What’s going on with the U.K.’s coronavirus contacts-tracing app? Reports in the national press today suggest a launch of the much-delayed software will happen this month but also that the app will no longer be able to automatically carry out contacts tracing.
The Times reports that a repackaged version of the app will only provide users with information about infection levels in their local area. The newspaper also suggests the app will let users provide personal data in order to calculate a personal risk score.
The Mail also reports that the scaled-back software will not be able to carry out automated contacts tracing.
We’ve reached out to the Department for Health and Social Care (DHSC) with questions and will update this report with any response. DHSC is the government department leading development of the software, after the NHS’s digital division handed off the app.
As the coronavirus pandemic spread around the world this year, digital contacts tracing has been looked to as a modern tool to combat COVID-19 by leveraging the near ubiquity of smartphones to try to understand individual infection risk based on device proximity.
In the U.K., an earlier attempt to launch an NHS COVID-19 app to support efforts to contain the virus by automating exposure notifications using Bluetooth signals faltered after the government opted for a model that centralized exposure data. This triggered privacy concerns and meant it could not plug into an API offered by Apple and Google — whose tech supports decentralized coronavirus contacts-tracing apps.
At the same time, multiple countries and regions in Europe have launched decentralized contacts-tracing apps this year. These apps use Bluetooth signals as a proxy for calculating exposure risk — crunching data on-device for privacy reasons — including, most recently, Northern Ireland, which is part of the U.K.
However, in the U.K.’s case, after initially heavily publicizing the forthcoming app — and urging the public to download it in its daily coronavirus briefings (despite the app not being available nationwide) — the government appears to have stepped almost entirely away from digital contacts tracing, claiming the Apple -Google API does not provide enough data to accurately calculate exposure risk via Bluetooth.
Decentralized Bluetooth coronavirus contacts-tracing apps that are up and running elsewhere in Europe have reported total downloads and sometimes other bits of data. But there’s been no comprehensive assessment of how well they’re functioning as a COVID-fighting tool.
There have been some reports of bugs impacting operation in some cases, too. So it’s tricky to measure efficacy. Although the bald fact remains that having an app means there’s at least a chance it could identify contacts otherwise unknown to users, versus having no app and so no chance of that.
The Republic of Ireland is one of the European countries with a decentralized coronavirus contacts-tracing app (which means it can interoperate with Northern Ireland’s app) — and it has defended how well the software is functioning, telling the BBC last month that 91 people had received a “close contact exposure alert” since launch. Although it’s not clear how many of them wouldn’t have been picked up via manual contacts-tracing methods.
A government policy paper published at the end of last month that discussed the forthcoming DHSC app said it would allow citizens to: identify symptoms; order a test; and “feel supported” if they needed to self isolate. It would also let people scan a QR code at venues they’ve visited “to aid contact tracing and help understand the spread of the virus.”
The government paper also claimed the app would let users “quickly identify when they have been exposed to people who have COVID-19 or locations that may have been the source of multiple infections” — but without providing details of how that would be achieved.
“Any services that require more information from a citizen will be provided only on the basis of explicit consent,” it added.
Ahead of the launch of this repackaged app it’s notable that DHSC disbanded an ethics committee which had been put in place to advise the NHS on the app. Once development was handed over to the government, the committee was thanked for its time and sent on its way.
Speaking to BBC Radio 4’s World at One program today, professor Lilian Edwards — who was a member of the ethics committee — expressed concern at the reports of the government’s latest plans for the app.
“Although the data collection is being presented as voluntary it’s completely non-privacy preserving,” she told the program, discussing The Times’ report which suggests users will be nudged to provide personal data with the carrot of a “personal risk score.” “It’s going to involve the collection of a lot of personal, sensitive data — perhaps your health status, your retirement status, your occupation etc.
“This seems, again, an odd approach given that we know one of the reasons why the previous app didn’t really take off was because there was rather a loss of public trust and confidence in it, because of the worries partly about privacy and about data collection — it not being this privacy-preserving decentralized approach.
“To mix the two up seems a strange way to go forward to me in terms of restoring and embedding that trust and confidence that your data won’t be shared with people you don’t want it to be,” Edwards added. “Like maybe insurers. Or repurposed in ways that you don’t know about. So it seems rather contrary to the mission of restoring trust and confidence in the whole test and trace endeavour.”
Concerns have also been raised about another element of the government’s digital response to the coronavirus — after it rushed to ink contracts with a number of tech giants, including Palantir and Google, granting them access to NHS data.
It was far less keen to publish details of these contracts — requiring a legal challenge by Open Democracy, which is warning over the impact of “Silicon Valley thinking” applied to public health services.
In another concerning development, privacy experts warned recently that the U.K.’s test and trace program as a whole breaches national data protection laws, after it emerged last month that the government failed to carry out a legally required privacy impact assessment ahead of launch.