Estonia's coronavirus exposure notification app "HOIA" launches today (August 20) and is now available to download. ERR News spoke to Priit Tohver, Ministry of Social Affairs adviser in the field of e-services and innovation, to find out what the app does and how you can use it.
"HOIA" has been created in voluntary cooperation between the Ministry of Social Affairs (Sotsiaalministeerium), the Health and Welfare Information Systems Center (Tervise ja Heaolu Infosüsteemide Keskus) and 12 Estonian companies - Cybernetica, Fujitsu Estonia, Guardtime, Icefire, Iglu, Mobi Lab, Mooncascade, Velvet, FOB Solutions, Heisi IT OÜ, Bytelogics and ASA Quality Services OÜ.
The purpose of the free app - which is optional and not mandatory - is to inform close contacts of those infected with the coronavirus and to provide them with initial instructions on how to proceed. Its aim is to limit the spread of coronavirus.
In this way, the user can quickly find out about possible close contact with a COVID-19 infected person, allowing them to take steps to protect their own health and the health of others.
It works because phones that use the app register Bluetooth signals from other nearby phones. If the signal is sufficiently close and long enough, an anonymous code referring to a close contact will be stored in their phone.
It is not possible to identify a person based on an anonymous code.
In order to use the app, you need a phone based on the Android or iOS operating system. For Hoia to function best, you need to use the close contact notification interface provided by Google and Apple.
Usability is limited to phones manufactured in the last 5 years. Android phones are suitable for all phones that support the Android 6.0 operating system. All Apple phones that support the iOS 13.5 operating system (from iPhone 6S) are compatible.
Earlier this year, when the app was first announced, Anett Numa, speaker at e-estonia briefing centre, wrote it will be based on the DP-3T protocol which has been developed by leading privacy experts and it is also in line with Apple and Google's contact tracing API.
Estonia has chosen a "privacy-preserving path" to contact tracing, a key element of which is the principle of decentralisation that underpins several Estonian e-state solutions, she wrote.
Within this system, which is designed to adhere to recent EDPB recommendations, no entity will be able to store all of the tracing data and use it for any other purpose besides contact tracing.
Q&A with Priit Tohver
ERR News: Can you tell me, simply, what this app does?
Priit Tohver: It is a contact tracing application, sometimes called an exposure notification application.
The idea is that you get notified if you have been exposed to someone with COVID-19 or, the other way around, if you yourself have had COVID-19 then it is a way to anonymously inform your contacts about an exposure.
Who can use it?
It is open to everyone, so basically everyone can download it - it is not limited to Estonians. It is available in Estonian, Russian and English.
There is not, at least from ourside, a formal age limit - but children under the age of 13 cannot currently confirm their own infection in the app, which is something we hope to solve in future iterations so parents can do it for them. But there is nothing blocking children from using the application to get a notification.
What does someone do if they receive a notification?
The app gives them instructions, basically. They need to stay at home for a certain amount of time and monitor their health. If they get symptoms, then call a family doctor, a number will also be provided which they can call to ask further questions or to notify the Estonian Health Board about this close contact.
If someone has received a positive COVID diagnosis how do you let the application know?
So, the first mechanism that we have built is to do it through the Estonian patient portal - which is a staple of the Estonian e-state infrastructure - so through the app you get directed to the patient portal which checks for you your diagnosis and then either confirms or denies the fact of your infection to the application.
This allows the app to confirm who is infected and who is not and then to notify people who have come into contact with this person.
Would you encourage people who visit Estonia from abroad to download this app as well?
Yes. On an EU level we are working on an interoperability model which would make it easier for you to use whatever country's app when you are traveling but, for now, we are recommending that if you are visiting Estonia you should download the app.
If you leave the country and are then diagnosed with COVID-19 what is the procedure?
So, this is the biggest hurdle right now. This is why we are developing the interoperability model at an EU level. Currently, if you come to Estonia and you download the app then you go back home then there is no way for you to notify Estonia because you have no way to confirm the diagnosis in the Estonian system because your diagnosis was made elsewhere.
In the future, the solution which is being piloted at EU level, would create a sharing mechanism between the countries so that if you report your infection to the application of your own country then that notification gets shared with the countries that you have visited.
