More details have emerged about a coronavirus contacts tracing app being developed by UK authorities. NHSX CEO, Matthew Gould, said today that future versions of the app could ask users to share location data to help authorities learn more about how the virus propagates.
Gould, who heads up the digital transformation unit of the UK's National Health Service, was giving evidence to the UK parliament's Science & Technology Committee today.
At the same time, ongoing questions about the precise role of the UK's domestic spy agency in key decisions about the NHSX's choice of a centralized app architecture means privacy concerns are unlikely to go away -- with Gould dodging the committee's about GCHQ's role.
A basic version of the NHSX's coronavirus contacts tracing app is set to be tested in a small geographical region in the next 1-2 weeks, per Gould -- who said "technically" it would be ready for a wider rollout in 2-3 weeks' time.
Although he emphasized that any launch would need to be part of a wider government strategy which includes extensive testing and manual contacts tracing, along with a major effort to communicate to the public about the purpose and importance of the app as part of a combined response to fighting the virus.
In future versions of the app, Gould suggested users could be asked to contribute additional data -- such as their location -- in order to help epidemiologists identify infection hot spots, while emphasizing that such extra contributions would be voluntary.
"The app will iterate. We've been developing it at speed since the very start of the situation but the first version that we put out won't have everything in it that we would like," he said. "We're quite keen, though, that subsequent versions should give people the opportunity to offer more data if they wish to do so.
"So, for example, it would be very useful, epidemiologically, if people were willing to offer us not just the anonymous proximity contacts but also the location of where those contacts took place -- because that would allow us to know that certain places or certain sectors or whatever were a particular source of proximity contacts that subsequently became problematic."
"If people were willing to do that -- and I suspect a significant proportion of people would be willing to do that -- then I think that would be very important data because that would allow us to have an important insight into how the virus was propagated," he added.
For now, the basic version of the contacts tracing app the NHSX is devising is not being designed to track location. Instead, it will use Bluetooth as a proxy for infection risk, with phones that come into proximity swapping pseudonymized identifiers that may later be uploaded to a central server to calculate infection risk related to a person's contacts.
Bluetooth proximity tracking is now being baked into national contacts tracing apps across Europe and elsewhere, although app architectures can vary considerably.
The UK is notable for being one of now relatively few European countries that have opted for a centralized model for coronavirus contacts tracing, after Germany switched its choice earlier this week.
France is also currently planning to use a centralized protocol. But countries including Estonia, Switzerland and Spain have said they will deploy decentralized apps -- meaning infection risk calculations will be performed locally, on device, and social graph data will not be uploaded to a central authority.
Centralized approaches to coronavirus contact tracing have raised substantial privacy concerns as social graph data stored on a central server could be accessed and re-identified by the central authority controlling the server.
Apple and Google's joint effort on a cross-platform API for national coronavirus contacts tracing apps is also being designed to work with decentralized approaches -- meaning countries that want to go against the smartphone platform grain may face technically challenges such as battery drain and usability.
The committee asked Gould about the NHSX's decision to develop its own app architecture, which means having to come up with workarounds to minimize issues such as battery drain because it won't just be able to plug into the Apple -Google API . Yesterday the unit told the BBC how it's planning to do this, while conceding its workaround won't be as energy efficient as being able to use the API.
"We are co-operating very closely with a range of other countries. We're sharing code, we're sharing technical solutions and there's a lot of co-operation but a really key part of how this works is not just the core Bluetooth technology -- which is an important part of it -- it's the backend and how it ties in with testing, with tracing, with everything else. So a certain amount of it necessarily has to be embedded in the national approach," said Gould, when asked why NHSX is going to the relative effort and hassle of developing its own bespoke centralized system rather than making use of protocols developed elsewhere.
"I would say we are sensibly trying to learn international best practice and share it -- and we've shared quite a lot of the technological progress we've made in certain areas -- but this has to embed in the wider UK strategy. So there's an irreducible amount that has to be done nationally."
On not aligning with Apple and Google's decentralized approach specifically, he suggested that waiting for their system-wide contact tracing product to be released -- due next month -- would "slow us down quite considerably". (During the committee hearing it was confirmed the first meeting relating to the NHSX app took place on March 7.)
While on the wider decision not to adopt a decentralized architecture for the app, Gould argued there's a "false dichotomy" that decentralized is privacy secure and centralized isn't. "We firmly believe that both our approach -- though it has a measure of centralization in as much as your uploading the anonymized identifiers in order to run the cascades -- nonetheless preserves people's privacy in doing so," he said.
"We don't believe that's a privacy endangering step. But also by doing so it allows you to see the contact graph of how this is propagating and how the contacts are working across a number of individuals, without knowing who they are, that allows you to do certain important things that you couldn't do if it was just phone to phone propagation."
He gave the example of detecting malicious use of contacts tracing being helped by being able to acquire social graph data. "One of the ways you can do that is looking for anomalous patterns even if you don't know who the individuals are you can see anomalous propagation which the approach we've taken allows," he said. "We're not clear that a decentralized approach allows."
Another example he gave was a person declaring themselves symptomatic and a cascade being run to notify their contacts and then that person subsequently testing negative.
