Euro Security Watch with Mathew J. Schwartz

COVID-19 , Device Identification , Endpoint Security

Britain Makes U-Turn on Digital Contact-Tracing App

Centralized Approach Dropped, Allowing Rebuilt App to Use Apple and Google APIs
Britain Makes U-Turn on Digital Contact-Tracing App
Prime Minister Boris Johnson speaks at an April 30 press conference (Photo: Prime Minister's Office)

To the triple failures of Britain's inability to prevent a massive number of deaths due to COVID-19, effectively contact-trace infected individuals in England, or track recovered cases, add a fourth: Following months of development and testing, the U.K. has ditched its custom-built, centralized digital contact-tracing app.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

"We have growing confidence that we will have a test, track and trace operation that will be world-beating and, yes, it will be in place by June 1," Prime Minister Boris Johnson declared on May 20. Likewise, Health Secretary Matt Hancock had continued to promise that the digital contact-tracing app would be debuted nationally by mid-May, following trials that began on the Isle of Wight on May 8.

One month later, those plans are in tatters. As the BBC first reported Thursday, the government's digital contact-tracing app, which gathered and stored data in a centralized repository, only successfully detected iPhones 4% of the time and Android phones 75% of the time.

Now, in what Johnson has tried to spin as the country's "next phase" of digital contact-tracing app development, the government has ditched that app. Instead, it says that the U.K. National Health Service's NHSX technology group, which has been building the app, will create a new one, potentially by the winter.

Johnson's administration will now embrace the approach that has long been advocated by numerous leading scientists and researchers: Building an app that stores data in a decentralized, privacy-preserving manner. By doing so, the government will also meet privacy criteria laid down by Apple and Google, allowing the U.K.'s app to work with both companies' contact-tracing application programming interfaces, which they built to maximize interoperability, battery life and privacy.

Apps built using those APIs have been found to correctly detect iPhones and Android devices 99% of the time. One challenge identified by the NHSX team, which is testing the functionality, has been estimating distance: Apparently the APIs alone often cannot distinguish when users are three feet apart, as opposed to 10 feet.

Other countries have also switched from a centralized to a decentralized approach, including Germany, Italy and Denmark. Germany, after switching its approach in April, this week launched its contact-tracing app.

'World Beating'

The degree to which the British government continues to fail at COVID-19 containment continues to astonish. Government officials in London continue to trumpet their response as being "world beating." But as a New York Times report this week notes, it's anything but that, as the government continues to overpromise and underdeliver.

The result: British residents, especially in England, are more likely to die from COVID-19 than in almost any other country in the world, except for Brazil, Chile, Peru, Sweden and the United States.

New Deaths Attributed to COVID-19

Here's a seven-day rolling average of new deaths (per million), by number of days since 0.1 average deaths (per million) first recorded. (Source: Financial Times analysis of data from the European Centre for Disease Prevention and Control and the Covid Tracking Project. Data updated June 18 2020 2.44pm BST.)

Do Contact-Tracing Apps Work?

Britain's digital contact-tracing app U-turn still doesn't resolve another outstanding question: Will these apps even help? In fact, that remains to be seen, and even if they're effective, it will only be a small part of the bigger picture (see: Digital Contact-Tracing Apps: Hype or Helpful?).

How such apps are meant to help is by alerting users if they've come into sustained contact with someone who later tests positive for the virus.

Apple and Google say their APIs are meant to help public health authorities' apps work more effectively. "We have developed an Exposure Notification API with Apple based on consultation with public health experts around the world, including in the U.K., to ensure that our efforts are useful to authorities as they build their own apps to limit the spread of COVID-19, while ensuring privacy and security are central to the design," a Google spokesman tells me, adding that the company has welcomed the U.K. government's plans to adopt their APIs.

How a public health authority's contact-tracing app that uses Apple and Google's APIs might look (Mockup: Apple and Google)

Even so, digital contact-tracing apps are only meant to help automate manual, labor-intensive contact-tracing efforts, which can involve researchers working the phones and reviewing airline manifests, CCTV footage and more to try to identify everyone who might have come into contact with someone who later tested positive for COVID-19.

No Silver Bullet

Public health experts have been clearly saying the following for months: Without robust, manual contact-tracing efforts, arresting the spread of COVID-19 will be difficult.

