During his recent address to the nation, President Cyril Ramaphosa asked all South Africans to install the COVID-19 Alert SA app, which the Department of Health launched at the beginning of September.
Ramaphosa also announced that when South Africa starts re-opening its borders to international travellers on 1 October 2020, visitors will be required to install the application when they enter the country.
This has resulted in many South Africans raising concerns over the infringement of their right to privacy through this “contact tracing app”.
However, it is important to understand that the COVID-19 Alert SA application is not a contact tracing app, but merely an exposure notification app.
It is based on an application programming interface (API) that Google and Apple developed in partnership specifically for the creation of exposure notification apps that respect users’ privacy.
Apple-Google COVID-19 exposure notification partnership
On 11 April 2020, Apple and Google announced that they had partnered to develop an application programming interface (API) for COVID-19 exposure notification.
- Google: Exposure Notifications: Using technology to help public health authorities fight COVID‑19
- Apple: Privacy-Preserving Contact Tracing
This technology would not replace traditional methods of contact tracing, the two companies said, but augment them.
Part of the specification of the technology is that no personally identifying information or location data is collected.
Rather than relying on GPS tracking or any other exchange of personal data, the exposure notification framework built into Android and iPhone devices uses Bluetooth low-energy signals to determine whether two people were in close proximity to each other.
According to Google, their system was heavily inspired by the Decentralized Privacy-Preserving Proximity Tracing protocol (DP-3T), which was developed by a team of European researchers.
DP-3T was one of many protocols developed by researchers to try and address the privacy concerns around contact tracing. Others include the Temporary Contact Numbers Protocol (TCN) and the Private Automated Contact Tracing (PACT) system from MIT.
However, CNBC quoted Google vice president of Android, Dave Burke, as saying that DP-3T “gives the best privacy-preserving aspects of the contact tracing service”.
Bluetooth-based “contact tracing” needed Apple and Google to work
While several countries have independently developed contact tracing apps to help in their fight against the COVID-19 pandemic, each had its pitfalls.
Chiefly, if you wanted to make use of Bluetooth as suggested by privacy-first protocols such as TCN, DP-3T, and PACT, your app had to be running in the foreground the whole time.
The Register reported that Google and Apple placed significant restrictions on how Bluetooth may be used in their mobile operating systems. There are workarounds to this, but they come with several trade-offs, including a tremendous cost to the battery life of your device.
According to The Verge, the reason Android and iOS don’t allow the constant broadcast of Bluetooth signals is that it has been exploited before for targeted advertising.
For a privacy-centric contact tracing protocol based on Bluetooth low-energy to succeed, it needed Apple and Google on board to make it work at an operating system level.
How it works
The Apple-Google COVID-19 exposure notification framework works through the exchange of anonymous cryptographic tokens using Bluetooth low-energy signals.
When two devices are within Bluetooth range, they send each other a randomly generated token. Google calls these random IDs, though they don’t contain any personally identifying information — they are completely random.
Devices store the tokens they have sent, as well as the tokens they have received, for 14 days.
If someone tests positive for the coronavirus and they have been using an app that makes use of the Apple-Google API, they can upload all of the tokens they have sent in the past 14 days to a notification server. It is up to governments to decide whether they want to put safeguards in place to try and ensure that people can’t upload tokens without a confirmed positive coronavirus test result.
The notification server then sends out these tokens for other app users to check against the collection of tokens they have received in the past 14 days.
If you have received a cryptographic token from someone who has tested positive, you will be advised to self-quarantine for a period of 14 days and seek medical advice if you experience symptoms.
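The exchange described above, as an added Python sketch that is not code from the app or from Apple and Google. It follows this article's simplified description (fully random tokens, a 14-day store, matching done on the phone), and the class and function names are hypothetical.

```python
import secrets

RETENTION_DAYS = 14  # storage window stated in the article

class Device:
    """One phone in the simplified token model (hypothetical class)."""
    def __init__(self):
        self.sent = {}      # token -> day it was broadcast
        self.received = {}  # token -> day it was heard

    def broadcast(self, day):
        token = secrets.token_bytes(16)  # random: no identity, no location
        self.sent[token] = day
        return token

    def hear(self, token, day):
        self.received[token] = day

    def expire(self, today):
        # Drop anything older than the retention window.
        cutoff = today - RETENTION_DAYS
        self.sent = {t: d for t, d in self.sent.items() if d > cutoff}
        self.received = {t: d for t, d in self.received.items() if d > cutoff}

    def upload(self, today):
        # After a positive test: publish only tokens this device sent.
        self.expire(today)
        return set(self.sent)

    def check_exposure(self, published, today):
        # Matching runs locally; the server never learns who matched.
        self.expire(today)
        return sorted({d for t, d in self.received.items() if t in published})

def meet(a, b, day):
    """Two devices in Bluetooth range swap freshly generated tokens."""
    b.hear(a.broadcast(day), day)
    a.hear(b.broadcast(day), day)

def simulate():
    # Constructed scenario: Alice tests positive on day 16.
    alice, bob, carol = Device(), Device(), Device()
    meet(alice, bob, day=1)    # outside the 14-day window by day 16
    meet(alice, bob, day=10)   # inside the window
    meet(bob, carol, day=12)   # Carol never met Alice
    published = alice.upload(today=16)  # what the notification server relays
    return {"published": len(published),
            "bob": bob.check_exposure(published, today=16),
            "carol": carol.check_exposure(published, today=16)}
```

Only Bob is flagged, and only for day 10: the server sees a set of random tokens, never a contact list, which is why the data is of little use to contact tracers.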
Several European governments and epidemiologists actually asked Apple and Google to relax the privacy requirements of their exposure notification system.
They explained that the apps built using the Apple-Google API are essentially useless to researchers and do not provide contact tracers with any useful data to help them do their jobs.
Since no personal information is gathered, the framework also does not give governments the information they need to enforce their quarantine rules.
If the system notifies someone that they have potentially been exposed to the coronavirus, it is entirely up to that person to remain isolated and go for the necessary tests.
Traditional contact tracers may also end up duplicating the work the app has already done. They may end up investigating contacts that the app has already advised to self-isolate, as they will have no idea which contacts the app has notified.
According to the Department of Health, the app is under 3MB in size.
The app is free and does not feature in-app purchases, and the small amount of data that the app uses has been zero-rated by all of South Africa’s mobile network providers.
As the following screenshot shows, the app has used 488 kilobytes since being installed on 1 September, which is less than half a megabyte.
Setting up COVID Alert SA
The following screenshots show what it looks like when you install the COVID Alert SA app.
It displays a welcome screen:
Asks you to enable exposure notifications:
And informs you that it is important to alert others if you have tested positive for COVID-19:
The app has two main screens, one which shows whether you have been exposed to coronavirus in the past 14 days, and one which lets you upload your secure Bluetooth tokens in the event that you tested positive: