UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal
Herd immunity all over again
Updated Britain is sleepwalking into another coronavirus blunder by failing to listen to global consensus and expert analysis with the release of the NHS COVID-19 contact-tracking app.
On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution to the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.
Unfortunately for folks in UK, while the explanation is coherent, calm, well-reasoned and plausible, it is likely to be a repeat of the disastrous "herd immunity" approach the government initially backed as a way to explain why it didn't need to go into a national lockdown. That policy was also well-reasoned and well-explained by a small number of very competent doctors and scientists who just happened to be wrong.
Here's what's happening: there are broadly two types of coronavirus contact-tracing apps; those that are centralized and those that are decentralized. The first takes data from people's phones and saves it on a central system where experts are trusted to make the best possible use of the data, including providing advice to people as and when necessary.
The second, decentralized approach, as set out by Apple and Google, puts users in more control of their information, and alerts them automatically with no intervention from a third party. Apple and Google have also banned apps that use their anonymized API from accessing location services to track and identify people, despite pressure to do so. And they have said they will only allow one app per country, or state in the US, to use the interface.
Both types use Bluetooth to detect nearby phones also running the software. Thus, when someone catches the coronavirus, people can be warned if their phone was within 6ft of that patient's phone for more than a few minutes.
Leave it to us
In his post, the technical director of the National Cyber Security Centre (NCSC), Dr Ian Levy, explained in persuasive terms why allowing health service experts to have access to all the data collected from the smartphone software is a good idea for beating back the virus.
"The health authority can use risk modelling to decide which contacts are most at risk, and then notify them to take some action," he noted, adding: "Importantly, the public health authority has anonymous data to help it understand how the disease appears to be spreading, and has the anonymous contact graphs to carry out some analysis.
"So the health authority could discover that a particular anonymous person seems to infect people really well. While the system wouldn't know who they are, encounters with them could be scored as more risky, and adjust the risk of someone being infected by a particular encounter appropriately."
UK COVID-19 contact-tracing app data may be kept for 'research' after crisis ends, MPs toldREAD MORE
He used two famous epidemiological stories to prove the point: Typhoid Mary and John Snow. Mary Mallon was a cook in New York in the early 1900s who had typhoid fever but showed no signs of it, and ended up infecting a number of households who were otherwise separated from the wider population. No one could figure out why they were falling sick until someone figured out Mary was the link.
Likewise John Snow tracked down the source of a cholera outbreak in London in the 1850s down to a water pump in Broadwick Street in Soho and put a stop to it by removing the handle, although later research suggests the outbreak was already dying out by that time. There is, incidentally, a plaque and a pump on the same spot, and the John Snow pub opposite where this reporter whiled away many happy hours.
The argument is that while the Apple-Google decentralized model protects people's privacy, it leaves the authorities blind. It puts a public health disaster outside the reach of those who can help most through analysis of the population. Meanwhile, the undertone of the centralized NHS method, where people's data is collected and analyzed together, is almost explicit: we all know how important privacy is but let's leave this to the experts, shall we? Give up a little bit of data and save lives. Let's not go too European on this.
So, um, a problem...
But there is a concern with the NHS's approach: it requires workarounds to function as advertised, probably won't work as well as expected, and probably won't be terribly accurate at measuring the spread of the virus.
Apple's iOS normally forbids applications from broadcasting via Bluetooth when running in the background. That means you would have to leave a contact-tracing app open in the foreground all the time for it to work properly.
However, the operating system does allow software, such as the NHS tracing app, to run in a special mode so that it can announce itself to nearby iPhones and iPads via Bluetooth, and listen out for copies of itself on other devices, even when in the background. However, there are strict limits to this.
For instance, Apple says the background announcements are designed to work only with other iOS devices, though Android apps could be programmed to work around this. An iOS app's transmissions may be delayed if, for example, the device is busy sending other data over Bluetooth. The app has ten or so seconds at a time to wake up and communicate with nearby phones running the contact-tracing app, or be killed or throttled back.
Apple also warns: "Performing many Bluetooth-related tasks require the active use of an iOS device’s onboard radio — and, in turn, radio usage has an adverse effect on an iOS device’s battery life."
Meanwhile, Google Android versions 8 and later allow contact-tracing applications to announce themselves for only a few minutes after the app falls into the background. The apps could run as a foreground service on Android all the time, with an icon present to say it's active while other programs run in the foreground, though this isn't particularly battery friendly nor recommended by Google, and could lead to people simply not using the app to preserve power.
Thus, compromises have been made to work around iOS and Android, rather than use the decentralized Apple-Google API that has all of this handled automatically in the background by the operating system, which is kinder to battery life and potentially more accurate. Some encounters between people may be missed either due to operating system incompatibilities, limits on execution and transmission, or because the software proves to be such a battery hog that people don't bother with it. Or forget to run the app.
For instance, here is a handy video of an iOS contact-tracing app vanishing from a nearby Android phone when the app is closed, or the iPhone falls asleep. This app is Australia's Bluetooth-based COVIDSafe software, which, like the NHS approach, doesn't use the Apple-Google API.
