About Project App Assay for COVID-19


Find us on the MyData #appassay Slack channel or send e-mail to “hello@” this domain (without the www).

How we got here

Project App Assay for COVID-19 grew out of a conversation in March 2020 by members of the MyData Silicon Valley Hub on how to help with the COVID-19 pandemic.

It was clear that 24x7 data collection was going to become a primary weapon in the fight against the virus. However, it was also clear that:

  • It would bring the “surveillance gang” out in force: there have been many actors in societies around the globe who have been pushing for more, and more, surveillance of citizens, but who thankfully have been held back from their worst excesses so far. Under the guise of helping with a deadly pandemic, they would try to accomplish what they could not in healthy and peaceful times. Unless checked, this would be very bad for free and open societies, and the cause of personal data empowerment.

  • All the data collection without proper safeguards against misuse would backfire and make data collection less rather than more effective, because it requires the full consent and cooperation of the population to obtain good data.

Think of the following examples:

  • “If I tell this app my HIV status, how can I know this information won’t make it back to my employer or insurance company?”

  • “As an undocumented immigrant, how can I be sure ICE does not get access to my location and contact history?” (US-centric)

  • “As a member of a persecuted religious minority, will the authorities use this to identify and imprison other followers of my belief?” (many regions with de-jure or de-facto religious persecution world-wide)

In each of these cases, and many others, people are at least incentivized not to participate, thereby degrading the effectiveness of data-based approaches to fighting the virus. Worse, they might want to proactively poison the data, e.g. by not taking their phone with them when checking on friends or relatives, or entering intentionally wrong information.

This can only be avoided if would-be participants in the data collection can be factually certain that the information they provide will not be used against them in the future. But this is only possible with a lot more research, and comparison of approaches, than had been done.

This is what we do

  1. We collect COVID-19-relevant apps and sites. (Want to help? Tell us about one we don’t know about yet.)

  2. We analyze these apps and sites, using whatever information we can get our hands on. We particularly appreciate the cooperation of their developers and operators. We look at:

    • features of the app (e.g. contact tracing via Bluetooth)
    • how exactly those features are implemented in a given app (e.g. contacts are tied to a phone number, or a pseudonymous identifier, or …)
    • the data architecture for the app or site (e.g. does the data reside on the device, on a remote server, how is it encrypted, etc.)
    • who exactly develops the app or site, and who operates it? Who are all the parties that have a say in the development or operation of the app or site?
    • which are the parties that have access to which data?
  3. We publish the results, so everybody can understand what’s going on with a particular app or site.

Beyond that, we wish to assist app developers and public health authorities that are looking for guidance on which technologies, architectures, governance structures and the like to encourage and which to discourage. We do this by:

  1. Collecting alternative implementations of the same feature in different apps. That way, developers can pick the implementation that is best for their project and their users. For example, we make it easy to see that contact tracing can be, and has been, implemented by different apps in different ways, with different privacy and feature implications. We document those as well.

  2. If some implementations are clearly better than others, we say so and issue a recommendation.