NHS contact tracing app: the government

Contact tracing app: Where did it all go wrong?

By Attila Tomaschek

Any system engineered to track and trace Covid-19 infections must gain the trust of the public for it to succeed.

The public needs to trust that the government has citizens’ best interests at heart and that authorities are doing everything possible to protect their privacy. Only then will they participate, and only then will a contact tracing scheme be effective.

This is what makes the contrast between the UK’s approach to Covid-19 contact tracing efforts, and those across the Irish Sea, fascinating to examine. While the Irish have developed a contact tracing app that properly preserves user privacy, the UK has stumbled pretty much every step of the way.

Ireland’s Covid tracker app is set to be released to the public any day now, pending Cabinet approval, and by all accounts ticks all the right boxes when it comes to protecting the privacy of its users.

The app can function properly without the need to collect any location data or any personally identifiable data from users and it makes use of the privacy-preserving digital contact tracing framework developed jointly by Apple and Google.

It relies on Bluetooth Low Energy signals to anonymously record the proximity events between active users of the app, eliminating any need to record the actual physical location of users.

This information is stored locally on the phone itself rather than in a centralised database, minimizing the risk of compromise by an unauthorised party.

Explicit user consent is required every step of the way should any user choose to submit any further information or positive Covid-19 diagnosis to the app.

The Irish authorities have also published an extremely thorough Data Protection Impact Assessment that lays out in great detail how the app works and what data privacy protections are in place to ensure user data remains appropriately secured at all times.

Significantly, they have also committed to decommission the app once the pandemic is over, ensuring none of the data will be used for any purpose beyond the scope of the current health crisis and especially any expanded surveillance objectives by government authorities.         

Though the eventual launch of the app has been delayed, it is apparent that Ireland has taken a prudent approach that comprehensively takes into account the importance of protecting user privacy and limiting the scope of the overall contact tracing efforts and data collection to only what is strictly necessary to appropriately address the pandemic.

All of this has helped to generate a healthy sense of public confidence in the system, so much so that early research has indicated that 82% of the adult population in Ireland would be willing to download the app; above the 60% takeup that has generally been cited as necessary for contact tracing apps to be effective.      

The UK government, by contrast, has bungled its way through the rollout of its test and trace scheme in truly spectacular fashion.

In April, Matt Hancock announced that the NHS had begun working on and testing a new digital contact tracing app to help the UK safely emerge from the lockdown. The expectation was that the application would be fully ready to go for citizens to use by mid-May.

At the time – and indeed until very recently – the Health Secretary was firmly resolute in the intention to build the app based on the centralised approach, despite it being clear that such a system would put user privacy at unnecessary risk, and that other more viable and more privacy-preserving options were available.   

However, following a disastrous trial run on the Isle of Wight where the app didn’t work properly, was riddled with security vulnerabilities, wouldn’t function in the background, and only detected 4% of iPhone proximity events, the government made a dramatic about-face and announced it would be scrapping its initial plan, and instead be developing a new app based on the Apple/Google framework after all.

By that time, however, the UK had already sunk nearly £12 million of taxpayer money and months of development work into an app that wasn’t fit for purpose. So much for Boris Johnson’s promise of a “world-beating” app for UK citizens by June 1st. A month later, and we’re still nowhere. The hope now is that the new app will be ready to go by autumn or winter.  

The entire contact tracing effort by the UK government has been a complete disaster on multiple other fronts. Contact tracers themselves have been woefully undertrained and unprepared for their roles, the contract to lead the test and trace program has been awarded to a company that was recently fined £19.2 million by the Serious Fraud Office, officials are having trouble allaying concerns from citzens regarding how to avoid scammers posing as contact tracers, and the test and trace program has already come under the legal microscope for how it handles data and the intent to hang onto that data for 20 years.

What’s more, the government even launched the program prior to publishing the legally mandated data protection impact assessment, suggesting that authorities had not thoroughly considered the privacy implications prior to launch.

None of what the UK government has done so far in relation to its test and trace scheme is worthy of eliciting the public’s confidence or trust.

Sure, the NHS contact tracing app will utilize the Apple/Google privacy-preserving framework when it is finally released, but it seems the damage has already been done.

Based on how the test and trace effort at large has been handled so far, it will be an uphill climb for the government to successfully establish a level of trust with the public adequate enough for the system to work.

Attila Tomaschek is a digital privacy expert at ProPrivacy.

The opinions in Politics.co.uk's Comment and Analysis section are those of the author and are no reflection of the views of the website or its owners.