To earn the trust of the public, privacy will be fundamental to the building the coronavirus contact-tracing app that the UK government is working on, NHSX boss Matthew Gould has said in a new post detailing the organization’s commitment to confidentiality – even amid the extreme circumstances imposed by the coronavirus pandemic.
Gould, whose team within NHSX is leading the development of the new tool, insisted that security and privacy have been prioritized “in all stages” of the app’s production, from initial design to user testing. The organization will be publishing key security and privacy designs alongside the source code for the app, so that third-party experts can scrutinize the inner workings of the tool.
Last week, the UK health secretary Matt Hancock announced plans for an app to track and warn people who have been around someone who is showing symptoms of the coronavirus, without providing much further detail.
The NHSX boss has confirmed that the technology would be based on the model for a mobile app concept developed by a team of medical researchers from the University of Oxford, which uses Bluetooth Low Energy to register all the smartphones that a given phone has come into close proximity with over a few days. If one of the phone owners then finds they are infected with COVID-19, a warning is anonymously sent to all users who are at risk, in some cases to advise them to go home and self-isolate.
The app will log, via Bluetooth, the distance between a phone and all other phones nearby who also have the app installed – a log which will be both anonymous and “stored securely on your phone,” said Gould. Data relating to patient symptoms, whether self-diagnosed or confirmed by a medical test, will also be anonymized.
“The data will only ever be used for NHS care, management, evaluation and research,” said Gould. “We will always comply with the law around the use of your data, including the Data Protection Act and will explain how we intend to use it.”
Users will be able to delete the app and all associated data whenever they want, and any changes to the way the tool works will be explained and made clear on the platform.
The NHSX boss said that developers have partnered with experts from both government and industry to review the app privacy designs, and in particular mentioned working with Apple and Google. The tech giants are soon to release the first version of a joint contact-tracing API based on Bluetooth, which never collects any geographic data in order to protect individual privacy.
Apple and Google’s model lets two users exchange their respective anonymous key codes whenever their phones’ Bluetooth signals register a prolonged contact. If one of the users then fell ill, their anonymous key code would be recognized by the other person’s phone, and a warning would be triggered.
Bluetooth has come out as the preferred option for many advocates of contact-tracing apps, because unlike GPS or Wi-Fi, the technology doesn’t register users’ locations but merely tracks which devices have been near one another. A recent report by Privacy International concluded that Bluetooth is a far less intrusive tracking method than alternatives like GPS or cell-tower data.
NHSX has been consulting with the Information Commissioner’s Office (ICO) to develop the app in a transparent, ethical, and lawful manner. The ICO has already established that Google and Apple’s joint work on contact-tracing aligns with principles of data protection.
“We are working with Apple and Google on their welcome support for tracing apps around the world,” said Gould, suggesting that the NHSX app might well be built on the companies’ API. NHSX has not confirmed to ZDNet whether this will be the case at the time of writing.
The lack of clarity on the app’s technicalities has led some groups to condemn the organization’s lack of transparency about the way that the tool will work. Jim Killock, the executive director of digital rights organization Open Rights Group, has called on NHSX to clarify whether it will be using Apple and Google’s protocols.
“The NHSX project claims a commitment to transparency, but we know next to nothing about how the app will work,” said Killock. “As we understand matters, without using the Apple-Google method the NHS App would end up draining battery and causing screen locks to be disabled. Yet the blog makes no mention of how this problem is resolved, nor explains when protocols and code will be released.”
As a result, the public is having to resort to “speculation” and “guesswork”, rather than an informed debate, continued Killock.
Looking at the broader landscape of contact-tracing apps, Information Commissioner Elizabeth Denham recently stressed the importance of constantly questioning whether the collection of data is proportionate, what control users have over their data and what happens when data processing is no longer necessary.
According to the NHSX’s blog, these issues are being addressed. “Just as the NHS strives at all times to keep your health records confidential, so it will keep the app data secure,” said the organization. “Patient confidentiality is built in to the NHS. It is one of our key values.”
The statement is unlikely to win all critics over, because Bluetooth data is not entirely safe from the possibility of de-anonymization. Ross Anderson, professor of security engineering at the University of Cambridge, who is one of a group of people being consulted by the NHS on the privacy and security of contact-tracing apps, has advised caution contact-tracing apps.
With a few privacy scandals in the NHS’s recent history collecting lightly-anonymized data in response to the pandemic is unlikely to be without some problems.
The NHSX recognized, however, that building public trust through strong privacy assurances will be the only way to ensure a higher uptake of the app across the country. The Big Data Institute estimates that over 60% of the UK population would have to be using the app for digital tracing to reach enough people as they become infected.
“Millions of us are going to need to trust the app and follow the advice it provides,” concluded Gould. “To earn that trust, we will continue to work based on transparent standards of privacy, security and ethics.”
Open Rights Groups’ Jim Killock, for his part, has argued that the NHSX needs to do “more than a blog” to secure trust and a better chance of take-up.
The tool has already started testing in alpha mode at a Royal Air Force base in North Rorkshire, and the health secretary has said that trials are “going well”.