Why the NHS snubbed Google and Apple's API for contact tracing

With traditional public health contact-tracing methods unable to keep up with the pace of the pandemic, the UK government has been working on a tool to digitally track and warn people who have been around someone who is showing symptoms of the coronavirus.

But the health service's innovation agency NHSX has now confirmed that it will not be following the approach jointly put forward by Apple and Google to help governments and health agencies reduce the spread of the virus, and will be taking a different approach.

Despite the performance and privacy concerns raised by the prospect of departing from the model proposed by the tech giants, a spokesperson for NHSX told ZDNet that the organization's engineers have developed an app using standard APIs published by Google and Apple, while adhering to the Bluetooth Low Energy (LE) standard.

The technology uses Bluetooth LE to register all the smartphones that a given phone has come into close proximity with over a few days, and sends an anonymous warning to all users who are at risk if one of the phone owners finds that they are infected with COVID-19.

Bluetooth has been put forward as a solution because, unlike GPS or Wi-Fi data, the technology only tracks which devices have been near one another, instead of registering users' locations.

Apple and Google are releasing a joint contact-tracing API based on Bluetooth, which never collects any geographic data in order to protect individual privacy. Last week, NHSX bosses said that they were collaborating with the two companies, without clearly confirming whether or not the UK's contact-tracing app would be built on Apple and Google's new API.

One of the main drawbacks of an app built on a different model from the one pushed by Apple and Google is technical. The option put forward by the tech giants lets the app run in the background without hindrance, while the NHSX's service would have to be woken up every time the phone detects another device running the same software. This could cause significantly more strain on battery life.

"Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life," said the NHSX spokesperson.

The UK government's homegrown app is also likely to come under public scrutiny as a result of privacy concerns. The new tool follows a centralized model, which means that when a user reports symptoms of the coronavirus, the warning is sent to a central computer server, which then works out who to send an alert to among the contacts that the infected person's phone has registered.

On the other hand, Apple and Google's model is decentralized: users who have come into prolonged contact exchange their respective anonymous key codes, and if one of the users then reports feeling ill, their key code is sent to a central database. Meanwhile, the second user's phone regularly checks the database for matching key codes and sends a warning when it recognizes the code of a user who has been infected. The matching, therefore, happens on users' devices, rather than through a centralized database.

A decentralized approach is arguably more privacy-friendly, as it eliminates the risk of log data being de-anonymized and used by the authorities to track individuals for purposes other than reducing the spread of the pandemic. A central database is also potentially more at risk of hacking.
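The difference between the two models comes down to what the server ends up holding. The sketch below is an added illustration, not code from NHSX, Apple or Google: it is a simplified model of the two flows as this article describes them, with a constructed encounter log and hypothetical names (`Phone`, `centralized_report`, `decentralized_report`), and it returns both who gets alerted and what the server learns.

```python
import secrets

# Constructed sample data: pairs of phones that came into Bluetooth range.
ENCOUNTERS = [("alice", "bob"), ("alice", "carol"), ("dave", "erin")]

class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.key = secrets.token_hex(8)  # anonymous key code broadcast over Bluetooth
        self.heard = set()               # key codes received from nearby phones

def build_phones(encounters):
    """Replay the encounter log: each pair of phones exchanges key codes."""
    phones = {}
    for a, b in encounters:
        for name in (a, b):
            phones.setdefault(name, Phone(name))
        phones[a].heard.add(phones[b].key)
        phones[b].heard.add(phones[a].key)
    return phones

def centralized_report(phones, reporter):
    """Centralized model: the reporter's contact log goes to the server,
    which resolves key codes to users and decides who to alert."""
    registry = {p.key: p.owner for p in phones.values()}  # held server-side
    uploaded = phones[reporter].heard                      # leaves the phone
    alerted = {registry[k] for k in uploaded}
    server_learns = {"reporter": reporter, "contacts": alerted}
    return alerted, server_learns

def decentralized_report(phones, reporter):
    """Decentralized model: only the reporter's own key code is published;
    every other phone checks it against what it heard, on the device."""
    published = {phones[reporter].key}                     # leaves the phone
    alerted = {p.owner for p in phones.values()
               if p.owner != reporter and published & p.heard}
    server_learns = {"published_keys": published}
    return alerted, server_learns

if __name__ == "__main__":
    phones = build_phones(ENCOUNTERS)
    print(centralized_report(phones, "alice"))
    print(decentralized_report(phones, "alice"))
```

Both functions alert the same two people; only the centralized one leaves the server with a record of who reported and who they were near.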

Jim Killock, the executive director of Open Rights Group, told ZDNet: "It obviously seems, on the surface, a better approach to use Google and Apple's system of contact-matching on the phone, as opposed to centrally. If the NHS have said that they don't wish to follow that model, they need to give a really clear explanation of why they couldn't do this in a more privacy-friendly way."

The main driver of a centralized approach is that it lets the health services run analytics on data to send warnings only if they are legitimate, and only to those who are most at risk of having got infected.

Bluetooth-based contact-tracing apps come with the risk of over-reporting some interactions between individuals, because the range of a Bluetooth device can vary depending on how the device is held or whether the user is indoors or outdoors.

In other words, a huge number of false positives can be generated via Bluetooth. A centralized approach is the only way to make sure that if someone reports being sick, a warning will be sent only to the app users that have come into epidemiologically significant contact with the infected person – and not to the person waiting for the bus on the other side of the road from them.

Ross Anderson, professor of security engineering at the University of Cambridge, told ZDNet: "You can't do that kind of analytics if you take the Google and Apple approach, which will broadcast a warning to everybody that has been registered as soon as someone calls in sick. The problem is that you'll end up getting an alert every so often, advising you to go home and self-isolate, and 99% of the time it's going to be a false positive."

With the country already fed up with sitting at home, he continued, it is highly unlikely that people will listen to the advice if there is a solid chance that the alert is not serious enough. Contact-tracing, therefore, can only work if signals are targeted intelligently.

The issue isn't only on the receiving side of the alerts. Leaving a decentralized system unsupervised is also likely to generate warnings from self-diagnosed individuals who haven't actually contracted the virus, whether they are genuinely worried about a cough or are actively trolling to cause harm.

"A Google and Apple app is a huge opportunity for abuse," said Anderson. "Anybody could run this app and then go hang out near some people they want to cause trouble for."

If the report of symptoms goes through a central database first, however, the app can take the user through a Q&A to find out if the cough is new and persistent, and if other symptoms have emerged, before assessing whether an alert is worth broadcasting.

Therefore, it "absolutely makes sense", according to Anderson, that NHSX decided to drop Apple and Google's API, even if the decision worries some privacy advocates. "We need to avoid getting into a fight between different camps, because it is a sheer distraction from the real task at hand, which is saving lives," he said. "A small amount of privacy exposure is entirely acceptable in the context of a pandemic."

What does need to be ensured, argued Anderson, is that all data gets destroyed once the crisis has passed, and the context doesn't justify collecting the information anymore. The health services have already agreed, however, that they would not keep the data for longer than necessary. Anderson argued that the NHSX app won't, therefore, be a large-scale privacy compromise.

The European Commission has already indicated that both centralized and decentralized models are acceptable. NHSX has also been consulting with the Information Commissioner's Office (ICO) to develop the app in an ethical and lawful manner.

Still, for Open Rights Group's Jim Killock, the UK government has lacked transparency throughout the process. "Assuming their approach is the only way to reach legitimate goals, then at the very least we need much stronger, firmer guarantees around the use of privacy," he said.

"The NHS has a fairly bad record on the use of personal data. We need legally enforceable guarantees that data will not be re-used. We are sharing the same goals and want the same thing: for the app to have a serious chance of usability and effectiveness. The lack of transparency isn't aiding that."

The Big Data Institute estimates that over 60% of the UK population would have to be using the app for digital tracing to reach enough people as they become infected. In other countries that have implemented a centralized solution, like Singapore, uptake has stagnated around 12%.

Killock maintained that the app is unlikely to be anything more than a tool, and that other kinds of contact-tracing will be far more effective. "But given that it's being tried, we want it to have a chance of success," he said. That can only happen if the app earns the public's trust.