In response, some countries, such as Iceland, quickly launched contact-tracing teams in February, staffed by detectives, nurses and criminologists, and scaled them up quickly. Others belatedly launched their programs.

The U.K., for example, launched its program in rushed-out form on May 28, using thousands of poorly trained and low-paid staff. As The New York Times this week reported: "In almost three weeks since the start of the system in England, ... some contact tracers have failed to reach a single person, filling their days instead with internet exercise classes and bookshelf organizing."

The results speak for themselves: Where Iceland has 10 confirmed COVID-19 deaths (3 deaths per 100,000 people), Britain has logged more than 42,000 deaths (630 deaths per 100,000 people) due to the disease.

Save Lives, Rebuild the Economy

While the usefulness of digital contact-tracing apps remains unproven, clearly the imperative is for governments to pull out every possible stop to protect the health of its population. Countries such as New Zealand and others, which have successfully suppressed the virus, are now ending their lockdowns and able to try and rebuild their economies.

The failure of Britain to successfully build and roll out the app envisioned by the government is, unfortunately, no surprise. From the start, global surveys of public opinion found widespread distrust for digital contact-tracing apps, including fears of unchecked government surveillance.

Screens from the first version of the U.K. National Health Service contact-tracing app (Source: NHS, via BBC)

In April, hundreds of scientists and researchers - including many from Britain - issued an open letter calling on governments to build digital contact-tracing apps for combating COVID-19 in an open and transparent manner. They also called on governments to use Bluetooth, because GPS could be used to de-anonymize users, as well as to store data only on a user's device, rather than centrally.

"The motivation is the desire that these apps are effective and that will happen only if people use them, and that trust will happen only if people trust them," Alan Woodward, a professor of computer science at the University of Surrey who signed the open letter, told me at the time. "Unless you are transparent and open, people will assume nefarious uses - it could be an enormous 'own goal,'" he said, meaning that a poorly designed app might be worse than no app at all.

Another potential challenge: Unless the government got its efforts right from the get-go, it might never be able to regain users' trust (see: COVID-19 Contact-Tracing App Must-Haves: Security, Privacy).

Transparency and Trust: Still Essential

Further reasons to be open and transparent and build trust: Researchers at the University of Oxford estimate that for a contact-tracing app to be optimally effective, 60% of a country's population will need to adopt it. In Britain, only 80% of adults, however, have a sufficiently advanced smartphone to run the app. Hence the country would need to embark on a "hearts and minds" campaign to convince the population that the government had an effective COVID-19 response in place, and that the digital contact-tracing app was a core component of its plan, and would save lives (see: Digital Contact-Tracing Apps Must Win Hearts and Minds).

Instead, Prime Minister Boris Johnson has been largely absent from the public eye. In his place, a procession of government ministers have led daily briefings and attempted to spin the dire COVID-19 picture in Britain.

Leadership responsibility for the country's overall test-and-trace program was given to Diana Mary "Dido" Harding, who previously served as CEO of U.K. telecommunications giant TalkTalk. During her tenure, that telecom company suffered a massive series of data breaches. In response, the country's privacy watchdog issued a scathing report into company's information security practices and hit her firm with what was, at the time, the largest privacy fine in the country's history (see: TalkTalk Slammed with Record Fine Over Breach).

Working App: Maybe By Winter

Now that the government is retooling its contact-tracing app approach, when will the U.K. see the results? Government ministers revealed for the first time on Thursday that for the Isle of Wight trials, NHSX teams were testing both the government's own app, as well as a version they had mocked up using the Apple and Google APIs.

On Wednesday, the BBC reported that the two individuals who had been heading the NHSX app-development team for Harding have now been dumped. Instead, Simon Thompson, a former Apple executive who's been serving as British online supermarket Ocado's chief product officer, will be joining Harding's team to take control of the delayed digital contact-tracing app efforts.

But this week, Lord Bethell of Romford, the innovation minister in the Department of Health and Social Care who's responsible for overseeing the digital contact-tracing app, said a working version would not be publicly available for many months.

"We're seeking to get something before the winter, but it isn't the priority for us at the moment," he told Parliament's science and technology committee.

Because really, as the COVID-19 pandemic continues to pummel Britain, what's the rush?



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.