No, Malta’s COVID-19 app is not tracking your movements, developers say

Is the government tracking the movements of users downloading its new COVID Alert smartphone app?  

It is a straight answer as far as the developers of the app say: no. There is no geolocation data, no GPS data, and the app sends data to the health ministry only when users voluntarily declare they are COVID-19 positive.  

The COVID Alert Malta app notifies users at risk of having been exposed to the virus as early as possible – even when they are asymptomatic. The notification should encourage users to get tested through an early alert.  

Its exposure notification system makes it possible to quickly alert those who may have been exposed to a potentially infectious user. But how does it work?  

The system is based on Bluetooth Low Energy technology, which means the app only determines that contact with someone COVID-positive when both people have downloaded the app and came into close proximity to each other.  

The app sends out a Bluetooth signal with a secret code that is always being changed, randomly, on a continuous. When two app users are in close proximity, their phones mutually store the other’s code, registering the event, how long it lasted, and the approximate distance between the devices.  

The codes are generated randomly: the app cannot collect data that identifies users, such as name, date of birth, address, telephone number, or email address. So when COVID Alert Malta determines contact has taken place, the app does not know who they are or where the contact occurred. 

Distance estimation 

As established by the Ministry for Health, the exposure must have taken place for more than 15 minutes at a distance of less than 2 metres.  

However smartphones cannot measure the distance at which contact takes place directly. The app estimates this ‘distance’ on the basis of the attenuation of the Bluetooth Low Energy signal.  

But the developers admit it cannot be a precise estimate due to a number of disruptive factors. “The app cannot guarantee with absolute certainty that the distance was actually less than 2 metres. What is certain is that, if you receive a notification for a risky exposure, you’ve been in the proximity of a potentially contagious user for a prolonged period of time.”  

So in a hypothetical case of contact between ‘Mario’ and ‘Roberta’, if Mario does test positive for SARS-CoV-2, he is provided with a code by Public Health to voluntarily enter in his smartphone. This will broadcast secret codes (cryptographic keys) from his smartphone app to a server. Those keys make it possible to track all the codes broadcast from Mario’s phone during the time he was potentially infectious.  

Crucially, the app is regularly downloading these keys, which are stored in the device memory so that the system can detect the ‘smartphone’ contacts that occurred in the previous 14 days. “Roberta’s app will find Mario’s random code (without knowing that it is Mario’s) and will notify Roberta that she was potentially exposed to the virus.”  

The developers do admit that Bluetooth Low Energy signals are impacted by various disruptive factors and the information is limited and can never be perfect. “As such, the app’s assessments won’t always be flawless. If the app recommends that you request a test, it doesn’t mean you definitely have SARS-CoV-2. It just means that, based on the information the app has available, taking a test is the safest thing to do for yourself and those around you.” 

Privacy issues 

If you read the privacy policy, the developers say the data collected by the app will not be used for any other prupose by to track proximity events between user devices. However, it says that while processing for purposes of scientific research is not currently envisaged, should such a change occur, the privacy policy will be updated. Users will be alerted of such changes. 

And while the data is processed exclusively on GDPR-compliant secure servers, under the control of the Superintendent of Public Health and operated technically by the Malta Information Technology Agency (MITA), it may in future be processed in another EU member state. Again, watch out for privacy policy changes. 
“The system has been designed so that only a user’s device processes or stores any identifiable personal data about that user. No entities are involved in the processing of any identifiable user personal data,” the developers say. 

Thanks to the secret codes and a decentralised data processing, the Superintendent of Public Health cannot identify the smartphone users through the codes sent to the server, nor can they access their data on their devices. “It is not possible for the Superintendent of Public Health, for example, to provide information on the proximity events logged for a specific person or to correct this data. The Superintendent of Public Health cannot inspect this data, as it is stored only on the mobile phones of the respective user.” 

The app does not collect any identity data such as name, date of birth, address, telephone number, or email address. 

People’s movements are not being tracked. That is because the app does not collect geolocation data, including GPS data. “COVID Alert Malta doesn’t (and can’t) know where you go.” 

And the Bluetooth codes change several times each hour, generated completely randomly and does not contain any information about you or your device. The data stored on the smartphone is encrypted, as are the connections between the app and the server are encrypted.  

Importantly, all data – whether stored on the device or on the server – is deleted when no longer relevant, “and certainly no later than 21 days after transfer between app and server”, the developers say.