Several other countries are introducing apps modelled on this app: the pandemic has spurred a worldwide rush of innovation and technical experimentation.
Most of us would welcome the chance to contain the spread of the virus without having to stay locked down until a vaccine arrives. But do we have to trade our privacy by turning everyone’s phone into a tracking device? Perhaps not.
More than 25 scientists across eight European universities decided that, rather than wait for others to produce bad apps, they would write their own. Or at least, write the basic code that others could use, and make it freely available. And the result was DP-3T.
Like Singapore’s TraceTogether, DP-3T is designed around Bluetooth’s capacity for device-to-device communication. Like TraceTogether, it transmits and receives ID codes that can later be used to reconstruct whether a sick person has been close enough to infect you. But it has some important refinements that mean no centralised body ever needs to know who has been close to whom.
Instead of transmitting codes that can be linked back to the person using the app, a DP-3T app transmits a random jumble of letters and numbers that changes regularly. Other devices receiving the codes won’t even know if this is the same device as yesterday, which is an important layer of protection for anonymity. Each device running the app will store all the codes sent and received.
If one person does get a diagnosis of Covid-19, they get a passcode from the healthcare professional making the diagnosis, which allows them (just once) to upload their “sent” codes from the pre-symptomatic contagious period to a database. This gives the database no information about the patient’s identity, location, or anything else, just the codes transmitted during the relevant period.
All the other phones running the app have access to the database of codes, but only to cross check against the codes in their own “received” file. The app can do this regularly and automatically, and alert the user if the level of exposure means they should self-quarantine, or get tested.
Everyone keeps control of their own data, the centralised database contains only anonymous codes from infected people, and nobody has the whole picture. It is possible to have both contact tracing and privacy.
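The flow described above, simulated in Python as an added illustration (this is not DP-3T project code and not from the article): rotating random codes, a "sent" and "received" store on each handset, a single-use passcode issued at diagnosis, and matching that runs on the device against the published list. The Phone and Server classes, the three handsets and the contact pattern are all constructed for the example.

```python
import hashlib
import secrets

def new_code() -> str:
    # Fresh random code; rotating it stops observers linking one epoch to the next.
    return secrets.token_hex(16)

class Phone:
    def __init__(self) -> None:
        self.sent = {}         # epoch -> code this phone broadcast
        self.received = set()  # codes heard from nearby phones

    def broadcast(self, epoch: int) -> str:
        self.sent[epoch] = new_code()
        return self.sent[epoch]

    def exposure(self, published: set) -> int:
        # Matching happens on the handset; only the public code list leaves the server.
        return len(self.received & published)

class Server:
    # Holds only anonymous codes from diagnosed users plus hashes of unused passcodes.
    def __init__(self) -> None:
        self.codes, self.passcodes = set(), set()

    def issue_passcode(self) -> str:  # handed out by the clinician making the diagnosis
        pc = secrets.token_urlsafe(12)
        self.passcodes.add(hashlib.sha256(pc.encode()).hexdigest())
        return pc

    def upload(self, passcode: str, codes) -> bool:
        h = hashlib.sha256(passcode.encode()).hexdigest()
        if h not in self.passcodes:
            return False  # unknown, or already spent: the upload is one-shot
        self.passcodes.remove(h)
        self.codes.update(codes)
        return True

def simulate() -> dict:
    alice, bob, carol, server = Phone(), Phone(), Phone(), Server()
    contacts = {1: [(alice, bob)], 2: [(alice, bob)], 3: [(bob, carol)]}  # constructed scenario
    for epoch in range(5):
        codes = {p: p.broadcast(epoch) for p in (alice, bob, carol)}
        for a, b in contacts.get(epoch, []):  # each side records the other's code
            a.received.add(codes[b]); b.received.add(codes[a])
    window = [c for e, c in alice.sent.items() if 1 <= e <= 4]  # Alice's contagious period
    pc = server.issue_passcode()
    first, replay = server.upload(pc, window), server.upload(pc, window)
    return {"upload_ok": first, "replay_ok": replay,
            "bob": bob.exposure(server.codes), "carol": carol.exposure(server.codes)}
```

Bob, who met Alice twice in the window, scores 2; Carol, who only met Bob, scores 0, and a second upload with the same passcode is refused.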
Is this the basis for the NHSX app being developed, which is also designed to use Bluetooth to track proximity?
Probably not.
“All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research,” according to Hancock’s announcement, “and we won’t hold it any longer than is needed.” But this implies that data from the app will be uploaded to a central database, where it can be used for other purposes. The fact the government felt the need to say that the police would not have access to the data suggests that it won’t be anonymous.
The public’s appetite to put the app on their phones will be reduced even further by the revelation that NHSX has teamed up with Palantir, a data-processing giant that works with the CIA (which part funds it). Palantir will be processing, not controlling the data, but our government has a patchy record on transparency over data retention and use.
However, a few developments over Easter weekend could force NHSX to radically rethink their project.
On Good Friday, Apple and Google released a joint statement, in itself a sign of the unprecedented times we are living in. They plan to design contact-tracing technology, either apps or the digital infrastructure on which apps can be built, which looks very like the DP-3T model. The two tech giants also announced another change that sounds like a minor technical detail, but could be more significant for the NHSX app. It concerns the way Bluetooth runs on Apple, and newer Android, devices.
When I asked a Singaporean friend about the TraceTogether app, he told me, “It’s a pain to use,” because it needs Bluetooth to be running all the time. But because Bluetooth is a digital blabbermouth, dishing out your data to any local device that wants to know, Apple devices don’t allow it to run in the background while you’re doing anything else, or while your phone is locked. Google’s newer Android systems run along the same lines.
This means that if you want the TraceTogether app to work “you have to leave it on and … ‘upside down’ in your pocket to go into Low Power mode,” says my Singaporean app user, “but of course everything’s haywire if you leave your phone unlocked in your pocket as you walk around!” At best, you pocket-dial your ex. At worst, a pickpocket has access to your entire life.
This is a dilemma for Google, and especially for Apple. It makes a big point of privacy, and of keeping your data on your device instead of on somebody else’s database. Could it allow Bluetooth to run when the app is not active, but for approved Covid-19 apps only?
This, in effect, is what it has said it will do. But its definition of approved Covid-19 apps is drawn more narrowly than many expected. In fact, Apple devices will only allow Bluetooth to run in the background for more privacy-friendly, decentralised contact tracing systems, like DP-3T.
The solution to the Bluetooth privacy problem is that the exchanging and storing of randomly generated codes will happen, not in an app, but securely within the operating system. Data will leave the device only for explicitly authorised uploading to an approved database. The only other interactions possible with external databases will be queries about matching numbers. The app could potentially export any risk scores it has calculated for you, but not the codes sent and received by Bluetooth.
It sounds like a minor detail. But it could be a big spanner in the works for the NHSX app, if it doesn’t conform to that decentralised model. The app wouldn’t work with the phone locked or while you are using it for anything else. This inconvenience has been a big barrier to uptake in Singapore, where few people are using it, certainly fewer than the 60% of the population that public health experts have estimated as the minimum needed to make it work.
All these developments will have taken the NHSX project by surprise. It now faces a choice between carrying on with an app that’s less convenient to use, and that fewer people will trust, or starting again with a different model, delaying rollout, and denying them access to data that could be useful for research and for planning.
In the long run, however, adopting the DP-3T model has huge advantages. It makes it easier for lots of us to download and run an app, without worrying about whether we’re releasing data to big corporations and government bodies to use for other purposes. It avoids setting precedents for centralised databases of who we spend time with. And it’s the foundation for internationally compatible anti-Covid-19 digital solutions, which we may need for some time to come.
So, quick redesign, and Matt Hancock can roll out the app and get the UK back to normal life in a couple of weeks?
Sadly, it’s not quite that simple.
Allowing app users to self-diagnose opens the door to false alarms by hypochondriacs (or schoolkids who aren’t happy their school reopened). Medical validation needs readily available Covid-19 tests, so that professionals can authorise uploading the codes. Society needs to facilitate people going into self-quarantine, getting tested themselves, and locking themselves away for weeks, without delays. And a majority of the population needs to be using the app, but not everyone has a smartphone equipped with low-energy Bluetooth.
Automated alerts can’t replace detailed contact tracing, as practised in South Korea and Singapore. But interview-based contact tracing is labour intensive. Contact-tracing tens of thousands of cases individually would be an immense task for a health service that can’t even pick up every 111 call.
However, a widely used app in conjunction with testing could be a workable compromise, reducing the transmission rate to a scale that the NHS can handle, while allowing people for whom the risk is acceptably low to return to work, and to a more normal life.
How low a risk is acceptable, and how normal life should be, are political questions. No app can answer those.
I find the mob’s addiction to the smart phone fascinating. Clearly, it’s an electronic pacifier for adult minds. And, no, all the smart phone can do is reveal your location to tyrannical government authoritarians. Throw it away and free yourself.
I surely can’t be alone in not having Bluetooth or GPS location services enabled, deliberately. But then I can read maps and use wired headphones when necessary. It’s bad enough we can be triangulated using cell phone towers, though thankfully not as accurately as is being proposed.
I’m not picking on you personally, but you do typify a certain view on this whole question. Unless you are doing something criminal at the time, do you think anybody in charge of the database is really that bothered where you personally are or what you are doing or who you are doing it with? Frankly, they have better things to do. I know the standard retort: you’re being complacent, the authorities cannot be given the opportunity to abuse their power, blah, blah. The trouble with this sort of slippery slope argument is that it uses a potential, but in fact very, very improbable future scenario, rather than any hard evidence of past abuse or any credible future threat. In this case, it seems like there is a workable solution without any great intrusion, but I don’t think even this would satisfy you.
“Don’t put too much faith in metrics” is just as accurate a headline. Statistical or risk analysis, not a human strongpoint 🙂
Like many others, I do feel that the privacy invasion of big tech over our lives is going too far. However, if you read this article carefully and if you take a close look at that Singapore solution (the code is public at https://bluetrace.io/) then it does appear to me that this is very far from “big brother watching me”. The Singapore solution does NOT track GPS location – it only listens for bluetooth signals from nearby phones. And, contrary to the statements in this article, it does actually use random and frequently rotating identifiers like the DP-3T model. So there’s no way to figure out what phone numbers you’ve been close to just by looking at the list of identifiers locally recorded. Also it doesn’t send anything to government unless, after having been diagnosed positive with COVID-19, you approve the release of the last 21 days of random contacts. Only then can the government figure out which other phones you have been close to. Given the undoubted pain that economic shutdown is causing for millions, would I take part in this kind of technology if it became evident that it is a key part of a shutdown exit strategy? In a heartbeat. Don’t confuse the egregious behaviour of big tech through our smartphones with a genuine effort from a government that cares about both privacy and health of its citizens.
Good heavens. And I thought I was bonkers !
What about people who do not possess a mobile phone? Do they just remain in lockdown whilst everyone else just gets back to normal? My wife has a mobile which I sometimes share if I really have to, but normally I don’t have a mobile with me.
I doubt the benefits that contact tracing apps can give us. On 1st May Bruce Schneier blogged about the problems of false positives and false negatives, and there don’t seem to have been solutions proposed for the problems he raised then. For example unnecessary quarantining because of false positives when Bluetooth passes through walls or till-screens which prevented transmission of the virus; but also “false negatives” because large numbers don’t have an app running, or when virus transmission occurs without close proximity – e.g. via common surfaces.