The UK is once again bucking the trend in its quest to conquer the coronavirus as it opts not to use the framework created by Apple and Google for its NHS COVID-19 contact-tracing app.
Instead, NHSX — the digital arm of the nation’s health organisation — is creating a centralised app that strays from the Apple-Google model.
NHS officials hope their app will provide better insight into the spread of COVID-19 and help flatten the curve of coronavirus infections.
But security experts warn the method has significant privacy implications, could upset the tech firms, and provide the blueprint for unethical mass-surveillance once the pandemic ends.
Apple and Google, along with GCHQ’s National Cyber Security Centre (NCSC), are still assisting and advising on the NHS app, according to reports.
Google and Apple joined forces earlier this month and announced they were combining their expertise to turn smartphones into coronavirus-tracking devices.
The unprecedented collaboration comes from two companies that both place a high value on the privacy of users.
As a result, their system, which was designed to work optimally on both iOS and Android, is decentralised. No movement or tracking information will be stored on a central server, meaning it is invisible to Google, Apple and the NHS.
It works by exchanging a digital ‘token’ with every phone you come within Bluetooth range of over a fixed period.
If one person develops symptoms of the coronavirus or tests positive, they will be able to enter this information into the app.
The phone will then send out a notification to all the devices they have exchanged tokens with during the infection window, to make people aware they may have been exposed to COVID-19.
The process is confined to the individual’s handset and the scope of the information sent to the NHS is strictly limited.
However, the method proposed by NHSX focuses on a centralised scheme.
In it, the data is still collected via Bluetooth, but any interactions between people are recorded by the phone and then sent back to a server run by the NHS.
Here, all data on all movements will be kept. This level of data collection on a person’s movements is fraught with hazards, experts claim.
The NHS, unsurprisingly, is facing questions as to why it needs to develop the app in this manner when other countries are plumping for the more privacy-centric approach.
In a weekend blog post, NHSX writes: ‘The data will only ever be used for NHS care, management, evaluation and research.
‘You will always be able to delete the app and all associated data whenever you want. We will always comply with the law around the use of your data, including the Data Protection Act and will explain how we intend to use it.
‘We will be totally open and transparent about your choices in the app and what they mean.
‘If we make any changes to how the app works over time, we will explain in plain English why those changes were made and what they mean for you. Your privacy is crucial to the NHS, and so while these are unusual times, we are acutely aware of our obligations to you.’
The security and privacy issues have been sized up and balanced against potential public health benefits and the officials in charge of the UK’s coronavirus response deem the centralised app a necessary step.
The health gains they expect to come from data analysis could save lives and this, in the eyes of the health officials, outweighs any privacy quandary.
A centralised app run by the NHS with expert assistance may provide invaluable insight into how COVID-19 is spread.
Professor Christopher Fraser, one of the epidemiologists advising NHSX, explained to the BBC: ‘One of the advantages is that it’s easier to audit the system and adapt it more quickly as scientific evidence accumulates.
‘The principal aim is to give notifications to people who are most at risk of having got infected, and not to people who are much lower risk.
‘It’s probably easier to do that with a centralised system.’
At a meeting of the Science and Technology Committee held today, it was revealed the NHS app will likely be rolled out in two to three weeks, but a trial with a small number of people in a very localised, and as yet undisclosed, area will test the app first.
NHSX chief executive Matthew Gould said talks are still being held with Google and Apple, despite the decision to move to a centralised version of the app.
Germany had previously sided with Britain and hoped to create its own centralised app. But on Sunday the German government performed a dramatic U-turn and is now heading towards a decentralised version.
It also leaves the UK at odds with Switzerland, Austria, a pan-European group called DP3T and the tech-savvy Estonians who are all backing a decentralised app, as advocated by Google and Apple.
In Europe, only France, and now Britain, have come out as supporters of a centralised system. Australia, it is believed, is also running a centralised app.
Professor Alan Woodward, from the Surrey Centre for Cyber Security at the University of Surrey, points out that Apple and Google do not want to assist in developing a system which effectively tracks users, as it could later be adopted and tweaked to spy on people en masse.
He told PA news agency: ‘There may be some pushback, I think – the simple way to put it – because what Apple does not want is somebody building a system that could be used as a tracking system, a generalised tracking system.
‘So, repurposing the technology, later on, for example – never mind now in this emergency of the data collected – but could someone, later on, build technology along the same principles just to use Bluetooth to track people?
‘And the whole point was, iOS particularly was built, and Android’s later versions, are built so that you cannot do that.
‘They (Apple and Google) know that their customer base is global, it’s not just the US or the UK or European, it’s all over the world, so they want their users to not think that governments can somehow subvert their operating systems to become trackers.
‘So there is a bit of a danger it might get some pushback.
‘And I think, if the UK Government are going to sell this to the public, they have to have those epidemiologists, the public health people, out, front and centre, justifying why they need that data.’
The invasive nature of the app was acknowledged by the NHS.
Mr Gould said during the meeting of the Science and Technology Committee that ‘a huge communications effort’ would be needed to get the message across of the app’s benefits outweighing any potential concerns.
Other countries that have developed similar apps with the same goal in mind have encountered difficulties when straying away from the Google-Apple ideal.
The main reason is that the companies have specifically tried to make it as difficult as possible to collect data using Bluetooth.
Performance concerns have also been raised by some, which compound the privacy concerns.
If it is not built within restrictions laid out by Apple and Google, it risks falling foul of more technical glitches than if it were to adhere to the model.
For example, software engineers around the world have had issues getting the app to actively collect data if the app is not active or on-screen.
NHSX claims it has found ways to resolve this issue and is able to make the app perform ‘sufficiently well’.
An NHSX spokesman said: ‘Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life.
‘This has been achieved using standard Google and Apple published API while adhering to the Bluetooth Low Energy Standard 4.0 and above.’
Experts from GCHQ’s National Cyber Security Centre have assisted in the making of the app, whereas NCSC claims its involvement has been restricted to advising.