Our data says a lot about us – where we go, who we see, and what we do. And since our smartphones come with us everywhere, they are almost always collecting our data. To improve my understanding of how our data and devices can be used to fight the COVID-19 pandemic, I sat down with (over Zoom of course) Robert Furberg, PhD an Informaticist at RTI International and an expert in the field of digital health and emerging technologies.
Can you provide a brief overview of your background and the focus area of your research?
I’m a Senior Clinical Informaticist at RTI International. My work focuses on how emerging technologies (such as smartphones, mobile apps, and/or wearable devices) can be used to support applied public health and clinical interventions.
How does your work intersect with the COVID-19 pandemic?
As the pandemic progresses, we’re seeing more public health authorities (PHAs) turn to digital technologies as a way to support ongoing “manual” efforts of tracking and tracing COVID-19 cases. For instance, North Carolina (NC) has the SlowCOVIDNC exposure notification app, which notifies users if they’ve been in close contact with someone who tested positive for COVID-19. I’ve been tracking the global development and dissemination of exposure notification apps to determine if people are using them and if they are effective.
Besides SlowCOVIDNC, what does the overall landscape look like for using digital technologies for COVID-19 cases?
To understand the landscape, countries can largely be grouped into two extremes:
- First, there are countries where consumer privacy and data protection regulations are not as pervasive. Here we see a high level of digital tech “adoption”, albeit less voluntary. This also includes the collection of very detailed personal data, including real-time location data, to track potential exposure to COVID-19.
- On the other end of the spectrum are the European Union nations. These countries must comply with the General Data Protection Regulation that provides elevated levels of protection for personal data. It imposes strict, staggering fines for violations of these protections by technology vendors. This regulation protects the rights of the individuals who engage with digital technology. This also includes the hallmark “Right to be Forgotten” that obligates erasure of data from a system upon user request. These conditions require a completely different approach to acquiring and managing data, even during a public health emergency.
For the U.S., there are currently 11 states with publicly-available exposure notification apps that support tracking COVID-19 cases. And there are six more states that have publicly committed to releasing their own app. This was made possible after Apple and Google developed an exposure notification Application Programming Interface (API) to ease the burden of app development. With the combined efforts of these two tech titans, you won’t get 100% coverage. But you will get better results than if each developed their own solution that was only compatible with their own platform.
Can you describe the API and what this unlocked?
The exposure notification API was released in May of 2020. It is only available, however, to credentialed developers working on behalf of a PHA. Developers with access to the API can use these resources to build an app and customize it for their PHA.
Beneath the hood, all exposure notification apps work the same way. The apps take advantage of the Bluetooth radio on our smartphone that is constantly transmitting and receiving information. Anytime two Bluetooth-enabled smartphones are within range of one another, the devices exchange a small packet of information, like a virtual handshake. Physical distance is then estimated by measuring the signal strength during this handshake. The exchanged data only contains identifiers specific to the phone, not the person or their location. This information is used to create a rolling, 2-week inventory of encounters.
The data collected in the COVID-19 app then confirms if a person has been in “close contact” with other Bluetooth-enabled smartphones. If someone logs a positive COVID-19 test in the app, the app will use the 2-week inventory of encounters to send a push notification to other phones confirming potential exposure.
Given the widespread interest in exposure notification apps, I want to be clear about the function of these apps. They are not meant to replace the people performing contact tracing. These apps are meant to increase the efficiency of those people-driven contract tracking operations.
Are there any privacy concerns that app users should be wary of?
Not really. There are two features unique to this approach. First, no personally identifiable information or location data is required for the system to work as designed. Second, data are processed and stored locally on your phone until a positive diagnosis of COVID-19 is reported. Further, access to the exposure notification API is restricted. As part of this restriction, there are a number of terms PHA developers must agree to before receiving access to the API. For example, they must not conduct research with the collected data. This was done deliberately to increase confidence around privacy and security, and to (hopefully) increase adoption.
Can you speak to the uptake and adoption of exposure notification apps?
As far as what we need for exposure notification apps to be effective, initial calculations estimated about 60% of the population needed to use the app for it to have an impact in fighting the pandemic. However, since that likely isn’t feasible, this number has been modified to about 15%, but ONLY IF paired with traditional contract tracing programs. Exposure notification apps are not meant to function in silos. They need to be paired alongside manual contract tracing efforts.
In addition, just because an app is downloaded doesn’t mean that someone is going to use it. It doesn’t even mean the app was downloaded by someone in your state. For instance, the SlowCOVIDNC app just reached 100,000 downloaded in early October. But that doesn’t mean that it’s being used by 100,000 people in NC.
Is there any data about the effectiveness of exposure notification apps?
The apps currently have enhanced privacy/security for users. The downside is researchers are unable to assess and evaluate how well these apps work in the real-world. One study done in Dublin asked participants on a public transport tram to routinely switch seats every 15 minutes. The participant data was then run through contract-tracing apps (which have since been re-named to exposure notification apps) to confirm if close contact between participants could be confirmed. Unfortunately, the study results showed the app was not much better than identifying potentially exposed participants through random selection. Additional research is needed, but this is currently restricted due to the regulations around use of the exposure notification API.
Is effectiveness of the exposure notification app solely dependent on people using it?
Well, the exposure notification API is not static. Initially, setup and use was a three-part process: 1) individuals had to download their state’s app, 2) go into their device settings to enable “Exposure Notifications”, and 3) manually submit their positive COVID-19 test results in the app. After submitting a positive test result, the app then reviews your phone’s record of close contacts over the past 2 weeks. The app can then broadcast a notification to all of those devices in the record of close contacts.
With recent updates to the API (the updates are called “Exposure Notifications Express” or “EN Express”), this now allows for push notifications to be distributed without the need to install a dedicated exposure notification app. This is an important change because it means that even people who don’t download their state-based app can still benefit. If your state uses EN Express and your mobile operating system is up to date, you can just turn on “Exposure Notifications” in your phone’s settings. By enabling this feature, your Bluetooth handshake will still be recorded by others. You will also still be notified if a positive test is reported in the app, even without downloading it yourself.
What do you think is next in the use of digital technologies for COVID-19 exposure notification and tracking?
It’s only a matter of time before wearable devices and sensors (such as smartwatches and fitness trackers) will be used for disease detection and exposure notification. Dependency on a phone will always be there, but Bluetooth will soon allow for exposure notifications to be triggered by wearable devices as opposed to apps.
Also, an important avenue of future research will be describing the factors associated with states’ use of digital technologies for COVID-19 tracking and tracing. What are the characteristics of those states that have deployed an exposure notification app? How early did they see COVID-19 infections in their state? What have these states learned from their constituents about uptake? Knowing this will help us better understand the development and rollout of future technologies to help control the spread of COVID-19. It will better prepare us for the next pandemic.
I would like to thank Dr. Furberg for sharing his insights. To learn more about the use of technology during the COVID-19 pandemic, check out these other posts “Using Technology to Improve Community Health After COVID-19” and “What’s Next for Virtual Care After the Pandemic“. Both are published here at The Medical Care Blog.