The world's first contact-tracing app built on the backbone of the API jointly developed by Google and Apple has launched as a large-scale pilot in Switzerland. Dubbed SwissCovid, the tool can now be downloaded by several thousand users that have been designated as belonging to "pilot populations", which include the army and some hospital workers.
SwissCovid is designed to quickly track and warn users who have been in prolonged contact with somebody who has tested positive for the COVID-19 virus in an effort to control the spread of the disease. Sign-up is voluntary, and it is expected that the app will be available to the wider public by mid-June, subject to the Swiss Parliament giving the tool the green light.
The pilot version of the app is also available to employees of the EPFL University in Lausanne, and of the ETH University in Zurich, which led the development of the technology. The two Swiss institutions decided to build the app on the basis of a model jointly put forward by Apple and Google last month, which was pitched by the tech giants as the better way to develop contact-tracing technology that incorporates privacy by design.
Apple and Google's API follows a decentralized approach, which means that every operation that might involve privacy is carried out on users' phones, rather than through a central database. At the heart of the concept is the imperative to keep data from being stored, and therefore at risk of being hacked or de-anonymized.
Last week, Apple released iOS 13.5, which includes a new COVID Exposure Notification feature. This feature enables the API that lets health officials and developers build contact-tracing technology.
In parallel, EPFL and ETH have been working on their own protocol called Decentralized Privacy-Preserving Proximity Tracing (DP3T). According to the universities' team, researchers have been in ongoing talks with Apple and Google to enable compatibility between DP3T and the tech giants' API. This means that the Swiss DP3T-based app can switch to Apple and Google's protocol as soon as it becomes widely available, and integrate easily with iOS and Android devices.
Marcel Salathé, an EPFL associate professor who worked on DP3T, told ZDNet: "We've been working on DP3T since the beginning of the crisis, and we based it on a decentralized model largely because of privacy concerns. A week or so after we went public, Google and Apple announced their API, and publicly said that it had been heavily inspired by our protocol," he said.
"For us, therefore, it was a no-brainer. Most of the things we had proposed with DP3T were in Apple and Google's API, and would be in iOS and Android. Since then, we have kept working with them to make sure they understand where we come from."
Scientists in the two Swiss universities have been testing and fine-tuning DP3T for the past month, with the help of the Swiss Army. The protocol operates via Bluetooth, continuously broadcasting random and impossible-to-guess strings of characters between smartphones. All signals are stored locally, on the devices, for a maximum of 14 days. If a user tests positive for COVID-19, they can then share the keys stored on their phone that were picked up on the days that they were contagious.
The app then finds out which contacts carried risk – those that lasted more than 15 minutes and took place less than two metres from another user – and generates a notification indicating the day of exposure to the risk, and the procedure to follow.
The decentralized principle at the heart of DP3T, and of Apple and Google's API, is not without shortcomings. Experts have repeatedly highlighted the technology's lack of reliability. Without a central organization supervising the alerts, and making sure that only the users who are at risk are being warned, there is a risk that the app gets swamped in false positives and turns to complete chaos.
A centralized approach, in addition, would let health services run analytics on data to better understand how the disease is spreading. For these reasons, the UK's NHS decided to snub Apple and Google's API, and instead to release its own centralized protocol.
"I have some sympathy for the idea that you can improve your knowledge of the outbreak with more data," said Salathé. "That's accurate, but I don't think we should develop a potentially very intrusive technology on the back of an epidemiological argument. Let's not use this tool to find out more about a virus, but let's use it to support regular contact-tracing."
The scientists behind the Swiss app also argued that the effectiveness of the tool depends on its widespread adoption by the public; and the way to achieve trust is to minimize the collection of information. Carmela Troncoso, who worked on the DP3T protocol at EPFL University, said: "Our goal is to offer a solution that can be adopted in Europe and around the world. There are millions of users and we owe it to them to be transparent."
In a webinar, the creators of SwissCovid further stressed that the technology was developed so as to secure the trust of the public. Troncoso said that users can decide to stop using the app and delete it permanently from their phone at any time.
Building a technology using Apple and Google's API, of course, also comes with some technical benefits: there are some obvious perks to creating a tool that is immediately compatible with iOS and Android. In that respect, the UK's homemade app, which is currently being trialed on the Isle of Wight, might need some more tweaking: it was reported that the technology profoundly impacts battery life for users with older iPhones.
Salathé said: "I assume other countries like the UK will eventually go down the decentralized route, because compatibility is key. You want to have a tool that works on users' phones, and Google and Apple control 99.5% of operating systems. I'm a bit puzzled that there is still a debate."
The road to deployment certainly hasn't been smooth for the NHS app. From an initial launch date estimated for mid-May, the government has now admitted that the tool wouldn't be ready until June.
In addition, concerns have been raised that the UK's centralized approach wouldn't enable interoperability with other European systems, which tend to favor decentralization – and that this could affect Britons' ability to travel abroad.
It recently emerged that the UK government has contracted private company Zuhlke to investigate whether the NHS's contact-tracing app could be switched over to Apple and Google's API. The £3.9 million contract's terms involve investigating the "complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs within the existing proximity mobile application and platform." NHSX has not responded to a request for comment.
On the other hand, Apple and Google said last week that 22 countries, as well as some US states, had requested access to their API.