(Photo by STR/AFP via Getty Images)
Given his enthusiasm for all things digital, it wasn’t a surprise when the Health Secretary, Matt Hancock, made his announcement on Easter Sunday: NHSX, the new unit driving forward the digital transformation of health and social care, would shortly begin testing a smartphone app that might be our way out of lockdown. By tracing an infected person’s recent contacts, it could contain the spread of the virus while allowing people to get back to work and something more like normal life.
Sound too good to be true?
Other countries are already using contact-tracing apps. Contact-tracing is also used in sexually transmitted infections, where previous partners may be contacted with advice to get themselves a test. But whereas we tend to remember our sexual partners, we tend not to remember everyone who shared our train carriage or served us in a shop several days before we had symptoms. That’s where technology could help.
I write constantly about the threat to privacy of letting our smartphones share data that reveals where we go, what we do, and who shares our personal space. And although these are exceptional circumstances, we should not stop valuing our privacy. Emergency measures have a habit of becoming the new normal. And information about who we’ve been close to could be of interest to all sorts of people, from blackmailers to over-enthusiastic police officers enforcing their own interpretation of “necessary activities”.
Let’s compare some of the contact-tracing technology already in use, to see how the UK could avoid the pitfalls while harnessing our phones to battle the virus.
The Chinese app, AliPay HealthCode, raises some red flags. It assigns users a unique QR code which displays red, yellow or green, indicating your health status, and which determines how much freedom of movement you’re permitted. How that risk category is calculated remains opaque, though it uses proximity to known infected individuals or hotspot locations in that calculation. It sends your identity and location directly to a server accessible by the police, who can use it to enforce the quarantine demanded by your colour status. Use of the app is not compulsory, but even local movement may be impossible without it.
South Korea uses existing sources of data when tracing contacts, rather than a specific app (though they do have an optional app to monitor infected people in mandatory quarantine). They use interviews, supplemented with CCTV footage, smartphone location data, and even credit card records, to reconstruct an individual’s pre-diagnosis activities. They have been criticised for making public the locations and activities where others may have been infected, which has led to individuals being publicly identified, and deterred others from getting tested.
Israel has already allowed its internal security agency, Shin Bet, to access cellphone geolocation data, and that can now be used for coronavirus tracking. Cellphone users who have been close to known infected individuals may receive text messages telling them to self-isolate. However, Israel’s Association of Public Health Physicians criticised the project, asking why no health professionals were involved in designing it. The Ministry of Health then launched a location-based app, Hamagen, on an opt-in basis, also using GPS data.
Singapore’s TraceTogether app supplements interview-based contact-tracing in a similar way to South Korea’s. TraceTogether doesn’t collect data on where you have been, because it only wants to identify who has been within infectible range. To do this, it uses Bluetooth.
Where geolocation-based apps use the cellphone’s GPS function, and its connections to the nearest cellphone towers, Bluetooth exchanges signals, not with a cellphone network, via a tower, but with other Bluetooth-enabled devices within a few metres.
Good news if you want to identify people at risk from the cellphone’s infectious owner, without handing over to a central database lots of personal data about where you were. All the app needs is Bluetooth’s Relative Signal Strength Indicator readings to approximate how close you were to another device, and for how long.
As the app’s ‘How Does TraceTogether Work?’ page puts it: “This proximity and duration information is stored on one’s phone for 21 days on a rolling basis – anything beyond that would be deleted. No location data is collected.” The data stays on each person’s phone unless they test positive for Covid-19, in which case they’re asked to hand it over to Singapore’s Ministry of Health (MOH).
The MOH works with them to trace their contacts for the previous 14 days. There’s a legal requirement to help MOH map recent activities if requested, including producing other data held on your phone in other apps. But it’s not compulsory to use TraceTogether at all.
Several other countries are introducing apps modelled on this app: the pandemic has spurred a worldwide rush of innovation and technical experimentation.
Most of us would welcome the chance to contain the spread of the virus without having to stay locked down until a vaccine arrives. But do we have to trade our privacy by turning everyone’s phone into a tracking device? Perhaps not.
More than 25 scientists across eight European universities decided that, rather than wait for others to produce bad apps, they would write their own. Or at least, write the basic code that others could use, and make it freely available. And the result was DP-3T.
Like Singapore’s TraceTogether, DP-3T is designed around Bluetooth’s capacity for device-to-device communication. Like TraceTogether, it transmits and receives ID codes that can later be used to reconstruct whether a sick person has been close enough to infect you. But it has some important refinements that mean no centralised body ever needs to know who has been close to whom.
