- UK’s National Health Service (NHS) is going forward with an iPhone and Android app for coronavirus contact tracing.
- The government has refused to use the Apple-Google solution to track the potential contacts of a COVID-19 patient.
- The Apple-Google app has strong built-in privacy provisions and doesn’t store user data on a central server, as the UK government plans to do.
- Visit BGR’s homepage for more stories.
Knowing where new COVID-19 patients got the novel coronavirus from will be crucial for easing social distancing measures and reopening the economy. That also includes warning all the contacts of a patient they may have been exposed to the virus. And it’s why New Zealand’s announcement that the country doesn’t have coronavirus community spreading is so important. In theory, New Zealand might be in a place where any new COVID-19 patient could be traced back to the person that infected them. In practice, things might be more difficult, and that’s because of the way the virus operates. SARS-CoV-2 is highly infectious, and symptoms may appear only after 14 days from infection if they show up at all. Many people are asymptomatic, but they are still contagious.
That’s why the only way contact tracing can be done with some sort of success is with the help of technology. Apple and Google have devised a Bluetooth-based system that works on iPhone and Android to help authorities track contacts. The COVID-19 API the two giants have developed is also more private than alternatives, but some governments aren’t happy with that. France, Germany, and the UK have voiced concerns about the Apple-Google app, but Germany then decided to ditch its home-grown app in favor of the Apple-Google solution. A response from France on the matter isn’t clear, but the UK is going forward with its own app.
Like Apple and Google, the UK government plans to use Bluetooth to gauge interactions between people, and automate contact tracing. But the UK health service’s innovation agency NHSX has developed an app that’s not as private as Apple and Google’s.
The NHSX told ZDNet that it developed an app using standard Apple and Google published API while adhering to the Bluetooth Low Energy (LE) standard. However, the UK app will still send data to a central service, unlike the Apple-Google app.
The Apple-Google solution works in the background, which means it won’t tax battery life. The NHSX version would have to wake the phone every time it detects another phone close by, which might hurt battery life. “Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life,” an NHSX spokesperson says.
Moreover, when a user reports COVID-19 symptoms, the app will register the data on a central server, which will then alert potential contacts. The Apple-Google app is decentralized. That means all phones keep a local record of the phones they pinged in the past few weeks, and they keep pinging a server to see if any of those phones show up as COVID-19 positive. Once a person indicates they’ve been confirmed, their phone sends a key to the same server, which the phones will detect once they reconnect to the server. No other information is exchanged, and the user is warned they may have been in the vicinity of a COVID-19 person.
Some may applaud the Apple-Google apps for its built-in privacy protections. Others may not. It’s easy to see why governments would want to centralize COVID-19 data. On the one hand, they could ensure that the notifications sent out to potential contacts aren’t false positives. On the other hand, they would be able to generate statistics and reports.
But it’s unclear what the NHS will do with the data once it’s no longer useful, and when it’ll delete it. The health services already agreed they would not keep the data for longer than necessary, ZDNet says. The European Commission has approved both the centralized and decentralized COVID-19 tracing apps.
Also, it’s unclear whether the government will want additional information from app users. Then, there are concerns about the security of the data.
In May 2017, hackers were able to infect NHS computers with the WannaCry malware. A year before, Alphabet-owned DeepMind received data for around 1.6 million NHS patients. On top of those security and privacy breaches, it’s also well-known that the UK government has long championed the ban of data encryption for chat apps and other services.
That’s not to say that tracing coronavirus contact tracing is less important than user privacy. It’s just a reminder that user security and privacy will always be necessary. And while the UK government will have a clear privacy policy in place for the NHSX app, it’s still good to know that the Apple-Google API hasn’t suffered any modifications to meet the needs of Britain or France. One exception would be enough to allow less-democratic to possibly abuse such APIs for surveillance-related purposes.
As for the Apple-Google approach, it remains to be seen if it actually works. Aside from privacy, there’s another concern about the API, one that the two companies have already started to address in a recent update. Because the entire thing is decentralized, this opens the door to potential abuse. Someone could register themselves as infected, which would generate a wave of warnings for their contacts. A centralized approach might prevent abuse and could reduce the number of false positives by forcing the user to answer a series of questions before sending out a warning to potential contacts.