The NHS Covid-19 contact tracing app is advancing through testing and towards possible release. As it does, more issues and worries about the well-intended app have become apparent. These fall, largely, into two camps and, in concert, lead most experts to believe that the app won’t beat Covid-19. Key concerns are:
- Technical issues relating to the app’s design, execution and how it interacts with Apple and Google’s operating systems
- Users’ worries about how their personal data is collected, stored and used.
A recent survey by BCS (of 1,716 BCS members) put these two concerns under the microscope and found:
- Just 24% of respondents believe the app will contribute to curbing the disease
- 32% feel it will make no contribution and 45% are undecided
Some 42% of IT experts said they would be downloading the app for themselves, with 36% saying they would not install it and 21% undecided.
Critically, members told BCS that data security and privacy were their top concerns, followed by doubts around the app’s ability to work effectively.
Dr Bill Mitchell OBE, Director of Policy at BCS, The Chartered Institute for IT said: ‘BCS is clear that if done ethically and competently a tracing app can make a huge contribution to stopping the spread of COVID-19; but a majority of our members don’t believe the current model will work and are worried about the reliance on a centralised database.’
As an organisation, BCS has three overarching concerns about the app:
- Is the app going to solve the right problem?
- Is it going to function well enough technically to make a difference?
- How competently and ethically will this app be managed?
Choosing to install the app or avoid the app is an important decision. For the app to work effectively 60% of the UK population will need to use it. If enough of us make ill-informed decisions we’ll be dooming the app to failure, irrespective of its positives and negatives.
1. Risk and reward
Bill Mitchell, Director of Policy at BCS, says: ‘A lot of debate focuses on the NHS app’s ability to do good… its ability to help prevent the spread of coronavirus versus its potential for compromising users’ privacy. The key consideration is, how much data might the app reveal? What sort of data is it? Is this data of any actual intrinsic value? Is data with a theoretical value worth more than the opportunity to slow the virus’ spread?’
Continuing, Mitchell says: ‘And remember, however much data the NHS app may reveal it will be inconsequential relative to the huge amounts of personal data we gladly - and willingly - reveal about ourselves to the internet and social media giants as we consume their services.’
2. Contact tracing apps: the theory
When it comes to fighting COVID-19, experts agree on one point: preventing transmission is a priority. The problem is, the virus is spreading too quickly for manual contact tracing to be effective. A technical solution is needed.
Most contact tracing apps work on a similar theory: they record information about your closeness to other people and how long you were near to them. As closeness increases and the duration of that closeness rises, so the probability of potential infection will go up.
Such apps try to do this anonymously and by using the very minimum amount of data. Anonymously, in this context, is generally taken to mean: without revealing much, if anything, about the user’s identity and location.
Of the different app models in development and deployment around the world, most then require the user to tell the app when they are feeling poorly. This self-identification then triggers several different responses - both at the level of the app’s interface and in the app’s back end infrastructure. It’s what happens after self-identification that we’ll focus our efforts on.
3. Part of a wider web
It’s important to note that the NHS COVID-19 app isn’t the only government response to the virus’ spread. It’s not the only data point being drawn into the pool of information being used to model and understand the contagion and its spread. Rather, the up-and-coming app is just one of many pieces of information used by public health scientists.
4. The user’s perspective: how the NHS app works
The NHS’ app is currently on test in the Isle of Wight, where only council and NHS workers can download it. The BBC’s Rory Cellan-Jones was given early access.
It works like this:
- Download the app from Apple’s App Store or Google Play Store
- Install and enter your post code’s first four characters
- Allow the app to use your phone’s Bluetooth Low Energy radios
As you walk around, your phone will shake hands with other phones running the app. The contact is very thin: a tiny amount of information is exchanged (more about that in a moment). The key point is, however, it happens over Bluetooth. And, as such, the app and Bluetooth need to be running at all times.
If you’re feeling ill, you tell the app. It will then tell the system’s back end that somebody, potentially, has coronavirus and then a chain of in-app events takes place. This includes giving you health advice and, critically, suggesting to people you’ve been near that they might need to take steps.
On the surface level, many similarly tasked apps will look and do the same: you get advice, your contacts get advice. It’s what happens behind the scenes where the story gets interesting…
5. The backend: how it works
There are two key types of contact tracing app architectures: centralised and decentralised - more about those in a moment.
Critically, the decentralised model is backed by a rare partnership between Apple and Google. As part of this partnership, Google and Apple released ‘draft documentation for an exposure notification system in service of privacy-preserving contact tracing.’
Countries such as Germany, Italy and Estonia have opted for this Google and Apple backed decentralised approach.
The UK, France and Norway stand separate and have adopted a centralised architecture. The UK's app is designed and built by the NHS and GCHQ. Both approaches have supporters and critics. Just over half of professionals interviewed by BCS (51%) said the government should switch to the decentralised Google-Apple API model of storing records.
Only 23% favour the planned centralised model designed into the app currently, and most of the rest had no opinion.
Some commentators are reporting that the NHS is considering shifting development away from its current architecture and rebuilding using a decentralised design.
6. Centralised: The NHS’ approach
The model works as follows:
- As you walk around, your phone broadcasts a randomised ID number and collects similar IDs from other instances of the app running on nearby phones. The app also collects information about the interaction’s time and distance.
- When you report yourself as ill, you can choose to upload your ID to a central database
- The central database uses an NHS clinical algorithm to assess the uploaded interaction data and identify the risk posed by each interaction
- Users who had high-risk interactions with COVID-19 sufferers are sent a push notification with targeted health advice
Importantly, the app provides the insights that public health professionals need to better manage the virus in the UK.
7. Decentralised: the Google and Apple approach
Here, you tell the app you’re ill but give no more information. Periodically the app collates a list of all the people who have self-reported illness and sends it out to all the app’s users.
Your phone then looks at this list and works out if it has been close to any phones owned by people who have self-declared themselves as ill. If your mobile has been close enough – and for long enough – it’ll receive a notification. Most likely you’ll be advised to self-isolate.
The key point here is everybody who uses the app gets an understanding of who has declared themselves ill.
On the downside, the public health authority gets very little information about people being ill.
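To make the difference between the two models concrete, here is an added Python sketch of the information flow in each (not code from the NHS app or from the Google and Apple framework); the risk thresholds, the IDs and the encounter logs are constructed for illustration only.

```python
from dataclasses import dataclass

# Constructed thresholds: the article does not give the NHS clinical
# algorithm's parameters, so these are placeholders for illustration only.
CLOSE_RSSI_DBM = -70          # a stronger (less negative) signal stands in for "close"
LONG_ENOUGH_SECONDS = 15 * 60

@dataclass(frozen=True)
class Encounter:
    other_id: str    # randomised ID received from the other phone
    avg_rssi: int    # sampled signal strength, used as a proxy for distance
    duration_s: int  # total duration of the encounter

def high_risk(e: Encounter) -> bool:
    return e.avg_rssi >= CLOSE_RSSI_DBM and e.duration_s >= LONG_ENOUGH_SECONDS

def centralised_report(reporter_id: str, log: list) -> dict:
    """Centralised (NHS) model: the ill user's phone uploads its ID and its
    encounter log; the back end scores each interaction and chooses who to
    notify. The server therefore holds the reporter's ID next to every ID it
    met, which is the anonymous contact list Ian Levy describes below."""
    server_sees = {reporter_id: [e.other_id for e in log]}
    notify = sorted(e.other_id for e in log if high_risk(e))
    return {"server_sees": server_sees, "notify": notify}

def decentralised_publish(reporter_id: str) -> list:
    """Decentralised (Google/Apple) model: the ill user publishes only their
    own IDs; the back end learns nothing about who they met."""
    return [reporter_id]

def decentralised_check(my_log: list, published: list) -> dict:
    """Each phone downloads the published list and matches it locally, so
    every user learns which reported IDs they met, and only the phone
    decides whether the contact was close and long enough to alert."""
    reported = set(published)
    met_ill = sorted({e.other_id for e in my_log if e.other_id in reported})
    alert = any(high_risk(e) for e in my_log if e.other_id in reported)
    return {"phone_sees": met_ill, "alert": alert}

# Constructed logs: Alice spent 20 minutes near Bob and passed Carol briefly.
ALICE_LOG = [Encounter("BOB001", -60, 1200), Encounter("CAROL1", -85, 90)]
BOB_LOG = [Encounter("ALICE1", -60, 1200)]
CAROL_LOG = [Encounter("ALICE1", -85, 90)]
```

Carol's result shows the trade-off the text describes: in the decentralised model her phone learns that an ID it met has reported illness even though the contact was too brief to trigger an alert, while in the centralised model only the server sees that link.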
8. The NHS’ Bluetooth bits
In the NHS’ system, when two phones can see each other, the app samples and records the Bluetooth signal strength every few seconds. Here, the signal strength becomes a proxy for distance - this record represents information about the physical encounter.
The NHS explains: ‘Every time this happens, the record (date and time, package received over BLE, sampled signal strength, total duration of encounter) is securely stored on your phone. If nothing happens, each record is deleted after 28 days. At this point, nothing has been sent back to the NHS.’
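As an added illustration of the on-phone record the NHS describes (not the app's own code), the sketch below keeps one record per encounter with its date and time, the package received over BLE, the signal strength sampled every few seconds and the resulting duration, and deletes records after 28 days; the 5-minute gap that separates two encounters with the same phone, the start time and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=28)           # deletion window quoted from the NHS above
SAMPLE_GAP_LIMIT = timedelta(minutes=5)  # constructed: a longer silence starts a new encounter
T0 = datetime(2020, 5, 5, 9, 0, 0)        # constructed start time for the walk below

@dataclass
class EncounterRecord:
    started: datetime                                 # date and time
    ble_package: bytes                                # package received over BLE
    rssi_samples: list = field(default_factory=list)  # signal strength, sampled every few seconds
    last_seen: datetime = None
    def add_sample(self, when: datetime, rssi_dbm: int) -> None:
        self.rssi_samples.append(rssi_dbm)
        self.last_seen = when

    def duration_s(self) -> float:                    # total duration of encounter
        return (self.last_seen - self.started).total_seconds()

class LocalStore:
    """Lives on the phone; nothing here is sent to the NHS unless the user self-reports."""
    def __init__(self) -> None:
        self.records: list = []

    def observe(self, when: datetime, ble_package: bytes, rssi_dbm: int) -> None:
        for rec in reversed(self.records):  # extend the latest open encounter with this phone
            if rec.ble_package == ble_package and when - rec.last_seen <= SAMPLE_GAP_LIMIT:
                rec.add_sample(when, rssi_dbm)
                return
        rec = EncounterRecord(when, ble_package)
        rec.add_sample(when, rssi_dbm)
        self.records.append(rec)

    def purge(self, now: datetime) -> int:  # delete records older than 28 days
        keep = [r for r in self.records if now - r.started <= RETENTION]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)

def simulate() -> LocalStore:
    """Constructed walk: phone B in range for 2 minutes (sampled every 5 s), then again an hour later."""
    store = LocalStore()
    for i in range(25):
        store.observe(T0 + timedelta(seconds=5 * i), b"B-ID", -60 - (i % 3))
    store.observe(T0 + timedelta(hours=1), b"B-ID", -80)
    return store
```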
Importantly, the NHS’ use of Bluetooth isn’t supported by Google and Apple. In particular, using the radio while your phone is asleep isn’t a natural part of their operating systems’ specification. This has led some critics to theorise that the NHS’ app is fundamentally flawed and won’t work technically.
9. Cryptographic pass-the-parcel
The NHS has published a great deal of information about the app’s cryptographic underpinnings:
- Blog: The security behind the NHS contact tracing app
- NCSC Technical paper: High level privacy and security design for NHS COVID-19 contact tracing app
Ian Levy, Technical Director of the National Cyber Security Centre, explains: ‘There are some downsides to our approach though. For example, the system ends up with a list of devices that have been near each other, even though they're anonymous. It knows that device 123456 and device ABCDEF were near each other on a set of dates (assuming one of them has reported their contacts). In theory, that's a privacy risk, but it's only stored on the NHS app system and there's no way to link device 123456 to 'Ian Levy' or a particular place. If you discover that my app ID is 123456, there are some theoretical things you can do to try to understand my contacts if you've followed me round. But if you've followed me round, you've probably seen my contacts anyway. You can't do this sort of attack remotely and so it really doesn't scale.’
10. Privacy vs lives saved: the privacy balance
Critics of the centralised approach suggest that the UK government and even hackers can identify a human user and their location.
The NHS, for its part, acknowledges no system – as Ian Levy observes - is entirely safe from subversion or attack. But, it does claim that it has done much to reduce the risk of unintended data breaches through:
- Being secure by design – it doesn’t capture any personal information about you, nor does it capture your actual geographic location (just your ID’s proximity to other IDs)
- Deploying data minimisation – gathering and using just enough data to get its designated job done and no more
- Making the back end as secure as it can be – accepting that no system is entirely and absolutely secure.
Given everything above, as professionals and practitioners, we face a question when deciding whether to install the app: ‘Is the data processed and generated by the system worth more than your friends’ and families’ lives?’
11. Read the source code
The NHS COVID-19 app is open source and the project welcomes feedback from developers and security researchers. Code for both the Android and the iOS / Apple apps is available.
The project will make the system's back-end code open source 'soon'.