Instead of transmitting codes that can be linked back to the person using the app, a DP-3T app transmits a random jumble of letters and numbers that changes regularly. Other devices receiving the codes won’t even know if this is the same device as yesterday, which is an important layer of protection for anonymity. Each device running the app will store all the codes sent and received.
If one person does get a diagnosis of Covid-19, they get a passcode from the healthcare professional making the diagnosis, which allows them (just once) to upload their “sent” codes from the pre-symptomatic contagious period to a database. This gives the database no information about the patient’s identity, location, or anything else, just the codes transmitted during the relevant period.
All the other phones running the app have access to the database of codes, but only to cross check against the codes in their own “received” file. The app can do this regularly and automatically, and alert the user if the level of exposure means they should self-quarantine, or get tested.
Everyone keeps control of their own data, the centralised database contains only anonymous codes from infected people, and nobody has the whole picture. It is possible to have both contact tracing and privacy.
Is this the basis for the NHSX app being developed, which is also designed to use Bluetooth to track proximity?
Probably not.
“All data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research,” according to Hancock’s announcement, “and we won’t hold it any longer than is needed.” But this implies that data from the app will be uploaded to a central database, where it can be used for other purposes. The fact the government felt the need to say that the police would not have access to the data suggests that it won’t be anonymous.
The public’s appetite to put the app on their phones will be reduced even further by the revelation that NHSX has teamed up with Palantir, a data-processing giant that works with the CIA (which part funds it). Palantir will be processing, not controlling the data, but our government has a patchy record on transparency over data retention and use.
However, a few developments over Easter weekend could force NHSX to radically rethink their project.
On Good Friday, Apple and Google released a joint statement, in itself a sign of the unprecedented times we are living in. They plan to design contact-tracing technology, either apps or the digital infrastructure on which apps can be built, which looks very like the DP-3T model. The two tech giants also announced another change that sounds like a minor technical detail, but could be more significant for the NHSX app. It concerns the way Bluetooth runs on Apple, and newer Android, devices.
When I asked a Singaporean friend about the TraceTogether App, he told me, “It’s a pain to use,” because it needs Bluetooth to be running all the time. But because Bluetooth is a digital blabbermouth, dishing out your data to any local device that wants to know, Apple devices don’t allow it to run in the background while you’re doing anything else, or while your phone is locked. Google’s newer Android systems run along the same lines.
This means that if you want the TraceTogether app to work “you have to leave it on and … ‘upside down’ in your pocket to go into Low Power mode,” says my Singaporean app user, “but of course everything’s haywire if you leave your phone unlocked in your pocket as you walk around!” At best, you pocket-dial your ex. At worst, a pickpocket has access to your entire life.
Dilemma for Google, and especially for Apple. It makes a big point of privacy, and of keeping your data on your device instead of on somebody else’s database. Could it allow Bluetooth to run when the app is not active, but for approved Covid-19 apps only?
This in effect, is what it has said it will do. But its definition of approved Covid-19 apps is drawn more narrowly than many expected. In fact, Apple devices will only allow Bluetooth to run in the background for more privacy-friendly, decentralised contact tracing systems, like DP-3T.
The solution to the Bluetooth privacy problem is that the exchanging and storing of randomly generated codes will happen, not in an app, but securely within the operating system. Data will leave the device only for explicitly authorised uploading to an approved database. The only other interactions possible with external databases will be queries about matching numbers. The app could potentially export any risk scores it has calculated for you, but not the codes sent and received by Bluetooth.
It sounds like a minor detail. But it could be a big spanner in the works for the NHSX app, if it doesn’t conform to that decentralised model. The app wouldn’t work with the phone locked or while you are using it for anything else. This inconvenience has been a big barrier to uptake in Singapore, where few people are using it, certainly fewer than the 60% of the population that public health experts have estimated as the minimum needed to make it work.
All these developments will have taken the NHSX project by surprise. It now faces a choice between carrying on with an app that’s less convenient to use, and that fewer people will trust, or starting again with a different model, delaying rollout, and denying them access to data that could be useful for research and for planning.
In the long run, however, adopting the DP-3T model has huge advantages. It makes it easier for lots of us to download and run an app, without worrying about whether we’re releasing data to big corporations and government bodies to use for other purposes. It avoids setting precedents for centralised databases of who we spend time with. And it’s the foundation for internationally-compatible anti-Covid-19 digital solutions, which we may need for some time to come.
