ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

COMPARING CONTACT TRACING APPS FOR CORONAVIRUS AROUND THE WORLD

Contact tracing apps have a crucial role to play in combating COVID-19, but are we sacrificing our privacy in the process?

Public interest vs. civil liberties: The great contact tracing debate

Contact tracing may be our best bet in containing the Covid-19 pandemic and getting back to some form of normal. Contact tracing can be extremely effective in identifying and isolating individuals who may have been exposed to the virus. Government health agencies and private app developers across the globe have rolled out contact tracing apps to digitize the process in hopes of increasing its efficiency in response to the Covid-19 crisis.

How do they work?

Contact tracing apps work by leveraging the Bluetooth functionality or location services (such as GPS), sometimes both, on a user's device to determine proximity to other mobile phones running the same app. In China, for example, QR codes are scanned basically anywhere individuals may go, and are used to track their movements. Some apps also rely on location data directly from telecom providers, but Bluetooth is the least invasive.

This proximity data is then recorded by each of the devices running the app that come within a certain radius of one another for a sustained period. If a user ends up testing positive for Covid-19, they can let their app know. Any user whose phone had recorded contact with the infected user's phone in the preceding days would then get an alert notifying them that they had been in close proximity to someone infected with Covid-19, and would advise the user to self-isolate to limit the further spread of the virus.

 

These apps can be crucial in combating the spread of Covid-19 by urging those who may have been exposed to the virus to isolate themselves from others.

The downside is, contact tracing apps potentially pose considerable privacy concerns. This means it is important for governments and app developers to not lose sight of protecting user privacy and not to verge into what could amount to surveillance.

There is concern that contact tracing apps can set a precedent for extended government monitoring practices that go well beyond the scope and timeline of the current crisis. This is why these measures, as important as they are right now, should be temporary in nature and limit data collection to only what is necessary for the explicit purpose of the applications' functionality.

Privacy is crucial when deploying technological solutions that involve the processing of sensitive personal data. We investigated over sixty different contact tracing apps to determine whether they appropriately protect the privacy of users. Some had strong privacy protections, others had weak privacy protections, but most were somewhere in the middle.

Contact tracing apps around the world

We've created a table and assigned each a "Privacy Score" out of a possible 10. Please scroll across for more information.

