Lifting lockdown: the emerging role of the contact tracing app

The NHSX contact tracing app is currently being trialled on the Isle of Wight, but has the government picked the best approach for privacy and effectiveness?

In his speech on Sunday night, Boris Johnson described "a first sketch of a road map for reopening society".

Details of the planned gradual reopening were not made clear in the announcement, but a key metric in the decision-making process will be the R number or R0, the average number of people to whom an infected individual will pass the coronavirus.

Any opening up should occur only when current measures have brought R0 significantly below 1, or there will likely be a new surge in infections. Once restrictions are relaxed, R must be closely monitored. Some countries, such as Germany and South Korea, have had to reimpose local restrictions after cases started spiking in some areas.

Effectively tracking R0 requires testing at scale with a rapid turnaround of test results, plus a large-scale targeted effort to find carriers and trace their contacts so they can be isolated.

Unfortunately, testing and contact tracing in the UK have been behind the curve since the start of the outbreak, and capacity is currently insufficient to allow for the sort of rigorous test, track and trace regime that will give the confidence to ease restrictions.

Once testing capacity has been 'ramped up' sufficiently and there are human contact tracers in place, one of the technological weapons in health authorities' armoury will be the contact tracing app, a prototype of which is being tested on the Isle of Wight. Such an app will be ineffective in the absence of other measures including those outlined above, but at least its likely shape is becoming clearer.

Which doesn't make it any less controversial. Alongside questions of whether a contact tracing app will actually work, plenty of concerns remain over privacy. A long-awaited NHSX data privacy impact statement (DPIA) is notable for having redacted information on app and platform security and for muddying the waters on questions of anonymity, according to Michael Veale, a lecturer on digital rights.

"The DPIA reads like a fight between PR folk wanting to say it is anonymous, and data protection folk needing to say legally, it is not. DPIAs are no place for PR. This data is not anonymous," he tweeted.

And at the end of April more than 100 privacy experts wrote an open letter to the government expressing serious concern about the NHSX Covid-19 contact tracing app.

However, other academics maintain that while deanonymisation would be possible it would not be easy since it would require several pieces of extra information about the individual. In a piece for the Conversation, researchers from the University of Strathclyde argue that human contact tracing will be equally if not more invasive.

The issue of trust is vital here. A recent Observer poll suggested that only 50 per cent of people would download the app, which would limit its effectiveness. One potential issue is that users cannot see their data and cannot request that it be deleted from the central database.

Centralisation vs decentralisation

Core to the debate is whether the app should take a centralised approach, as the current NHSX prototype does, in which data is stored in an NHS database, or a decentralised one in which it is kept on the device, as the Apple-Google API used by some other countries allows. (NHSX, the cross-departmental digital health body, is also said to be exploring a decentralised alternative.)

Arguments for the centralised approach include the possibility of real-time updates to the software to reduce false negatives and false positives, quicker identification of outbreak hotspots, the ability to identify contacts of contacts, ease of use in conjunction with human contact tracers, and the availability of data for further research.

Meanwhile, a decentralised app is much better at guaranteeing the privacy and anonymity of the user and should, therefore, allay many trust issues. The Apple-Google API would also make it more compatible with the approach taken by neighbouring states.

The two sides of the debate were crystallised during a roundtable hosted by Acquia on the role of open-source hardware and software in tackling Covid-19.

Databricks CEO Ali Ghodsi argued that the governments that have so far been most effective in using data to tackle the problem, such as Singapore and South Korea, have put centralised efficacy over privacy concerns: "We should not delay implementation while lives are being shattered and people are dying. Do something now, and trust that the governments will do the right thing."

However, since the testing and physical tracing measures are not yet in place, there is no need to rush.

Jim Webber, chief scientist at graph database firm Neo4j, feared a slippery slope that could further erode much-needed trust in the authorities. Intrusive social graphs could easily be constructed using the gathered data, he said.

"I don't believe at the moment that the government has figured out how to deal with this response in the long term," said Webber. "We have no guarantees that our data won't be used for other things in the future, and that's worrying because it pits the good data scientist against the long-term stewardship of that data."