Nine months after the COVID-19 outbreak in the United States, countries around the world are experiencing “a second wave” of the coronavirus pandemic. Months ago, government agencies, health institutions, and companies deployed COVID-19 apps with hopes to both track and contain the spread of COVID-19. For many countries, tracking pandemic spread through apps sparked fears about surveillance and built momentum to rethink how we communicate data-collection and privacy through app collection. Some countries have attempted to inform users with increased transparency.
With this context in mind, our team analyzed 31 COVID-19-related apps around the world with a focus on data privacy through app design. Given such unprecedented conditions, the goal was to highlight similarities and differences in information and design implementations disseminated to the public. We also wanted to see the different aspects of the apps’ user experience and how these features may impact adoption as the pandemic progressed.
We highlight the key findings in a two-part analysis:
- Part I: Data transparency through app design features
- Part II: App data permissions, data deletion policies, and installs
Part I: Three key themes that show how data transparency manifests through app design features.
One major component that stood out was how COVID-19 apps have been forced to rethink how users onboard upon downloading the apps. This key piece of an app’s user experience is important in terms of building trust and training people on how to use the technology. For decades, policymakers and practitioners have debated and attempted to transform data privacy consent into readable, transparent, and effective notice. Despite weedy and complex technical functionality, several countries have attempted shorter, more human-readable language with visual illustrations in the first several screens. Out of 18 apps with some onboarding components, 17 used an app “walkthrough” step-by-step onboarding method, while 16 apps showed information in short bullet point format as opposed to paragraphs of information. Visually, 8 of the 18 apps created warm illustrations of people and families, while 10 of 18 used simple iconography paired with longer blocks of text.
Second, we examined app data-related settings. Apps usually tuck privacy settings away in a corner, yet some digital contact tracing apps bumped up data sharing permissions onto the main home screen. Some institutions highlighted thoughtful governance with app design processes to increase public trust. Out of 31 apps analyzed with some aspect of privacy settings, 15 apps placed app permissions or data collection features on one of the app’s main tabs. Of those 15 apps, 9 apps directly placed key data settings on the “home” or “main” tab. In terms of what “data settings” are featured, between 1-6 apps show that user data collection is on or off through checkmarks, cards, toggles, buttons, iconography, and color-coded backgrounds. In addition, 1-3 apps highlight different elements that can be turned on or off, including Bluetooth, notifications, locations, contact registration or proximity tracing, a “delete data” button, and a remove tracking of geolocation option.
Part II: Comparing the apps’ data permissions, data deletion policies, and installs.
We analyzed 28 apps available and live for download on the Google Play Store as of August 01, 2020 1.
App permissions. As data privacy is a concern with COVID-19 apps, we investigated what different app permissions are highlighted through the Google Play Store app page. While these are data permissions, not all of them are clearly triggered in the app. For example, we were unable to find any evidence of actual photo- or video-taking capabilities through the apps, despite the fact that 5 apps asked permission to be able to do this.
- 4 of 31 apps asked for access to user data permissions before teaching any information
- 17 of 28 mentioned both use of approximate and precise location information
- 17 of 28 access bluetooth settings
- 28 of 28 request full network access
- 26 of 28 view network connections
- 10 of 28 can read the contents of your USB storage
- 5 of 28 ask permission to take pictures and video
Data deletion. We tracked the policies related to data deletion in 31 apps. In a pandemic, which aims to be constrained to a period of time, many privacy advocates and policymakers have highlighted how data deletion should be core to COVID-19 apps.
- 23 apps we found reference to user app deletion
- 8 apps we did not find reference to user app and data deletion
App downloads. We captured the number of app installs through the Google Play Store. Note that this number is not representative of total downloads.
- We analyzed 28 apps available and live for download on the Google Play Store as of August 01, 2020:
- 2 of 28 listed 1,000+ installs
- 3 of 28 listed 10,000+ installs
- 4 of 28 listed 50,000+ installs
- 8 of 28 listed 100,000+ installs
- 2 of 28 listed 500,000+ installs
- 6 of 28 listed 1,000,000+ installs
- 2 of 28 listed 5,000,000+ installs
- 1 of 28 listed 100,000,000+ installs
App download increases in a 3-month period between August 01 to November 02, 2020. We note that the install numbers are a “ballpark” and not exact figures.
Category A: Up to 100,000+ increase
- Ghana: 1,000+ to 5,000+
- Mexico: 10,000+ to 50,000+
- Alberta Canada: 50,000+ to 100,000+
- Iceland: 50,000+ to 100,000+
Category B: Up to 1,000,000+ increase
- Canada: 100,000+ to 1,000,000+
- Czech Republic: 100,000+ to 1,000,000+
- Poland: 100,000+ to 1,000,000+
- Italy: 1,000,000+ to 5,000,000+
Category C: Up to 5,000,000+ increase
- Germany: 5,000,000+ to 10,000,000+
- Turkey: 5,000,000+ to 10,000,000+
We investigated potential reasons for the spikes in adoption through installs for apps in Category C, which had the largest increase of those analyzed. According to media reports in October, Germany’s app, Corona Warn-App, was used internationally, being accessible to “exchange warnings with apps from Ireland and Italy.” The source also highlights that it is “increasingly likely that a network of 16 national apps could be in place by the end of the year.” According to data from Johns Hopkins University and published in The Guardian, another key factor for potential rise in installs may be the number of new coronavirus cases per day over time in 2020. From October to November, the number of daily cases have increased from approximately 5 thousand to 20 or 25 thousand cases per day. In Turkey, local media publications have indicated that their COVID-19 app, Hayat Eve Sığar, was “made mandatory for entrance to some public institutions.” There also seems to be evidence that there is a “HEPP code” within their app that is “mandatory in many areas of life for controlled social life” such as urban public transportation, intercity travel, accommodation facilities, workplaces, and all public places that require individual communication. One example is Turkish Airlines’ website, which mentions that it is”mandatory to have a valid HES code when purchasing a ticket.”
While the pandemic continues to rise in countries around the world, people are still trying to understand and track app efficacy in their communities. We hope that with these insights, researchers and other COVID-19 app makers can be aware of the ways in which app transparency can be positioned through design features. We also hope this raises more awareness of the treatment of potentially sensitive public health and personal data through app permissions and data deletion policies.
To see our full publication, please visit our report via the button below:
- We note that some information may have changed since the time of investigation.
Cover image licensed under Creative Commons CC0 1.0 Universal Public Domain Dedication.