Given his enthusiasm for all things digital, it wasn’t a surprise when the Health Secretary, Matt Hancock, made his announcement on Easter Sunday: NHSX, the new unit driving forward the digital transformation of health and social care, would shortly begin testing a smartphone app that might be our way out of lockdown. By tracing an infected person’s recent contacts, it could contain the spread of the virus while allowing people to get back to work and something more like normal life.
Sound too good to be true?
Other countries are already using contact-tracing apps. Contact-tracing is also used in sexually transmitted infections, where previous partners may be contacted with advice to get themselves a test. But whereas we tend to remember our sexual partners, we tend not to remember everyone who shared our train carriage or served us in a shop several days before we had symptoms. That’s where technology could help.
I write constantly about the threat to privacy of letting our smartphones share data that reveals where we go, what we do, and who shares our personal space. And although these are exceptional circumstances, we should not stop valuing our privacy. Emergency measures have a habit of becoming the new normal. And information about who we’ve been close to could be of interest to all sorts of people, from blackmailers to over-enthusiastic police officers enforcing their own interpretation of “necessary activities”.
Let’s compare some of the contact-tracing technology already in use, to see how the UK could avoid the pitfalls while harnessing our phones to battle the virus.
The Chinese app, AliPay HealthCode, raises some red flags. It assigns users a unique QR code which displays red, yellow or green, indicating your health status, and which determines how much freedom of movement you’re permitted. How that risk category is calculated remains opaque, though it uses proximity to known infected individuals or hotspot locations in that calculation. It sends your identity and location directly to a server accessible by the police, who can use it to enforce the quarantine demanded by your colour status. Use of the app is not compulsory, but even local movement may be impossible without it.
South Korea uses existing sources of data when tracing contacts, rather than a specific app (though they do have an optional app to monitor infected people in mandatory quarantine). They use interviews, supplemented with CCTV footage, smartphone location data, and even credit card records, to reconstruct an individual’s pre-diagnosis activities. They have been criticised for making public the locations and activities where others may have been infected, which has led to individuals being publicly identified, and deterred others from getting tested.
Israel has already allowed its internal security agency, Shin Bet, to access cellphone geolocation data, and that can now be used for coronavirus tracking. Cellphone users who have been close to known infected individuals may receive text messages telling them to self-isolate. However, Israel’s Association of Public Health Physicians criticised the project, asking why no health professionals were involved in designing it. The Ministry of Health then launched a location-based app, Hamagen, on an opt-in basis, also using GPS data.
Singapore’s TraceTogether app supplements interview-based contact-tracing in a similar way to South Korea’s. TraceTogether doesn’t collect data on where you have been, because it only wants to identify who has been within infectible range. To do this, it uses Bluetooth.
Where geolocation-based apps use the cellphone’s GPS function and its connections to the nearest cellphone towers, Bluetooth exchanges signals not with a cellphone network via a tower, but directly with other Bluetooth-enabled devices within a few metres.
Good news if you want to identify people at risk from the cellphone’s infectious owner, without handing over to a central database lots of personal data about where you were. All the app needs is Bluetooth’s Received Signal Strength Indicator (RSSI) readings, taken repeatedly, to approximate how close you were to another device, and for how long.
As the app’s ‘How Does TraceTogether Work?’ page puts it: “This proximity and duration information is stored on one’s phone for 21 days on a rolling basis – anything beyond that would be deleted. No location data is collected.” The data stays on each person’s phone unless they test positive for Covid-19, in which case they’re asked to hand it over to Singapore’s Ministry of Health (MOH).
The MOH works with them to trace their contacts for the previous 14 days. There’s a legal requirement to help MOH map recent activities if requested, including producing other data held on your phone in other apps. But it’s not compulsory to use TraceTogether at all.
Several other countries are introducing apps modelled on this app: the pandemic has spurred a worldwide rush of innovation and technical experimentation.
Most of us would welcome the chance to contain the spread of the virus without having to stay locked down until a vaccine arrives. But do we have to trade our privacy by turning everyone’s phone into a tracking device? Perhaps not.
More than 25 scientists across eight European universities decided that, rather than wait for others to produce bad apps, they would write their own. Or at least, write the basic code that others could use, and make it freely available. And the result was DP-3T.
Like Singapore’s TraceTogether, DP-3T is designed around Bluetooth’s capacity for device-to-device communication. Like TraceTogether, it transmits and receives ID codes that can later be used to reconstruct whether a sick person has been close enough to infect you. But it has some important refinements that mean no centralised body ever needs to know who has been close to whom.
Instead of transmitting codes that can be linked back to the person using the app, a DP-3T app transmits a random jumble of letters and numbers that changes regularly. Other devices receiving the codes won’t even know if this is the same device as yesterday, which is an important layer of protection for anonymity. Each device running the app will store all the codes sent and received.
If one person does get a diagnosis of Covid-19, they get a passcode from the healthcare professional making the diagnosis, which allows them (just once) to upload their “sent” codes from the pre-symptomatic contagious period to a database. This gives the database no information about the patient’s identity, location, or anything else, just the codes transmitted during the relevant period.
All the other phones running the app have access to the database of codes, but only to cross check against the codes in their own “received” file. The app can do this regularly and automatically, and alert the user if the level of exposure means they should self-quarantine, or get tested.
Everyone keeps control of their own data, the centralised database contains only anonymous codes from infected people, and nobody has the whole picture. It is possible to have both contact tracing and privacy.
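The exchange described above, as an added Python illustration written for this page. It is not DP-3T’s reference code (the real protocol derives its rotating codes from a secret key and includes details omitted here); the phone names, the 15-minute code rotation, the RSSI threshold, the exposure threshold and the encounters are all constructed assumptions. What it shows is the privacy property the text describes: the only thing that ever reaches the server is a set of random codes from the diagnosed user, and every other phone does the matching against its own “received” file.

```python
"""Simplified decentralised exposure matching in the style the article ascribes
to DP-3T.  Illustration only: not DP-3T's reference implementation, and the
constants below are assumptions chosen for the example."""
import secrets

EPOCH = 15 * 60          # seconds a broadcast code is used before rotation (assumption)
RSSI_NEAR = -70          # dBm at or above which a reading counts as "near" (assumption)
EXPOSURE_MIN = 15 * 60   # cumulative near-contact seconds that trigger an alert (assumption)
SAMPLE_INTERVAL = 60     # seconds between Bluetooth scans (assumption)


class Phone:
    """One device running the app. Nothing here is ever sent anywhere except
    the diagnosed user's own 'sent' codes for the contagious window."""

    def __init__(self, name):
        self.name = name
        self.sent = []        # (epoch_start, code) for every code this phone broadcast
        self.received = []    # (time, code, rssi) for every code heard
        self._current = None  # (epoch, code) currently being broadcast

    def code_for(self, t):
        """Code broadcast at time t; a fresh random code every EPOCH seconds,
        so a listener cannot tell today's code from yesterday's device."""
        epoch = t // EPOCH
        if self._current is None or self._current[0] != epoch:
            self._current = (epoch, secrets.token_hex(16))
            self.sent.append((epoch * EPOCH, self._current[1]))
        return self._current[1]

    def hear(self, t, code, rssi):
        """Record a nearby broadcast with its signal strength; stays on-device."""
        self.received.append((t, code, rssi))

    def upload_codes(self, from_time, to_time):
        """The only upload: codes this phone sent during the contagious window.
        No identity, no location, no received codes."""
        return {code for start, code in self.sent if from_time <= start < to_time}

    def exposure_seconds(self, published):
        """Cross-check the published codes against the local 'received' file.
        Only readings strong enough to suggest infectible range are counted."""
        return sum(SAMPLE_INTERVAL for _, code, rssi in self.received
                   if code in published and rssi >= RSSI_NEAR)

    def should_alert(self, published):
        return self.exposure_seconds(published) >= EXPOSURE_MIN


def simulate():
    """Constructed scenario: Bob sits beside Alice for 30 minutes, Carol passes
    her for 5 minutes and later spends an hour in the same hall but far away."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = set()  # holds codes only, never names or places

    for t in range(0, 30 * 60, SAMPLE_INTERVAL):          # close contact, both directions
        bob.hear(t, alice.code_for(t), -60)
        alice.hear(t, bob.code_for(t), -60)
    for t in range(3600, 3600 + 5 * 60, SAMPLE_INTERVAL):  # brief close pass
        carol.hear(t, alice.code_for(t), -65)
    for t in range(7200, 7200 + 60 * 60, SAMPLE_INTERVAL):  # long but distant
        carol.hear(t, alice.code_for(t), -85)

    # Alice is diagnosed; with a one-time authorisation she uploads the codes
    # she broadcast during the (constructed) four-hour contagious window.
    server |= alice.upload_codes(0, 4 * 3600)

    return {
        "codes_rotated": len(alice.sent),
        "server_holds_only_codes": all(isinstance(c, str) and len(c) == 32 for c in server),
        "bob_exposure_seconds": bob.exposure_seconds(server),
        "bob_alert": bob.should_alert(server),
        "carol_exposure_seconds": carol.exposure_seconds(server),
        "carol_alert": carol.should_alert(server),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Bob’s phone alerts because it heard Alice’s codes at close range for 30 minutes; Carol’s does not, because her only close contact was five minutes and the hour-long distant readings fall below the RSSI threshold. The server never learns who Bob or Carol are, or that either of them was near Alice.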
Is this the basis for the NHSX app being developed, which is also designed to use Bluetooth to track proximity?
“All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research,” according to Hancock’s announcement, “and we won’t hold it any longer than is needed.” But this implies that data from the app will be uploaded to a central database, where it can be used for other purposes. The fact the government felt the need to say that the police would not have access to the data suggests that it won’t be anonymous.
The public’s appetite to put the app on their phones will be reduced even further by the revelation that NHSX has teamed up with Palantir, a data-processing giant that works with the CIA (which part funds it). Palantir will be processing, not controlling the data, but our government has a patchy record on transparency over data retention and use.
However, a few developments over Easter weekend could force NHSX to radically rethink their project.
On Good Friday, Apple and Google released a joint statement, in itself a sign of the unprecedented times we are living in. They plan to design contact-tracing technology, either apps or the digital infrastructure on which apps can be built, which looks very like the DP-3T model. The two tech giants also announced another change that sounds like a minor technical detail, but could be more significant for the NHSX app. It concerns the way Bluetooth runs on Apple, and newer Android, devices.
When I asked a Singaporean friend about the TraceTogether App, he told me, “It’s a pain to use,” because it needs Bluetooth to be running all the time. But because Bluetooth is a digital blabbermouth, dishing out your data to any local device that wants to know, Apple devices don’t allow it to run in the background while you’re doing anything else, or while your phone is locked. Google’s newer Android systems run along the same lines.
This means that if you want the TraceTogether app to work “you have to leave it on and … ‘upside down’ in your pocket to go into Low Power mode,” says my Singaporean app user, “but of course everything’s haywire if you leave your phone unlocked in your pocket as you walk around!” At best, you pocket-dial your ex. At worst, a pickpocket has access to your entire life.
A dilemma for Google, and especially for Apple, which makes a big point of privacy, and of keeping your data on your device instead of on somebody else’s database. Could it allow Bluetooth to run when the app is not active, but for approved Covid-19 apps only?
This, in effect, is what it has said it will do. But its definition of approved Covid-19 apps is drawn more narrowly than many expected. In fact, Apple devices will only allow Bluetooth to run in the background for more privacy-friendly, decentralised contact-tracing systems, like DP-3T.
The solution to the Bluetooth privacy problem is that the exchanging and storing of randomly generated codes will happen, not in an app, but securely within the operating system. Data will leave the device only for explicitly authorised uploading to an approved database. The only other interactions possible with external databases will be queries about matching numbers. The app could potentially export any risk scores it has calculated for you, but not the codes sent and received by Bluetooth.
It sounds like a minor detail. But it could be a big spanner in the works for the NHSX app, if it doesn’t conform to that decentralised model. The app wouldn’t work with the phone locked or while you are using it for anything else. This inconvenience has been a big barrier to uptake in Singapore, where few people are using it, certainly fewer than the 60% of the population that public health experts have estimated as the minimum needed to make it work.
All these developments will have taken the NHSX project by surprise. It now faces a choice between carrying on with an app that’s less convenient to use, and that fewer people will trust, or starting again with a different model, delaying rollout, and denying them access to data that could be useful for research and for planning.
In the long run, however, adopting the DP-3T model has huge advantages. It makes it easier for lots of us to download and run an app, without worrying about whether we’re releasing data to big corporations and government bodies to use for other purposes. It avoids setting precedents for centralised databases of who we spend time with. And it’s the foundation for internationally-compatible anti-Covid-19 digital solutions, which we may need for some time to come.
So, quick redesign, and Matt Hancock can roll out the app and get the UK back to normal life in a couple of weeks?
Sadly, it’s not quite that simple.
Allowing app users to self-diagnose opens the door to false alarms by hypochondriacs (or schoolkids who aren’t happy their school reopened). Medical validation needs readily available Covid-19 tests, so that professionals can authorise uploading the codes. Society needs to facilitate people going into self-quarantine, getting tested themselves, and locking themselves away for weeks, without delays. And a majority of the population needs to be using the app, but not everyone has a smartphone equipped with low-energy Bluetooth.
Automated alerts can’t replace detailed contact tracing, as practised in South Korea and Singapore. But interview-based contact-tracing is labour-intensive. Contact-tracing tens of thousands of cases individually would be an immense task for a health service that can’t even pick up every 111 call.
However, a widely used app in conjunction with testing could be a workable compromise, reducing the transmission rate to a scale that the NHS can handle, while allowing people for whom the risk is acceptably low to return to work, and to a more normal life.
How low a risk is acceptable, and how normal life should be, are political questions. No app can answer those.