The UK has started trialling an app to help contain the spread of COVID-19 by alerting people if they have come into contact with an infected person. Before the trial taking place in the Isle of Wight even began, the government came under fire for the way the app was designed, with questions over its effectiveness and impact on privacy.
We’ll need to wait until we have the results of the trial – but, as engineers who research mobile technology and cyber security, we believe there are good reasons to think the app will both be useful and provide a reasonable level of privacy protection.
The UK’s app uses Bluetooth to work out when you come into close contact with other app users, each of whom is recorded anonymously on your phone as a large random set of numbers. If you use the app to report experiencing COVID-19 symptoms, it sends your anonymised list of recent contacts to an NHS server, which can then privately alert these people that they may have been exposed and should self-isolate.
This centralised approach is similar to that used by equivalent apps in countries such as Australia. Other countries such as Germany are planning to use a decentralised system. With this approach, the app regularly downloads a list of anonymous codes of people who have reported symptoms and checks if any of them match those it has come into contact with.
Contact tracing apps won’t be able to end the lockdown on their own, as the government healthcare technology agency behind the UK’s app, NHSX, has made clear. For one thing, not everyone has a smartphone or will install the app. Instead, an app augments social distancing measures and traditional contact tracing, which involves interviewing patients and manually contacting everyone they have recently interacted with.
But many people have expressed concerns about how – or even whether – the app will work. The iPhone version of the app needs to be active on a user’s phone to send and receive the Bluetooth signals that let it communicate with other devices. When the app hasn’t been used for a while, the operating system normally shuts it down to save power. Apple has designed a workaround for this as part of a contact tracing collaboration with Google, but is only allowing the system to be used for decentralised apps.
The Australian app uses a “background refresh” feature to keep reactivating the app, plus push notifications to ask the user to manually restart it. Although authorities have admitted that this currently isn’t working properly, researchers have demonstrated a fix that appears to resolve the issue.
The UK app is taking a similar approach, and researchers have found that the iPhone app seems to regularly reactivate provided there are other devices (including Android phones) nearby running the app. Part of the reason for the trial is to ensure that these workarounds are effective and reliable.
The other major fear is that the app will violate privacy by giving the authorities data on users’ locations, which could then be stored and misused. First, it is worth highlighting that the UK app doesn’t trace contacts using a phone’s location. Users are asked for the first half of their postcode as a way of helping the NHS understand how many people are ill within a relatively wide area and plan resources accordingly.
On iPhones, the app will not access the device’s location via GPS. On Android phones, the app will ask for permission to access the phone’s location for technical reasons related to how the operating system works. But it will be possible to check that the app doesn’t access or transmit location data. The NHS has said that in future they will let people opt-in to sharing more data, and this might include location data.
The centralised model does mean health authorities have access to a list of devices you have recently been in contact with. But it also avoids needing to broadcast an anonymised list of people who have reported symptoms. This makes it almost impossible for others to tell if you are ill by using the data sent to their app.
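To make the difference between the two designs concrete, here is an added simulation (not code from the NHS app or any real contact tracing implementation) of the centralised matching described earlier and the decentralised matching used elsewhere; the phone names and the random 16-byte codes are constructed for the example. It shows that both designs alert the same contacts, but only the centralised server sees a contact list, while only the decentralised design lets a phone work out which of its encounters was the person who reported symptoms.

```python
import secrets

class Phone:
    """One app install: its own random code plus the codes it has seen nearby."""
    def __init__(self, name):
        self.name = name
        self.code = secrets.token_hex(16)   # random pseudonymous identifier
        self.seen = set()                   # codes of other phones encountered

def encounter(a, b):
    """Two phones exchange their codes over Bluetooth (simulated)."""
    a.seen.add(b.code)
    b.seen.add(a.code)

def centralised(reporter, phones):
    # The reporter uploads its recent contacts. Only the server sees this list
    # and decides whom to alert; other phones learn nothing about who reported.
    uploaded = set(reporter.seen)
    alerted = {p.name for p in phones if p.code in uploaded}
    return {"alerted": alerted,
            "server_sees_contacts": len(uploaded),
            "phone_can_tell_who_reported": False}

def decentralised(reporter, phones):
    # The reporter publishes only its own code. Every phone downloads the
    # bulletin and matches locally, so a matching phone knows which of its
    # recorded encounters belonged to the person who reported.
    bulletin = {reporter.code}
    alerted, identified = set(), set()
    for p in phones:
        hits = p.seen & bulletin
        if hits:
            alerted.add(p.name)
            identified |= hits
    return {"alerted": alerted,
            "server_sees_contacts": 0,
            "phone_can_tell_who_reported": reporter.code in identified}

def simulate():
    # Constructed scenario: alice meets bob and carol; dave meets nobody.
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    phones = [alice, bob, carol, dave]
    encounter(alice, bob)
    encounter(alice, carol)
    return {"centralised": centralised(alice, phones),
            "decentralised": decentralised(alice, phones)}

if __name__ == "__main__":
    print(simulate())
```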
Re-identifying people from anonymised data is a valid concern. But this still needs several pieces of information about an individual to work – and at present the server does not store or see any contextual information that would be useful for re-identification.
Trade-offs
It’s also worth considering that manual contact tracing involves someone interviewing you to find out the names and contact details of everyone you’ve interacted with. This arguably invades privacy much more than an app using anonymised codes.
Nonetheless, NHSX should take people’s privacy concerns seriously and allow them to request that their data be deleted, rather than retaining it indefinitely for research. The NHS app’s website currently appears to provide contradictory information on whether this will be made possible.
The centralised model also has the benefit of being able to follow the spread of reported symptoms between contacts. This allows the system to work out who might be at a higher risk of the disease simply from having been around a large number of people who had contact with an infected person.
Following these patterns also means the system can predict whether reported symptoms represent a real infection or not, and should help to identify false reports. It can also let people who have been told to self-isolate know if they should continue, stop or report for testing. It would be hard to do this in a private way in a decentralised system.
As with all complex systems, there are a series of trade-offs to be made. But the privacy protections built into the UK’s app are robust, and the barriers to breaking them or misusing the data are high. Problems may still emerge and the app’s current version may not be as effective as hoped – but that’s what the trial is for.