Conflicting Approaches to Covid Contact Tracing App Privacy
Once the COVID-19 lockdown ends, tracing the contacts of people who become infected and telling them to self-isolate will be the only way to stop the disease spreading again, until a vaccine is available. This can be achieved by people going out and trying to find those contacts. But that is expensive and difficult to achieve.
But there is another way, using an app on mobile phones. How would a mobile phone app work?
A mobile phone can potentially detect information about all the smartphones it comes close to. The Bluetooth technology to do this is built into all phones. An app would detect and record some information about all those phones.
Then if the owner of a phone gets the symptoms of COVID-19 or tests positive, he or she tells the phone and it automatically informs the owners of all those other phones that they are at risk and need to self-isolate.
That would be far cheaper and more efficient than hoping people can trace those contacts.
Privacy and Security
But such an app raises questions of privacy and security of data.
One can imagine, for example, that some governments might want to use such a system to track where their citizens are at every minute of every day. Hence a phone must NOT be able to record any personal information about the people it has passed, such as their phone number. So there must be a system for encoding the identity of the phone which nevertheless allows the message to reach the right person.
Data Storage
So then the question arises: where is this encoded information stored?
There are two possible answers to this question.
Centralised Storage
One approach is for phones to send information about the other phones they pass to a centralised database.
This is the system used by NHSX [1], which the NHS is planning to trial soon on the Isle of Wight. For the app to be effective, they need 50% to 60% of the population to be using it [11]. If the test is successful, it will be rolled out nationally. As well as the NHS app, the government has promised to employ 18,000 contact-tracers by the middle of May as it pursues a “test, track and trace” strategy with a view to lifting the UK’s lockdown.
Decentralised Storage
The other approach is to store all data on the phone which recorded it. There is no centralised database.
For example, this is the system currently being developed by Apple and Google [2], which will be available for all phones everywhere in the world, although it will require an upgrade to the operating system of the phone, so it may not be available on older phones.
This system will avoid having a central database so that no government or other body can possibly abuse the data.
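A simplified sketch of the decentralised approach described above, added here as an illustration; it is not the Apple/Google protocol or the NHSX code. The HMAC-SHA256 derivation, the 15-minute rotation and the names Phone, ephemeral_id and simulate are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumption: the broadcast identifier rotates every 15 minutes


def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval of the day."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = secrets.token_bytes(16)  # random, carries no personal data
        self.heard = set()  # identifiers seen over Bluetooth, stored only on this phone

    def broadcast(self, interval: int) -> bytes:
        return ephemeral_id(self.daily_key, interval)

    def hear(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def report_positive(self) -> bytes:
        # Only the reporter's own key is published; the list of contacts stays local.
        return self.daily_key

    def at_risk(self, published_keys) -> bool:
        # Matching runs on the device: re-derive every identifier a published
        # key could have produced and compare with what this phone heard.
        return any(
            ephemeral_id(key, i) in self.heard
            for key in published_keys
            for i in range(INTERVALS_PER_DAY)
        )


def simulate() -> dict:
    """Constructed scenario: Alice meets Bob, Carol meets Dave, Alice reports."""
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    bob.hear(alice.broadcast(40))
    alice.hear(bob.broadcast(40))
    carol.hear(dave.broadcast(41))
    published = [alice.report_positive()]
    return {"bob": bob.at_risk(published), "carol": carol.at_risk(published)}
```

The published key lets Bob's phone recognise the encounter, while nothing that was uploaded says whom Alice met; in a centralised design the contents of `heard` would be sent to the server instead.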
Which system is better?
Some people say that a centralised system such as NHSX poses greater risks to privacy and safety. On 19 April, nearly 300 researchers signed an open letter reminding governments that data stored in many different places, such as individual phones, are more secure, and that data stored in one place are more susceptible to hacking. [13]
But NHSX chief executive Matthew Gould has said that waiting for Apple and Google to release their contact tracing technology would slow the development of the NHS Covid-19 app “quite considerably”. [3]
“I think there is something of a false dichotomy here between centralised equals non-privacy secure and centralised is privacy friendly,” Gould told a meeting of the UK Parliament’s Science and Technology Committee on 28 April. “We firmly believe that our approach, though it has a measure of centralisation in as much as you’re uploading the anonymised identifiers, none the less preserves people’s privacy in doing so.”
A centralised approach to contact-tracing means alerts sent to users about potential contact with Covid-19 come from a computer server held by the NHS, whereas Apple and Google’s approach sees alerts sent between devices when potential coronavirus symptoms are reported.
Gould argued that a centralised approach offered “profound benefits” for tracing Covid-19 without compromising privacy.
“It allows you to see the contact graph on how this is propagating and how the contacts are working across a number of individuals without knowing who they are. It allows you to do a number of important things that you couldn’t do if it was just phone to phone propagation. For example, one of the concerns around contact tracing is the ability to detect malicious use. One of the ways you can do that is look for anomalous patterns, even if you don’t know who the individuals are… which the approach we have taken allows and we’re not sure if a decentralised approach allows.”
World Divided
Despite COVID-19’s global spread, countries are developing apps independently. There are no global standards, which means that, once people start to travel between countries, their apps will not work. Indeed, if NHSX is implemented nationally in the UK, people in Northern Ireland and the Republic of Ireland will be using different systems.
Britain, Australia [4], France and Norway [5] are adopting a centralised system.
Estonia [6], Austria [7], Switzerland [7], Italy [8], Germany [9], Singapore [10] and Spain all have or are developing decentralised matching systems similar to or based on the proposed Apple-Google system.
Note that the app used in Singapore is based on a degree of surveillance that people in many other countries will find hard to accept. [12]
Conclusion
The standardisation of COVID-19 contact tracing app technology is yet another example where the nations of the world need to but are currently failing to work together to solve a global problem.
Perhaps their failure will show our leaders how important it is that they work together in future when we will need to solve a far more serious problem, namely climate change.
References
[3] https://www.digitalhealth.net/2020/04/nhsx-differs-with-apple-and-google-over-contact-tracing-app/
[5] https://www.ft.com/content/10f87eb3-87f9-46ea-88ab-8706adefe72d
[6] https://e-estonia.com/trace-covid-19-while-respecting-privacy/
[8] https://www.ft.com/content/10f87eb3-87f9-46ea-88ab-8706adefe72d
[10] https://www.tracetogether.gov.sg/
[11] https://045.medsci.ox.ac.uk/files/files/report-effective-app-configurations.pdf
[12] https://www.nature.com/articles/d41586-020-01264-1
[13] https://drive.google.com/file/d/1OQg2dxPu-x-RZzETlpV3lFa259Nrpk1J/view