushed to the states.”

Another adviser to that task force, Andy Slavitt, who led Medicare and Medicaid policy in the Obama administration and reportedly offered recommendations to Kushner, tells WIRED that any contact-tracing smartphone apps are almost certain to be left to the states alone. “I don’t think the federal government wants the responsibility to figure out the best and most efficient way to execute a contact tracing app,” says Slavitt. “If it’s like everything else they’re doing, they’re going to want to make sure the states have the responsibility.” Neither the CDC nor the HHS responded to WIRED’s request for comment about any plans to launch a national Covid-19 tracking or notification app.

“If this is getting done on a state-by-state level or even a confederacy of states, like the Western Pact, the question is then around security and interoperability,” says Ashkan Soltani, the former lead technologist for the Federal Trade Commission, who has been analyzing Covid-19 tracing and notification apps. “If each state is trying to put this together, you run the risk of commercial entities building this, the systems’ backends not being secure, and reliability issues.”

The potential for privacy disasters from contact tracing apps already have been well demonstrated. North Dakota’s app was found to be sharing data with Foursquare and Google’s advertising system. India’s contact tracing app made it possible to locate some Covid-19-infected users by spoofing GPS locations. And a flaw in Qatar’s contact tracing system leaked hundreds of thousands of users’ personal data, including health status and locations.

Rather than auditing one national app for security and privacy issues, Soltani says, every state-level contact tracing or exposure notification system will have to be individually vetted for those sorts of issues. And for each one, the devil will be in the details of its implementation.

Google and Apple’s Bluetooth-based system, for instance, offers app makers a relatively privacy-preserving approach: It doesn’t collect any location information from phones, and doesn’t even collect any information at all from the phones of users who don’t voluntarily mark themselves as having been diagnosed as Covid-19 positive. For the vast majority of users, no information is ever uploaded to the server of the organization running the app.

But when a Covid-19 patient self-reports as positive through the system, their apps upload a set of rotating codes that their phones have transmitted to other users via Bluetooth for the previous two weeks. While those codes aren’t identifying in themselves, every app maker will have to take care not to collect the IP addresses of those Covid-19 patients’ smartphones, which could be used to identify infected individuals. Or if they do collect those IP addresses—say, to prevent denial of service attacks on their servers—they’ll have to be careful not to keep the data for too long or allow it to leak.