The Department of Health and Social Care (DHSC) have announced* the next stage of the development of the NHS COVID-19 virus-tracing app.
Prof Nello Cristianini, Professor of Artificial Intelligence, University of Bristol, said:
“The NHS has abandoned its plans to develop its own app for contact tracing in favour of one that uses the same decentralised system as most of Europe. Even though this was only abandoned for technical issues, the different in the two apps means that there will no longer be a central database to record all social contacts of anonymised users, leaving instead social contacts information within the device of users, until they are found to be infected. This is positive news, as it puts more control in the hands of citizens and allows us time to have an open debate about the role of data during a public health emergency. We need to debate and discuss important questions including: what is a proportionate way to help the work of human contact tracers? Do we really need a central facility recording all social contacts? How do we make sure that its lifetime is not constantly extended, that ever more information is not appended to it, and that various de-anonymisation methods are not tried, in a new situation of crisis?
“The lesson to learn from this situation is: let us have these conversations when there is no impending threat, so we can strike the right balance. It is good that we have the European / Apple-Google solution to help contact tracers, but let us still have this conversation now, or even after the emergency phase. The Parliament is the right place for this decision.”
Dr Scott McLachlan, Postdoctoral Research Assistant, Queen Mary University of London, said:
“While it was necessary for the government to change tack on their first app, at present they are really telling us nothing useful about how the ‘new’ app will work. It cannot be assumed that a switch to the Apple/Google model will resolve every issue experienced with the first app. The primary issues including compatibility, accuracy and privacy.
“The first app was only compatible with current/recent model Android phones. Because an app still needs to be developed which is compatible with many phone models, changing to the Apple/Google approach does nothing to change this factor. It is a factor of how the new app is developed (its architecture) that decides which devices it will be compatible with. We have been given no information by the government on this factor.
“The first app was prone to false alarms (that is, it would alert that you had been exposed to COVID if it sensed your neighbour’s phone through the separating/dividing wall of your houses, even though you may have never been in close enough contact to actually have been exposed to the disease). This is an issue of the technical solution being employed – Bluetooth. Bluetooth is prone to issues that may either see false contacts registered, or even legitimate contacts not being registered. While being better than many other options, Bluetooth is not a guaranteed reliable technology for this solution.
“The new approach described as ‘only alerting when a person is tested positive’ means that, as the math in our recent papers1,2,3 show, one infected person can potentially go on to create more than 300 new infections in only 20 days. Another method for dealing with people ‘gaming the system’ needs to be found.
“The first app was claimed to be a privacy-eroding solution due to the use of a centralised server to collect, store and forward contact and alert information. Use of a decentralised interface or application architecture still requires a centralised server that receives your so-called ‘anonymous but unique ID’ and to issue a database list of contacts for your device to ‘contact match’ with and do risk analysis on to decide if you might have had contact with an infected person. Many researchers have shown that anonymous data, even using anonymous IDs, is not a privacy-guaranteed approach. With information collected from other sources (including the fact that your phone receives the Bluetooth mac address and name of the other persons device when you make ‘the contact’) it may still be possible to put together a list of all of the contacts that a particular device has seen, and re-identify some of them. Further, as we point out in our recent papers1,2,3, the registration details you provide when downloading, installing and registering the app, along with metadata collected by your ISP and the central (even though we are calling it decentralised) server means that those operating the server may still be able to identify you, your contacts, where you have been (location) and when. The argument between centralised and decentralised is therefore largely a moot point to give appearance to appeasing the ‘great unwashed’.
“Other examples using the Apple/Google model have shown that use of the Apple/Google API is no guarantee to success, with millions being invested by governments in CTA development where the uptake achieved was less than 1.5% of the population4, and CTA being used to share user location data with commercial organisations, alerting users when they are near the paying organisation’s stores5.”
1) McLachlan, S., Lucas, P., Dube, K., Hitman, G., Osman, M., Kyrimi, E., Neil, M., & Fenton, N. (2020). Bluetooth smartphone apps: Are they the most private and effective solution for COVID-19 contact tracing? Manuscript currently in review with the BMC Public Health Journal. ArXiv Preprint: https://arxiv.org/abs/2005.06621
2) Osman, M., Fenton, N., McLachlan, S., Lucas, P., Dube, K., Hitman, G., Kyrimi, E., & Neil, M. (2020) The thorny problems of Covid-19 Contact Tracing Apps: The need for a holistic approach. Manuscript accepted for publication in the Journal of Behavioural Economics for Policy.
3) McLachlan, S., Lucas, P., Dube, K., Hitman, G., Osman, M., Kyrimi, E., Neil, M., & Fenton, N. (2020). The fundamental limitations of COVID-19 contact tracing methods and how to resolve them with a Bayesian network approach. http://dx.doi.org/10.13140/RG.2.2.27042.66243
4) Woo, K. (2020). Apple and Google contact tracing already looks like a failure. Tom’s Guide. Last accessed: May 24th, 2020. Sourced from: https://www.tomsguide.com/news/apple-and-google-contract-tracing-already-looks-like-a-failure
5) Hesse, B. (2020) Be extra cautious with Contact Tracing Apps. Lifehacker. Last accessed: 24th May, 2020. Sourced from: https://lifehacker.com/be-extra-cautious-with-contact-tracing-apps-1843611802
All our previous output on this subject can be seen at this weblink: