As countries prepare to wind down social distancing efforts to prevent the spread of Covid-19, there are hopes that technology will come to our aid, where a medical solution has so far eluded us.
Contact tracing apps are designed to automate the process of tracking those who are likely to have been in contact with the virus. The basic principle is that they allow us to be tagged (or to tag ourselves) if we develop Covid-19 symptoms and test positive. The app then uses some form of positioning data (not necessarily location data), along with what it knows about who we have been in close proximity with, to warn those at risk of being infected that they should self-isolate and test.
Sounds fantastic, right? Well – maybe. The fact is, though, that most of us don’t really understand the exact details of what data will be collected, what it will be used for, and who will have access to it.
This means that there is a danger that people may distrust these apps and refuse to use them. If an insufficient number of people decide to take part, the overall effectiveness of the app becomes greatly diminished.
A number of different contact tracing systems are either in deployment or are being trialled around the world. In the UK, the organisation responsible for the app – the NHS – has defended its decision to use a centralised model of data collection and analysis, rather than a decentralised model as favoured in other territories. Centralised models are fundamentally less private – as someone has ultimate control over all of everyone’s data. Their logic is that healthcare needs, in these circumstances, trump the need to maintain privacy. As Dr. Ian Levy, technical director of the UK National Cyber Security Centre says in this very informative blog post, “an app that provides fantastic provable privacy but doesn’t stop the disease isn’t a useful tool.”
This is certainly true – the problem is, it’s equally true that if the app isn’t sufficiently trusted and adopted, it won’t be a useful tool. There’s no getting away from the need to balance the two primary requirements of public safety and information security.
This is the same argument, of course, that’s raged on for decades now. Is it right or necessary for us to give up expectations of privacy in return for data security? The difference today, however, is that as participation in contact tracing apps is entirely voluntary, this is now a decision we all need to take for ourselves – and our own decisions could easily affect the lives of others.
Centralised versus decentralised?
Centralised data aggregation and analytics, as used in the NHS app, gives healthcare services the advantage of better oversight of the data, meaning that connections and insights are made that may not be apparent from a decentralised system. At the same time, there’s a risk, however small, that data could leak or be stolen and end up being used for reasons we didn’t intend, when we agreed to share it.
In the case of the NHS app – where there is a functional necessity that data is shared with healthcare providers as well as other users of the app – it’s possible, though very unlikely, that someone with access to all of the systems (including NHS patient records) could “join the dots” and use encrypted data to identify individuals. The system is set up so that no one person would have access to all of those points of contact. However, as Dr. Levy implies in his blog, it’s not possible to say with 100% certainty that a malicious actor could never take control of them at some point. Additionally, users’ IP addresses are logged by “commercial front end” components of the software stack. Though access to those logs is strictly controlled, again it isn’t possible to say this security will never be breached.
One aspect of this app that does give me cause to feel optimistic is that it is entirely open-source. The code is available in its entirety to be dissected and analysed, so people with more programming knowledge than myself will at least be able to verify that it is doing what it says it does, nothing more and nothing less.
For example, this means that we’ll know for sure that the app does not, as was originally widely assumed, use locational data to track where we go and who we see. Instead, it uses Bluetooth signals to detect your proximity to other people. In other words, all of the positional data collected and transmitted is relational to other app users around you, rather than to your geographic location, which seems like a pretty clever solution.
There’s some other very clever stuff going on. The models that determine risk – whether or not an interaction between two people should warn of a likelihood of infection – are algorithmic and use machine learning. By monitoring the types of interaction experienced by people who later report a positive diagnosis, it learns what interactions are most likely to be dangerous. It is then more likely to alert other people that they should self-isolate or get tested if they display similar patterns of “risky” interaction.
Another feature works as a safeguard against people who might ignore warnings to get tested. If it advises someone to get tested, and they do not record a result (indicating the person did not get tested, or perhaps has stopped using the app), it analyses that person’s recent contacts to see if there is a cluster of symptom reports. If it finds that there is, it notifies all of the non-reporting user’s “risky” contacts as if they had reported a positive result.
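The non-reporting safeguard just described, as an added illustration in a simplified Python model; this is not the NHS app’s own code, and the look-back window, grace period, cluster threshold and the pseudonymous identifiers in the sample data are assumed or constructed values, since the page gives none.

```python
from dataclasses import dataclass, field

WINDOW_DAYS = 14       # assumed look-back window; the page gives no real NHS values
GRACE_DAYS = 3         # assumed days a user gets to record a test result
CLUSTER_THRESHOLD = 2  # assumed symptom reports among contacts that count as a cluster

@dataclass
class Contact:
    a: str       # pseudonymous app identifier (constructed, not a real id)
    b: str
    day: int     # day the Bluetooth proximity event happened
    risky: bool  # whether the risk model flagged the encounter

@dataclass
class AppState:
    contacts: list = field(default_factory=list)
    advised: dict = field(default_factory=dict)   # user -> day advised to test
    results: dict = field(default_factory=dict)   # user -> day a result was recorded
    symptoms: dict = field(default_factory=dict)  # user -> day symptoms were reported

def risky_contacts(state, user, today):
    """Identifiers of everyone flagged as a risky contact of `user` in the window."""
    out = set()
    for c in state.contacts:
        if c.risky and today - c.day <= WINDOW_DAYS and user in (c.a, c.b):
            out.add(c.b if c.a == user else c.a)
    return out

def escalate_non_reporters(state, today):
    """Non-reporting users whose contacts form a symptom cluster -> contacts to notify."""
    notified = {}
    for user, advised_day in state.advised.items():
        if user in state.results or today - advised_day <= GRACE_DAYS:
            continue  # a result was recorded, or still inside the grace period
        contacts = risky_contacts(state, user, today)
        symptomatic = {u for u in contacts
                       if u in state.symptoms and today - state.symptoms[u] <= WINDOW_DAYS}
        if len(symptomatic) >= CLUSTER_THRESHOLD:
            notified[user] = contacts  # treated as if `user` had reported positive
    return notified

def demo_state():
    """Constructed sample: U1 was advised to test on day 5 and never recorded a result."""
    s = AppState()
    s.contacts += [Contact("U1", "U2", 4, True), Contact("U1", "U3", 6, True),
                   Contact("U1", "U4", 7, False), Contact("U5", "U6", 8, True)]
    s.advised = {"U1": 5, "U5": 8}
    s.results = {"U5": 9}
    s.symptoms = {"U2": 9, "U3": 10}
    return s
```

Run against the sample on day 12, U1 is escalated and U2 and U3 would be notified, while U5 (who recorded a result) and the non-risky contact U4 are left alone; on day 7 U1 is still inside the grace period and nothing happens.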
The UK is far from the first country to introduce an app to automate the process of contact tracing – Singapore had one deployed by March 20, and Australia, India, China, Colombia, the Czech Republic, Hungary, Iceland, Israel, New Zealand, Norway, and Switzerland are among the countries where they are now active.
Many of these countries have opted for a decentralised system. This leaves fewer holes through which privacy could be compromised. However, from a healthcare perspective, the pros and cons of centralised versus decentralised are far from certain. There simply isn’t enough data yet for us to know for sure.
An important choice
If we live in those countries where automated contact tracing is available, we now all have an important decision to make. Do we trust the government with the data they are asking us to hand over? Or – trust or not – is the situation simply so critical that our concerns over data sharing and privacy have to be put aside?