Application Security , COVID-19 , Governance & Risk Management

Coronavirus: UK Government Promises App for Contact Tracing

But Cybersecurity Adviser Dismisses Plans as Misplaced 'Do-Something-Itis'
Coronavirus: UK Government Promises App for Contact Tracing
British Health Secretary Matt Hancock speaks at a recent government COVID-19 press conference.

The U.K. government says it's prepping a contact-tracing app in an attempt to help contain the COVID-19 outbreak. But one of the country's leading cybersecurity experts argues that the proposal amounts to little more than "do-something-itis" and urges a focus, instead, on expanded testing, ventilator production, training more nurses and producing more protective equipment to safeguard medical workers.

See Also: How To Cut Through The Web Of Insurance Fraud

The British government's contact-tracing app is being developed by the National Health Service's NHSX unit, which sets digital policies and develops NHS technology and data guidelines.

"If you become unwell with the symptoms of coronavirus, you can securely tell this new NHS app, and the app will then send an alert anonymously to other app users that you've been in significant contact with over the past few days, even before you had symptoms, so that they know and can act accordingly," Health Secretary Matt Hancock said on Sunday at the government's daily COVID-19 press briefing.

The Conservative U.K. government, led by Prime Minister Boris Johnson, has been criticized for its efforts to contain the disease. Johnson remains off work after apparently failing to practice social distancing and subsequently testing positive for COVID-19.

On Monday, the U.K. Department of Health said: "As of 5 p.m. on April 12, of those hospitalized in the U.K. who tested positive for coronavirus, 11,329 have died." (Note: The published figures therefore do not include anyone who had not previously tested positive for COVID-19 or who died outside of a hospital. Of the country's population of 67.8 million, only 290,720 individuals, or 0.42 percent of the population, have been tested at least once for the disease.)

The Financial Times reports that based on a seven-day rolling average, the U.K. has the world's second-worst increase in daily deaths due to the disease; the U.S. has the worst increase.

Is UK Pursuing Herd Immunity?

Early on, rather than pursuing rigorous, mass testing and contact tracing, Johnson appears to have opted for an untested "herd immunity" approach. Herd immunity describes the phenomenon that at-risk individuals are protected from infection because they are surrounded by immune individuals. Many public health policy experts say that until a COVID-19 vaccine gets developed, such a strategy would not be effective; they also argue it could overwhelm the NHS and lead to a massive number of deaths.

While the government says this is not the approach it's pursuing, Johnson's failure to meaningfully pursue other options in a transparent manner may mean it is the de facto approach.

Hancock at the Sunday press conference did not promise that the forthcoming NHSX app would be accompanied by a massive increase in blood tests to determine whether an individual with symptoms of COVID-19 actually has the disease. Nor did he promise that the U.K. would build out its manual contact-tracing capabilities, as has been done in other countries that have seen markedly fewer deaths, including South Korea and New Zealand.

Hancock also attempted to downplay privacy questions about the extent to which personally identifiable information might be exposed via the NHSX app.

"All data will be handled according to the highest ethical and security standards and would only be used for NHS care and research, and we won't hold it any longer than it's needed," he said.

"As part of our commitment to transparency, we'll be publishing the source code too. We're already testing this app, and as we do this, we're working closely with the world's leading tech companies and renowned experts in digital safety and ethics."

NHSX says it believes that at least half of the population who go outside would need to use its app for it to be effective.

Apple, Google Announce Initiative

The NHSX unit was launched by Hancock in February 2019 to develop "new digital, data and technology capabilities" for the nation's health service. It has never before fielded this type of app, intended for mass adoption, nor has the wider U.K. government. But development of the app was outsourced this year to Pivotal, a subsidiary of Palo Alto, California-based VMware, Sky News has reported.

The NHSX effort is separate from an initiative announced on Friday by Apple and Google, which are hoping to build contact-tracing tools that would run on both Apple and Google devices.

By mid-May, Apple and Google are promising to give APIs to public health officials to make it easier to build apps that interoperate with both of their mobile operating systems.

Then in the next few months, the two companies are hoping to update their respective iOS and Android operating systems to include, built in, "a broader Bluetooth-based contact tracing platform" to which users could opt in.

