COVID-19 and tracing apps – where will this end?

In an attempt to stop the spread of COVID-19 and enforce social distancing practices, governments are reaching out to various companies in the private sector, including social media companies like Facebook and Google and telecommunications providers such as Vodafone, Deutsche Telekom and Telefonica, to use app-enabled geolocation features, facial recognition solutions and other technologies.

The hope is that this information will provide a better understanding of how the virus is spreading globally and whether individuals are practicing appropriate social distancing measures.

Using Phones to Trace

Across the globe, unsurprisingly, a variety of privacy considerations have arisen as a result of this information-sharing between the public and private sector.

One country that has used mobile phone apps for contact tracing is Singapore. It has directed its population to download an app called TraceTogether, which collects Bluetooth signals from other phones to log meetings between app users across the country. The data can then be used to identify those who may have been exposed to the virus and thus allow them to self-isolate.

The app works by storing data locally on the device, which helps protect privacy and enhance security, meaning that data from individuals is not stored centrally. Data is extracted only when it is needed by the authorities for contact tracing. The mobile app has been found to fill the gaps and quickly identify potential carriers, who then monitor their health and take action sooner.

Elsewhere, some states have gone further with public health security measures. Taiwan, for example, has rolled out a mobile phone-based “electronic security fence” that uses location tracking to ensure people who are quarantined stay in their homes. The Russian Government has also increased its digital surveillance activities by turning ordinary cameras into facial recognition systems to track the movement of individuals who break the curfew.

Other countries including South Korea, Israel and China are using data collected from mobile devices and other sources as one tool to fight the spread of the virus.

South Korea has managed to limit the spread of the virus in part due to aggressive test, track and trace based on data from mobile phones, electronic transactions and, in some cases, security cameras. In Israel, the security service is using location data it receives from telecommunications companies to warn citizens of possible exposure and to require them to self-isolate if that is the case.

Case Study – A Closer Look at China

In early February 2020, China developed a ‘close contact detector’ app to curb the spread of COVID-19. When the app is downloaded, the user must upload their name and ID number, which helps track movement. The system is used on either the social media platform WeChat or the payment app Alipay, in over 200 cities. When going outside and into shops, users can scan a QR code which, in return, provides them with a colour: green (healthy and unrestricted), yellow (you have been in close proximity with someone who has COVID-19 and must quarantine for 7 days) or red (must quarantine for 14 days). It has become very useful for contact tracing and testing of COVID-19 across China. This is helping China avoid mass lockdowns across the country and helps track the virus as it moves.

Nevertheless, there are associated problems with the app. It has been noted that several members of the same family who live together have received different results from the QR code, making the messaging sometimes confusing. Also, The New York Times has cited privacy concerns regarding the app sharing QR code information with the police to help enforce quarantines. China also has a direct method of following and tracing people, which the state may decline to relieve its citizens of.

Concerns About Privacy?

In the UK, on 22nd April 2020, Matt Hancock MP, Secretary of State for Health and Social Care, announced that a UK app is in beta trials and will be ready for use within a few weeks. Last month, it was revealed that the NHS would be partnering with a number of big tech companies to develop a shared data platform to assist COVID-19 surveillance. This has sparked widespread unease across the UK regarding the role tech companies play and their motivations especially during a global health emergency. There is also a question as to how long these measures will stay in place and how data may remain with large tech companies after this time.

These global efforts have caused concern among privacy and human rights experts. Governments are in active talks with technology companies about using location data taken from mobile phones to track the proliferation of the virus and to track whether people are adhering to social distancing protocols.

Apple and Google

Apple and Google have recently announced that they will start to add features to their mobile operating systems. This will make it possible for certain approved apps to use Bluetooth radios to track phone locations in proximity to others. 

Currently, the two tech companies are embarking on a two-step process. The first is to make an interface available that will allow developers to build apps that can access Bluetooth signal information for contact tracing. Only official apps will be allowed to do this. The next step is to build the contact tracing functionality into Google’s Android and Apple’s iOS operating systems.

The reaction from data ethicists and privacy experts is mixed. On the one hand, there has been no mention that the software required to make contact tracing work will be temporary. In fact, the mobile operating systems required to make it work are at a deep integration level. On the other hand, there are other organisations globally who may well be able to tackle this issue.

Consumers will also be forced into these measures with a lack of choice across privacy settings and civil liberties.

Still, there is concern in the UK that the Google and Apple COVID-19 contact tracing tech is too private for the UK.

In Europe, Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), a coalition of technologists and scientists from eight countries, is working on contact tracing proximity technology for COVID-19 that complies with strict privacy rules. It is a response to the huge spike in demand for citizens’ data, and is intended to offer not just another app, but what it describes as a “fully privacy-preserving approach” to COVID-19 contact tracing. While many countries have already led the way and provided apps for their citizens, this group plans to get a standardised approach up and running across the bloc.

PEPP-PT was created to adhere to strong European privacy and data protection laws and principles, vis-à-vis GDPR, the EU’s General Data Protection Regulation compliance framework.

Google, Apple and others are going to release further information in the next month, which will force us, as a country, to make a tough decision on whether getting our normal life back is worth some loss of privacy.

| | NHSX approach | Google / Apple approach |
|---|---|---|
| Mechanism | Proximity-based upon Bluetooth communication between smartphones. | Proximity-based upon Bluetooth communication between smartphones. |
| Assumption | Assumes Bluetooth proximity works in the majority of cases. | Assumes Bluetooth proximity works in the majority of cases. |
| Approach | Centralised (with the NHSX, and HM Government) | Decentralised (with the user, on their phone, who can release their proximity history when an infection is detected) |
| Led by | UK Government-backed; focuses on the UK alone. | Cross borders industry consortium. |
| Privacy | Reasonable privacy concerns; specifically around data custodianship and fears of data exploitation. | Some privacy concerns; around obfuscation of data and what is shared to Google / Apple. The power is in the hands of the user, however. |
| Adoption | Expect adoption to be lower than hoped for and useful. | Expect adoption to be reasonable; however, if the technology is not adequate for accurate proximity measurement, expect a quick & significant drop off in usage. |

Table 1: Comparison between centralised and decentralised approaches



With governments around the world starting to explore how digital technology can transition society from lockdown measures, we recommend that the following areas be given careful consideration in response to COVID-19:

Accountability and transparency

There must be a suitable accountability process during these sensitive times, taking into consideration societal, ethical and legal implications. An independent body with oversight will support public trust in the deployment of suitable symptom tracking and contact tracing apps.

Cybersecurity and privacy by design

Government should encourage security and privacy by design in technical implementations of applications around symptom tracking, and ascertain when personal data should be deleted after the crisis, working closely and in line with recommendations by NCSC and ICO.

Legislation - data

Government should lay out legislation around how data will be regulated in symptom tracking and contact tracing applications. Suitable timeframes need to be considered.

To set out detailed use of the utilisation of data and its processing during the symptom tracking and contact tracing efforts, including but not limited to who has access to the data and the purpose, and requirements around deletion and by when, thus fostering public trust in the use of people’s data.


Get Involved

We know the importance and positive impact that sharing knowledge and information within our community has, and we invite your opinions. We are keen to find out your thoughts and whether there is any advice that you’d like to share. To get involved, please contact us at