The UK is to stop developing its own Coronavirus contact tracing app and switch to building a new one that is constructed around a different philosophy.
NHSX’s original design, which progressed to the point of being built and tested, took – in international terms – a lonely path.
While many other nations began building their apps around technology jointly designed by Google and Apple, the UK built its system from the ground up.
Critically, the UK chose a centralised model where users’ phones would send contact data back to the NHS. This approach could, it was felt, protect people and also help deepen scientific understanding of the Coronavirus and how it spreads across a population.
The BCS Voice
Ahead of the UK Government’s direction change, BCS, The Chartered Institute for IT issued a policy positioning paper drawing on members’ experience. It recommended extensive testing and a strong communications campaign to increase public confidence in the technical and ethical aspects of the app.
Kathy Farndon, Vice President, BCS, The Chartered Institute for IT, said: ‘The biggest threat to the success of the contact-tracing app is that perceived “Big Brother” elements of the implementation, for example, the use of a centralised database, may have a negative effect on uptake from the public and minimise the chance of reaching the 60% uptake implementation target.’
Dr Bill Mitchell OBE, Director of Policy at BCS, The Chartered Institute for IT, said: ‘BCS is clear that if done ethically and competently a tracing app can make a huge contribution to stopping the spread of COVID-19; but a majority of our members don’t believe the current model will work and are worried about the reliance on a centralised database.’
The other path
By comparison, the Google and Apple approach keeps all necessary data on the users’ phones. This decentralised design provides little or no useful information to health authorities but does protect users’ privacy much more fully.
Though elegantly designed and with a sharp focus on anonymity, privacy researchers found the first NHS app could reveal details about users’ locations.
These genuine technical concerns, coupled with historic worries about government led IT and data gathering projects, caused observers, analysts and the public to be deeply sceptical about the app’s chances of success.
Technical limitations
Beyond privacy worries, the UK app faced another hurdle: Bluetooth. To work, most contact tracing apps used Bluetooth as a means of measuring closeness to other users’ phones.
Critically, the UK app used Bluetooth in ways not naturally supported by Apple and Google’s mobile phone operating systems.
A UK technical workaround saw the app being tested in the Isle of White. But, officials admitted that the first UK app only worked on ‘4% of Apple phones and 75% of Google phones.’ Rumours that the UK was developing a second, decentralised app began to circulate on social media and in the press.
France, another country that chose to design and develop a centralised contact tracing app, is facing difficulties. Though reports suggest it has been downloaded a million times, it is proving hard to link with other European countries’ decentralised apps. This means pan-European Coronavirus protection could be hampered.
The French app has been downloaded by around 2% of the nation’s population. This compares with Germany where 6% of its population has downloaded its Corona-War-App – a decentralised application.
Here are the key steps and talking points that led up to the UK Government’s change of heart.
1. Risk and reward
Bill Mitchell, Director of Policy at BCS, says: ‘A lot of debate focuses on the NHS app’s ability to do good… its ability to help prevent the spread of coronavirus versus its potential for compromising users’ privacy. The key consideration is, how much data might the app reveal? What sort of data is it? Is this data of any actual intrinsic value? Is data with a theoretical value worth more than the opportunity to slow the virus’ spread?’
Continuing, Mitchell says: ‘And remember, however much data the NHS app may reveal will be inconsequential relative to the huge amounts of personal data we gladly - and willingly - reveal about ourselves to the internet and social media giants as we consume their services.'
2. Contact tracing apps: the theory
When it comes to fighting COVID-19, experts agree on one point: preventing transmission is a priority. The problem is, the virus is spreading too quickly for manual contact tracing to be effective. A technical solution is needed.
Most contact tracing apps work on a similar theory: they record information about your closeness to other people and for how long you were near to them. As closeness increases and the duration of that closeness rises, so the probability of potential infection will go up.
Such apps try to do this anonymously and by using the very minimum amount of data. Anonymously, in this context, is generally taken to mean: without revealing much, if anything, about the user’s identity and location.
Of the different app models in development and deployment around the world, most then require the user to tell the app when they are feeling poorly. This self-identification then triggers several different responses - both at the level of the app’s interface and in the app’s back end infrastructure. It’s on what happens after self-identification that we’ll focus our efforts.
