States’ smartphone exposure notification apps get mixed reviews
Connecting state and local government leaders
While the apps improved the speed and reach of contact tracing, the Government Accountability Office found several challenges limiting app use and the ability of states and others to determine whether the apps were effective.
COVID-19 exposure notification apps that alert people when they have been in close proximity to an infectious user have five major challenges that limit app use and the ability to determine their effectiveness, a new Government Accountability Office report found.
GAO studied app use in nine states – Alabama, Colorado, Connecticut, Minnesota, Nevada, North Carolina, Pennsylvania, Virginia and Washington – between November 2020 and this month, and released its “Exposure Notification” technology assessment Sept. 9.
The first challenge GAO cites is the accuracy of measuring the distance between users at the time of potential exposure because distance calculations can only be estimated. The metrics that assess the signal strength between apps on devices use a common smartphone wireless radio transmission technology called Bluetooth Low Energy (BLE) to broadcast encounter messages containing a random identifier. Any phone with the same or similar app that’s within range of the broadcast signal can receive and store the encounter messages. If a message is from the device of someone who later tests positive for COVID-19, the smartphone analyzes the distance between devices to determine risk and alert users.
But BLE cannot always reliably measure whether two smartphones are within 6 feet of each other – the standard for social distancing, the report stated. What’s more, signal strength doesn’t always decrease as people move apart, and objects in the environment between a sender and a receiver can interfere with the signal.
Privacy and security are a second area of concern. Although the Centers for Disease Control and Prevention recommends that the apps undergo independent security and privacy assessments and the results of those be made public, none of the nine states had done that. Five said they had conducted assessments but had not released results. No public law has clear privacy protections for the information that exposure notification apps gather, the report added.
Security threats to the apps include revealing the identity of an infected app user, denial-of-service attacks, phone tracking, and false positives, or notifications of exposure despite not being in close contact with an infected person.
A third challenge is adoption, GAO said. Some states have spent more than $3 million to market their apps, but the public still has its doubts. Officials in six of 11 states (the nine from GAO’s selected sample plus Louisiana and Utah, which provided feedback when they deployed apps in the later stages of GAO’s evidence collection) said user concerns about using the apps for surveillance were a top obstacle. Lack of understanding how the apps work and of their availability were other impediments.
Verification code delays were cited as another challenge, according to GAO. These codes are used to confirm that a person had a positive test or diagnosis before they can upload their recent temporary keys to the National Key Server. That process was developed by Microsoft and the Association of Public Health Laboratories so that apps nationwide could interoperate, allowing users to find out if they have been exposed without needing to download and use apps from multiple states. Several states require a public health official to provide the code, and staffing shortages have caused delays, GAO said.
“To help address this challenge, five of the nine selected states implemented an automated process to distribute the codes,” the report stated. “Instead of providing the codes entirely through phone calls, some states also send text messages with the code or a link to a website with instructions for how to obtain the code. State officials reported that this automated distribution resulted in an increase in the number of verification codes disseminated to app users.”
The fifth challenge GAO found is a lack of evidence of the apps’ effectiveness. A major reason for this is that states collect limited data from the apps and lack guidance on measuring effectiveness.
The report noted two main benefits of the apps, however: speed and reach by automating and augmenting manual contact tracing.
“Apps are also expected to provide more complete and faster identification of contacts because, unlike manual contact tracing, they do not rely on a person’s memory to identify the people they came into contact with, according to CDC documents,” the auditors stated.
In the report, GAO posits four policy options to help address the five challenges: research and development, privacy and security standards and practices, best practices and a national strategy. “Policymakers could recommend a national app that public health authorities could decide to use based on their individual needs,” the report suggested. “A national app could add more functions by integrating exposure notification capabilities with test scheduling and vaccine delivery coordination.”
As of June, almost 26 of 56 U.S. states, territories and Washington, D.C., had deployed an exposure notification app for COVID-19, all using a system developed jointly by Google and Apple and released in May 2020. Also as of June, the number of times apps had been downloaded in selected states ranged from 200,000 to more than 2 million.