#COVID19 Contact Tracing: The App that Reignited the Privacy Versus Government Debate

Kathryn Pick reflects on the story of the UK government's COVID-19 tracing app, and asks: if a global pandemic cannot get Whitehall and Silicon Valley on the same team, what can?

As the world was hit with a global pandemic, it was no surprise that governments of all shapes and sizes looked to technology to tackle the threat. Many countries decided to pursue a mobile app that could track when citizens had symptoms of the coronavirus and alert the people they had come into contact with that they too could potentially be infected.

However, this seemingly simple idea to monitor outbreaks and keep on top of the spread of the virus led to arguments over models, as well as rows between the public and private sector.

This played out nowhere more so than in the UK where, after months of lockdown and ongoing debate over the legitimacy of introducing such a process, no app is to be seen. Let’s take a look at how the app story unfolded in the British Isles and ask: if coronavirus cannot get Whitehall and Silicon Valley on the same team, what can?

The Timeline of the App

Expert teams are reported to have met in March when the outbreak had taken hold in the UK to discuss the creation of a tracking app. By April, England’s health secretary, Matt Hancock, announced the government was working on its own app for contact tracing with its NHSX team – the digital arm of the country’s health service.

He said people could “securely tell this new NHS app” if they had symptoms, which would then send “an alert anonymously to other app users that you’ve been in significant contact with over the past few days, even before you had symptoms, so that they know and can act accordingly.”

Hancock promised that “all data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research, and we won’t hold it any longer than is needed.”

At the time, the health secretary said the government was “working closely with the world’s leading tech companies” on the app, hinting it was collaborating with Apple and Google, who had just announced their own API for contact tracing apps.

However, by the start of May, it was all change. Hancock announced that a trial of the NHS COVID-19 app would be launched on the Isle of Wight – a small island off the coast of southern England, with a population of around 140,000.

As expected, the app would use Bluetooth connections to track when people with symptoms had been in contact with others, and then send alerts to other phones, but it wasn’t based on the Apple/Google API – it was a centralized app built by the government itself.

What Were the Concerns With the App?

Going down the centralized route offered the government more detail on users, Ben Kaner, an analyst for Gartner, tells Infosecurity: “Public health authorities can know how many people have reported symptoms to the app, how many have been notified and how they have responded,” he says. “You just cannot do that with a distributed app.”

When it comes to tackling a virus outbreak, you can see how this could appeal to any government, as the more information you have, the better you can understand the spread. However, for others, it raises several significant concerns.

Enza Iannopollo, senior analyst at Forrester, says that while the data would give the “visibility” to make decisions about lockdowns or other actions for tackling coronavirus, it was a “rich data set” for a government to collect. “The problem with a centralized system is one entity and any of their third parties have an enormous amount of sensitive information at their disposal,” she adds.

“The government can connect that data to other data sets, and putting that power in their hands is scary.”

Some of the fears could be allayed with transparency and communication, but Iannopollo points out that the UK government didn’t embrace these two key words.

As well as confusing messages in the government’s daily press briefings – televised for the public – there were background tensions with privacy watchdogs, charged to check any app was being assessed for its impact.

“The Information Commissioner’s Office (ICO) chased the developers of the app to understand if there was any impact assessment that had identified risk in the app,” Iannopollo tells Infosecurity. “However, in most instances, the people working on the app said there was not compliance, and asked ‘why should we comply?’

“It shows the difference between doing the minimum compliance and being unethical. If you are going to collect such rich data, you should use everything at your disposal to be transparent.”

Gartner’s Kaner says it is all about the “test of proportionality” – pointing to the centralized app in Norway that was pulled due to privacy concerns. “The argument was made that the potential risk of getting the disease was low level there, and with only low level downloading of the app, it wasn’t effective,” he explains.

“So, the amount of data the government could access on a user was not in proportion to the low disease risk, meaning they withdrew the app.”

Where is the App Now?

Hancock pledged a roll-out across England in the middle of May, but the timetable was put back to June by Prime Minister Boris Johnson, who promised the government’s own app would be “world-beating.”

