It appears the UK government have decided to scrap their NHS contact tracing app in favour of a model based on Google and Apple’s technology. In doing so, it joins a host of other countries (including Germany, Italy and Denmark) to favour a decentralised system developed by the Silicon Valley giants, rather than a centralised model developed locally. A step in the right direction ?

There has been much debate and concern about the need and function of contact tracing apps to fight the current global pandemic. Indeed, the Ada Lovelace Institute has previously questioned whether any such system was needed and would be safe, fair and equitable stating:

There is currently insufficient evidence to support the use of digital contact tracing as an effective technology to support the pandemic response - Ada Lovelace Institute

Other points of note from their rapid evidence review highlight that effective deployment of technology to support the transition from the crisis will be contingent on public trust and confidence. Also, that legislation should be advanced to regulate data processing to impose strict purpose, access and time limitations. Finally, until a robust and credible means of immunity testing is developed, focus should be on considering the deep societal implications of any immunity certification regime, rather than on developing digital immunity certificates.

The debate continued when a number of leading scientists and researchers in the field of security and privacy also raised concerns about the original plans of NHSX to deploy a contact tracing application. They produced a joint statement raising concerns about the proposal to record centrally the de-anonymised IDs of infected people and also the IDs of all those with whom the infected person has been in contact. They highlighted that the facility could (via mission creep) lead to a form of future surveillance unless the usual data protection principle is applied: collect the minimum data necessary to achieve the objective of the application.

We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a “nice to have”, given the dangers involved and invasive nature of the technology

Finally, they sought assurance from the NHSX regarding how it planned to phase out the application after the pandemic has passed to prevent mission creep.

This joint statement came hot on the heels of a previous wider joint statement by a group of international scientists and researchers who raised similar concerns and provided a set of principles which they feel should be followed, namely:

  • Contact tracing Apps must only be used to support public health measures for the containment of COVID-19. The system must not be capable of collecting, processing, or transmitting any more data than what is necessary to achieve this purpose.
  • Any considered solution must be fully transparent. The protocols and their implementations, including any sub-components provided by companies, must be available for public analysis. The processed data and if, how, where, and for how long they are stored must be documented unambiguously. Such data collected should be minimal for the given purpose.
  • When multiple possible options to implement a certain component or functionality of the app exist, then the most privacy-preserving option must be chosen. Deviations from this principle are only permissible if this is necessary to achieve the purpose of the app more effectively, and must be clearly justified with sunset provisions.
  • The use of contact tracing Apps and the systems that support them must be voluntary, used with the explicit consent of the user and the systems must be designed to be able to be switched off, and all data deleted, when the current crisis is over.

They urged all countries to respect users’ privacy by relying only on systems that are subject to public scrutiny and that are design specifically with privacy in mind (instead of there being an expectation that they will be managed by a trustworthy party), as a means to ensure that the data protection rights are upheld

Critical thinking around this subject is required and the principle guidelines outlined by my scientific brethren is probably a good place to start.

What do you think ? Do you agree with Matt Hancock that engaging in Test and Trace is our civic duty or do you lean more towards the Canadian approach of being completely voluntary ?

Let me know by join my mailing and contributing to the discussion.