There has been a lot of discussion and controversy about forthcoming contact tracing apps (currently being tested on my beloved Isle of Wight).

I thought you might enjoy a computer science deep dive into exactly what's going on and why some people are freaking out.
What is a contact tracing app? It's a small program that runs on your smartphone, and keeps a list of other app users with whom you have had close contact. If any of them then gets sick with COVID, the app tells you that you might be at risk. Easy huh?
But how does it actually work? Well, currently most approaches to contact tracing work by using "Bluetooth beacons" to detect when you have been near another user's device. You have probably come across Bluetooth for connecting to speakers, headsets, etc.
Bluetooth is a low power, low range radio system, which allows devices to be connected together for many different reasons. When you "scan" for Bluetooth-capable devices, your phone might see your car, your TV, other phones, etc. These devices are 'advertising' their services.
Contact tracing will be just another one of these services. When you get near another user who is advertising a contact tracing service, the phones "talk" to each other and swap just enough information to record the "contact".
Typically the apps record some anonymised identity information about the other device, along with the length of time that contact was made, and the strength of the Bluetooth signal. Signal strength is a poor indicator of distance, but it's better than nothing.
You will notice that these apps rely on *network effects*. In other words, you need a lot of people to be running the app for it to work effectively. Otherwise it's like being the first (or last) person with a fax machine. And you thought lockdown was lonely.
I am not sure of the exact uptake needed for the app to be effective, but a quick web search suggests it's quite high - something like 80% of all smartphones. There will be other layers to the contact tracing strategy, but this is still a lot.
Let's look now at how notifications work - because this is actually a core part of the controversy and the debate currently raging online. There are *two schools of thought*, and that is always fun on the internet.
The first method is the "Decentralised Approach". I describe it here. Say you've been using the contact tracing app for a few weeks. On a daily basis, you've been broadcasting a tracking ID to everyone who gets near you. Suddenly you fall sick with COVID.
You hit the "Gah! I'm sick!" button in the app, and this gathers all your (outgoing) tracking IDs for, say, the last 14 days and uploads them to a cloud server. Everyone who is newly sick does this, and so this cloud server now has a "hit list" of potentially infectious IDs.
Everyone's app downloads this "hit list" on a daily basis, and checks it against their stored list of (incoming) tracking IDs that have been encountered in the past 14 days. If you get a match then you know you were in proximity to someone who has since fallen ill.
The app pops up the actions you should take, which will depend on the health advice being given in each country, etc.
Why is this "decentralised"? Well, it's because the matching of IDs happens *on your phone*, and not on a central server. The only thing that goes to the central server is a list of "hot" IDs. The IDs themselves are just numbers - they cannot be tied to a phone or individual.
It's important to realise that the IDs don't even come from a central authority - they are randomly generated *on your phone*, so only your phone ever knows about them.

This has privacy advantages for the citizen - the authorities in question cannot use this to spy on you.
There is a disadvantage though - the authorities learn almost nothing about how the disease is spreading! They get no location info (not even high level), no info about which interactions are riskiest, no way to look for clusters, super spreaders, or individuals at high risk.
This brings us to the second approach, the "Centralised Approach". The app works in almost the same way - sending and receiving tracking IDs from people you have been near. And if you get COVID, you still hit the "big red button" in the app. But now things are a bit different...
In this approach, you upload not just your outgoing tracking IDs, but also the list of all the incoming IDs that you have been near, and the information about the length & strength of the interactions. You would upload this to the central health authority.
They then use your information in a centralised risk model, to figure out which of your contacts are most likely to have been infected by you, and send them a notification directly with information about which steps to take.
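To make the difference concrete, here is a small simulation of the decentralised and centralised uploads described above. It is an added example, not code from the thread or from any real contact tracing app; the `Phone` class, the one-ID-per-day rotation and the sample contacts are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

WINDOW_DAYS = 14  # "say, the last 14 days" in the thread

@dataclass
class Phone:
    outgoing: dict = field(default_factory=dict)  # day -> ID this phone broadcast
    incoming: list = field(default_factory=list)  # (day, id, minutes, rssi_dbm)

    def broadcast_id(self, day):
        # Assumption: one random ID per day, generated on the phone itself.
        return self.outgoing.setdefault(day, secrets.token_hex(16))

    def recent_contacts(self, today):
        return [c for c in self.incoming if today - c[0] < WINDOW_DAYS]

    def decentralised_upload(self, today):
        # Only this phone's own outgoing IDs leave the device.
        return {i for d, i in self.outgoing.items() if today - d < WINDOW_DAYS}

    def centralised_upload(self, today):
        # Outgoing IDs plus every incoming ID with duration and signal strength.
        return {"outgoing": self.decentralised_upload(today),
                "contacts": self.recent_contacts(today)}

    def matches(self, hit_list, today):
        # Decentralised matching: done locally against stored incoming IDs.
        return [c for c in self.recent_contacts(today) if c[1] in hit_list]

def meet(a, b, day, minutes, rssi_dbm):
    """Both phones log the other's ID for that day, with duration and signal."""
    a.incoming.append((day, b.broadcast_id(day), minutes, rssi_dbm))
    b.incoming.append((day, a.broadcast_id(day), minutes, rssi_dbm))

def simulate(today=16):
    # Constructed sample data: three phones, Alice reports sick on day 16.
    alice, bob, carol = Phone(), Phone(), Phone()
    meet(alice, carol, day=1, minutes=5, rssi_dbm=-85)   # outside the window
    meet(alice, bob, day=10, minutes=20, rssi_dbm=-60)   # inside the window
    hit_list = alice.decentralised_upload(today)         # all the server holds
    central = alice.centralised_upload(today)            # what it holds instead
    return {
        "bob_notified": bool(bob.matches(hit_list, today)),
        "carol_notified": bool(carol.matches(hit_list, today)),
        "server_sees_bob_id_decentralised": bob.outgoing[10] in hit_list,
        "server_sees_bob_id_centralised":
            bob.outgoing[10] in {c[1] for c in central["contacts"]},
    }
```

In the decentralised run the server only ever holds Alice's own random IDs, and Bob learns of the match on his phone. In the centralised run the same report hands the server Bob's ID together with the duration and signal strength of the contact.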
You can follow @pjm56tw.