We are all eager to do what we can to contribute to the battle against Covid-19. As countries start to emerge from lockdown, contact tracing apps carry a huge burden of expectation. In the UK, the "NHSX Coronavirus Contact Tracing App" has been undergoing trials on the Isle of Wight. Soon everyone in the UK will need to decide for themselves whether to install the app, taking into account what the risks are and whether the potential benefits outweigh them. If not enough of us can or want to install it, or if it doesn't provide the information health professionals need, it will be effectively useless. I want to unravel some of the technical issues associated with using our smartphones as a tool in the fight against Covid-19.
What is contact tracing?
The idea behind the use of contact tracing is to slow the spread of the disease by identifying and contacting people who have likely been exposed to someone diagnosed with Covid-19. The first part relies heavily on technology, the second on people. These people are very important. In addition to interviewing the patient about where they may have been in contact with others, the contact tracers should ideally be trained to provide them with advice and guidance in a compassionate manner. The UK has recruited thousands of such contact tracers.
The NHSX app is designed to support the tracing process by using the Bluetooth Low Energy (BLE) radio in our smartphones to keep track of everyone else around us who is running the app. Each device running the app broadcasts an anonymised identifier that can be logged by other people's phones. Each phone will, therefore, carry a record of everyone it has been near and for how long. If someone falls ill or exhibits symptoms of Covid-19 they can self-report, and the phones whose identifiers were logged are notified.
The app on its own does not deliver contact tracing, it is about ‘exposure notification’. It cannot replace the high-quality data gained from human-driven contact tracing, nor can it provide the personal advice and assurance of trained professionals.
Why have an app at all?
The idea behind the app is that it might accelerate the ability to identify potentially exposed individuals. It is also likely to be more accurate than relying on a patient’s memory of where they’ve been and who they might have been in contact with, especially strangers in public places like supermarkets and on public transport.
Additionally, it is very helpful to public health professionals to identify the location of outbreaks. This information can help the authorities to determine whether to relax or re-impose short term restrictive measures and to position and prepare medical personnel for potential flare-ups. The NHSX app asks you to share the first part of your postcode in an attempt to balance privacy concerns with a generalised idea about where new cases are occurring.
What are the privacy concerns?
There have been two primary approaches to developing tracing apps, centralised and decentralised. Both models rely on anonymised IDs, but in a decentralised model, phones using the app download a daily list to check if they have been in contact with someone who has tested positive for COVID-19 (or is symptomatic). Privacy is maximised, but the public health authorities have no visibility into who is using the app or whom they may have been in contact with.
In a centralised model, which the NHSX app currently uses, the app can notify the health authorities that the user has self-identified with COVID-19 symptoms and chosen to upload the anonymised IDs of those it has been in contact with. The health authorities can then send a notification to the devices associated with these IDs that they may have been exposed and advise them to self-isolate or contact the local NHS. Because the NHSX app gathers the outward postcode at registration, it also provides useful information to identify neighbourhoods where there may be a resurgence of cases.
The centralised model has made some people nervous, especially now that NHSX has granted GCHQ access to the data. GCHQ has been tasked with helping to ensure the security and integrity of the cryptographic code used to provide anonymity, so it is ironic that its association with the app is making people feel insecure. Perhaps a further irony is that many people don't seem to have the same privacy concerns when it comes to the vast amount of personal information they voluntarily share with the commercial apps on their phone.
Deanonymisation is a real risk in a centralised model, but the benefits to public health professionals must be balanced with privacy concerns.
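To make the difference between the two models concrete, here is a small simulation of both flows. It is an added illustration for this article, not the NHSX app's or the Apple/Google code, and the key size, the HMAC-based identifier derivation, the 10-minute broadcast slot and the 15-minute exposure threshold are assumptions chosen for the example. In the decentralised flow the diagnosed user publishes only their own daily keys and every other phone does the matching locally; in the centralised flow the diagnosed user uploads the identifiers they logged and the server, which issued those identifiers at registration, resolves them to devices and postcodes, which is the deanonymisation capability mentioned above.

```python
"""Simplified exposure-notification matching, decentralised versus centralised.

Constructed illustration only. Key sizes, derivation labels, the 10-minute slot
and the exposure threshold are assumptions; this is not any real app's code.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict

INTERVALS_PER_DAY = 144     # assumed: a fresh identifier every 10 minutes
EXPOSURE_THRESHOLD = 15     # assumed: minutes of contact that count as an exposure


def derive_ids(daily_key: bytes, day: int) -> list[bytes]:
    """Derive the rotating identifiers broadcast on `day` from one daily key.

    Whoever holds the daily key can recompute all 144 identifiers; whoever only
    overheard one identifier cannot link it to the key or to the other slots.
    """
    return [
        hmac.new(daily_key,
                 b"EN-RPI" + day.to_bytes(4, "big") + slot.to_bytes(2, "big"),
                 hashlib.sha256).digest()[:16]
        for slot in range(INTERVALS_PER_DAY)
    ]


class Phone:
    """One handset: its own daily keys plus a log of identifiers heard over BLE."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_keys: dict[int, bytes] = {}                 # day -> key, never leaves the phone unless diagnosed
        self.contacts: dict[bytes, int] = defaultdict(int)     # identifier heard -> minutes observed

    def key_for(self, day: int) -> bytes:
        return self.daily_keys.setdefault(day, secrets.token_bytes(16))

    def broadcast_id(self, day: int, slot: int) -> bytes:
        return derive_ids(self.key_for(day), day)[slot]

    def observe(self, other_id: bytes, minutes: int) -> None:
        """Log an identifier received from a nearby phone (the per-phone record in the text)."""
        self.contacts[other_id] += minutes

    def diagnosis_upload(self, days: list[int]) -> list[tuple[int, bytes]]:
        """Decentralised model: the diagnosed user publishes only their own daily keys."""
        return [(d, self.key_for(d)) for d in days]

    def check_exposure(self, published_keys: list[tuple[int, bytes]]) -> int:
        """Decentralised model: runs on the phone after downloading the daily key list.

        Re-derives every identifier from each published key and sums the minutes
        this phone spent near any of them. The server never learns the result.
        """
        minutes = 0
        for day, key in published_keys:
            for rpi in derive_ids(key, day):
                minutes += self.contacts.get(rpi, 0)
        return minutes


def simulate_encounter(a: Phone, b: Phone, day: int, slot: int, minutes: int) -> None:
    """Both phones log each other's current identifier (constructed sample data)."""
    a.observe(b.broadcast_id(day, slot), minutes)
    b.observe(a.broadcast_id(day, slot), minutes)


def decentralised_demo() -> dict[str, bool]:
    """Alice meets Bob for 20 minutes and Carol for 5, then tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    simulate_encounter(alice, bob, day=100, slot=42, minutes=20)
    simulate_encounter(alice, carol, day=100, slot=50, minutes=5)
    published = alice.diagnosis_upload(days=[99, 100])   # the daily list other phones download
    return {p.name: p.check_exposure(published) >= EXPOSURE_THRESHOLD for p in (bob, carol)}


def centralised_server_view(uploaded_contacts: dict[bytes, int],
                            registry: dict[bytes, tuple[str, str]]) -> list[tuple[str, str, int]]:
    """Centralised model, as seen by the server.

    The diagnosed user uploads the identifiers they *logged*. Because the server
    issued those identifiers at registration (`registry` is an assumed table of
    identifier -> (device, outward postcode)), it can resolve each one to a device
    to notify and to a neighbourhood. That same lookup is what makes
    deanonymisation possible in this model.
    """
    return [(registry[i][0], registry[i][1], m)
            for i, m in uploaded_contacts.items()
            if i in registry and m >= EXPOSURE_THRESHOLD]


if __name__ == "__main__":
    print("decentralised:", decentralised_demo())
    reg = {b"id-bob": ("device-bob", "PO30"), b"id-carol": ("device-carol", "PO31")}
    print("centralised:", centralised_server_view({b"id-bob": 20, b"id-carol": 5}, reg))
```

Note what each side learns: in `check_exposure` the published key list reveals nothing about who the diagnosed person met, only the keys they broadcast, and the phone that downloads it never reports back; in `centralised_server_view` the server sees every contact the diagnosed user logged, mapped to a device and a postcode area, which is both the public-health benefit and the privacy cost the text describes.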
What is the issue with Google and Apple’s model?
There is one last problem with these apps. They need to be able to broadcast your anonymised identifiers everywhere you go and assess with reasonable accuracy how closely you have come into contact with others.
Of the major smartphone platforms, Apple has expressly prohibited apps from broadcasting continuously over BLE while in the background, for both privacy and battery reasons. This makes apps like the NHSX app less effective on iPhones. Unless a user leaves their iPhone unlocked with the NHSX app in the foreground, the app will drastically reduce its broadcasts or stop broadcasting entirely.
Excluding iPhone users from those participating, especially in countries like the UK where iPhones account for a large share of handsets, negates most, if not all, of the benefit in terms of reaching a critical mass of users.
Apple and Google have released a new capability that enables exposure notification apps on their devices to use BLE for this purpose, but only on their terms. Governments and health authorities will not be able to collect identifiable information or location data and must use the Apple/Google privacy-focused decentralised model.
The privacy of the Apple/Google proposal is unrivalled, but also comes with its own problems, most importantly the requirement to blindfold public health experts. This decision should not be left to Silicon Valley, it should be a conversation between the UK’s public health leaders and those they seek to protect. If people trust the NHS and GCHQ to do what’s right, they will load the app and voluntarily disclose information. If they don’t, they won’t.
Chester Wisniewski, principal research scientist, Sophos