First announced in late March, the Health Service Executive's Covid-19 contact/exposure tracing app was based on a seemingly simple idea - use a smartphone's wireless sensors to identify when a person had been near to someone with Covid-19.

The app could then warn that they may be at greater risk of infection, making the work of the HSE's contact tracing team much easier.

Similar to an app launched in Singapore a week earlier, the HSE's version was supposed to arrive within days of its announcement, and would be an important tool in the country's fight against the virus.

But two months - and multiple target dates later - it is still not available.

Of note to privacy experts too is the fact that, weeks after being unveiled, very little is still known about the app and its features.

"It's very hard to say [if there are privacy issues] without having clear details of what the app will do," said Dr Paolo Palmieri, lecturer in cyber security at University College Cork.

"The fact that the specifications are not available is a problem in itself. It may be the case because they're not fully defined yet, but I would prefer the code [of the app] or at the very least a very detailed specification of how the application works.

The continued lack of information is also an issue for Daragh O’Brien, managing director of privacy and information governance advisory firm Castlebridge.

"The first concern about the Covid app...is that we don't actually know what it is at the moment," he said.

It's a relatively simple concept in theory but a relatively hard one to implement in practice

"There needs to be specificity and clarity as to what the app is doing, or what any contact tracing app was doing anywhere around the world, and the functions should be limited just to the contact tracing process."

He worries that the delayed roll-out, and secretive nature of its development may point to 'feature-creep' - with extra, possibly superfluous, functions being added beyond the core exposure tracing service.

Dr Palmieri, though, suggests a delayed development may not be such a bad thing in this case.

"To be fair I think that has been the case for most countries," he said. "It's a relatively simple concept in theory but a relatively hard one to implement in practice so it may have taken a bit longer for that reason.

"I wouldn't read too much into the fact that Ireland is a bit delayed."

For its part the HSE says it will begin field testing the app this week, with a full launch coming "once it is fully operational".

It says a launch will only happen when approval has been received from the Data Protection Commissioner, the National Public Health Emergency Team, the Government and the HSE itself.

Patient/app confidentiality

That may give some reassurance to those with privacy concerns - as will the decision to make the app compatible with the framework recently developed by Apple and Google.

That is a step-change from the initial course plotted by the HSE and Government, which reportedly considered tapping into users' location data and storing all information in a central database.

"Location data is widely recognised as being very sensitive," said Dr Palmieri. "The position of an individual reveals a lot.

"If you imagine, for example, an individual that attends services of a particular religion - be it in a mosque, a synagogue or a church - the position of that individual in a particular place and a specific time will immediately reveal their religion."

With the sensitivity of this data in mind, the Apple/Google framework specifically forbids apps from requesting a users' location. It also follows a decentralised model, which means that a user's encounters are checked locally on their phone.

Only an anonymised ID code - which changes every few minutes - is sent back to a central server.

And even that limited interaction requires the user's active consent, as they must first download a designated app and then agree to give it access to their phone’s wireless sensors.

Its 'opt-in' nature means there has to be substantial buy-in from the public

However, there is nothing to stop the HSE layering other data requests on top of that core function.

"It is possible that the app asks for your phone number if you’ve been in close contact with a positive case," said Mr O’Brien. "They need to be asking for that information only when they need it."

It is also common for app developers to use off-the-shelf, third party tools within the code of their apps, which could inadvertently create a privacy issue.

That was the case when Professor Douglas Leith, chair of computer systems at Trinity College Dublin analysed the data flowing from Singapore’s Covid app.

"They were using Google to provide all of their services, so it wasn’t just the health authorities there that were involved - it was Google that was seeing all of the data too," he said.

"Also a bunch of their data was hosted in America even though it was a Singapore app."

This is why privacy experts see the publication of the app's source code as vital, as it gives the clearest possible picture of just what is happening behind the scenes once users sign up.

The HSE has pledged to publish that, along with technical documentation and a Data Protection Impact Assessment, before any launch.

This could be crucial to the app's ultimate success, as its 'opt-in' nature means there has to be substantial buy-in from the public.

"Privacy is important, not just as an end in itself, but because it enables people to trust technology," said Carly Kind, human rights lawyer and director of the Ada Lovelace Institute, when speaking to RTÉ News recently.

"And trust in contact tracing apps is going to be particularly important because there is a need to have a really widespread uptake in contact tracing apps in order for them to be effective."

Baseline user base

The more people that ultimately use the Covid-19 app, the more chance it has of helping the work of contact tracers. But much like the 'herd immunity' concept, there is a threshold below which it will likely be ineffective.

