Health Sec Hancock says UK will use Apple-Google API for virus contact-tracing app after all (even though Apple were right rotters)

It's The Reg wot warned it

Updated The UK government last night confirmed it has aborted its ill-conceived coronavirus contact-tracing phone app – blaming protections and battery-saving restrictions in Apple’s iOS for its failure.

Rather than use its own controversial home-brewed techniques for detecting nearby people via Bluetooth, Blighty will instead build iOS and Android mobile apps that use the decentralized Apple-Google system like most of the rest of the world.

As The Register warned in May, the British government's original approach was on a collision course with various technical, legal, and privacy hurdles. For one thing, it was forced to use not-entirely-reliable unofficial workarounds to perform the wireless contact tracing.

Now, in a dramatic U-turn, the UK will use the Apple-Google interface after all, which is more reliable because it's specifically designed for contact tracing, and is built into and sanctioned by iOS and Android. It is also designed to perform all the contact testing within people's handhelds for privacy reasons, rather than beam people's whereabouts to a centralized database, and no data goes to either tech giant.

In a Thursday evening press conference, Matt Hancock, Secretary of State for Health and Social Care, claimed that back in May he ordered the head of the country’s Test and Trace programme Dido Harding – of TalkTalk fame – and the National Health Service's IT arm, aka NHSX, to start work on producing smartphone applications that used the Google-Apple interface as an alternative to the home-grown effort.

Months before that intervention, in March, NHSX issued contracts to various companies to build COVID-19 contact-tracing applications for the nation; a trial was held in the Isle of Wight at the start of May; and 54,000 people downloaded the software. It was due to be rolled out across the UK this month. Prime Minister Boris Johnson promised a “world-beating app.” Meanwhile, in April, Google and Apple announced they were working on an official interface together for health organizations and nations to use, a system that the UK turned its back on – until now.

The effects of that shortsighted snub are now clear. At the press conference, Hancock said NHSX had “rigorously tested” its home-grown applications, and “discovered a technical barrier that every other country building their own app is also now hitting. We found that our app works well on Android devices, but Apple software prevents iPhones being used effectively for contact tracing unless you are using Apple’s own technology.”

Man in office flippantly throws balls of paper in bin

No surprise: Britain ditches central database model for virus contact-tracing apps in favour of Apple-Google API


As we explained weeks and weeks ago, to preserve battery power and prevent the abuse of the Bluetooth subsystem, iOS limits what apps can do in the background, including sending out pings via Bluetooth radio to detect nearby smartphones, as required by the NHSX contact-tracing app. As a workaround, the NHSX approach involved setting up a timer to keep the code awake every few seconds. This was not recommended by Apple, which instead preferred the use of the official Google-Apple API for background Bluetooth activity.

In May, NHSX boss Matthew Gould told a parliamentary committee that the health service would ditch the home-grown software if “it becomes clear that a different approach is a better one… We are not particularly wedded to a single approach.”

Last night, however, Hancock was unconvinced the Apple-Google interface was entirely up to scratch. One beef is that the Apple-Google system approximates how close you got to someone who was infected. Hancock wants to know those distances more precisely, partly, we presume, to figure out how well people are socially distancing and how far the virus travels, and partly, perhaps, to save face. Fine, we'll do what Apple says, but we don't like it.

You can judge for yourself whether the Gabble API is up to snuff from the specification [PDF] and documentation.

"Measuring distance of course is mission critical to any contact-tracing app," Hancock insisted. What is likely to happen now is NHSX will build apps that use the official interface, and then maybe add in its own distance estimation code, which, like the Gabble method, relies on measuring Bluetooth signal strength.

“We have agreed to join forces with Google and Apple, to bring the best bits of both systems together," Hancock continued, "we’ll share our algorithm and the work that we’ve done on distance calculation and combine that with their work to deliver a new solution. What we’ve done in really rigorously testing both our own COVID-19 app, and the Google-Apple version is demonstrate that none of them are working sufficiently well enough to actually be reliable to determine whether any of us should self isolate for two weeks.”

The contact-tracing apps were considered central to the fight against COVID-19, though as the weeks and months passed, the role of the software was relegated by Harding to the “cherry on the cake.” Hancock maintained this somewhat dubious narrative, saying the track-and-trace system launched at the end of last month is “based on good old fashioned humans” and is “working well.”

By the way, when told a fraction of the estimated 10,000 people in the UK showing symptoms of COVID-19 each week were actually tested, Harding said: “I'm not pretending that it is perfect.”

As for when applications based on Apple and Google’s interface will be ready, Hancock said: “We are not going to put as date on it.” Based on the track record, that's entirely understandable. PS, Matt, Google released some template frontend and backend code for governments and organizations to use as the basis of their applications. You might need it. ®


Hancock engaged in some mild revisionism, claiming officials "kept our options open" after Apple and Google pitched their approach in April, while Blighty was a month into building its doomed home-grown apps. When The Register sounded the alarm in May, the spin from central government to the BBC and other mass media was clear: El Reg was wrong, the home-grown apps work "sufficiently well," and the UK was full-steam ahead with the software. Not exactly what we'd call keeping "options open."

Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Workers win vote to form first-ever US Apple Store union
    Results set to be ratified by labor board by end of the week

    Workers at an Apple Store in Towson, Maryland have voted to form a union, making them the first of the iGiant's retail staff to do so in the United States.

    Out of 110 eligible voters, 65 employees voted in support of unionization versus 33 who voted against it. The organizing committee, known as the Coalition of Organized Retail Employees (CORE), has now filed to certify the results with America's National Labor Relations Board. Members joining this first-ever US Apple Store union will be represented by the International Association of Machinists and Aerospace Workers (IAM).

    "I applaud the courage displayed by CORE members at the Apple store in Towson for achieving this historic victory," IAM's international president Robert Martinez Jr said in a statement on Saturday. "They made a huge sacrifice for thousands of Apple employees across the nation who had all eyes on this election."

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • It's a crime to use Google Analytics, watchdog tells Italian website
    Because data flows into the United States, not because of that user interface

    Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.

    The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.

    So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.

    Continue reading
  • Google recasts Anthos with hitch to AWS Outposts
    If at first you don't succeed, change names and try again

    Google Cloud's Anthos on-prem platform is getting a new home under the search giant’s recently announced Google Distributed Cloud (GDC) portfolio, where it will live on as a software-based competitor to AWS Outposts and Microsoft Azure Stack.

    Introduced last fall, GDC enables customers to deploy managed servers and software in private datacenters and at communication service provider or on the edge.

    Its latest update sees Google reposition Anthos on-prem, introduced back in 2020, as the bring-your-own-server edition of GDC. Using the service, customers can extend Google Cloud-style management and services to applications running on-prem.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading

Biting the hand that feeds IT © 1998–2022