Country App Privacy Score How Does It Work Mandatory Released Data Collected Who Accesses Data Where Is Data Stored Privacy Framework
BrazilCoronavirus - SUS (Official National App)8BluetoothNoYesNoneMinistry of HealthUser's Device (can submit)Apple Google
BulgariaViruSafe1GPSNoYesContact Details, Location, Demographic Information, Health InformationHealth OfficialsCentralized ServersNo
CanadaCOVID Alert (Official National App)8BluetoothNoYesNoneHealth OfficialsUser's Device (can submit)Apple/Google Framework
ChinaAlipay Health Code0QR codes/User reported location infoYesYesContact Details, Location, Medical Information, Demographic Information, Travel InformationGovernment, Law EnforcementCentralized ServersNo
ColumbiaCoronApp1Self-reported data, location dataNoYesContact Details, Location, Medical Information, Demographic Information, Travel InformationHealth OfficialsCentralized ServersNo
CyprusCovTracer0GPSNoYesLocation, Contact Details, Demographic Information, Health InformationResearch Centre of Excellence on Information and Communication TechnologiesUser's Device (can submit)No
Czech RepubliceRouška5BluetoothNoYesContact DetailsHealth OfficialsUsers Device (can submit)No
EstoniaHoia8BluetoothNoYesNoneHealth OfficialsUser's Device (can submit)DP-3T/Apple & Google
EUCOVID19 Alert6BluetoothNoNoNoneRelevant Official BodyUsers Device (can submit)No
FinlandKoronavilkku6BluetoothNoYesPhone number, Anonymized IDsSocial Insurance InstitutionUser's Device (can submit)Apple/Google
FranceStopCovid (Rebranded as TousAntiCovid) (Official National App)4BluetoothNoYesUser ID, Demographic InformationThird-party hosting providerCentralized ServersROBERT Protocol
GeorgiaStop Covid/NOVID202Bluetooth/GPS location dataNoYesContact Details, Location, Device InformationRelevant Official BodyUsers Device (can submit)No
GermanyIto9BluetoothNoYesNoneHealth OfficialsUsers DeviceTCN
GhanaGH COVID-19 Tracker App0Bluetooth/GPS location services/Self-reported dataNoYesContact Details, Location, Demographic InformationGovernmentCentralized ServersNo
GibraltarBeat Covid Gibraltar8BluetoothNoYesNoneHealth OfficialsUser's Device (can submit)Apple/Google Framework
HungaryVirusRadar4BluetoothNoYesContact DetailsPublic Health OfficialsCentralized ServersNo
IcelandRakning C-192Location dataNoYesContact Details, LocationRelevant Official BodyUsers Device (can submit)No
IndiaAarogya Setu0Bluetooth/GPS location trackingNoYesContact Details, Location, Demographic, Travel InformationGovernmentCentralized ServersNo
IndonesiaPeduliLindugi3BluetoothNoYesContact Details, Device InformationRelevant Official BodyCentralized ServersNo
IrelandCOVID Tracker App8BluetoothNoYesNoneHealth OfficialsUsers Device (can submit)Apple/Google
IsraelHaMagen2GPS location trackingNoYesLocationHealth OfficialsUsers Device (can submit)No
ItalyImmuni (Official National App)7BluetoothNoYesDemographic Information, IP addressHealth OfficialsUser's Device (can submit)Apple/Google
JapanContact-Confirmation Application (COCOA) (Official National App)8BluetoothNoYesNoneHealth OfficialsUser's Device (can submit)Apple/Google
JerseyJersey Covid AlertBluetoothNounknownunknownApple/Google Framework
JordanAman2GPS/BluetoothNoYesLocationHealth OfficialsUser's Device (can submit)No
KuwaitShlonik0GPSNoYesLocation, National ID numberHealth Officials, Central Agency of Information, Telecom ProviderCentralized ServersNo
LatviaApturi Covid7BluetoothNoYesContact DetailsHealth OfficialsUser's DeviceApple/Google Framework
MalaysiaMyTrace5BluetoothNoYesNoneMinistry of HealthCentralized ServersNo
MoroccoTrackorona1UnknownNoYesUndisclosedRelevant Official BodyUndisclosedNo
NetherlandsCoronaMelder6BluetoothNoNoNoneUnknown at this timeUser's DeviceDP-3T
New ZealandNZ Covid Tracer1QR CodesNoYesContact Details, Demographic InformationNZ Ministry of HealthCentralized ServersNo
North MacedoniaStopKorona!4BluetoothNoYesContact DetailsHealth OfficialsCentralized ServersNo
Northern IrelandStopCovid NI5BluetoothNoYesAge, Full postcode, Health informationHealth and Social Care Northern Ireland (HSCNI), Public Health England, Universities, Auditors, Research OrganizationsUser's Device (can submit)Apple/Google Framework
NorwaySmittestopp SUSPENDED OVER PRIVACY CONCERNS (170)1Bluetooth/GPS location servicesNoYesContact Details, LocationHealth OfficialsCentralized ServersNo
PeruPeruEnTusManos0GPSNoYesGPS Location dataPeruvian GovernmentCentralized ServersNo
PhilippinesWeTrace1GPS locations servicesYesYesContact DetailsHealth OfficialsCentralized ServersNo
PolandProteGO Safe2BluetoothNoYesContact Details, Demographic, Medical InformationHealth Officials, Relevant Official Bodies, Private CompaniesCentralized ServersNo
PortugalStayAway Covid (Official National App)8BluetoothNoYesNoneHealth OfficialsUser's Device (can submit)DP-3T
QatarEhteraz0GPS/BluetoothYesYesLocation, National ID number, Health Information, Contact DetailsHealth Officials, Ministry of InteriorCentralized ServersNo
Russia????????? ???? ???????????0GPS/QR CodeYesYesContact Details, Location, Travel Information, Demographic InformationLaw Enforcement AuthoritiesCentralized ServersNo
Saudi ArabiaTabaud8BluetoothNoYesNoneMinistry of HealthUser's Device (can submit)Apple/Google
SingaporeTraceTogether4BluetoothNoYesContact Details, "Identification Details"Health Officials, Law Enforcement AuthoritiesCentralized ServersBlueTrace
SlovakiaZostan zdravy0GPS location servicesNoYesContact Details, Location, Medical InformationPrivate Company, Government,Centralized ServersNo
South AfricaCOVI-ID0QR CodesNoYesContact Details, Medical Information, Biometric Information, Demographic InformationPrivate Companies, Third Party Entities (including marketers/advertisers), Health OfficialsCentralized ServersNo
South KoreaCorona 100m (Official National App)0Location servicesNoYesLocation, Contact DetailsPrivate CompanyCentralized ServersNo
SpainRadar COVID (Official National App)8BluetoothNoYesNone (anonymized IDs)Health OfficialsUser's Device (can submit)DP-3T
SwitzerlandSwissCovid-App10BluetoothNoYesNoneUser OnlyUsers DeviceDP-3T/Apple & Google Project
ThailandMor Chana1Bluetooth/GPSNoYesContact Details, LocationHealth OfficialsCentralized ServersNo
TunisiaE7mi4BluetoothNoYesContact DetailsHealth OfficialsCentralized ServersNo
TurkeyCoroWarner0Bluetooth/GPS location services/Telecom location dataNoNoUndisclosedUndisclosedUndisclosedNo
UAEALHOSN4BluetoothNoYesNational ID number, Contact DetailsHealth OfficialsUser's Device (can submit)No
UKNHS App (Official National App)4Bluetooth/QR CodesNoYesPost Code District, Venue Check-in DataHealth OfficialsUsers Device (can submit)Apple/Google
UruguayCoronavirusUY8BluetoothNoYesNoneMinistry of Public HealthUser's Device (can submit)Apple/Google
USANovid8BluetoothNoYesNoneHealth OfficialsUsers Device (can submit)TCN
VietnamBlue Zone6Bluetooth Low EnergyNoYesNoneHealth OfficialsUsers Device (can submit)No
ArgentinaCoTrack2GPSNoYesLocation, Medical Information, Travel InformationHealth OfficialsUsers Device (can submit)No
AustraliaCOVIDSafe (Official National App) 7BluetoothNoYesContact Details, Demographic InformationHealth OfficialsUsers Device (can submit)BlueTrace
AustriaStopp Corona7BluetoothNoYesContact DetailsRelevant Official BodiesUsers Device (can submit)DP-3T
BahrainBeAware0GPS location dataNoYesLocation, National ID Number, Contact Information, Demographic Information, Health Information, Travel InformationHealth Officials, Relevant Official Bodies, Third part entitiesCentralized ServersNo
BangladeshCorona Tracer BD0Bluetooth, GPS location servicesNoYesPhone number, National ID number, unique user IDHealth Officials, Information and Communication Technologu DivisionCentralized ServersNo
BelgiumB-fence8BluetoothNoNoNoneRelevant Official BodiesUsers Device (can submit)DP-3T

