Scott David

Principal Investigator

Research Scientist/Engineer - Principal

EIS Department



U.S. Deparment of Homeland Security
Silicon Valley Innovation Program

Contact Tracing / Exposure Notification Mobile Apps

Testing Principles and Requirements for Security, Usability, Privacy and Efficacy

A Distributed Testing Ecosystem for S-U-P-E

Concern Reports Library

This program supports the establishment and maintenance of a distributed testing ecosystem through which communities can gain assurance regarding the security, usability, privacy and efficacy (S-U-P-E)-related performance of mobile applications that are designed, developed and operated to support contact tracing and exposure notification (CT/EN) functions used by public health organizations to help track the spread of infectious diseases.

The COVID-19 pandemic required an urgent response. Many CT/EN mobile app systems were launched. Our program enables CT/EN mobile app testers to identify new performance indicators and candidate practices and principles that they can apply to enhance the S-U-P-E performance of the various CT/EN mobile app systems they test. Our program enables asynchronous and distributed collaboration and contribution to a dynamic library of Concern Reports, from which future testing principles and testing requirements can be derived.

Contact Tracing / Exposure Notification During the COVID-19 Pandemic

CT/EN systems have been used for decades to identify and manage potentially infected people during disease outbreaks. New, ubiquitous information technology networks, carried in mobile devices, enable CT/EN to be improved with advanced telecommunications, computing and information processing capabilities that were not available in past public health management settings.

During the COVID-19 pandemic, many CT/EN mobile app systems were established across the world, applying different information technologies in various ways to supplement traditional CT/EN work. Within the U.S. itself, there were many different approaches to designing, developing and operating CT/EN mobile apps.

In most U.S. states, CT/EN mobile app systems are up and running with relatively balanced consideration of community needs. There appear to be relatively few significant lingering concerns about system security, usability, privacy and efficacy, although continued diligence is always warranted.

Whenever data about people are collected and subject to actions such as storage, transfer or processing, high levels of care and diligence are necessary to protect against both legally recognized harms and emerging harms to individual rights.

This program seeks to capture system participant reports of concerns with security, usability, privacy and efficacy (S-U-P-E) as an early warning system of potential emerging harms. The Concern Reports form presents 8 questions through which reported concerns are converted to system performance requirements that can be tested in a distributed testing ecosystem. Please see the FAQ for additional details about the concern reports process.

A Shared Adoption Challenge

The public health information benefits of CT/EN mobile app systems are enhanced at greater levels of adoption. Individual and organizational concerns about potential harms from participation, such as security, usability, privacy and efficacy concerns, can constrain adoption.

CT/EN systems, like the virus itself, depend on network effects for success. While there is no fixed threshold adoption percentage that assures CT/EN mobile app success, it is clear that broader adoption yields more comprehensive information to public health officials, and that adoption rates under certain percentages of the population undermine optimal system function.

To enable public health authorities to gather epidemiologically relevant contacts with sufficient granularity to track and predict virus spread, they need to include a greater number of individuals in the data. The prerequisite is for individuals to voluntarily load and open a CT/EN mobile app operated in their local jurisdiction.

All CT/EN mobile app systems will benefit from greater adoption. Whatever is limiting adoption by a person or community limits the public health benefits afforded by CT/EN mobile app systems.

There is one problem shared by all CT/EN mobile apps deployed in every jurisdiction globally: INSUFFICIENT ADOPTION.

Given the variety of CT/EN Mobile App systems, and also the different cultures and jurisdictions in which such systems have been deployed, it is not realistic to seek to create a single, centralized, set of performance principles and testing requirements for all security, usability, privacy and efficacy issues. How can S-U-P-E concerns, that are potentially limiting adoption, be addressed? We need distributed solutions for distributed problems.

The Urgent Need for Modular Testing Principles and Requirements

In recognition of the variety of CT/EN mobile apps deployed during the COVID-19 pandemic, we are designing a database of CT/EN mobile app S-U-P-E principals and practices for reference by app testers, public health authorities, states, DDOs and individuals to aid in their review and improvement of their locally-deployed system. The database is compiled from the candidate principals and testing requirements drawn from Concern Reports directed at S-U-P-E concerns. Public health authorities can select locally-appropriate solutions from among the variety of principles and requirements in the database to help address local S-U-P-E-based adoption hurdles.

How can already strained public health authorities address the vast administrative task of identifying and addressing the myriad reasons a person or community might not load and open a CT/EN mobile app? Individually they cannot, but together, we can.