Editor's note: You should also keep HOIA installed for 14 days after you leave Estonia as you can still receive a contact notification. If you do, contact the Estonian Health Board.
Estonia and Finland already share health data, would Finland be one of the first countries which HOIA could share data with?
Indeed, we do share data with Finland but actually, in this case, we can seek to have good and early collaboration with a large number of countries. So any country which uses the Google and Apple API, which is essentially a decentralise contract tracing system, can be made interoperable rather simply with this sharing mechanism.
I think there are around 13 countries in the EU with applications which use the API and those will be the first which we collaborate with. I am aware that Finland is also moving in that direction and coming out with an application at the end of August.
And this app does not keep your data, is that correct?
The app does not process or hold personal data.
But the app also provides a mechanism for deleting all of this data, so this is up to the user.
What would you say to reduce someone's fears around privacy?
We don't want users to just believe [what] the government [says] about the application, which is why we have been working with private companies when developing this app, including cybersecurity companies who have also done their own analysis which will be made public.
Also, we have carried out an independent security audit which we will also be sharing the results of. We will also be publishing the code of the application for anyone to verify whatever concerns they might have.
Do a certain number of people need to use this app for it to be effective?
The more people that use it, the more effective it will be. However, we don't believe in a threshold, so to speak, every user counts. If there is 10 percent uptake then that still helps limit the spread because the app is not the only solution that we are relying on and we are building on top of a treasure trove of different activities to curb the infection. If people get a notification from the app it just adds to that set of activities which means you do not need to have a huge amount of uptake because there are other mechanisms in place which support this application.
What was the process like when you were working with volunteers?
It was a huge learning experience, there has been quite a lot of talk over recent years about how we need to be more flexible as a government and open ourselves up to newer forms of cooperation because the traditional way to work with private enterprises is a tending process. But, in this instance, there was simply no resources and no time to go through all this.
But at the same time, there was a lot of interest from private companies looking to help us out, who wanted to help us overcome the spread.
So, we said ok, this is volunteer-based cooperation and let's try and work together and they agreed - surprisingly - and three and a half months later we are still working together, which we are hugely thankful for and it has given us a lot of experience about how to work better with private companies and what not to do next time.
Some people have said it has taken Estonia too long to come out with this app, does this matter or have you been able to create a better app?
Yes, this time has definitely allowed us to make a better app. One of the reasons why Estonia took longer than some other countries is because we did not build an app which is just standalone - we didn't build something in a vacuum. We built it on top of the e-state infrastructure which definitely adds a layer of security to the application which is just not possible with a standalone application and it also takes a lot of time, especially, when no actual application has been developed for mobile phones on our e-health infrastructure before.
So there was a lot of learning on both sides. For private companies about what are our standards, and rules of procedure, for the state about how to build apps. That definitely took a lot of time which some other countries did not have to do.
It also allows us to go through the independent security audit, which is becoming a norm in Estonia - to go through an audit before any kind of data service is launched.
And we also got to learn from some of the experiences of other countries which have gone through iterations of what kind of parameters to put into the application which can trigger exposure notifications. The Google and Apple functionality has developed a lot since April, so definitely that has benefitted us.
That is not to say that we wanted it to take so long, we wanted it to be out as soon as possible. But there were some limitations in place due to the higher level of standards that we needed to meet and also the fact that this was a volunteer-based organization. So, it was very hard to push people for strict deadlines because, you know, they are all doing this out of good graces and free time.
What feedback did you get when HOIA was tested?
There was a lot of feedback, particularly around the language we used during usability testing. How to make the user experience more comfortable, was the main feedback that we got. But I think a lot of the feedback helped us better understand the concerns that users have had around the application.
We just have to keep it as simple as possible. As soon as you create a step which requires even a modicum of technical know-how then you are setting yourself up for failure, so we stripped it right down to be very simple.
One thing that came out of the user testing, we sometimes get questions from Android users about how to change the language. The language of the application is the same as the language of your operating system so sometimes people don't understand they have to change the language of the operating system to change the language of the application.
Editor: Helen Wright