Because people seem interested here's some video of the COVIDSafe app failing on iPhone. It is literally impossible to broadcast the UUID needed for the app to work without the screen on and the app in the foreground. pic.twitter.com/X5lpyeKL1A— Joshua Byrd (@phocks) May 1, 2020
The NHS has insisted its engineers have worked around these limits "sufficiently well" by, on iOS at least, running it in the special background mode, and briefly waking the app after it detects itself running on a nearby device. It can also announce itself to nearby iOS devices.
The other concern with the UK approach is that while it insists it will keep data private, and location data will not be stored nor attached to individuals, the truth is that it will only work as promised if that data is not kept private and location data is stored and attached to individuals.
Levy repeatedly tried to square this circle, leading to some ludicrous assertions. He stated boldly in bullet points that the app "doesn't have any personal information about you, it doesn't collect your location and the design works hard to ensure that you can't work out who has become symptomatic" and that "it holds only anonymous data and communicates out to other NHS systems through privacy preserving gateways."
But what is literally the first thing the app does when you install and open it? It asks for your postcode, and logs the exact make of your phone.
Levy explained "a big random number" is also generated, which is tied to the copy of the contact-tracing app on your phone. This 128-bit ID is what the app on one phone exchanges via Bluetooth with itself on a nearby phone when they come in range. This exchange includes when exactly the IDs were encountered, how long the phones were near each other, and the signal strength, allowing the distance apart to be calculated. This is the data that is ultimately shared with the NHS, when you choose to.
The exchanged data is also encrypted in such a way that the NHS can decrypt it but not other users. We understand these ID numbers are generated server-side, and are people's unique fingerprints in the centralized system.
Levy also noted that "currently" only "the first part of your postcode" is taken and stored "for NHS resource planning, mainly." He goes on: "Nothing identifying and no personal data are taken from the device or the user."
Does it matter?
Presumably the goal with this kind of explanation is to comfort the vast majority of UK folk who don't understand how the entire internet economy works by connecting vast databases together.
So long as you can rely on one piece of per-user data – like a "big random number" – everything else can be connected. And if you also have a postcode, that becomes 100 times easier. Ever heard of Facebook? It's worth billions solely because it is able to connect the dots between datasets.
Indeed, it may be possible to work out who is associating with whom from the app's ID numbers. Bear in mind, the Apple-Google decentralized approach produces new ID numbers for each user each day, thwarting identification, especially with the ban on location tracking.
Levy also glossed over the fact that as soon as someone agrees to share their information with UK government – by claiming to feel unwell and hitting a big green button – 28 days of data from the app is given to a central server from where it can never be recovered. That data, featuring all the unique IDs you've encountered in that period and when and how far apart you were, becomes the property of NCSC – as its chief exec Matthew Gould was forced to admit to MPs on Monday. Gould also admitted that the data will not be deleted, UK citizens will not have the right to demand it is deleted, and it can or will be used for "research" in future.
And then there's the not insignificant issue that the entire approach may break privacy and human-rights laws, anyway, as one legal firm has advised:
A de-centralised smartphone contact tracing system – the type contemplated ... by governments across Europe and also Apple and Google – would be likely to comply with both human rights and data protection laws. In contrast, a centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful. That justification has not yet been forthcoming.
Oh yes, and "the UK Government's announcements for sharing health data between the private and public sector appear to be flawed. This means such data sharing is potentially not in compliance with legal requirements."
Just get it out
What Gould and Levy are not admitting is that they expect the vast majority of UK citizens to opt in, download the app, and share their data anyway, no matter any of these concerns, out of a sense of civic duty.
So long as they can get through the objections and push past the criticisms and get the app launched, they will get what they no doubt honestly believe will be a better end result for the country because the data will be in the hands of the experts. And they might – might – be right. But they might also be completely wrong.
At the heart of this decision by the UK to fall back on the belief that a central authority is going to be a better solution, no matter what compromises have to be made, is that central planning will work better when it comes to COVID-19.
But will it? So far the clear evidence is that greater control of populations has worked better at stopping the coronavirus spread than a more relaxed attitude, The US and UK have notably refused to put limits on their citizens until forced to, and are almost certainly going to end up the worst affected countries on the globe as a result.
But does population control work beyond lockdown? When the economy is opened up, will a centralized approach where hotspots can be identified and dealt with from a command post be more effective than a decentralized approach where individuals are left to decide for themselves?
We may be about to find out. Although if people can't be persuaded to download the app in the first place because they don't want their data to be floating around the government's servers for the next 100 years, then the whole question is moot anyway. The government is continuing to play a giant game of chicken with our lives. ®
Updated on May 6
This comment piece was revised after publication to include details of Android's foreground services. Google recommends developers limit their use of these services to preserve battery life and resources. The section on iOS was also revised in light of testing of the NHS iPhone app, now available as a beta, that revealed the software runs in a background mode that permits it to advertise to other iOS devices, and wake briefly to communicate with other phones, albeit within limits. We are happy to clarify these points.
As an example of these limitations, Financial Times writer Tim Bradshaw noted: "One issue that's come up in testing: if two iPhones are left locked and unused for about 30 minutes, they go into listen-only mode. An Android device coming within 60m can wake them up, though."
The UK government is also considering using the Apple-Google approach after all, given that Australia, which proposed a similar centralized contact-tracing system, is said to be switching to the decentralized API after experiencing technical difficulties.