If there existed one thing right now that you’d think the whole world could unite on, it would surely be the need to throw all available scientific resources at trying to combat the spread of the coronavirus. And an essential part of combatting the spread of Covid-19 will be telecommunications, in particular contact-tracing apps that can monitor and mitigate the spread of the virus.
But it is here that there is precisely no unity among countries, nor indeed within them. With few exceptions, the whole idea of contact tracing, while conceptually popular, has proven in practice to be hugely controversial, bringing to the fore issues such as data privacy and security, along with the fundamental efficacy of the apps themselves.
So when looking at contact tracing, it may be best to start with South Korea, a country that appears to have done most on all fronts against the spread of the virus.
In contrast to the approach of other countries, the Korean government got directly involved in the creation of tracking apps, and with its Ministry of the Interior and Safety, launched a smartphone app to monitor citizens on lockdown through GPS to ensure they were not breaking quarantine rules. A tad draconian to some people’s eyes, but added to the rigorous testing campaign the country also embarked on, it cannot be denied that South Korea’s response to stopping the spread of Covid-19 has been impressive.
Similarly, in Singapore, the Government Technology Agency of Singapore (GovTech), the in-house IT agency of the Singapore public service, in collaboration with the Ministry of Health (MOH), launched the TraceTogether contact-tracing app.
The TraceTogether app works by exchanging short-distance Bluetooth signals between phones to detect users who have been in close proximity to one another. The app does not collect or use location data, nor access a user’s phone contact list or address book – it only establishes that a contact has been made, but not where this contact was.
This enables users who have been in close proximity with a TraceTogether user who has tested positive for Covid-19 to take the necessary action sooner, such as monitoring their own health closely for symptoms.
Another country at the vanguard of Covid-19 protection is Germany, where the government up until very recently supported the Pan-European Privacy-Preserving Proximity Tracing (Pepp-PT) protocol developed by organisations including German health agency the Robert Koch Institute. In explaining its aims, the Pepp-PT expressed the worthy mission statement of noting that the virus had spread quickly and knew no political boundaries.
The proposed app works in two modes. First, if a user has not been tested or has tested negative, the anonymous proximity history remains encrypted on their phone and cannot be viewed or transmitted by anybody. At any point in time, only the proximity history that could be relevant for virus transmission is saved, and earlier history is continuously deleted.
In the second mode, if a user has been confirmed as Covid-19 positive, the health authorities will contact the user and provide a transaction authentication number (TAN) code to ensure potential malware cannot inject incorrect infection information into the Pepp-PT system. The user uses this TAN code to voluntarily provide information to the national service that permits the notification of Pepp-PT apps recorded in the proximity history and hence potentially infected. As this history contains anonymous identifiers, neither person can be aware of the other’s identity.
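The two modes described above can be sketched as follows. This is an added, simplified model, not Pepp-PT's own code: the class and function names, the 14-day retention window and the one-hour TAN lifetime are assumptions, and at-rest encryption of the history is omitted.

```python
import hashlib
import secrets

RETENTION_SECONDS = 14 * 24 * 3600   # assumed window; the page gives no figure
TAN_LIFETIME_SECONDS = 3600          # assumed TAN validity


class Phone:
    """Mode 1: history stays on the device and older entries are deleted."""
    def __init__(self):
        self.history = []  # (anonymous_id, seen_at); encryption omitted here

    def record_contact(self, anonymous_id, seen_at):
        self.history.append((anonymous_id, seen_at))

    def prune(self, now):
        cutoff = now - RETENTION_SECONDS
        self.history = [(i, t) for i, t in self.history if t >= cutoff]
        return self.history


class NationalService:
    """Mode 2: an upload is accepted only with an unused, unexpired TAN."""
    def __init__(self):
        self._tans = {}  # sha256(tan) -> expiry; the TAN itself is not stored

    def issue_tan(self, now):
        tan = secrets.token_hex(8)
        digest = hashlib.sha256(tan.encode()).hexdigest()
        self._tans[digest] = now + TAN_LIFETIME_SECONDS
        return tan

    def submit_history(self, tan, history, now):
        digest = hashlib.sha256(tan.encode()).hexdigest()
        expiry = self._tans.pop(digest, None)  # pop makes the TAN single-use
        if expiry is None or now > expiry:
            return None                        # unknown, reused or expired TAN
        return sorted({anon_id for anon_id, _ in history})  # IDs to notify


def demo():
    now = 1_700_000_000  # constructed timestamp
    phone = Phone()
    phone.record_contact("eph-old", now - 20 * 24 * 3600)  # outside the window
    phone.record_contact("eph-a", now - 2 * 24 * 3600)
    phone.record_contact("eph-b", now - 3600)
    service = NationalService()
    forged = service.submit_history("0" * 16, phone.prune(now), now)
    tan = service.issue_tan(now)
    accepted = service.submit_history(tan, phone.prune(now), now)
    replayed = service.submit_history(tan, phone.prune(now), now)
    return forged, accepted, replayed
```

The upload without a TAN issued by the service and the replay of an already used TAN are both rejected, which is the injection case the TAN is meant to block.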
Across the border in France, leading technology firms spanning telecoms, IT, engineering design and health – Inria, ANSSI, Capgemini, Dassault Systèmes, Inserm, Lunabee Studio, Orange, Santé Publique France and Withings – created the StopCovid project team to provide the French health authorities with a complementary app to help manage the Covid-19 spread and strengthen a national government project to set up a mobile contact-tracing app.
Among the five foundations of the project are the use of the StopCovid app as part of the global strategy for managing the health crisis and epidemiological monitoring; strict compliance with the data protection and privacy framework at national and European level, as defined in particular by French law as well as the toolbox recently defined by the European Commission on proximity monitoring applications; transparency of algorithms, open code, interoperability, auditability, security and reversibility of the solutions; respect for the principles of digital sovereignty of the public health system and control of health choices by French and European society; and the protection and structuring of health data assets to guide the response to the epidemic and accelerate medical research.
At European level, the project is being carried out based on comparable approaches and ensuring interoperability and in close cooperation with national teams developing comparable applications in Germany, Italy, Spain, Norway and the UK.
The UK has only just revealed the basic details of its contact-tracing app, which will also work through Bluetooth. The app will automate the “laborious” process of contact tracing with the goal of reducing transmission by alerting people who may have been exposed to the virus so they can take the appropriate action.
Once installed, the app will log the distance between a user’s smartphone and other phones nearby that also have the app installed using Bluetooth Low Energy. The anonymous log of how close users are to other users of the app will be stored securely on their phones. If a user becomes unwell with symptoms of Covid-19, they can allow the app to inform the NHS, which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom the infected user came into significant contact over the previous few days.
Tech giants rock the boat
So far so good, and at face value it would appear there is huge national consensus as to how to beat a common enemy. However, this would be wildly optimistic, and the first real signs of problems came, somewhat ironically, when two of the world’s largest technology firms – Apple and Google – decided to lend their particular heft to contact tracing.
The companies plan to implement their solution in two steps, while maintaining strong protections around user privacy. First, in May, both companies will release application programming interfaces (APIs) that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.
Apple and Google added that they would work to enable a broader Bluetooth-based contact-tracing platform by building this functionality into the underlying platforms. The two companies noted that this would be a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.
Not the health authority in the UK. The NHS has voiced concerns that the Apple and Google solution would go against its own plans for contact tracing – namely that by only informing an individual that they have been in contact with an infected person, and not informing a central registry, it would not be possible for the health authority to gain a clear picture of the spread of Covid-19 throughout the UK.
The UK government has already contacted the nation’s telcos about the possibility of using location data for this end. The Apple and Google API would strictly limit the information public health authorities could gather and would not allow health authorities to ask a phone to gather a list of every other phone it has been in contact with.
Public trust of paramount importance
The emergence of the privacy issue lit blue touch paper within the UK’s technology community. Taking the lead after fuller details of the UK’s app were released, the UK Information Commissioner’s Office (ICO) stressed that people must have trust and confidence in the way personal data is used to respond to the Covid-19 crisis.
Information commissioner Elizabeth Denham said: “The ICO also recognises the vital role that data can play in tracking the pandemic and the need to act urgently. We have been working with NHSX to help them ensure a high level of transparency and governance. We will continue to offer that support during the life of the app as it is developed, rolled out and when it is no longer needed.”
Reacting to the UK app’s stated commitment to data privacy, Jim Killock, executive director of the Open Rights Group, a UK pressure group for rights in the digital age, noted that transparency over the app was paramount, yet the public at large knew nothing about how the app would work.
“It is especially unclear how the NHS app will function as it appears to rely on being able to leverage new protocols from Apple and Google, while Apple and Google have explicitly ruled out a ‘centralised’ approach to mobile data matching,” he said.
“Public trust is the most important marker of success for this app – without significant take-up from the population, it will fail. To secure that trust, and the best chance of take-up, the NHS needs to do more than a blog and a promise for privacy experts to get ‘under the bonnet’ sometime in the future, when the decisions have all been made.”
The implementation of an app that traces coronavirus contacts is necessary, but must overcome “perceived Big Brother elements” to ensure the public gets on board, added BCS, The Chartered Institute for IT in the UK.
BCS vice-president Kathy Farndon cautioned that the biggest threat to the success of the contact-tracing app was the perceived Big Brother elements of the implementation.
“For example, the use of a centralised database may have a negative effect on uptake from the public and minimise the chance of reaching the 60% uptake implementation target,” she noted. “BCS considers that a sustained campaign to increase public confidence in IT, supported by assurances of real safeguards, open and ethical data governance and protection by design is fundamental.”
Different approaches to data privacy
Public trust has indeed sparked huge concerns around the world.
French parliamentarians have criticised their government for robbing them of a chance to raise privacy concerns about the StopCovid app. MPs and civil liberties groups have raised the alarm over what they say are state surveillance and privacy risks surrounding the app.
Israel’s Supreme Court recently ruled that its government must bring its use of contact tracing under legislation. In March 2020, prime minister Benjamin Netanyahu’s government passed emergency regulations that enabled the country’s internal security service to tap into cellular data to retrace movements of those infected by Covid-19. As a result, Israeli parliamentarians also blocked the use by Israel’s police of mobile phone location data to enforce quarantine because of privacy concerns.
More controversially in Germany, the government of Angela Merkel announced that it would abandon its previously announced plan to launch an app based on the Pepp-PT protocol, and instead introduce a solution based on the API of Google and Apple. The move is said to be partly attributable to worries about privacy of the Pepp-PT approach which uses a centralised data model – as favoured by European health agencies, in particular the NHS in the UK and those in France – and the American companies’ decentralised model of operation. German authorities added that going down the Apple and Google route would lead to a quicker launch.
As the debate in Germany raged about the technological merits of each approach, the chair of the Council of Europe’s data protection Convention 108 committee, Alessandra Pierucci, and the Council of Europe’s Data Protection Commissioner, Jean-Philippe Walter, warned about the possible side effects of digital contact-tracing applications in the prevention of the Covid-19 pandemic and called for adequate safeguards to be put in place to prevent risks to personal data and privacy.
The European bodies added that if apps are deployed, then this should be for a limited duration only and solely on a voluntary basis. They also insisted that such applications should include specificities “by design” to prevent or minimise risks. This could be to ensure that the location data of individuals is not used, that no direct identification is possible or that re-identification is prevented.
Will UK’s contact-tracing app work?
But as well as privacy, there were also dissenting voices within the UK technology community around more fundamental issues regarding contact tracing, namely whether the app will actually work in the first place.
Darren Scott, managing director of Deane Computer Solutions in the UK, went as far as writing to prime minister Boris Johnson, warning that the proposed NHS Bluetooth-based approach to contact tracing was fundamentally flawed and its false positives and negatives, coupled with its inability to trace surface transfer risks or work offline, would surpass any concerns regarding security, a factor that alone would reduce uptake.
“In short, we genuinely believe the current NHS approach is destined for failure,” argued Scott.
Furthermore, independent UK research body the Ada Lovelace Institute said it had yet to see any evidence to support the immediate deployment of digital contact tracing or immunity certification. In a wide-reaching report, the institute warned that NHS plans to use technology to help reduce the spread of coronavirus would not be effective unless the government took action to address the technical limitations, barriers to effective deployment and social impacts of the technology. And that, it said, could literally be a matter of life or death.