With traditional public health contact-tracing methods unable to keep up with the pace of the pandemic, the UK government has been working on a tool to digitally track and warn people who have been around someone who is showing symptoms of the coronavirus.
Apple and Google are expected to release their contact tracing technology to developers tomorrow. But the UK’s National Health Service (NHS) says it won’t use the Apple-Google model, BBC reports. While the two tech companies are working on a “decentralized” approach, in which the contact tracing matches will happen on users’ devices, the NHS is opting for a “centralized” model, in which the matching and alerts happen via a computer server.
Despite the performance and privacy concerns that have emerged at the prospect of departing from the model proposed by the tech giants, a spokesperson for NHSX said that the organization’s engineers have developed an app using the standard APIs published by Google and Apple, while adhering to the Bluetooth Low Energy (LE) standard.
The technology uses Bluetooth LE to register all the smartphones that a given phone has come into close proximity with over a few days, and sends an anonymous warning to all users who are at risk if one of the phone owners finds that they are infected with COVID-19.
Bluetooth has been put forward as a solution because, unlike GPS or Wi-Fi data, the technology only tracks which devices have been near one another, instead of registering users’ locations.
Apple and Google have promoted the decentralized approach as a way to protect users’ privacy from authorities and hackers. According to the BBC, the NHS believes the centralized approach will allow it to more easily audit the system and adapt it as new scientific evidence comes in.
Another potential drawback is that the centralized approach may eat up more power. Apple’s solution lets the contact tracing happen in the background, but the UK’s app has to be woken up every time the device detects another nearby device running the same app.
By choosing the centralized approach, the NHS is aligning more with Australia than some of its EU counterparts. Australia’s app, which was released over the weekend, uses a mix of Bluetooth and stored contact data on both the app and servers. Germany, on the other hand, has switched its stance and is now pursuing a decentralized architecture, as are Austria, Estonia and Switzerland.
So far, the European Commission and the EU’s data protection watchdog support both models but note that the differences aren’t entirely clear, EUobserver reports. In either case, the challenge will be getting enough widespread adoption for the apps to be effective.
The joint Apple and Google contact-tracing API is based on Bluetooth, which never collects any geographic data in order to protect individual privacy.
One of the main drawbacks of an app built on a different model from the one pushed by Apple and Google is technical. The option put forward by the tech giants lets the app run in the background without hindrance, while the NHSX’s service would have to be woken up every time the phone detects another device running the same software. This could cause significantly more strain on battery life.
“Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life,” said the NHSX spokesperson.
The UK government’s homegrown app is also likely to come under public scrutiny as a result of privacy concerns. The new tool follows a centralized model, which means that when a user reports symptoms of the coronavirus, the warning is sent to a central computer server, which then works out who to send an alert to among the contacts that the infected person’s phone has registered.
We all know that the UK has a very poor record in developing central applications, especially in the NHS, which spent the best part of £12 billion on electronic care records before pulling the plug in 2011 after 10 years of going nowhere.
On the other hand, Apple and Google’s model is decentralized: users who have come into prolonged contact exchange their respective anonymous key codes, and if one of the users then reports feeling ill, their key code is sent to a central database. Meanwhile, the second user’s phone regularly checks the database for matching key codes and sends a warning when it recognizes the code of a user who has been infected. The matching, therefore, happens on users’ devices, rather than through a centralized database.
A decentralized approach is arguably more privacy-friendly, as it eliminates the risk of log data being de-anonymized and used by the authorities to track individuals for other purposes than reducing the spread of the pandemic. A central database is also potentially more at risk of hacking.
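The two matching models described above, sketched as an added example that is not code from the NHSX app or the Apple-Google API. It shows that both alert the same contact while the central server ends up holding different data. All class and function names are hypothetical, and a single static code per phone is a simplifying assumption.

```python
import secrets

class Phone:
    def __init__(self, name):
        self.name = name                  # local label, never transmitted
        self.code = secrets.token_hex(8)  # anonymous key code sent over Bluetooth LE
        self.heard = set()                # codes registered from nearby phones

def meet(a, b):
    """Two phones in close proximity register each other's code."""
    a.heard.add(b.code)
    b.heard.add(a.code)

class DecentralizedServer:
    """Stores only the codes of users who reported; matching is on-device."""
    def __init__(self):
        self.reported = set()
    def report(self, phone):
        self.reported.add(phone.code)

def check_on_device(phone, server):
    # The phone downloads the reported codes and compares them locally.
    return bool(phone.heard & server.reported)

class CentralizedServer:
    """Receives the reporter's contact list and decides who to alert."""
    def __init__(self):
        self.contact_log = []             # (reporter, contact) pairs held centrally
    def report(self, phone):
        self.contact_log += [(phone.code, c) for c in sorted(phone.heard)]
        return set(phone.heard)           # codes the server will alert

def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    phones = [alice, bob, carol]
    meet(alice, bob)                      # carol met nobody

    dec = DecentralizedServer()
    dec.report(alice)
    dec_alerted = {p.name for p in phones if check_on_device(p, dec)}

    cen = CentralizedServer()
    to_alert = cen.report(alice)
    cen_alerted = {p.name for p in phones if p.code in to_alert}

    return {
        "dec_alerted": dec_alerted, "cen_alerted": cen_alerted,
        "dec_server_knows_bob": bob.code in dec.reported,
        "cen_server_knows_pair": (alice.code, bob.code) in cen.contact_log,
    }

if __name__ == "__main__":
    print(simulate())
```

The `contact_log` pairs are the log data whose de-anonymization and exposure to hacking the paragraph above is concerned with; the decentralized server never receives them.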
“It obviously seems, on the surface, a better approach to use Google and Apple’s system of contact-matching on the phone, as opposed to centrally. If the NHS have said that they don’t wish to follow that model, they need to give a really clear explanation of why they couldn’t do this in a more privacy-friendly way.”
Jim Killock, the executive director of Open Rights Group
The main driver of a centralized approach is that it lets the health services run analytics on data to send warnings only if they are legitimate, and only to those who are most at risk of having got infected.
Bluetooth-based contact-tracing apps come with the risk of over-reporting some interactions between individuals, because Bluetooth range can vary depending on how the device is held or whether the user is indoors or outdoors.
In other words, a huge number of false positives can be generated via Bluetooth. A centralized approach is the only way to make sure that if someone reports being sick, a warning will be sent only to the app users that have come into epidemiologically significant contact with the infected person – and not to the person waiting for the bus on the other side of the road from them.
The European Commission has already indicated that both centralized and decentralized models are acceptable. NHSX has also been consulting with the Information Commissioner’s Office (ICO) to develop the app in an ethical and lawful manner.
Open Rights Group’s Jim Killock says that the UK government has lacked transparency throughout the process. “Assuming their approach is the only way to reach legitimate goals, then at the very least we need much stronger, firmer guarantees around the use of privacy,” he said.
“The NHS has a fairly bad record on the use of personal data. We need legally enforceable guarantees that data will not be re-used.”
“We are sharing the same goals and want the same thing: for the app to have a serious chance of usability and effectiveness. The lack of transparency isn’t aiding that.”
The Big Data Institute estimates that over 60% of the UK population would have to be using the app for digital tracing to reach enough people as they become infected. In other countries that have implemented a centralized solution, like Singapore, uptake has stagnated around 12%.
Killock maintained that the app is unlikely to be anything more than a tool, and that other kinds of contact-tracing will be far more effective. “But given that it’s being tried, we want it to have a chance of success,” he said. That can only happen if the app earns the public’s trust.