It appears that the United Kingdom is now past the peak of the COVID-19 infection curve, and the Government’s attention has now shifted to avoiding a second peak. In order to do this, it is necessary to ensure that anyone who tests positive for COVID-19 places themselves in self-isolation. It is also necessary to ensure that everyone who has been in contact with them does the same, and then everyone who has been in contact with them, and so on. Clearly, this will be no easy feat, and will require thousands of dedicated “contact tracers”, whose job is to establish exactly who COVID-19 sufferers have come into contact with, and to take appropriate action.
To make this challenge easier, the Government is preparing to supplement manual contact tracing with automatic contact tracing via a smartphone app to be downloaded by as many of the population as possible.
This blog post looks into how the proposed app works, the issues associated with it, and how the Government proposes to address these issues.
How do they work?
In short, these apps work by detecting when a user’s mobile device comes with a given distance of another user’s mobile device. This detection is performed using Bluetooth® technology, where two users are said to have been in “contact” when their devices are able to communicate via the Bluetooth® link between them. As anyone trying to connect to their car’s speakers will know, this requires both that the users are in close proximity, and for a long enough period of time that a connection can be established. While this is plainly not a perfect model, the ubiquity of Bluetooth®-enabled devices means that a certain degree of “contact” can be identified without users having to make any complicated modifications to their smartphones or tablets.
What next? When a user either tests positive for COVID-19, or makes a self-diagnosis (guided by an in-app questionnaire), they are invited to report this in the app. Then, if the app determines that the user has been in sufficiently close contact with any other users, a notification is sent to those users to inform them that they are at risk of infection, pointing them to the appropriate NHS guidance. There are two broad types of models by which this reporting and notifying process may take place: centralized and decentralized models.
The difference between these two approaches relates to how data collected by an individual’s device is used:
- In a decentralized app, when a user is diagnosed with COVID-19, and reports this via the app, the relevant public health authority receives only the anonymized identity of the user that has reported symptoms. The public health authority then sends out information about the infected users to all app users, and it is determined by the app, at the device level, whether a user is at risk of being infected.
- In a centralized app, when a user is diagnosed, the anonymized identify of the user is reported to the public health authority, along with information relating to all of their contacts. This allows the public health authority then to determine which of those contacts are most at risk, and to decide (at a central level) whether to warn those users. This is the approach on which the Government’s app is based.
It is noteworthy here that there is no law or requirement which says that an infected individual must report their infection via the app. The reasons for this are discussed below.
What are the issues facing the Government at this time?
The effectiveness of a contact tracing app is virtually entirely contingent on the number of people who download and use it. Estimates of course vary, but the head of the Oxford University team charged with developing the app suggest that 60% of the population will need to use the app in order for it to be a useful measure.
The two main concerns facing the Government at present are privacy and security. It has been suggested that people may be willing to relax their privacy expectations out of a sense of civic duty during these troubled times, but even so the Government are obliged to obey various human rights, privacy and data security regulations. So, security and privacy still represent a significant hurdle for the government to cross.
How is the Government proposing to address these issues?
The Government have published a technical paper here which outlines eight key privacy and security criteria which must be met by any contact tracing app to be rolled out to the general population, and explains how they are met by the current proposed designs.
For example, the first and second criteria require that the collection of personal data is minimized, and that active user consent is required or any action involving collected data. The first of these criteria is met trivially by ensuring that minimal personal data is collected. The second criterion is met by requiring that users of two devices both consent to proximity data being (automatically) collected when they two come into contact, and also by requiring positive action on the part of the user to submit the data to a central authority.
The third and fourth criteria relate to the Bluetooth® transmissions, requiring that it should not be possible to track individual users of the app over time, nor for an external observer to associate a given Bluetooth® transmission with any device-specific information above and beyond identifying that a given user is nearby. The third criterion is met using cryptographic techniques, and the fourth criterion is met because no device-specific information enters the system at any point.
Of course, the technical paper by the Government seeks only to reassure individuals that the app is safe and secure, rather than highlighting any potential flaws in the system. As in any situation such as this which has inevitably become highly-politicized, public opinion remains polarized. There are numerous commentators who remain concerned that the NHS’s proposed centralized approach is fundamentally at odds with data protection and human rights laws, and equal numbers of commentators with exactly the opposite view.
What’s next?
Given the urgent need for contact tracing, both manual and automatic, to begin as soon as possible, it seems unlikely that it is in the public interest for the Courts to determine the legality of any app rollout. Rather, whether or not an individual elects to download and use the app will depend on whether their sense of civic duty outweighs their concerns (legitimate or not) about the privacy and security of the data which is collected.
A pilot scheme of the NHS’s app launched in the Isle of Wight in the middle of May, and its effectiveness remains to be seen. Watch this space for more information about the UK’s automated contact tracing system.
