Has South Africa’s COVID Alert contact tracing app been zero-rated?

By Alex Comninos · David Johnson · Alison Gillwald

Research ICT Africa, and the School of IT's David Johnson, test the COVID Alert contact tracing app.

When President Ramaphosa addressed the nation on the move to Alert Level 1, he encouraged everyone with a smartphone to download the new COVID Alert app to help stop the spread of COVID-19. He also said that the app has been zero-rated by mobile network operators and could thus be downloaded without incurring any data costs.

The launch  of the app, especially its privacy features, is a positive and long overdue development. But there are obstacles to its take-up that are likely  to  undermine its success. In order for detection of contacts to reduce infections a critical mass of around 60% of the population need to download the app. With smartphone penetration in South Africa estimated on the basis of the RIA 2018 After Access survey to be around 60%, and the population reach required to be effective also being 60%, it is very unlikely to reach uptake of 36 million to be effective. Currently, there are “100 000+” downloads of the COVID Alert App on the Google Play store, an encouraging increase from the “10K+” on the day of Ramaphosa’s speech.  

Despite these constraints, the COVID Alert App will be a critical component in South Africa’s contact tracing regime to reduce the spread of COVID-19 that includes manual contact tracing and screening, as well as digital symptom screening/risk assessment and information provided by the CovidConnect WhatsApp and SMS platform. 

The cost of data will be a key obstacle to the successful deployment of the app  to combat the spread of the virus. Data required to access information about the coronavirus is needed when we quarantine, self isolate, shelter at home, or work from home, and can be used in symptom screening and contact tracing. 

The COVID Alert app itself requires data, and costs data to download. On Android, downloading the app requires data for the app itself (approximately 3MB)  and an update to Google Play Services (around  45MB) – the backend system that contains the contact tracing component used by the app. In addition, after downloading, the app would need to transmit and receive randomized contact tracing data  but would probably transmit only a few kilobytes per week. 

Although this is a relatively low cost data application, COVID Alert is a public health instrument to contain the virus and there should not be cost considerations for the public to use it, which was clearly the thinking behind the President’s message that it was zero-rated. 

Zero-rating in this context means there are no data charges associated with downloading and the use of the application. While regulated mobile operators can be required to zero-rate data use or may offer to, can apps downloaded from the Google Play store or the Apple App Store be zero-rated? It seems not.

Research ICT Africa has begun testing downloading the app on different mobile networks without airtime or data and so far we have not been able to download the app or load the page on the Google Play Store. This was predictable since it is impossible on a technical level, without zero-rating both the Google and Apple stores in their entirety, which would have to include all the apps included in these stores. So while apps may be free of charge in these stores, the cost of downloading the app is not.

Modern encryption (HTTPS, TLS and SSL) is baked into our banking, our email, and connections to many of our apps (including the Apple and Google stores), allows a third party such as an internet service provider (ISP) or mobile operator to know where we are connecting to (e.g. https://nedbank.co.za, https://researchictafrica.net or https://play.google.com/) but not to read the content of our communications such as the specific page visited or app downloaded.  And so your mobile operator may know you are downloading an app from the Google or Apple store but they cannot (and should not)  know/track which app you have downloaded. 

Seven years since Edward Snowden’s revelations, encryption has become widely used. HTTPS is extensively used and adopted by the tech giants almost ubiquitously. Server to client encryption (HTTPS, TLS/SSL) means that theoretically a third party cannot intercept  the communication between two people (though those two people could share each other’s data). Encryption is fundamental to protecting our privacy, having a secure internet and enabling e-commerce.

Encryption is also a significant obstacle to zero-rating data based on content or specific pages of a web site. When data is encrypted, zero-rating can only be done at domain (e.g. datafree.co) and subdomain level (e.g.coronavirus.datafree.co) when data is encrypted. While it may seem like a good idea, educational content on YouTube, for example, cannot be zero-rated, the whole of YouTube must be zero-rated. 

It is neither possible or desirable to do away with encryption in the name of zero-rating and foregoing protecting privacy as having a secure internet connection is critical to exercising our rights and providing a safe platform to use or produce digital goods and services. 

Encryption is only one of a few significant obstacles in the feasibility of zero-rating. Another obstacle is that most websites and apps aggregate and embed content on their sites. A zero-rated COVID-19 informational site, or an education site, might for example embed a YouTube video on a page, or embed social media content. This integration of websites with each-other has been called “Web 2.0” or “Web 3.0” and has for over a decade been a characteristic of the contemporary internet. When the site is loaded, the domain (e.g. coronavirus.co.za) is zero-rated, but the content embedded on it is not -another huge obstacle to zero-rating. 

Another very significant obstacle to zero-rating is modern cloud services. Many websites and applications used cloud platforms or cloud infrastructure to make websites or apps. This is often done with one of the three big cloud providers (Amazon Web Services, Google Cloud Project, and Microsoft Azure). For example ABSA banking makes use of Amazon Web Services, the South African Government uses Microsoft services and have agreed that Azure will be the official cloud provider of government, the RIA podcast makes use of an Azure Blob for hosting files. One cannot zero-rate sites using these cloud providers without zero-rating all the relevant infrastructures of cloud providers. 

Zero-rating can only serve static, 1990’s and 2000s style content, it cannot currently serve Web 2.0/Web 3.0 content or cloud service driven content without significant additional effort. The only way that zero-rating can achieve its goals is by zero-rating whole domains (like Wikipedia.com or YouTube.com) or by creating “walled gardens” – special portals for curated internet access usually created by ISPs or mobile operators. http://datafree.co by biNu is one example of a zero-rated “walled garden” used for governments coronavirus information site: http://coronavirus.datafree.co/

So how would one zero-rate the COVID Alert App? We would suggest that instead of zero-rating the app, users are given a data rebate for downloading the app. The app itself would cost just under 50MB to download (the app is 3MB  but requires a 45MB Google Play services app to operate, one would also use a data searching for the app on the store). 

A way of ensuring there are not inequalities in deploying the app would be to provide users who download the app with a rebate code.  This can then be submitted to the mobile operator to turn into a data bundle to cover the data costs, as well as to incentivise downloading the app. A rebate of 100MB, would cover the  50MB to download the app, as well as other communication costs needed to support isolation or to seek information about COVID-19.

Originally published: https://researchictafrica.net/2020/09/25/has-south-africas-covid-alert-app-been-zero-rated/