Covid-19 contact tracing app: government u-turns to adopt decentralised Apple - Google API model

After a series of delays and warnings from cyber security and privacy experts, the government is abandoning its centralised approach to Covid-19 data collection

The government is to abandon the centralised contact tracing app it has been testing on the Isle of Wight in favour of one that uses the decentralised mobile API created by Apple and Google.

Former Apple executive, Simon Thompson, is to take the reins of the troubled contact tracing app project.

The move, first reported by the BBC, has been welcomed by privacy experts who had been dismayed by the earlier adoption of a system that stored data in a centralised NHS database. In April an open letter was sent to government from 117 academics who spelled out the dangers to data security, personal privacy and scope creep of a centralised approach to data collection.

The government had argued it would be more helpful to epidemiologists, making it easier to pinpoint geographically sudden upsurges in infections as well as enabling updates to the software in real time to reduce false negatives and false positives, and also that retained data would be useful for further research.

After a series of missteps and delays, the importance of the Covid-19 contact tracing app, which uses Bluetooth to alert people if they have been in proximity to an infected person, has been gradually downgraded in government communications and they have now abandoned their chosen centralised approach altogether.

A decentralised app, where the data is kept encrypted on the smartphone, provides the user much stronger guarantees of privacy and anonymity and should, therefore, allay many trust issues and lead to improved rates of uptake. The Apple-Google API would also make the app more compatible with the approach taken by most neighbouring countries.

Germany, Switzerland, Italy and Denmark have all made a similar switch to a decentralised app. Norway recently abandoned its centralised app due to data protection concerns. France, by contrast has chosen to retain a centralised approach.

The BBC reports that the app's user interface will remain the same, with the changes occurring in the back end. The Google - Apple API is integrated with iOS and Android at a low level, which should reduce compatibility problems.

"A decentralised app will allow consumers across the UK to download the app without fears that their data could be exploited for secondary purposes," said Ray Walsh, digital privacy expert at advocacy groupProPrivacy.

"The good news is that the UK will now shift its efforts towards a secure app that gives people contact tracing as well as privacy. It is a shame that it took so long for the NHS and the government to come to the same realisation privacy experts had months ago - that in order for an app to be effective it is going to need to be accepted by the general public.

"While this is good news, the reality is that we could have had this app up and running weeks if not months ago; which could have greatly reduced the rate of infection and potentially saved lives."