"We want to be able to release all the people that have been given an instruction to isolate previously on the basis of [the false positive person] being symptomatic. If it was done in an entirely decentalized way that becomes very difficult," he suggested. "Because it's all been done phone to phone you can't go back to those individuals to say you don't have to be locked down because your index case turned out to be negative. So we really believe there are big advantages the way we're doing it. But we don't believe it's privacy endangering."
Responding to the latter claim, Dr Michael Veale -- a lecturer in digital rights and regulation at UCL who is also one of the authors of a decentalized protocol for contacts tracing, called DP-3T, that's being adopted by a number of European governments -- told us: "It is trivial to extend a decentralised system to allow individuals to upload 'all clear' keys too, although not something that DP-3T focussed on building in because to my knowledge, it is only the UK that wishes to allow these cascades to trigger instructions to self-isolate based on unverified self-reporting."
In the decentralized scenario, "individuals would simply upload their identifiers again, flagging them as 'false alarm', they would be downloaded by everyone, and the phones of those who had been told to quarantine would notify the individual that they no longer needed to isolate", Veale added -- explaining how a 'false alarm' notification could indeed be sent without a government needing to centralize social graph data.
The committee also asked Gould directly whether UK spy agency, GCHQ, was involved in the decision to choose a centralized approach for the app. The BBC reported yesterday that experts from the cyber security arm of the spy agency, the National Cyber Security Centre (NCSC), had aided the effort.
At first pass Gould dodged the question. Pressed a second time he dodged a direct answer, saying only that the NCSC was "part of the discussions in which we decided to take the approach that we've taken".
"[The NCSC] have, along with a number of others -- the Information Commission's Office, the National Data Guardian, the NHS -- been advising us. And as the technical authority for cyber security I'm very glad to have had the NCSC's advice," he also said.
"We have said will will open source the software, we have said we will publish the privacy model and the security model that's underpinning what we're going to do," he added. "The whole model rests on people having randomized IDs so the only point in the process at which they need to say to us who they are is when they need to order a test having become symptomatic because it's impossible to do that otherwise.
"They will have the choice both to download the app and turn it on but also to upload the list of randomized IDs of people they've been in touch with. They will also have the choice at any point to delete the app and all the data that they haven't shared with us up to that point with it. So I do believe that what we've done is respectful of people's privacy but at the same time effective in terms of being able to keep people safe."
Gould was unable to tell the committee when the app's code will be open sourced, or even confirm it would happen before the app was made available. But he did say the unit is committed to publishing data protection impact assessments -- claiming this would be done "for each iteration" of the app.
"At every stage we will do a data protection impact assessment, at every stage we'll make sure the information commission know's what we're doing and is comfortable with what we're doing so we will proceed carefully and make sure what we do is compliant," he said.
At another point in the hearing, Lillian Edwards, a professor of law, innovation and society at Newcastle Law School who was also giving evidence, pointed out that the Information Commissioner's Office's executive director, Simon McDougall, told a public forum last week that the agency had not in fact seen details of the app plan.
"There has been a slight information gap there," she suggested. "This is normally a situation with an app that is high risk stakes involving very sensitive personal data -- where there is clearly a GDPR [General Data Protection Regulation] obligation to prepare a Data Protection Impact Assessment -- where one might have thought that prior consultation and a formal sign off by the ICO might have been desirable."
"But I'm very gratified to hear that a Data Protection Impact Assessment is being prepared and will be published and I think it would be very important to have a schedule on that -- at least at some draft level -- as obviously the technical details of the app are changing from day to day," Edwards added.
We've reached out to the ICO to ask if it's seen plans for the app or any data protection impact assessment now. Update: A spokesperson did not answer our questions -- instead sending this statement:
The ICO is supporting organisations looking to innovate in response to COVID-19. We are encouraging organisations to consider privacy aspects including what data they need to collect, what control they can give users over their data, and how much data needs to be gathered and processed centrally. Data protection law allows for flexibility to prioritise people’s health and safety, as long as privacy is considered at an early stage.
We’ve been working with NHSX to help them ensure a high level of transparency and governance. We will continue to offer that support during the life of the app as it is developed, rolled out and when it is no longer needed.
During the committee hearing, Gould was also pressed on what will happen to data sets uploaded to the central server once the app has been required. He said such data sets could be used for "research purposes".
"There is the possibility of being able to use the data subsequently for research purposes," he said. "We've said all along that the data from the app -- the app will only be used for controlling the epidemic, for helping the NHS, public health and for research purposes. If we're going to use data to ask people if we can keep their data for research purposes we will make that abundantly clear and they'll have the choice on whether to do so."
Gould followed up later in the session by adding that he didn't envisage such data-sets being shared with the private sector. "This is data that will be probably under the joint data controllership of DHSC and NHS England and Improvement. I see no context in which it would be shared with the private sector," he said, adding that UK law does already criminalize the reidentification of anonymized data.
"There are a series of protections that are in place and I would be very sorry if people started talking about sharing this data with the private sector as if it was a possibility. I don't see it as a possibility."
In another exchange during the session Gould told the committee the app will not include any facial recognition technology. Although he was unable to entirely rule out some role for the tech in future public health-related digital coronavirus interventions, such as related to certification of immunity.