Growing storm over UK’s coronavirus tracing app shows how not to do it

Posted on May 6, 2020 by Glyn Moody

As this blog noted a couple of weeks ago, many governments around the world are looking to introduce coronavirus tracing apps to help take their countries out of lockdown. The hope is that such apps can be used by millions of people to pinpoint potential new cases of Covid-19 so that medical interventions can be made quickly and efficiently. Most countries are opting for a decentralized approach, which is better able to protect the highly personal data that is collected. In the EU, France and Germany had both chosen a centralized approach. But Germany has now reversed its position, and said that it will be building a decentralized app using the Apple-Google framework. The French government is under pressure to change its mind too. But the most fervent supporter of the centralized approach is the UK.

The new app is being written by NHSX, part of the UK’s National Health System (NHS). There is a detailed explanation of how it works from the NCSC, an offshoot of the UK’s GCHQ spy agency. But the criticisms are mounting. A group of scientists and researchers working in the UK in information security wrote a joint statement expressing their fears about the UK approach. In particular, the use of a fixed pseudonymous ID for each user of the proposed app poses a big privacy risk, because every encounter a user is involved in carries the same identifier, which makes it easier to construct a person’s social graph. A report from leading UK lawyers warns that the tracing app will need “detailed justification to satisfy human rights and data protection laws”.
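To make the social-graph point concrete, here is an added toy model that is not code from the article, NHSX or the NCSC: a constructed set of encounters is uploaded to a central server once with a fixed per-installation pseudonym and once with a pseudonym that changes every epoch (the HMAC derivation and the names are assumptions standing in for the real schemes). Only the fixed-ID log lets the server chain encounters into a graph.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample: four people and five encounters as (epoch, a, b).
PEOPLE = ["alice", "bob", "carol", "dave"]
MEETINGS = [(1, "alice", "bob"), (2, "alice", "carol"), (3, "bob", "carol"),
            (4, "alice", "bob"), (5, "dave", "alice")]
# Hypothetical per-device secrets; a real app would generate these randomly.
SECRETS = {p: hashlib.sha256(p.encode()).digest() for p in PEOPLE}


def fixed_id(person, epoch):
    """Centralized model: one pseudonym per installation, never rotated."""
    return hashlib.sha256(SECRETS[person]).hexdigest()[:8]


def rotating_id(person, epoch):
    """Decentralized model: a fresh pseudonym per epoch derived from the device secret.
    HMAC is a stand-in here, not the actual Apple-Google key derivation."""
    msg = epoch.to_bytes(4, "big")
    return hmac.new(SECRETS[person], msg, hashlib.sha256).hexdigest()[:8]


def uploaded_log(id_fn):
    """What the server receives: the two pseudonyms that met, tagged with the epoch."""
    return [(epoch, id_fn(a, epoch), id_fn(b, epoch)) for epoch, a, b in MEETINGS]


def social_graph(log):
    """Link uploads by pseudonym: an edge for each pair seen together.
    Identifiers that recur across epochs become hub nodes the server can follow."""
    graph = defaultdict(set)
    for _, x, y in log:
        graph[x].add(y)
        graph[y].add(x)
    return graph


def max_degree(graph):
    """Largest number of distinct contacts attached to one pseudonym."""
    return max(len(neighbours) for neighbours in graph.values())


def epochs_per_identifier(log):
    """How many epochs the most-seen pseudonym appears in (1 means unlinkable)."""
    seen = defaultdict(set)
    for epoch, x, y in log:
        seen[x].add(epoch)
        seen[y].add(epoch)
    return max(len(epochs) for epochs in seen.values())
```

With fixed IDs the server sees four nodes and one hub with three contacts; with rotating IDs it sees ten unrelated pseudonyms, each present in a single epoch.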

In that context, it’s troubling that the UK’s data protection body, the Information Commissioner’s Office (ICO), hasn’t seen a key document for the proposed app, its Data Protection Impact Assessment (DPIA). A DPIA is one of the main recommendations of the European Data Protection Board, which has published guidance on how to write coronavirus tracing apps that respect privacy. The head of the ICO had earlier written that decentralized systems should be the default option, unlike the UK approach.

Questioning of the head of NHSX by the UK Parliament’s human rights committee revealed that once uploaded, personal data cannot be deleted, and “can be used for research purposes”. Another UK Parliamentary committee, on science and technology, discovered that users of the app could be asked to share location data, and that the future inclusion of facial recognition technology was not ruled out.

On the plus side, the UK government has said that the app will be released under an open source license. However, the program still has technical problems: “it had thus far failed all of the tests required for inclusion in the app library, including cyber security, performance and clinical safety.” In addition, the approach the UK developers have had to adopt may drain the battery of smartphones much faster than the rival Apple-Google system. There is a larger problem which affects all tracing apps, whether centralized or decentralized: they may not help much. The security and privacy expert Bruce Schneier went further:

“My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

There is a danger that people are producing these apps because they can, not because they are known to work. Governments are happy to embrace them, because they can then put the onus on the public to use them. The UK’s health minister even went so far as to say: “If you download the app you are doing your duty and you’re helping to save lives” – implying that anyone who refuses to use the app is not doing their duty, and is complicit in future deaths. But an expert in Singapore, where such an app is already deployed, says they are no substitute for what is needed above all: manual contact tracing:

“If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No. Not now and, even with the benefit of AI/ML [artificial intelligence/machine learning] and — God forbid — blockchain (throw whatever buzzword you want), not for the foreseeable future.”

The Scottish government’s clinical director confirmed that apps aren’t necessary to carry out traditional manual tracing: “We don’t require it for contact tracing to work.”

The head of NHSX admits that the app is not optimised for privacy. That being the case, the UK government is essentially saying that the public should trust it on this, and that it’s worth taking the risk that privacy will be adversely affected. Given that discussions have already taken place about giving ministers the power to de-anonymize tracing app users, that seems to be asking a lot. Particularly since a recent survey showed that the majority of British citizens say they want tracing apps to take account of civil liberties and privacy.

With its centralized, go-it-alone approach, the UK government seems to be taking a huge gamble with people’s information, for little or no gain, just as it did when it flirted with the idea of seeking “herd immunity” instead of tackling the pandemic directly. As a result of that initial botched response, the UK now has the highest death toll in Europe. And yet it wants people to trust it once more.

Featured image by ZahariMinchev.