commentary

Why the COVIDSafe app failed

An iPhone device displays the CovidSafe app released by the Australian government on Tuesday, April 29, 2019. The app traces every person running the app who has been in contact with other app users who have tested positive for coronavirus in the previous few weeks. The automation of coronavirus contact tracing seeks to allow the easing of restrictions in Australia. (AAP Image/Dave Hunt) NO ARCHIVING

The 27th of this month will mark the first birthday of the Australian Government’s COVID-19 contact tracing app. You know, the one that keeps a log of Bluetooth connections your smartphone makes with the mobiles of people you’ve come into contact with? The one that would make it simpler for health authorities to trace potential COVID-19 carriers in the case of a positive diagnosis? The one that just under half of us would need to download and use?

Australia is not unique when it comes to launching a COVID contact tracing app that didn’t quite live up to the hype.

According to an Oxford University Report, when it comes to the effectiveness of a tracing app about 60 per cent of the population needs to “use the app and adhere to the app’s recommendations”, but Australia didn’t reach that. In fact, COVIDSafe was languishing at No. 8 in iTunes App Store’s health and wellness charts – one behind the Tasmanian Government’s own QR code scanning app Check in TAS.

Despite good intentions and many merits, the notion that a particular app was the solution to a health and societal crisis was the root problem for countries that jumped on the COVID tracing app bandwagon. Perhaps the only two to come out smiling were Ireland, because its app was spectacularly cheap to build and hence a cheap failure, and New Zealand, which led with a truly integrated approach.

The fundamental problem for COVIDSafe was not the technical implementation, how it was built nor how often it was installed, but the omission of the health practice and public trust. In autumn 2020, COVID-19 was poorly understood and the public was unschooled in pandemic management strategies. Nonetheless, Australians understood technology was not the strategy and were reluctant to accept that an easy-to-purchase tech solution would make an impact, because they didn’t have the evidence it was the “sunscreen” we needed. Compounded by behaviours that had eroded public trust in Government technology solutions over an extended period, society was not buying it.

Technology does not solve every problem but what the technology could do needed to be understood before believing an app was the easy answer that would mean it was safe to go back to the pub. In the Government’s defence, COVIDSafe was not an invalid experiment – we knew less about the epidemiology of COVID-19 then and health advice has evolved over time – but it was not framed as such.

As in several other countries, COVIDSafe was born by adapting solid code from Singapore’s contact tracing app. It broadly does what it says on the tin, yet COVIDSafe conversations were plagued by privacy concerns from the start.

Australia’s Access and Assistance Bill of 2018, looking at how data would be created and looked after, dictates the app could be broken into at any point by the Government or intelligence services. Not carving out an exemption for COVIDSafe meant that few could have any confidence in it – especially when questions were previously raised about the level of trust that could be accorded to government-sponsored solutions – Robodebt, My Health Record and other incidents undermining public trust. Why would a reasonable person, knowing there is some chance the Government could hoover up their data and start using it against them for some reason, want to install that app?

The Government can still be commended for its partial satisfaction of technology and legal controls around data privacy for COVIDSafe – privacy safeguards and acting on privacy concerns, a commitment to open source and legislating how data was to be treated – but this did not resolve the trust issue or the societal confidence and acceptance that was missing. It does show the Government can improve, and sets a good standard we should rightly expect across all Government systems we interact with in future. Indeed, apps like the Service NSW app and its QR code scanner have arguably been more successful as the pandemic has continued and the public has become used to changed habits.

But COVIDSafe is still afflicted by failing public trust and rightly so. Most people at the time wouldn’t have known the app did not send a notification if you were in contact with somebody who had tested positive to COVID-19. You would have in theory been called by a physical contact tracer, tracers who were not even set up when we were first encouraged to download the app. Then there was the security vulnerability that allowed people to identify and trace your unique identity on your phone, across any location, which persisted even after the app was uninstalled.

The issue goes somewhat further. The COVIDSafe app code was released but code for the server was not. So while we could have confidence the app does what it says, we have no idea what really goes on once the data hits the server. This could have been addressed with a decentralised – instead of centralised – system design. Regardless of whether it was an oversight or deliberate omission, you must be able to see security of the whole system in order to trust it.

As we understood more about transmission mechanisms, and whether the app is sound from a health perspective, it became clearer that Bluetooth radio signal strength is a poor proxy for COVID-19 transmission. False positives and negatives can be problematic. It is hard to spot a meaningful contact and easy to categorise a lot of meaningless contacts. Note that venue check-in apps have emerged as a simpler and more effective tech solution, though attracting their own privacy issues. An agile and proactive Government would have been able to move quickly to set standard and privacy-preserving solutions here. Nationally, we have a mix of solutions for check-in apps, some standardised and well designed State Government solutions, but also an unfortunate proliferation of unverified third-party apps, sometimes piggybacking on venue marketing solutions.

If technology had to be the beacon of hope for this pandemic, we needed to work with what we knew, with a customised, risk-based approach. The spread at that time had been prominent among financially precarious workers who needed to go into work to earn money and many virus hot spots have been workplaces. Investing in technology to actively make a difference might have been about identifying people at risk and providing them with better support or identifying employers putting employees at risk and enforcing safer working practices. In contrast, the unverified COVIDSafe was presented as a one-size-fits-all solution.

The ‘spray and pray’ approach of COVIDSafe was further rendered ineffective or even counter-productive considering those most vulnerable to COVID-19 – like some low-income migrant workers or elderly residents of aged care facilities – are also least likely to have a modern mobile phone capable of running the app, let alone be capable of installing and using the app by themselves. Meanwhile, younger users, heavily socialising while using prepaid plans, may have saved data for TikTok over COVIDSafe.

While much of COVIDSafe’s perceived failure stems from fear around data security and conspiracy theories, a similar app might still have a role to play in the fight against COVID-19 – and ‘the next pandemic’ experts are already foreshadowing. An app that is completely voluntary, adheres to critical privacy and technical principles, and continues to evolve based on the latest health evidence, would provide people with greater trust and empower them to make a risk-based decision on whether to use it.

The COVIDSafe experience has been an education and if one thing is clear, it is that if we are going to pin all our hopes on a piece of public health technology, it must be built on sound health evidence and a solid platform of trust for it to have any real value in protecting the communities it serves.

Dave Colls is the Director of ThoughtWorks Australia’s Data & AI Practice


Original URL: https://www.theaustralian.com.au/business/technology/why-the-covidsafe-app-failed/news-story/7912183d6371647dd3d72e83ee3caed8