Contact tracing apps could play an important role in South Africa’s fight to curb the spread of COVID-19.
Traditionally, contract tracing is performed manually by humans and involves interviewing people who have tested positive for a disease in order to identify locations and people who they may have come in contact with.
Using certain proximity or location technologies in smartphones can supplement this manual tracking by providing additional data sources.
Google and Apple have collaborated to develop their own contact tracing API called Exposure Notification (GAEN).
It should be noted this is not an app, but a platform which can be used in official COVID-19 contact tracing smartphone apps.
The API uses the Bluetooth capability of smartphones to detect whether users may have been in close proximity to persons who have been diagnosed with COVID-19.
The companies have limited use of the API to a single public health app per country.
Infected persons can choose to disclose if they have tested positive on the public health app, and this will notify users with whom they may have come into contact with in the 14-day incubation period of the virus.
South Africa’s contact tracing app
MyBroadband asked the National Department of Health (NDoH) and Google for comment on such an app in South Africa.
The NDoH did not provide a response to questions, and Google declined to provide comment on the issue.
A team from the University of Cape Town has developed and launched an alternative contact tracing system, however, which is supported by the Department of Science.
The solution is called Covi-ID and uses QR codes to capture the geolocation data of users to assist in keeping record of visited locations.
Associate Professor Co-Pierre Georg told MyBroadband the system helps users remember where they were in the event that they test positive for COVID-19, or have crossed paths with someone else who has tested positive in the past 21 days.
The system links a unique QR code to a personal data wallet which contains information such as a user’s name, contact details, and photo.
The system works with a Covi-ID verifier app that is currently available for Android on the Play Store and expected to be available soon on the Apple Store soon.
Most users will not need the app, however, as this is only used by a verifier to record when a user enters or exits a particular building or area.
How it works
Users first visit the Covi-ID web portal as shown above to generate a QR code which is tied to a personal data wallet.
Government departments, transport authorities, banks, supermarkets and other companies can then designate verifiers such as security guards to scan a person’s QR code using the Covi-ID verifier app.
A geolocation receipt is generated within the data wallet whenever the QR code is scanned.
When a person tests positive for COVID-19, they can choose to submit their test result and geolocation data to contact tracers. The data can then be used by manual contact tracers to identify other Covi-ID users who may have been in the same location as the infected person.
What makes the Covi-ID system particularly useful for South Africa is that it does not require users have a smartphone.
People who do not possess a phone or computer can have their QR code generated and printed by a friend or family member, and keep it on them when they leave home.
Privacy a priority
Georg explained user privacy is a key priority in the design of the Covi-ID system and app.
“For now, showing a QR code will only collect a geolocation receipt from a verifier,” Georg noted.
“The app does not currently show a user’s health status or anything else than a picture of the user taken during sign-up to the verifier. This is to protect privacy and because the WHO does not yet recommend immunity certificates,” he explained.
“We use a trusted execution environment – dedicated hardware provided by Intel’s Software Guard Extension – which enables us to never have unencrypted user data being handled anywhere outside the trusted execution environment.”
Georg stated the developer itself does not have access to this environment once it is deployed, which proves they will never collect, store, sell, rent or analyse users’ personal data.
No direct government access
In addition, Georg said the app is not connected to any governmental database and functions as a standalone system.
“In accordance with existing regulation and best privacy practice, we allow users who test positive to volunteer their geolocation receipts to be communicated to manual contact tracers,” Georg stated.
“We do not forward any geolocation data to any government entity unless a user who tests positive actively consents.”
“Contact data of users who potentially have been exposed will also be communicated to manual contact tracers in accordance with existing regulation and best practices.”
This will be the practice until there is clear guideline on exposure notification such as GAEN, Georg said.
Georg said although the team would be able to incorporate the GAEN API into the app, this would go against recommended practice due to various ethical implications with its implementation.
“What happens, for example, if a user receives a notification that she might have been exposed while being in a taxi? Or in another public place where she must fear stigma? What happens if users who have been exposed get discriminated against or even attacked?”
“None of these issues have been worked out by Google or Apple and until there is clear guidance from the DoH or NICD we will not use exposure notification,” he said.
He explained in the South African context, manual tracers are best placed to have exposure interviews and do the follow-up interviews in a culturally-appropriate way, while using the required local language.