So, quick redesign, and Matt Hancock can roll out the app and get the UK back to normal life in a couple of weeks?
Sadly, it’s not quite that simple.
Allowing app users to self-diagnose opens the door to false alarms by hypochondriacs (or schoolkids who aren’t happy their school reopened). Medical validation needs readily available Covid-19 tests, so that professionals can authorise uploading the codes. Society needs to facilitate people going into self-quarantine, getting tested themselves, and locking themselves away for weeks, without delays. And a majority of the population needs to be using the app, but not everyone has a smartphone equipped with low-energy Bluetooth.
Automated alerts can’t replace detailed contact tracing, as practised in South Korea and Singapore. But interview based contact-tracing is labour intensive. Contact-tracing tens of thousands of cases individually would be an immense task for a health service that can’t even pick up every 111 call.
However, a widely used app in conjunction with testing could be a workable compromise, reducing the transmission rate to a scale that the NHS can handle, while allowing people for whom the risk is acceptably low to return to work, and to a more normal life.
How low a risk is acceptable, and how normal life should be, are political questions. No app can answer those.
Timandra Harkness presents the BBC Radio 4 series, FutureProofing and How To Disagree. Her book, Big Data: Does Size Matter? is published by Bloomsbury Sigma.
TimandraHarknes 
Join the discussion
Join like minded readers that support our journalism by becoming a paid subscriber
To join the discussion in the comments, become a paid subscriber.
Join like minded readers that support our journalism, read unlimited articles and enjoy other subscriber-only benefits.
SubscribeI find the mob’s addiction to the smart phone fascinating. Clearly, it’s an electronic pacifier for adult minds. And, no, all the smart phone can do is reveal your location to tyrannical government authoritarians. Throw it away and free yourself.
I surely can’t be alone in not having bluetooth or GPS location services enabled deliberately. but then I can read maps and use wired headphones when necessary. it’s bad enough we can be triangulated using cell phone towers though thankfully not as accurately as is being proposed.
I’m not picking on your personally, but you do typify a certain view on this whole question. Unless you are doing something criminal at the time, do you think anybody in charge of the database is really that bothered where you personally are or what you are doing or who you are doing it with? Frankly, they have better things to do. I know the standard retort: you’re being complacent, the authorities cannot be given the opportunity to abuse their power blah, blah. The trouble with this sort of slippery slope argument is that it uses a potential, but in fact very, very improbable future scenario, rather than any hard evidence of past abuse or any credible future threat.In this case, it seems like there is a workable solution without any great intrusion, but I don’t think even this would satisfy you.
“Don’t put too much faith in metrics” is just as accurate a headline. Statistical or risk analysis, not a human strongpoint 🙂
Like many others, I do feel that the privacy invasion of big tech over our lives is going too far. However, if you read this article carefully and if you take a close look at that Singapore solution (the code is public at https://bluetrace.io/) then it does appear to me that this is very far from “big brother watching me”. The Singapore solution does NOT track GPS location – it only listens for bluetooth signals from nearby phones. And, contrary to the statements in this article, it does actually use random and frequently rotating identifiers like the DP-3T model. So there’s no way to figure out what phone numbers you’ve been close to just by looking at the list of identifiers locally recorded. Also it doesn’t send anything to government unless, after having been diagnosed positive with COVID-19, you approve the release of the last 21 days of random contacts. Only then can the government figure out which other phones you have been close to. Given the undoubted pain that economic shutdown is causing for millions, would I take part in this kind of technology if it became evident that it is a key part of a shutdown exit strategy? In a heartbeat. Don’t confuse the egregious behaviour of big tech through our smartphones with a genuine effort from a government that cares about both privacy and health of its citizens.
Good heavens. And I thought I was bonkers !
What about people who do not possess a mobile phone? Do they just remain in lockdown whilst everyone else just get back to normal, my Wife has a mobile which I sometimes share if I really have to, but normally I don’t have a mobile with me.
I doubt the benefits that contact tracing apps can give us. On 1st May Bruce Schneier blogged about the problems of false positives and false negatives, and there don’t seem to have been solutions proposed for the problems he raised then. For example unnecessary quarantining because of false positives when Bluetooth passes through walls or till-screens which prevented transmission of the virus; but also “false negatives” because large numbers don’t have an app running, or when virus transmission occurs without close proximity – e.g. via common surfaces.