How the British Contact-Tracing App Prioritizes User Privacy

Reuters
August 19, 2020 Topic: Technology Region: Europe Blog Brand: The Reboot Tags: Contact TracingPhone AppTechnologyPrivacyPandemic

How the British Contact-Tracing App Prioritizes User Privacy

This may go some way towards addressing legitimate privacy concerns. But evidence from other countries suggests getting enough people to download and use the app to significantly contribute to England’s contact-tracing efforts will still be a challenge.

 

The UK government has begun a trial of its new, revamped COVID-19 contact-tracing app for England, after its previous attempt failed to work as required and raised concerns over privacy.

Unlike the previous app, the new version stores information about who each user has come into contact with on their phone using a framework provided by Apple and Google, instead of in a centralised database. If a user reports symptoms of COVID-19, the app will alert their recent contacts that they should self-isolate in case they have the disease too.

 

This may go some way towards addressing legitimate privacy concerns. But evidence from other countries suggests getting enough people to download and use the app to significantly contribute to England’s contact-tracing efforts will still be a challenge.

The government initially wanted to use a centralised model so it could gather data about how the virus was spreading. But this raised concerns that enabling a government body to collect information about people’s personal contacts and routines created the possibility for abuse.

The new app gives users better control over their data. To enhance privacy, each phone is assigned a short-term random ID that changes frequently and is deleted after 14 days. While communicating, phones can only see these random IDs, from which it is extremely hard to identify the real user.

To try to retain some of the useful data-gathering function of the app, the NHS has added an ability for users to “check in” to venues they visit such as restaurants and bars by scanning a QR code in each place. This records that the phone, as listed by its random ID, has been in the venue. But government guidance suggests this information will be deleted from the system within 21 days.

By switching to the Apple-Google solution, England has also joined a large group of European countries using similar technology, which is a good step towards enabling the app to keep working if users travel abroad.

If this improvement can be presented effectively, people’s confidence in and willingness to use the app should be greatly improved. The big challenge is still motivating people to be active users, not just downloaders. After downloading the app, people should be motivated to report their symptoms, scan the QR codes at the venues they visit, and self-isolate if advised. And there are several issues that might prevent this.

For one thing, the check-in function creates new potential for the system to be abused. People may not want to use the app if they think they need to record the locations they visit in a government database. And QR codes could even be faked so that someone else could end up capturing your data.

There is also the fact that the app still uses Bluetooth to detect other nearby app users and record them as contacts. Bluetooth has not been used before for this kind of large-scale distance measurement and so it’s not clear how accurate it will be. If the app incorrectly records who counts as having had contact with each user, it could lead to false alerts, which will undermine confidence in the app.

It is also still unclear how the new version of the app would stop people from falsely reporting symptoms, which would also lead to false alerts for other users. Part of the reason the first app used a centralised model was to enable the system look out for and prevent such hoaxes.

 

With a decentralised model, an alternative method is needed. For example, in France and Switzerland, only people who test positive for COVID-19 and are given a special code can record their illness in the app.

There might be ways to address all these issues. But data from other countries shows just how difficult it will be to reach the magic threshold of 60% of the population using the app that research suggests is needed to make it successful without other contact tracing efforts.

International Comparisons

Data from mobile app analytics firm Sensor Tower shows that in most countries where the apps have been made voluntary, the adoption rates have grown slower than expected and reached just 9% of the population on average.

Singapore has had some success and reached 36% of the population whereas France’s centralised app has so far reached just above 3%. Qatar has reached near full coverage but only by making adoption mandatory, which would be politically difficult in more liberal societies.

However, it is important to note that the number of active users can be much lower than the number of downloads. For instance, in France, 1.9 million people downloaded the app in its first three weeks, but only 68 users who tested positive for COVID-19 reported their infection with the app.

An adoption rate lower than 60% won’t necessarily make the app useless, and it can still contribute to encouraging potential virus carriers to self-isolate. But it looks increasingly unlikely that contact tracing apps will ever be able to provide the kind of technological solution to the pandemic that was first touted at the start of the year.

The Conversation

Vinh Thong Ta, Lecturer, Cyber Security Course Leader, University of Central Lancashire; John Dempsey, Senior Lecturer in Computing, University of Central Lancashire, and Max Eiza, Lecturer in Networking & Cybersecurity, University of Central Lancashire

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Image: Reuters