This text was published in Finnish on 26 June, and it sums up the implementation principles of the COVID-19 tracing application which will be deployed in Finland in early September.
The app that traces COVID-19 exposure in Finland helps break chains of infection and fight against the spread of the coronavirus. This text reiterates the app’s operating principles and the technologies used, and describes how users’ privacy protection is ensured.
Operating principles of the COVID-19 tracing app in a nutshell:
- Users download the free and safe mobile application to their phones from their app store.
- During an encounter, app users’ phones send each other an anonymous signal that does not allow for identification of the individual. The phone stores a tracking code of each encounter if it lasts long enough to make exposure possible. The app does not collect personal data or position details.
- Anyone with a positive test result for the coronavirus receives a verification code from a health care provider and can warn others by distributing this information, anonymously, to other users of the app.
- Users who have been in contact with the infected person receive a warning of possible exposure on their phone, along with instructions to contact a health care provider.
The mobile app that traces exposure to COVID-19 works in a decentralised manner; using it is voluntary and privacy protection is ensured. The section below includes a detailed description of implementation, the technologies used and how privacy protection is ensured. The party responsible for the app in Finland is the Finnish Institute for Health and Welfare (THL), and it is implemented by Finnish technology company Solita Oy, which won the public competitive tendering for the app. Parties contributing to implementation and integration with the national architecture also include the Social Insurance Institution of Finland (Kela) and the Ministry of Social Affairs and Health.
How does the COVID-19 app work and why is it safe?
The Finnish app is based on the DP-3T (Decentralised Privacy-Preserving Proximity Tracing) implementation protocol jointly developed by European universities, and the Exposure Notifications interface implemented on its basis by the key phone manufacturers. It is a decentralised, privacy-preserving procedure in which a phone’s operating system collects anonymous data about proximity with other phones and where the app verifies whether these include phones whose owners have sent a warning about their infection.
Once you have deployed the exposure tracking app and given your permission for exposure tracing, your phone begins to send a tracking code to its surroundings via the Bluetooth connection. The code does not include personal data: it is a random number that changes to a new number approximately every 15 minutes.
What information does the app collect?
When you move around carrying your phone, phones of other users who have downloaded the COVID-19 app “hear” a transmission when they come near you. The phones record information about the encounter if you and the user of another phone spend enough time close enough to each other that the chance for a coronavirus infection emerges. Your phone stores the tracking code sent by their phone, and the phone of the person in your vicinity saves the tracking code sent by your phone.
The COVID-19 app does not collect personal data or details about location and movement. As a user of the app, your phone’s memory begins to accumulate a list of anonymous tracking codes of phones you have encountered. The memory only includes tracking codes consisting of random numbers, and details of the date and time of each encounter and the other phone’s distance from you. The app does not send even these details outside the phone. Details of encounters more than three weeks old are removed from your phone automatically after the risk of the possible incubation period of the disease is over.
Does the app consume the battery? Will my phone operate as normal?
All this occurs in a user’s phone automatically and in the background – the COVID-19 app does not even have to be running. It is enough that your phone is on and Bluetooth is switched on. You can use the phone and its auxiliary devices normally. The tracking feature uses Bluetooth Low Energy (BLE) version, so it has a negligible effect on battery life. You can disable tracking at any time, and you can also delete encounter details stored in the phone whenever you wish.
How can I warn others if I am diagnosed with a coronavirus infection?
If you are unfortunate enough to become infected, you can use the app to warn people you may have exposed to the disease. If you receive a positive test result for COVID-19 and decide to send a warning, your phone will contact a database maintained by THL and upload the tracking codes your phone has transmitted in recent days. No details of encounters will be sent to the database, only specific tracking codes consisting of random numbers. No identification, positioning or personal data will be collected or transmitted. The database’s owner (THL) is unable to use the tracking codes to make any conclusions about the sender – not even who has transmitted the data.
To prevent false alarms and mischief, transmitting a warning requires a verification number that is only given to people with a positive COVID-19 diagnosis by a health care provider. Sending such a warning is voluntary, but recommended. Nobody else – not even the healthcare authority – can send the warning for you, because the information of encounters exists only in your own phone.
Similarly, if any person you have encountered in recent days transmits a warning about their coronavirus infection, you will receive a warning of this. At regular intervals, your phone’s COVID-19 app downloads from THL database the tracking codes that were used by infected persons, and compares them with codes your phone has encountered earlier. If any of them matches a code found in your phone’s memory, this means you have been in close proximity to a person infected with the coronavirus for a lengthy period and may be exposed to the disease, so you receive a warning message.
The message warning you of exposure to the coronavirus indicates the date when you may have become exposed, and gives instructions on contacting a health care provider. The app does not give any other information, because it does not collect any precise location or identification details of your encounters. Health care providers are informed of your possible exposure only if you contact them, and even after this they do not have access to information contained in your phone.
Does the app store my personal data or location details?
The app does not collect personal data, location details or any other personal information. The app is kept as simple as possible on purpose, and each user’s privacy protection is carefully ensured. Tracking codes and details of encounters are removed automatically after 21 days. App users always remain anonymous to other users of the application, unable to see which individuals have been warned of exposure. People issued with a warning also do not learn which person or situation may be the origin of the potential exposure. Details of encounters stored in phones are not disclosed to anyone.
Which technologies are used in the app? What kind of phone do I need to have?
To create tracking codes and details of encounters, the app uses the Exposure Notifications interface jointly created by Apple and Google. This interface is available in all iPhones with the iOS 13.5 operating system or higher, and in Android phones with the Android 6.0 (Marshmallow) operating system or higher and Google Play services.
Additionally, the user needs the COVID-19 tracking app, which provides features for sending tracking codes, comparing details of encounters, and receiving warnings. Each country can only have one application using the Exposure Notifications interface provided by an authority – the Finnish COVID-19 tracking app is managed by THL. The solution makes use of existing components, standards and open-source solutions, the published DP-3T protocol and the possibilities offered by Finland’s national health care IT architecture, especially Kela and the Omaolo.fi service. The warning database uses Kela’s technology environment.
Where can I download the app?
The COVID-19 app can be downloaded from Apple’s and Google’s app stores in the future. The goal is to also make the tracking app available in Android phones that do not feature Google Play services or Google’s app store (such as the newest Huawei phones).
Apps using the same technology are being developed and deployed around the world right now. At present, apps based on the same technology are in use in e.g. Switzerland, Latvia, Italy, Poland, and Germany.
Will the mobile app be published as open-source software?
As a partner in the project, Solita is committed to open source publishing, and THL will evaluate the matter at a later date. Efficient and open cooperation is already underway at many levels. At the moment, mobile apps that trace COVID-19 infection chains are being developed in several countries, and the team working on the Finnish app is closely following the situation in other countries. Lessons learned have already been shared from the pilot project implemented earlier in Finland. We would also like to give our warmest thanks to, e.g. Sitra, Reaktor, Futurice, Fraktal, Columbia Road, and Vaasa Central Hospital for their work on the pilot project in Vaasa.
Welcome to the webinar!
The joint project by Solita and THL was launched, in line with competitive tendering schedules, on 22 June, and we held a webinar on the subject on Friday 26 June at 10 am. Read more and watch webinar recording in Finnish!