All data above has been ethically researched and fully cited. If you would like to explore the data, get a better idea of exactly how each country's app works, or explore the citations.

How we score contact tracing apps

In order to assign each app a privacy score, we asked five different questions, scoring each question out of 2 based on how they protected user privacy. We then added up the totals, giving the contact tracing apps a score based on their approach to user privacy. A maximum possible score of 10 means the app's privacy protection is impeccable, whereas a score of 0 means that users of the app are afforded no privacy whatsoever.

How is this scored?

2 – Applications that use strictly Bluetooth to determine proximity between devices.

0 – Applications that rely on any form of location tracking. This is because using specific location data is unnecessarily invasive for the functionality of a contact tracing app when Bluetooth is a viable alternative.

What personal data is collected?

The most privacy-focused contact tracing apps in our list do not collect any personal data at all and instead use anonymized, randomly generated, rotating identifiers to determine which devices came within close contact with one another. Any data collection beyond that is not necessary for achieving a workable digitized contact tracing solution.

How is this scored?

2 – apps that do not collect any personal user data.

1 – for any app that collects a minimal amount of data such as a UUID.

0 – For any app that collects location data or other sensitive data such as name, email address, physical address, gender, age, or health data. If the data collection information is not disclosed the app gets a 0 by default.

Who can access that data?

It is critical that people who can access the data are relevant to it, after all, location and medical data are highly sensitive pieces of information.

Usually, for the government-contracted contact tracing apps, a government agency of some sort is able to access the collected data. Other apps are shown to be sharing data with third-parties, including marketers, for no good reason at all. 

How is this scored?

2 – Only when the user is able to access the data we assigned a score of 2.

1 – When the data is collected strictly by a health authority, with express user consent.

0 – If the data is shared with third parties, can be accessed by the government at large in any country, or the information is not clearly disclosed. 

Where is the data stored?

There are two ways data these apps collect can be stored, either in a centralized or decentralized way. A centralized data model means data collected from the app is stored on a centralized server, whereas decentralized means all data collected is stored on the user's device.

A decentralized approach therefore makes your data both more secure and more private.

How is this scored?

2 – Uses a decentralized system, where data is stored on a user's device.

1 – Sends data to a centralized health authority server only if the user tests positive for the virus, with the express consent of the user. 

0 – Any app that stores collected user data on centralized servers by default, or if the developer or authorities do not disclose the information.

Privacy framework?