Further reading about digital contact tracing
Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing
The security behind the NHS contact tracing app
3. Part of a wider web
It’s important to note that the NHS COVID-19 app isn’t the only government response to the virus’ spread. It’s not the only data point being drawn into the pool of information being used to model and understand the contagion and its spread. Rather, the up-and-coming app is just one of many pieces of information used by public health scientists.
4. The backend: how it works
There are two key types of contact tracking app architectures: centralised and decentralised - more about those in a moment.
Critically, the decentralised model is backed by a rare partnership between Apple and Google. As part of this partnership, Google and Apple released ‘draft documentation for an exposure notification system in service of privacy-preserving contact tracing.’
Countries such as Germany, Italy and Estonia have opted for this Google and Apple backed decentralised approach.
The UK, France and Norway stand separate and have adopted a centralised architecture. The UK's app is designed and built by the NHS and GCHQ. Both approaches have supporters and critics. Just over half of professionals interviewed by BCS (51%) said the government should switch to the decentralised Google-Apple API model of storing records.
Only 23% favour the planned centralised model designed into the app currently, and most of the rest had no opinion.
Some commentators are reporting that the NHS is considering shifting development away from its current architecture and rebuilding using a decentralised design.
Further reading on how tracing apps work
So how do the coronavirus smartphone tracing apps work and should you download one to help?
5. Centralised: The NHS’ approach
The model works as follows:
- As you walk around, your phone broadcasts a randomised ID number and collects similar IDs from other instances of the app running on nearby phones. The app also collects information about the interaction’s time and distance.
- When you report yourself as ill, you can choose to upload your ID to a central database.
- The central database uses an NHS clinical algorithm to assess the uploaded interaction data and identify the risk posed by each interaction.
- Users who had high-risk interactions with COVID-19 sufferers are sent a push notification with targeted health advice. Importantly, the app provides the insights the public health professionals need to better manage the virus in the UK.
6. Decentralised
Here, you tell the app you are ill but give no more information. Periodically, the app collates a list of all the people who have self-reported illness and sends it out to all the app’s users.
Your phone then looks at this list and works out if it has been close to any phones owned by people who have self-declared themselves as ill. If your mobile has been close enough – and for long enough – it’ll receive a notification. Most likely you’ll be advised to self-isolate.
The key point here is that everybody who uses the app gets an understanding of who has declared themselves ill.
On the downside, the public health authority gets very little information about people being ill.
7. NHS’: The Bluetooth bits
In the NHS’ system, when two phones can see each other, the app samples and records the Bluetooth signal strength every few seconds. Here, the signal strength becomes a proxy for distance - this record represents information about the physical encounter.
The NHS explains: ‘Every time this happens, the record (date and time, package received over BLE, sampled signal strength, total duration of encounter) is securely stored on your phone. If nothing happens, each record is deleted after 28 days. At this point, nothing has been sent back to the NHS.’
Importantly the NHS’ use of Bluetooth isn’t supported by Google and Apple. Particularly, using the radio while your phone is asleep isn’t a natural part of their operating systems’ specifications. This had led some critics to theorise that the NHS’ app is fundamentally flawed and won’t work technically.
Further reading about Bluetooth and app security
Some Huawei phones won't be able to use NHS coronavirus app
Bluetooth: Connecting the future
8. Cryptographic pass-the-parcel
The NHS has published a great deal of information about the app’s cryptographic underpinnings:
- Blog: The security behind the NHS contact tracing app.
- NCSC Technical paper: High level privacy and security design for NHS COVID-19 contact tracing app.
Ian Levy, Technical Director of the National Cyber Security Centre, explains: ‘There are some downsides to our approach, though. For example, the system ends up with a list of devices that have been near each other, even though they're anonymous. It knows that device 123456 and device ABCDEF were near each other on a set of dates (assuming one of them has reported their contacts). In theory, that's a privacy risk, but it's only stored on the NHS app system and there's no way to link device 123456 to 'Ian Levy' or a particular place. If you discover that my app ID is 123456, there are some theoretical things you can do to try to understand my contacts if you've followed me round. But if you've followed me round, you've probably seen my contacts anyway. You can't do this sort of attack remotely and so it really doesn't scale.’
Further reading about the COVID-19 app
The Crypto on the NHSX COVID-19 App is a Thing of Maths Beauty
9. Read the source code
The NHS COVID-19 app is open source and the project welcomes feedback from developers and security researchers. Participation for Android and iOS / Apple is available.
The project will make the system's back-end code open source 'soon'.
