How the Latest COVID-19 Contact-Tracing Apps Actually Work


At least 21 percent of the U.S. population has access to one of the official COVID-19 contact-tracing apps developed by various state governments, but only a fraction of people actually use them.

And that’s the inherent problem with these kinds of apps: Enough people must use them for them to be at all effective. I get why there’s so much trepidation: There’s still a lot we don’t know about COVID-19; tech companies have a terrible track record with data privacy; government surveillance is a real threat; and America’s current political and social climate is challenging (to put it mildly). People are naturally going to be skeptical in the face of so many questions and concerns.

So let’s focus on what we do know about the latest contact-tracing apps.

The tech protects user privacy

Eleven U.S. states, plus Guam, have official contact-tracing apps available now. Ten more have announced plans to release their own, including California and Arizona, two states with apps currently in beta testing. Most of the state-developed apps use contact-tracing technology that is now built into the latest versions of Android and iOS by default.

Instead of using geographic data or wifi, these apps ping nearby devices using a low-power Bluetooth signal—without sharing any personal data. If one user tests positive, the app sends an alert to all of the devices that were close enough to register each other; none of the tracing or contacting is done based on name, phone number, or other personally-identifying information. 

iPhones and Android phones can do this by default, so developers don’t need to create their own tracing technology. In fact, many contact-tracing apps are open-source, meaning the code is freely available and readable by anyone.

Your phone still needs an app

While its true that Android and iOS now have built-in contact-tracing capabilities, those features are different from the functions of the apps themselves. Your phone still needs a contact-tracing app in order to use those features, and such an app will not just mysteriously show up on your device. No one is forcing you to use them.

Even if you believe that these apps are spying on everyone, the argument falls short given all the information you already surrender to various companies (including Apple and Google) simply by using their hardware, software, and services. Companies (and governments) don’t need to hide their data collection behind a contact-tracing app. They’re already doing it right out in the open.

Scams and malware are a bigger issue

It’s true the initial wave of contact-tracing apps was rife with privacy issues. Some of these security flaws were accidental; others were deliberate. However, most of these occurred before Apple and Google rolled out their contact-tracing APIs, and are entirely unrelated.

There were also reports of “contact-tracing” arrests after protests—which is a serious issue—but it’s more accurate to call those “social-engineering” arrests; the police weren’t using data from contact-tracing apps to make arrests. Low-level Bluetooth tracing can confirm that devices pinged one another, but no useful identifying info can be gleaned from that.

That said, independent developers are still free to use different methods of tracing if they choose, and that’s where things get shady. Coronavirus scams and malicious apps are on the rise. Hackers and identity thieves will definitely try to dupe you into fake contact-tracing apps and websites. As long as you’re using an official open-source app from your state, one that uses the APIs built into your phone for contact-tracing, there’s little to worry about. Or, to frame it differently, the benefits you’ll experience from knowing that you were potentially exposed to a life-threatening disease should far outweigh any other concerns you might have.