A privacy-preserving framework works to protect user privacy with a decentralized approach to contact tracing and limits the collection of data to anonymous identifiers is essential for maintaining proper user privacy. Many do not employ this framework, but those who do are clearly head and shoulders above the rest when considering user privacy.

How is this scored?

2 – Applications that apply a privacy-preserving framework into the development of the app.

1 – Any app that employs PEPP-PT. This is due to the controversy swirling around the PEPP-PT approach and agencies increasingly pulling out of the project for its centralized approach and general lack of transparency.

0 – Any app that doesn't employ any privacy-preserving framework. 

Comparing the best with the worst

We found a few apps that are excellent at protecting user privacy and scored an 8, and one scored a 9. Only one scored 10 (Switzerland's SwissCovid-App). The Swiss app works using Bluetooth, collects zero personal data, restricts access to the data to only the user, never allows any data to leave the user's device at any time, and employs the privacy-preserving contact tracing framework developed by Apple and Google. In other words, users should feel safe using the app knowing that their privacy will be respected.

Unsurprisingly, we found quite a few Covid-19 contact tracing apps that did little to protect user privacy and scored 0 overall, fourteen in total. These were the apps being used in Bahrain, Bangladesh, China, Cyprus, Ghana, India, Kuwait, Peru, Qatar, Russia, Slovakia, South Africa, South Korea, and Turkey.

All of the 0-rated apps use GPS location services, collect wide-ranging and unnecessary amounts of sensitive personally identifiable data, allow third-party or otherwise questionable access to that data, store the data on centralized servers, and do not employ any privacy-preserving framework for contact tracing.

These apps do pretty much everything wrong when it comes to protecting user privacy and have a real potential for misuse beyond the scope of the current crisis. Users should be extremely wary of using any of these apps.

 

Conclusion

Contact tracing by its nature can never be considered 100% anonymous or completely private, as we have seen, but digital contact tracing methods can work to preserve user privacy as much as possible.

The data we have collected throughout our investigation into Covid-19 contact tracing apps shows that there are a few developers and governments making the effort to protect user privacy. Many, though, do not. This could set a precedent for extended misuse of user data or continued government surveillance practices, even well after the pandemic is over.

Extraordinary times call for extraordinary measures. However, we must ensure that these measures are temporary in nature, limited in scope, remain voluntary and that governments do not use the crisis as an opportunity to conduct surveillance on their citizens or otherwise exploit or invade their privacy.

Written by: Attila Tomaschek

Attila is a Hungarian-American currently living in Budapest. Being in the VPN game for over 5 years, along with his acute understanding of the digital privacy space enables him to share his expertise with ProPrivacy readers. Attila has been featured as a privacy expert in press outlets such as Security Week, Silicon Angle, Fox News, Reader’s Digest, The Washington Examiner, Techopedia, Disruptor Daily, DZone, and more. He has also contributed bylines for several online publications like SC Magazine UK, Legal Reader, ITProPortal, BetaNews, and Verdict.

4 Comments

Alex
on February 27, 2022
I would like to download the csv file with the applications but I don't have access. Is it still available?
https://cdn.proprivacy.com/storage/images/2021/08/andreas-squarejpg-avatar_image-small_webp.webp
Andreas Theodorou replied to Alex
on February 28, 2022
Hi Alex, I'm not sure why the CSV file isn't available – I can't even access it... Leave this with us and we'll get to the bottom of it.
Larry
on May 9, 2020
What? I would have expected you folks to be screaming about this nonsense! Wow! I'm writing this 2 days after it was written & no one else has commented? Unreal!!
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Larry
on May 11, 2020
Hi Larry. Attila says: "Thanks for your comment. We obviously would never endorse any mechanism that would allow for the surveillance or tracking of ordinary citizens. That said, we wanted to highlight how certain countries are choosing to address the crisis through their digital contact tracing efforts, and to underscore that there are ways to conduct these efforts in a decentralized, privacy-preserving manner. That was the primary motivation behind assigning the privacy scores for each contact tracing app. Some countries are really doing their best to make their apps as private and secure as possible by not requiring any personal information whatsoever and operating in an entirely decentralized manner. Other countries, by contrast, are clearly not prioritizing user privacy in any way when building out these apps. Ultimately, we’ll see that the countries and apps that work to appropriately preserve user privacy will be the ones that generate greater user uptake and therefore could potentially achieve their intended objectives. Beyond the analysis we present here, we have also written an open letter to Matt Hancock urging the NHS to reconsider the centralized approach they have decided to take in their digital contact tracing efforts, and have provided commentary to various outlets online warning of the substantial privacy risks associated with such an approach."

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service