The Spanish infection tracking app Radar Covid has been available since the beginning of July for Android and Apple. Since the second week of August it has been in the top download positions in Spain for both operating systems, along with games and QR readers, according to data from App Annie. More than 3.4 million Spaniards have downloaded it at least once.
But the operation of the app continues to depend on its integration into the health systems of the autonomous communities, and its development has not yet been completed. In the Android Play Store there are more than 4,200 comments on the app and about 50% (1,988) are 1 star. Although the second group (1,608 ratings) gives 5 stars. Most of the complaints have to do with its operation on the mobile phone and with errors found with the battery consumption reduction system or the mobile model.
The frustration of users for an application advertised with all the gallons and not yet fully working is impossible to measure. Although it is likely that there is data from how many apps are deleted or inactive. The technology community, however, does have more specific complaints, which, for the moment, have no clear response from the Government. “There is a cloud of doubts about the operation because there has not been a trust-building process. There is a lot of ignorance of the tool ”, says Gemma Galdón, founder of Eticas Consulting.
The Radar Covid app belongs to the Government, but it is developed through a contract with Indra based on the open code of DP-3T, created by a team led by the Spanish engineer Carmela Troncoso from Switzerland. So say the same policies of the app : “Radar Covid uses in its architecture the new framework provided by Apple and Google developed from the DP-3T Protocol of decentralized proximity tracking to preserve privacy.”
The DP-3T protocol is licensed under a Mozilla Public License 2.0 that obliges whoever uses it to say what they do with it and how they transform it. The Government, at the moment, has not published the code behind Radar Covid. “It doesn’t make any sense,” says David Barragán, co-founder and software developer at Kaleidos Open Source. “The license requires them to comment on what part of the code you have used and how when you use the code. But we don’t know. We must trust that they have not modified it ”, he adds.
This measure is not only for transparency, the app is made with public money. Also for efficiency. In all code creation, errors and misalignments are inevitable. More eyes see more things, “Publishing the code when it is done generates more costs because the community will find errors. It is not only about transparency, but also about having a collective review and validation process of the technical specifications ”, says Galdón.
The Secretary of State for Artificial Intelligence has announced that the code will open on September 9. It is not clear if it will give only the latest version or the process of all the changes and those that will be in the future. In the development of an app it is important to know what the code did before and what it has stopped doing and why.
In an interview with the SER, the Secretary of State, Carme Artigas, said that the Government was not “a startup “, to justify giving the code presumably already closed. It is not, however, the norm in the community: “There is a wrong perception. There are many institutions that seem to get the feeling that if you make a code and no one sees it, it will be safer. Experience tells us that this is not the case. If you open the code, someone who wants to attack you can see weaknesses. But for every person who wants to attack there will be 10 who want to help. A product with closed source is very difficult to help you improve it ”, says Manuel Carro, director of Imdea Software.
Carro speculates that perhaps Sedia and Indra wanted to avoid the urgency of having to release an app that had dozens of programmers commenting on details in public: “If you want a refined version, the more eyes see it the better. But maybe Indra and Sedia would not want to release a product if they knew, because they had been told, that it has problems, “he explains. The rush may have led to the delay in the publication of the code. But now publishing can bring bigger challenges.
For example, both the Portuguese app Stayaway and the Italian Immuni, as well as others in the rest of the continent, have their open source on GitHub.
Even if the code is not released, an app can be decompiled to keep an eye on what’s inside. Radar Covid does not leave either: it obfuscates the code. That means it changes concepts to make it incomprehensible to other programmers. If it were not obfuscated, you would get a copy similar to the initial code that the developers wrote. Although not the same. It would be a cheap copy of the original, but in the absence of being open it would be good for looking.
Why does Radar Covid obfuscate and does not allow that more panoramic look? “In open source it doesn’t make any sense. In proprietary code, maybe yes. There are many companies that obfuscate that code to make it worthwhile. Something you want to protect. It has to be something that you really want to hide, ”says Barragán.
Carmela Troncoso, the Spanish engineer who led the DP-3T project from Switzerland, is also surprised by the Spanish prudence with the code, especially when the license of her own work forces her to release it immediately.
In principle, the app is national and cannot know where each possible infected person is. All the values of the infected persons must be on a single server to be useful. How has it been resolved that the 17 health systems of the autonomous communities can offer their services without having to know where each possible contagious contact is? With a drop down.
The app includes a drop-down menu when you receive a high-risk notification, as explained by sources from the Secretary of State, “When receiving a high-risk notification, the autonomous community of your interest can be selected from a drop-down menu (by residence, by visit) and obtain the healthcare telephone number, as well as a link to its information portal. This is done without consulting geolocation, or consulting the contagion alert server. In fact, you can select the different communities and go looking at the respective telephones ”, they explain. An example can be seen in this notification:
The dropdown is already active. It works like the one for the language, which comes out when you download the app and which for now only allows Spanish, Catalan, and English. If a community wants to personalize their tour after receiving a positive, they must do so on their portal, not in the app. The codes that the health personnel will give to a positive person to introduce depend on each community and therefore each one will know how many deliveries, according to the same official sources: “The technical implementation that is done with the communities implies enabling the way they can distribute positive codes, through health personnel, when someone is diagnosed positive after a PCR. It is not a centralized process, but of each community. Therefore, as this implementation is done with each community, it is possible to know how many codes each one distributes, but obviously not to whom. The codes are also temporary and expire after seven days ”.
In the juicy interview with the SER, Artigas said that in the first days of integration in three communities there had been 20 notifications: “We have already registered that there have been positive PCR code entries in Andalusia, Castilla y León and the Balearic Islands, and that they have generated about 20 alarms in this same week from people who had received notification that they had been close to a contact, “he said. How did the secretariat know how many notifications the system had sent?
When someone is positive, that person enters a code in the app that allows the numbers that they have exchanged with other citizens in recent days to be uploaded to the server. The apps of the rest of the citizens ask the server several times a day if any of the numbers that they have stored from other close contacts are on the server. That would indicate that there has been contact with someone who is positive today.
If that coincidence occurs, the notification jumps on the same mobile. No one outside can know that there has been such a warning. At most, you can know how many calls have been received where the patient gives the app as a reason for alert. At the end of this piece, the Secretary of State had not yet responded to repeated questions from EL PAÍS on this matter. Either way, these mysteries are likely to be revealed on the 9th, when the full code comes to light.