Come June, a manual test and trace system was in place, with call centers getting the details of those who had tested positive for the virus, collecting details of those who had been in contact with them and calling them to tell them to self-isolate.

Yet, there was no app, and the rhetoric from the top of government appeared to change from describing the app as being a critical tool in the fight against coronavirus, to merely providing additional support to the manual system.

Ministers refused to give a date for its launch and Johnson claimed there were no other working apps in the world – despite the recent launch of a seemingly successful app in Germany.

Regardless, perhaps in the biggest U-turn of all, Hancock announced that the government was once again working with Apple and Google, after the Isle of Wight trial had failed to detect 96% of contacts using iPhones.

The Apple/Google API keeps the data collected on the phones, rather than it being collated in a centralized server. Iannopollo says, from a tech perspective, this route can seem more “privacy preserving” as it is “built in a way where you cannot track anything else, fundamentally preserving personal data from being exposed.”

While that may sound good on the tin, it puts a lot of power into the hands of unelected organizations. “It might be privacy preserving,” Iannopollo says, “but seeing two of the most powerful organizations in the world putting the infrastructure together, creating a capability that makes them even more powerful, is also cause for concern. It is really about creating walled garden situations where they have the power, and governments cannot change it, and cannot compel the companies to change it.”

The fact is, “questions will be asked about any app,” says Gartner’s Kaner, “but governments do have concerns around why a Silicon Valley giant is telling them what to do around their populations.”

From the Apple and Google side, he says he believes their “intent” is to make it possible to deliver an app that could operate successfully to provide a level of service without compromising privacy. “Remember, if users lose trust in them, both companies will have an awfully hard time, so they have to preserve that.”

Kaner points out that governments “like to be able to express their mandate to govern,” and using the Apple/Google API would see them “constrained” to the rules of something out of their jurisdiction. “There is a tension between any organization with a democratic mandate and an organization that has operations across multiple jurisdictions and whose future is based on continually increasing the level of communications,” he argues.

“You have to look at the agenda of the party in power in a country and what the large communications companies want, and make your own judgement.”

Ready to Rumble

Despite the government’s change of heart, this exact row between the tech giants and Downing Street was about to play out. Asked in June why the government hadn’t made this move sooner, Hancock accused Apple of putting too many restrictions in place to make it workable and complained about being told what to do.

This led to Apple jumping into the headlines to defend itself, criticizing the government for keeping it in the dark over working with the API. The two sides have continued to take potshots at each other ever since, and all the while, the UK remains app-less.

This is far from the first time governments and Silicon Valley bigwigs have entered the ring in full view of the public. From fights with Facebook over election content through to tussles with Amazon on tax, the balance of power between those voted to rule and those who rule the web is a tense one.

Former digital economy minister in the UK government, Ed Vaizey, says the relationship is complex. “The UK government, like other governments, has always welcomed the investment of Silicon Valley giants into the country and recognized their ancillary benefits, such as jobs and economic growth,” the former Conservative MP explains.

“We want the UK to be their most welcome home in Europe,” he adds, but concedes there will always be “clashes” between the two sides, especially with the pressure of public opinion or “analogue companies” such as newspaper publishers arguing about governance or homegrown firms angry about tax.

“Trying to get US companies to have serious conversations about regulatory behavior that is suitable for UK norms is always difficult, and often frustrating,” he says. “Tensions like that will always occur.”

Iannopollo agrees that when it comes to regulation and the speed at which technology evolves, “sometimes lawmakers are left playing catch up. These tech giants have to be treated almost as governments themselves, with their own rules and practices – acting above the rules of states.”

What’s more, while there has been some progress – such as the implementation of GDPR – she doesn’t see the tensions changing. “It is the nature of things,” she says. “These companies are trying to increase power in a market and get more dominance, while governments and courts are trying to limit that.”

So, while coronavirus is at the front of everyone’s minds, and both governments and tech companies are trying to find ways to fight it, one battle that seemingly cannot be won is the one between the public and private sectors – and it is hard to see that coming to an end anytime soon.