Researchers at Oxford have suggested that at least 60% of a country’s population needs to use a tracing app in order for it to be effective.

To put that into context, Ipsos MRBI estimated that 66% of Irish people had an account with Facebook, the most popular social networking service in the world, at the end of last year. That would include users who login via a computer rather than a phone.

Minister for Health Simon Harris has set a far lower threshold of at least 25% take-up, however even that may be ambitious.

Singapore was first to launch a Covid-19 app, and while the country is used to a higher level of state surveillance than most, The Financial Times reports that it had only reached a 25% take-up after two months of deployment.

India is one of the few countries to make its app mandatory, but after almost two months of usage there take-up is still sitting below 8%.

By design the app will only work on smartphones

Meanwhile in Australia, a survey earlier this month put take-up of its app at 44%, though so far just one positive case has been identified through it.

"Below 20% usage, it is absolute useless," Dr Palmieri said.

The fact that Ireland's imminent app is less intrusive than the likes of Singapore may make it easier to convince users to adopt it, however even those that want to use the app may find that they are unable to do so.

By design the app will only work on smartphones, in general ones that are no more than five years old.

According to ComReg’s 2019 Mobile Phone Consumer Experience Survey, 84% of people in Ireland own a smartphone. Just under 10% of those devices are at least five years old.

However, the numbers are much worse for older people, who are among the most at risk from Covid-19 and most likely to benefit from a contact tracing app.

According to ComReg just 47% of over-65s own a smartphone, while 27% of those are more than five years old.

At the same time the HSE will limit the app to those aged over 16 in order; it says in order to comply with the digital age of consent.

"This confuses me because this is not an information society service," Mr O’Brien said. "This is not Candy Crush - this is a medical device and with these apps, the numbers game is very important."

Technical shortcomings

But even if the take-up is good enough, there are major doubts about just how effective the underlying technology is in identifying when a user has been in close contact with a Covid-19 sufferer.

At its core the app will use a phone's Bluetooth connection to measure proximity to others.

The idea is that a phone using the app will continually broadcast anonymous 'keys', while also looking out for similar messages from other devices.

When two users come within a few metres of each other, the phones exchange keys - and they are then periodically checked against a list of keys owned by users who have reported themselves as Covid-19 positive.

Modern Bluetooth can potentially connect tens of metres away, but in theory it is possible to work out if a connection is made within the critical 2m range based on how strong or weak the signal is.

In reality, though, it appears to be far more complicated than that.

Numerous factors can influence the reading, down to what way the phones are facing

"The simplistic idea is that, as you move further away the signal strength will fall, and so signal strength can be somehow a measure for proximity" said Prof Leith.

"Maybe that works out in an open field, but in complicated environments where we spend a lot of our time, that’s just not true."

Along with Dr Stephen Farrell, Prof Leith recently conducted field tests of Bluetooth's effectiveness in measuring distance.

They found that numerous factors can influence the reading, down to what way the phones are facing when they come into contact with each other.

The reading can vary significantly if a device is in a pocket as opposed to a handbag, while a Bluetooth signal can bounce around a room - making indoor readings unreliable.

Signals can also travel through surfaces including walls and glass, which means two people in adjacent rooms could be treated as though they are sitting side by side.

Prof Leith’s research was done before Apple and Google published their framework, and he is currently conducting new tests to see if the results differ following their changes. His initial impression, however, is that they are also struggling to deal with the inherent shortcomings of Bluetooth signals in this application.

If that is the case, the app may end up undermining itself quite quickly.

If it is over-zealous in treating Bluetooth connections as a 'close contact' meeting, some users could get bogged down with false positives - telling them they are at a higher risk when they're not. That could quickly put them off using the app at all.

But if developers try to eliminate too much of that noise, they could create more false negatives - failing to flag potentially risky interactions. That would render the entire exercise pointless.

It's the performance in the real world, with a population, that matters

A careful balancing app

There is a complex balancing act at play in the development of a Covid-19 exposure tracking app.

For it to be useful it will need to be trusted by a sizeable portion of the population. That will likely require an assurance that the data it demands is proportionate, and justified by the results achieved.

But, somewhat paradoxically, the effectiveness of the technology will only really be known when enough people are using it.

"It’s the performance in the real world, with a population, that matters," said Prof Leith.

That only adds to the stakes. Success could give a major boost to the HSE's contact tracing efforts, but failure not only hinders that process but reignites the central issue around privacy.

"If the app fails in correctly tracing out the virus as it's transmitted, then we are building something that is not fit for purpose," said Prof Palmieri.

"And any information that we are collecting through that app is infringing on privacy, because it lacks the fundamental reason of its existence."