For anyone who opted in, whenever their device came within a specific range - for example, 10 feet - of a device used by another individual who had opted in, the devices would exchange a code unique to their device. If one of the device owners later tested positive for COVID-19, they could tell their app, which would flag their unique code via a cloud-based service that would lead to alerts being sent to other app users who may have been exposed.

"Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders," the companies say in a joint statement. "We will openly publish information about our work for others to analyze."

NHSX says its contact-tracing app efforts are not connected to the Apple and Google initiative. But it tells the BBC that while it wasn't previously aware of the initiative, it will build whatever the two companies produce into its own approach.

The Apple and Google APIs will allow Bluetooth scanning to continue even if the contact-tracing app is not active, NHSX tells the BBC. It says its app is due to be beta tested in the north of England beginning next week.

Belated Alerts: Tracing Contacts

Other contact-tracing efforts are already underway. Singapore has rolled out its open source TraceTogether, which uses Bluetooth to record other app users with which a user comes into close contact, and Australia is considering emulating that approach, which about 10 percent to 15 percent of Singapore's 5.85 million residents have adopted (see: Australia Considers How to Approach Pandemic Contact Tracing).

Numerous other teams are also attempting a privacy-by-design approach to building contact-tracing systems, including MIT's Private Automatic Contact Tracing and Safe Paths, as well as Covid Watch, among others.

But any such system - including what Google and Apple are proposing - will not succeed if it's purely automated, says Jason Bay, senior director of government digital services at Singapore's Government Technology Agency.

"You cannot 'big data' your way out of a 'no data' situation."
—Jason Bay of Singapore's TraceTogether

Bay, who's the product lead for Singapore's TraceTogether, says that at best, such systems can only supplement manual contact tracing. "If you ask me whether any Bluetooth contact tracing system deployed or under development anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is 'no,'" Bay says.

"You cannot 'big data' your way out of a 'no data' situation," he adds. "Any attempt to believe otherwise is an exercise in hubris and technology triumphalism. There are lives at stake. False positives and false negatives have real-life - and death - consequences."

Sticking Point: Voluntary Adoption

Cybersecurity expert Ross Anderson, who's an adviser to the NHSX app project, says that the contact-tracing app would be constrained by poor data and supplemental processes, including a widespread lack of rapid COVID-19 tests, delays in diagnoses - current tests require one to three days to return results - as well as a lack of people working as contact tracers. He also warned about the use of Bluetooth - for example, its ability to travel through walls in unconnected apartments or offices - and the potential that someone might abuse the system, for example, to claim they had been infected.

"We must ... not give policymakers the false hope that techno-magic might let them avoid the hard decisions. ... The response should not be driven by cryptographers but by epidemiologists."
—Professor Ross Anderson, Cambridge University

Furthermore, the U.K. government also has a bad track record when it comes to collecting and retaining personal data, Anderson says.

"I recognize the overwhelming force of the public health arguments for a centralized system, but I also have 25 years' experience of the NHS being incompetent at developing systems and repeatedly breaking their privacy promises when they do manage to collect some data of value to somebody else," writes Anderson, who's a professor of security engineering at the University of Cambridge, in a blog post. "I'm really uneasy about collecting lots of lightly anonymized data in a system that becomes integrated into a whole-of-government response to the pandemic. We might never get rid of it."

The voluntary nature of the government's approach, however, also poses a major problem. "The real killer is likely to be the interaction between privacy and economics," he says. "If the app's voluntary, nobody has an incentive to use it, except tinkerers and people who religiously comply with whatever the government asks." If the app isn't voluntary, he says, then there will be widespread incentive to cheat. In such cases, having a paper-based certificate with serology results might be the best approach, he argues (see: China Builds COVID-19 Recovery on Blockchain).

Who Must Lead? Epidemiologists

For combating COVID-19, Anderson says the government would do well to focus instead on necessities, rather than the NHSX app. "I suspect the tracing apps are really just do-something-itis," he says, noting that what really needs to be done is to build more ventilators, train more nurses and expand blood tests.

"We must call out bullshit when we see it, and must not give policymakers the false hope that techno-magic might let them avoid the hard decisions. Otherwise we can serve best by keeping out of the way," he says. "The response should not be driven by cryptographers but by epidemiologists, and we should learn what we can from the countries that have managed best so far, such as South Korea and Taiwan."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.