I wanted to share an account of my startup’s journey, Asgard Analytics, to build a pro bono anonymous Bluetooth contact tracing app for COVID-19. To skip to the ending, we are stuck in limbo due to Apple’s rejection like many other developers who have tried to do this and are unable to find an institutional partner per Apple’s guidelines to release with “a governmental entity, hospital, insurance company, non-governmental organization, or university.”

It’s been close to two weeks since we’ve built the app. Personally, I couldn’t bring myself to write an account about it due to the sheer emotion of everything that’s transpired until now. Broadly, I recognize it’s nothing but a data point in the many challenges the US is facing battling the coronavirus pandemic.

How It Started

It all started on Wednesday night March 18th. I saw this post on Reddit during lunch and thought it was fascinating:

Uni of Ox study shows that a mobile app for digital contact tracing, w/ 60% of population adoption, can change trace delay time from 72hrs to 4hrs — which could significantly reduce spread & potentially reduce need for strict lockdown measures.

Throughout the day the thought must have spread through my subconscious like a wildfire because out of nowhere it hit me like a truck that this must happen. I couldn’t stop thinking “Why in the world isn’t there a contact tracing app that everyone knows about and is using in the US?” I immediately thought of my good friend, the fastest coder I know, and tried to pitch him the idea:

He thought it was interesting but had to spend more time thinking about it. I estimated three days (incorrectly) and he thought it would take longer. He also suggested doing Bluetooth tracing instead of GPS as it’s much more anonymized which we ended up going with.

Knowing it’s against our best interest as losing focus can be debilitating for a startup, I still couldn’t stop thinking about the positive impact this could have. I called my co-founder Adrian. He had his phone locked to focus on coding so I got sent to voicemail at which point I just hung up. I thought it was for the best. I tried to sedate my excitement while I did more work, watched some Kingdom on Netflix with my partner, and then went to bed.

When I woke up, the thought was more ferocious than ever. I just had to make it 5 hours until our standup at 11am. I figured I would then pitch it to Adrian. Fast forward after a short conversation during standup and we were both on board. While we were definitely in no position to be doing special projects right now, we agreed if there’s even a sliver of a chance that we save one life, that would be more impactful than anything we’ve ever done in our years doing the startup, consulting, or working at Microsoft, Amazon, IBM.

Building the App

During standup we decided on how to split the work to maximize speed:

iPhone app / me – I’d built Android apps ~10 years ago so I seemed like the natural fit for this part Azure backend / Adrian – repurpose existing Azure code from core business and write scalable algorithm to do contact tracing

I went to work on the iPhone app after standup. Thinking through it I decided three things mattered:

Simple – to the point where the younger generation would install it on their family’s phones and feel/look good in the process Anonymous – no footnotes, just make it impossible to know who’s who Forgettable – you forget about it unless you get sick or you are exposed to someone who was sick

Anonymous

I started with point 2 and jotted down the anonymity framework.

Anonymous Tracing

On app install generate a random word and password. (Technical detail: Both are 128-bit random GUIDs.) Store word/password in Azure without any personally identifiable information (PII). Beam the random word out to people you come in proximity with through Bluetooth. Your phone uploads your random word and the person’s you were in close proximity of random word to Azure. Generate new random word every so often and store it alongside your password so no one can track you by your random word.

To recap, people will now have a random word that they share through Bluetooth with each other when they are close. You don’t know who’s sharing this word unless you are the only two people in an area.

The random word is changing multiple times per day and the only place where the password is associated with the random word is Azure. It’s like seeing someone’s face in a public space except for their face is constantly changing.

In Azure, there is a record of random words interacting, but no information about who the person behind the random words or password is. The second you delete the app from your phone both your random words and password are irrecoverably disassociated from your device.

Disclosing Testing Positive

Your doctor/nurse/lab lets you know you’ve tested positive. 🙁 You email them your ID and ask them to email it to us with self identifying information removed. We get an email that we check comes from a trusted health authority. We input the ID which propagates to everyone of the day that you were in proximity with them and might of got them sick. We only notify someone if you came in proximity with more than 1 person that day. That’s so no one can know it was you who tested positive.

Simple

Then I quickly mocked up the idea and sent to my friend and past co-founder Tony Yoo:

We had a two hour call Thursday night and after a Saturday morning work session, Tony produced two versions of the app, beautifully thought through and designed. We ended up going with this one:

Forgettable

Thursday afternoon I went to work actually building out the iOS app. Now, having never coded in iOS before I chose Swift as what seemed the simpler language to use and went to work on the biggest risk: Bluetooth pairing.

It was a delightful first day. Got the app up and running, Bluetooth connecting, tested it outside using an iPad and my iPhone. The three day estimate of getting this totally working was looking really good. Over the weekend implemented the designs Tony created.

This was going to be great, we would be done and back to work while spending time promoting and looking for partnerships. Then BAM, turned out while Bluetooth pairing worked flawlessly in the foreground or while the phone was awake, everything came to a halt once the app was put into your pocket. You know, the natural place for proximity tracking to run.

