Although the UK government is easing lockdown restrictions across England this week, the central element of its test, track and trace strategy – a COVID-19 contact-tracing app – has yet to be rolled out.
Originally slated to be available in mid-May, the app drew criticism when it was trialled on the Isle of Wight and has been missing from the launch of the government’s manual contact-tracing policy. The app is now expected to be available to the public “in the coming weeks.”
Teething problems
The app has been plagued by difficulties from the start. In April, it was reported that NHSX was engaged in a stand-off with Apple and Google, with the two tech giants refusing to support the centralised way in which the government wanted to build the app, an approach they claimed was less secure.
Even so, the app was officially launched in its centralised form on the Isle of Wight on May 6. With around 60,000 downloads so far – 40% of the island’s population – the results have been mixed.
The initial version was limited in terms of functionality. Users who logged feeling unwell could only report two symptoms – a continuous cough or a high temperature; the app did not allow users to enter a coronavirus test result, positive or negative. (Government officials say the app has been updated to address those shortcomings.)
“Contact tracing has clearly been proven to be a valuable tool in managing the pandemic, but only if utilised as part of a larger ecosystem,” said Areiel Wolanow, CTO and Technical Architect at London-based BLOK BioScience. “By itself, it is worthless. You need to have the other parts of the engine for the machine to work properly.”
In addition to contact tracing, Wolanow said, you need to have a “self-sovereign record of someone’s active infection, antibody status, and symptoms.” Without that information, getting ahead of the pandemic will be difficult.
There are also concerns that a large percentage of the public may be unable to use the app. Speaking to a culture, media and sport committee in May, Helen Milner, CEO at the Good Things Foundation, a digital inclusion charity, said two million households in the UK don’t have internet access. And another seven million people “have used the net, but have very basic skills, like not knowing how to open an app.”
The majority of those who lack digital skills are among those most vulnerable to COVID-19, putting constraints on their ability to access information and safeguard their health.
Security concerns
Since the app launched, security professionals have highlighted a number of concerns involving security and data privacy. Specific security flaws were flagged at the beginning of the pilot, many of which stemmed from the centralised model the government decided to back.
In total, seven security issues were flagged by researchers, including weaknesses in the registration process that could allow attackers to steal encryption keys; storage of unencrypted data on handsets; and generation of a new random ID code for users once a day rather than once every 15 minutes.
At the time, GCHQ's National Cyber Security Centre (NCSC) said it was aware of most of the issues and was in the process of addressing them.
More recently, concerns around data privacy have again emerged. On May 28, Public Health England posted a privacy notice stating that personal data about people with coronavirus, collected by the NHS as part of the test-and-trace programme, will be kept for 20 years.
Along with data about the symptoms of those with coronavirus, information including full name and date of birth, as well as phone numbers and home and email addresses, will be collected and stored.
Those who have been identified as contacts of people with coronavirus will have all but their date of birth collected and stored for five years.
Youngjin Yoo, project lead of Sharetrace, said that while the government claims holding onto data for 20 years will help prevent the spread of coronavirus in the future, the move is likely to discourage people from downloading the app.
“It fails to take into account that user preferences might change over that time,” Yoo said. “They may be happy to offer the data now to support the wider spread of the current pandemic, but why should it be held to prevent a future pandemic that may never happen?”
He argued that users should not have to worry about their data for years just to feel safe now and said there are alternatives where users can keep control over their information, while allowing the NHS to access it when needed.
“Trusting the NHS with this data is not the same as ensuring that users' privacy is protected. We must prioritise the approaches that protect privacy of personal data,” he said.
Will the app be effective?
Because of early negative reviews and the length of time it’s taken to get the app into the public domain, many IT and health professionals are concerned that a pre-emptive loss of trust will lead to poor download numbers.
According to a study by Censuswide on behalf of Anomali, nearly half (48%) of the UK public surveyed about the NHSX COVID-19 tracing app do not trust the UK government to keep their information safe. Another 33% are concerned that the app might allow the government to track their whereabouts, and 36% fear it could allow the government to collect data on them.
This lack of trust is something Matt Middleton-Leal, General Manager of data security firm Netwrix, is also concerned about. Living on the Isle of Wight, he has been using the app since the trial began. He believes the key issue when the app arrives won’t be technical but the negativity around it.
“I do hope the potential benefits of the app, from easing lockdown and enhancing public health and safety, don’t get lost amongst the politics,” he said. “In times of crisis we should be trying all routes to get to a new normal, and the app, while not the final answer, is an essential part of the jigsaw. The NHS has stated it’s not a perfect platform, but as long as there is a commitment to continuing to enhance the app, we’ll be moving in the right direction.”
Other countries that have already made their contact-tracing apps publicly available have seen mixed results.
In Australia, one month after its Covidsafe app launched, only one person had been identified using data from it. That app was also plagued by technical issues early on and the government initially refused to answer questions about the issues users were facing. Singapore and Norway also saw low download rates for their contact-tracing apps.
There have been some success stories, however. In Iceland, 40% of the population downloaded its contact-tracing app, the highest rate globally – though senior figures did stress the importance of using it in conjunction with a manual track-and-trace programme.