It really was like something out of a Marvel movie. When faced with an unprecedented evil, Iron Man, Captain America, and the Incredible Hulk team up and save the day. The situation was much the same this past spring in Estonia, when the country was looking at ways to stem the spread of COVID-19. In this case, though, the superheroes were a motley ensemble of Estonian IT companies and state institutions that wanted to develop a new application for tracing the contacts of people infected with the disease. The resulting coronavirus app, called HOIA, was rolled out on August 20 and has been downloaded more than 113,000 times since. The private-public partnership that produced HOIA also impressed its makers, not least because they did it so quickly and for free.
“To our knowledge, this is the first time such a large-scale endeavor has been successfully undertaken in such a form,” said Kristjan Aiaste, managing director of the Tallinn-based IT firm Iglu, which was responsible for technical project management, user experience (UX) analysis, and user interface (UI) design of the HOIA app. “As we needed to act quickly and many IT companies were willing to participate, there was no time nor a need for a complicated, time-consuming procurement process,” he noted. “So, the app was developed free of charge.”
HOIA — which means “take care” in Estonian — can be used to inform the contacts of those infected with the virus and to provide them with instructions on what to do if they have been in close contact with someone who tests positive. The aim is to prevent the further spread of the virus and alert those exposed to seek treatment and undertake preventative measures.
The coronavirus app relies on Bluetooth Low Energy (BLE) technology. Phones with the app installed can pick up Bluetooth signals from nearby phones, and if the signal is close and frequent enough, anonymous codes that refer to that individual will be collected and stored on the phone. Should a person with the HOIA app installed be infected, they can alert the app, and those who are considered to have been in close contact with that person will thus be immediately notified.
The identity of the infected person, therefore, remains anonymous throughout the process.
Building on international best practice
The idea for the application did not originate in Estonia. Aiaste noted that the concept of using mobile phones and BLE technology to trace the spread of COVID-19 and to help people take the necessary precautions against the disease was first implemented in Singapore, where the Singaporean Ministry of Health and Government Technology Agency designed and introduced the TraceTogether application in March. But privacy concerns made it impossible to use the Singaporean application in Estonia, which meant that local developers had to develop their own.
“The Singapore coronavirus app was made using the principle of a centralized application, where the state has data on who came into contact with whom, and the state decides who to inform and when,” noted Veiko Raime, CEO of Mobi Lab, a Tartu-based firm that led mobile application development on the project. “For Estonia, this approach did not ensure the desired level of privacy,” he said.
Instead, the Estonian team settled on a decentralized approach where user exposures are calculated only on their own devices. A partial solution appeared in April, when the Swiss Federal Institute of Technology Lausanne introduced decentralized privacy-preserving proximity tracing, or DP-3T, as an open protocol to enable the digital contact tracing of infected participants using BLE technology. The team behind HOIA then decided to use DP-3T as the basis for the new coronavirus app, while using the Exposure Notification API provided by Google and Apple.
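The decentralized matching described above can be sketched as follows. This is an added illustration, not HOIA's code and not the actual DP-3T or Exposure Notification key derivation: the HMAC-based rolling IDs, the 96 slots per day, the 15-minute threshold and all names are assumptions made for the example.

```python
import hashlib
import hmac
import os

SLOTS_PER_DAY = 96  # constructed value: one rolling ID per 15-minute slot

def rolling_ids(daily_key):
    """Derive a day's anonymous codes from one secret daily key (simplified stand-in)."""
    return [hmac.new(daily_key, b"slot-%d" % i, hashlib.sha256).digest()[:16]
            for i in range(SLOTS_PER_DAY)]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> secret key; stays on the phone unless its owner reports
        self.heard = {}       # (day, rolling_id) -> minutes observed nearby; never uploaded

    def broadcast(self, day, slot):
        key = self.daily_keys.setdefault(day, os.urandom(32))
        return rolling_ids(key)[slot]

    def hear(self, day, rolling_id, minutes):
        self.heard[(day, rolling_id)] = self.heard.get((day, rolling_id), 0) + minutes

    def report_positive(self):
        """Everything the server receives: daily keys, with no identity and no contact list."""
        return list(self.daily_keys.items())

    def check_exposure(self, published, threshold_minutes=15):
        """Re-derive codes from published keys and match them against local observations."""
        minutes_by_day = {}
        for day, key in published:
            for rid in rolling_ids(key):
                seen = self.heard.get((day, rid), 0)
                if seen:
                    minutes_by_day[day] = minutes_by_day.get(day, 0) + seen
        return {d: m for d, m in minutes_by_day.items() if m >= threshold_minutes}

def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed encounters on day 1: bob is near alice for 20 minutes, carol for 5.
    bob.hear(1, alice.broadcast(1, 40), 10)
    bob.hear(1, alice.broadcast(1, 41), 10)
    carol.hear(1, alice.broadcast(1, 41), 5)
    published = alice.report_positive()  # alice marks herself infected
    return bob.check_exposure(published), carol.check_exposure(published)

if __name__ == "__main__":
    print(demo())
```

The server in this sketch only relays the reporting user's keys; who met whom is computed and kept on each phone, which is the property that separates this design from the centralized one.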
“Estonia did not build its application from scratch,” noted Raime. “We built on the analysis and work of internationally recognized teams,” he said. “And we got an application that is both transparent and privacy-friendly and secure.”
Ultimately more than a dozen companies and organizations took part in creating HOIA. In addition to Iglu and Mobi Lab, Icefire, a Tallinn-based technology firm, developed back-end systems for the app, as did the Health and Welfare Information Systems Center (TEHIK), a data and communication center overseen by the Estonian Ministry of Social Affairs. TEHIK also provides customer support for HOIA and is responsible for administering and hosting the app.
Tartu-based Mooncascade and FOB Solutions in Tallinn also contributed to mobile application development, while Velvet, a strategic design agency headquartered in Tallinn’s Telliskivi district, was responsible for branding the app and homepage development. Bytelogics and Fujitsu helped in app adoption areas, while the company ASA Quality Services helped test HOIA, and Heisi IT developed the patient portal.
The use of Estonia’s e-health electronic health records system, which relies on state-issued personal identification numbers, distinguishes this coronavirus app from similar tools in use elsewhere.
“In Estonia, we incorporated the national patient portal’s registry into the process of marking yourself infected,” noted Iglu’s Aiaste. “It’s required for the app’s user to verify the COVID-19 positive test result with his or her personal ID,” he said. “That way, users can be absolutely sure that the possible exposure notifications are only coming from people with positive test results.”
A particular focus on privacy and security
Cybernetica, a 23-year-old Tallinn company specializing in designing secure data systems, was responsible for security architecture and analysis, in cooperation with Guardtime, another Tallinn-based company that offers blockchain-based products, Aiaste noted. Dan Bogdanov, a board member of Cybernetica who helped develop HOIA, praised the teamwork that went into producing the app. “The development of HOIA was carried out under the banner of cooperation,” Bogdanov said. “After initial discussions during which the solution was agreed upon, everyone worked toward a common goal and did everything necessary to achieve it,” he said.
Privacy was a major issue for developers. Based on survey data, they knew that mitigating public apprehension about data sharing was a priority. In response, Cybernetica and its partners crafted a solution that processes as little personal data as possible but still achieves its goals.
“The security analysis and description of security measures for the entire application are public and transparent, and we are ready to explain to everyone how HOIA is different from other applications,” said Bogdanov. He noted that its privacy provisions have been well-received enough to have a swift uptake of the app, specifically in tech circles, following its launch.
The next step for HOIA is to “achieve a warm reception more widely,” Bogdanov noted. To do this, developers must continue to “talk about the system, explain its features, and refute misinformation” about the security of the application, he said.
Aiaste noted that downloads have indeed picked up in recent days, and as of mid-September, nearly a tenth of the Estonian population is using HOIA. He called this early adoption “encouraging,” and noted that there haven’t been advertising campaigns for the app yet.
Plans are also afoot to make HOIA available beyond Estonia. Aiaste noted that HOIA’s developers are working with teams from other countries to lay the foundation for the worldwide exchange of data between similar coronavirus apps used in other countries.
“A cross-border solution is definitely necessary and work towards this has begun,” he said.