We didn’t think it was worth releasing the app unless it worked in the background. Adrian had been done with the contact tracing server side for a while now. As the days dragged on trying to get Bluetooth to work, night turning into day, day turning into night, I tried to keep a sticky note to keep my sanity and justify the time investment to myself:

What was supposed to be a mostly weekend project ended up taking 11 days total of coding. Of those, getting Bluetooth to run in the background and testing it to make sure it actually does took 8 days. Lifting was out the door and so was sleeping for the most part:

But after trying 29 different strategies from Stack Overflow and finding some random guy talking about how it works in Russian, we were able to overcome and get everything to work in the background. We submitted to Apple for approval on the night of March 29th and anxiously awaited our verdict. (TestFlight)

Getting Rejected By Apple

Now, we were aware Apple was rejecting COVID-19 apps right from the start. But again, we thought, what’s three days of work lost if we can save one life?

Given how misinformation and scams tend to spread using crisis, Apple’s policy made total sense. We thought they wanted people to avoid using COVID-19 as marketing fodder. We decided we would NOT include any information in our app or landing page about COVID-19 since we recognize we are not experts. Our marketing strategy was going to be entirely through word of mouth and the information we collect minimal. You don’t have to be a healthcare professional to understand how proximity tracing works.

Surely, Apple wouldn’t mind if we kept track of people anonymously coming in proximity with each other given the information running apps, sleeping apps, biking apps, FB, Google, and so on collect about people.

While waiting on Apple, Trevor Bedford, an expert virologist spun up a thread about NextTrace. NextTrace is an all up effort to mitigate the spread of COVID-19 using testing, digital tracing, and sequencing here in Seattle. The timing was surreal because Trevor was one of the people that has been putting out extremely useful and interesting information on Twitter for as long as I’ve been following him. He also happened to be one of the people we wanted to reach out about Antidote once we finished it. With the magic of twitter, even though Trevor has 201k followers, he now knew about our project. Tweet

But then came the sad news. Apple’s blanket rejection letter:

All of a sudden all the articles I’ve read over the years about “closed platforms”, “monopoly”, “Apple rejection”, “healthcare regulation”, “bureaucracy at government agencies” came flooding back. It feels very different reading about it and when it happens to you. I tried to appeal with what I already knew was futile:

We were told to find an institution to partner with if we wanted to release.

Aftermath

From the Trevor Bedford tweet, several teams reached out, including Singapore’s TraceTogether team who to our knowledge was the first app doing contact tracing in the world. It was exciting because we thought perhaps we would find a partner to help us release Antidote with and get it into the hands of people.

What came as a surprise was that the Bluetooth method of tracing while your phone is put away in your pocket was not something anyone had figured out. Turned out the purpose of the calls was simply to extract the information about how it worked so the team could build it into their own app. Completely understandable! I begrudgingly divulged how we got it working thinking, hey, at the end of the day the goal is to save lives. But there’s always the human component of seeing if our take on the problem would have worked. If it would have made a difference.

Being exhausted, deflated, and worried about not working on our startup’s core business I thought, “We tried.” I reached out to a trusted mentor from Microsoft to see if it’s something they could help with but was explained healthcare projects were a strong no. I was going to half heartedly reach out to a few people and institutions to see if they’d be interested. Seeing me this way, my partner Patricia took over and emailed hundreds of news reporters, contacted Facebook groups, reached out to institutions.

Kurt Schlosser was kind enough to include us in his article on GeekWire: https://www.geekwire.com/2020/seattle-tech-veterans-rush-build-app-trace-covid-19-exposure-run-apple-rejection/

We’ve come to understand the problem much better since then. The premise is simple, we have a pro bono fully anonymous Bluetooth tracing app we are trying to get into the hands of people. Unfortunately, it’s either a major liability to an institution that could release it with little upside given our startup would likely get the positive press. If they were willing to take the risk, they already have a team working on it. The major risk is it would be an enormous liability, potentially costing the institution millions of dollars of loss and a Cambridge Analytica type scandal. On a more simple level, most places professors and chairmen weren’t even sure who has the power to approve this sort of project.

Conclusion

It’s a bummer and really, it hurt, trying but not being able to help. The whole pandemic has felt surreal and this 11 day stretch feels like a daze. So many variables out of our control, no connections in a space where there’s something we can do and do well. It’s understandable that institutions have to protect themselves from liability but when human lives at stake, you just wish there was a better way.

Seeing the announcement from Google/Apple pairing up to tackle this problem yesterday was a beacon of hope and what we had hoped would happen earlier on. Ultimately Apple and Google building their own app would be the ideal case scenario. From our current understanding they will only build the APIs and it’ll still be up to individual institutions to complete the work.

There’s also been people like Jamison Day that are extremely passionate about work involving disaster relief and keep us in the loop about ongoing events. Just yesterday he connected us with a startup called HypeLabs from Portugal who has figured out how to run Bluetooth in the background before us and were also surprised by how valuable that turned out to be.

It was really great hearing that they have successfully deployed their solution with the government of Colombia and were working to get deployed in their own home country of Portugal.

We’ll keep trying and if there is anyone out there who reads this and knows someone who might be able to help us please reach out to me at philipp.cannons@asgardanalytics.com. We are going to keep trying because human lives are at stake.