People are fed up with lockdown. Families want to get out, people need to earn money, and employers want their teams back at work. Contact tracing apps are being floated as the solution to easing the current lockdown - but will they work?
NCSC (the partnership arm of GCHQ) has been busy reassuring people that the NHSX app is secure, useful, and that everyone should do their part and install it. But is that actually the case?
The first problem is that the development team have decided not to use the application programming interface (API) that Apple and Google have made available in their mobile operating systems. APIs are designed to hide the underlying complexity of an operating system: rather than having to understand all the issues around Bluetooth communication, power management, and battery drain, we just talk to the relevant API, which then handles all these complexities for us.
NHSX have chosen not to use these APIs. This means that unless our phone is constantly unlocked, with the app in the foreground, the app will not work. Worse, it means that the app will have inefficient ways of using Bluetooth, which will lead to excessive battery drain.
The next problem is adoption: even in Singapore, take-up of the official app has been poor. Currently only around 20 per cent of the population there have downloaded the government's mobile app - far too few to make the data effective in tracking spread of the virus. It's difficult to see how or why the UK would achieve a high enough percentage of installations to make the collected data usable.
We have another issue, with false alerts.
Any app will have a specific definition of a contact - let's say another signal within three feet, for greater than 5 mins. Bluetooth is not particularly accurate - it's going to fail to measure that distance accurately. Additionally, the app won't be able to understand that there's a wall or a window between us and a contact. On top of that, not every contact with someone carrying the virus results in infection.
This all means there will be lots of false positives - times when the app tells us we've been exposed to someone with the virus, when in reality we haven't.
False negatives are the opposite side of the coin - times when the app doesn't alert us to exposure, when in reality we were exposed. Again, the inaccuracy of Bluetooth means the app could report us as being 10 feet from another contact, when in reality we are sitting next to them. This also assumes that everybody has the app installed and running. We also know that not every transmission of the virus is due to direct contact, or even limited proximity.
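To make the false-positive and false-negative problem concrete, here is an added toy model (not code from the article or from NHSX) of the contact rule described above: within three feet for more than five minutes. It assumes a calibrated RSSI of -59 dBm at one metre and a free-space path-loss exponent of 2 (both constructed values), and applies a constant RSSI bias to stand in for fading, a phone in a pocket, or a wall.

```python
import math

TX_POWER_DBM = -59.0       # assumed RSSI at 1 m (constructed calibration value)
PATH_LOSS_EXPONENT = 2.0   # assumed free-space exponent; walls and bodies raise it
CONTACT_RADIUS_M = 0.9144  # the article's "three feet"
CONTACT_MIN_SECONDS = 300  # the article's "greater than 5 mins"


def expected_rssi(distance_m: float) -> float:
    """Ideal RSSI at a given distance under a log-distance path-loss model."""
    return TX_POWER_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def estimate_distance_m(rssi_dbm: float) -> float:
    """Invert the model: all a phone can do with a raw RSSI reading."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def classify_contact(rssi_samples, period_s: float = 10.0) -> bool:
    """Flag a contact when estimated proximity is within CONTACT_RADIUS_M
    for at least CONTACT_MIN_SECONDS in total. Samples are period_s apart."""
    close_seconds = sum(
        period_s for r in rssi_samples if estimate_distance_m(r) <= CONTACT_RADIUS_M
    )
    return close_seconds >= CONTACT_MIN_SECONDS


def simulate(true_distance_m: float, rssi_error_db: float,
             duration_s: float = 360.0, period_s: float = 10.0):
    """Constructed scenario: constant true distance and constant RSSI bias.
    Returns (ground_truth_contact, app_verdict)."""
    n = int(duration_s // period_s)
    samples = [expected_rssi(true_distance_m) + rssi_error_db] * n
    truth = true_distance_m <= CONTACT_RADIUS_M
    return truth, classify_contact(samples, period_s)


def outcome(true_distance_m: float, rssi_error_db: float) -> str:
    truth, verdict = simulate(true_distance_m, rssi_error_db)
    if truth == verdict:
        return "correct"
    return "false positive" if verdict else "false negative"


if __name__ == "__main__":
    # Six feet apart but a 6 dB stronger signal than the model expects:
    print(outcome(1.5, 6.0))    # false positive
    # Two feet apart but the phone is in a pocket (8 dB attenuation):
    print(outcome(0.6, -8.0))   # false negative
```

A few dB of error, well within the everyday variation of Bluetooth signal strength, is enough to move a reading across the three-foot threshold in either direction.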
What if the app alerts us saying we’ve been exposed to an infected contact? With these issues, the app isn't accurate enough to justify a fortnight of quarantine. Equally, what if the app doesn't alert us? That doesn't mean we’re in the clear: we actually will have no idea if we’ve been infected or not.
If we can’t trust the app to accurately alert us, why would we install it? Public complaints about battery drain (due to not using Apple and Google's API) will give further reasons not to install it.
Ian Levy, Director at GCHQ, has stressed the privacy-friendly nature of the app in his blog posts. He says the app “doesn’t have any personal information about you, it doesn't collect your location and the design works hard to ensure that you can’t work out who has become symptomatic”.
The app itself, though, shows this to not be true. When we install it, the first thing it asks for is our postcode, and the app then logs the exact make and model of our phone.
Once we press the button on the app saying we feel unwell, the last 28 days’ worth of data collected is uploaded - where it becomes the property of NCSC (part of GCHQ). We won't be able to get it deleted, and they can keep that data indefinitely, for whatever research they want to carry out.
NHSX's Chief Executive, Matthew Gould, was reluctantly forced to confirm this when grilled by MPs concerned about the privacy implications.
We've seen from other companies how trivial it is to build a complete picture of a person and their movements from such small data points. Indeed, Facebook has built a multi-billion-dollar global business around this sort of data collation.
Then we come to the legality of all this: lawyers from a number of firms took a look and raised issues around the app and its data collection. In a release from Matrix Chambers, they said "a centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful. That justification has not yet been forthcoming."
Not only that, but the involvement of third-party, private-sector companies with a history of data mining and behavioural analysis (like Faculty AI) has raised eyebrows as well: “the UK Government’s announcements for sharing health data between the private and public sector appear to be flawed. This means such data sharing is potentially not in compliance with legal requirements.”
The Government needs to focus on building trust in contact tracing apps, to get the adoption needed to provide accurate and actionable data. NHSX need to adopt Apple and Google’s APIs, as well as publish the Data Privacy Impact Assessment (DPIA) and source code, before enough people will trust the application enough to install it.
Tom Kranz, Cyber Security consultant