UK snubs Google and Apple privacy warning for contact tracing app

Reports have suggested the UK will pursue a centralised data collection approach for its COVID-19 contact tracing app, despite the well-publicised security and privacy risks.

Last week, the National Health Service (NHS) published a blog entry which pointed towards some element of centralised data collection, though the choice seemingly had been offered to the consumer. It now appears this is not the case.

“This anonymous log of how close you are to others will be stored securely on your phone,” Matthew Gould and Geraint Lewis of NHSX, the technology unit of the NHS, wrote in the blog post.

“If you become unwell with symptoms of COVID-19, you can choose to allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom you came into significant contact over the previous few days.”

Details are of course still thin on the ground, but the BBC is now reporting the NHS will pursue a centralised approach, collating data on NHS servers for analysis and to send out notifications. There are of course advantages to this approach: models can be adapted more quickly and additional analysis can be performed. The question which remains is whether this outweighs the risk to security and privacy; Google and Apple clearly do not think so.

While a centralised approach proposes the collection and storage of all relevant data on NHS servers, an API created between Google and Apple would do the analysis on devices.

Using Bluetooth once again, the decentralised API would store the interactions between devices on the user’s device, only sending a key indicating whether that specific user is infected or not to the cloud. Devices would reference the cloud database regularly and, should the on-device logs match an infected key, alerts would be sent to the other devices which have been logged as contacts.
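As an added illustration (not code from NHSX, Google or Apple, and a simplified model whose key derivation, slot numbering and data layout are assumptions rather than the real API), the decentralised flow just described in miniature: each phone derives rotating identifiers from a key it keeps locally, logs what it hears, and only an infected user's key ever reaches the server, so the server never sees who met whom.

```python
import hashlib
import hmac
import os

def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling identifier broadcast over Bluetooth for one time slot (HMAC of the slot
    number under the daily key; the real API uses its own derivation)."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

class Server:
    """Cloud side: only the daily keys of users who reported infection, nothing else."""
    def __init__(self):
        self.diagnosis_keys = []

class Device:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = os.urandom(16)  # leaves the phone only if the user reports
        self.seen = set()                # identifiers heard nearby; never uploaded

    def broadcast(self, interval: int) -> bytes:
        return derive_rpi(self.daily_key, interval)

    def observe(self, rpi: bytes) -> None:
        self.seen.add(rpi)

    def report_infection(self, server: Server) -> None:
        server.diagnosis_keys.append(self.daily_key)

    def check_exposure(self, server: Server, intervals) -> bool:
        # Re-derive what each infected user could have broadcast; match on the device.
        return any(derive_rpi(key, i) in self.seen
                   for key in server.diagnosis_keys for i in intervals)

def simulate() -> dict:
    """Constructed scenario: alice meets bob, who later reports; carol meets nobody."""
    server = Server()
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    intervals = range(100, 110)          # the slots a download covers
    for i in range(103, 106):            # three slots of close proximity
        alice.observe(bob.broadcast(i))
        bob.observe(alice.broadcast(i))
    bob.report_infection(server)
    return {
        "alice_exposed": alice.check_exposure(server, intervals),
        "carol_exposed": carol.check_exposure(server, intervals),
        "server_state": sorted(vars(server)),  # no contact logs, so no social graph
    }
```

In the centralised design the page describes, the contents of each device's `seen` set would instead be uploaded, which is exactly the social graph the open letter warns about.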

The decentralised approach has been embraced by Germany, though this came as a surprise; French authorities, however, have gone in the same direction as the UK is seemingly heading, the one which flies in the face of expert advice.

An open letter from cybersecurity specialists and other data scientists has slammed the centralised approach employed by France and, allegedly, the UK.

“All these applications in fact involve very significant risks with regard to respect for privacy and individual freedoms,” the letter states. “One of them is mass surveillance by private or public actors, against which the International Association for Research in Cryptology (IACR) committed itself through the Copenhagen resolution.

“This mass surveillance can be carried out by collecting the graph of interactions between individuals, the social graph. It can intervene at the level of operating systems (OS) of mobile phones. Not only OS producers could reconstruct the social graph, but also the State, more or less easily depending on the solutions proposed.”

The letter has been signed by hundreds of French cybersecurity experts from a range of academic institutions and private research organisations. Support for this position has also been pledged by hundreds of non-cybersecurity technologists. It is a very comprehensive list of academic experts all condemning the centralised approach as an unneeded risk and an action which undermines privacy principles.

Although the details of the NHS application have yet to be revealed, it does appear the team is heading down the same route as the French. The pursuit of simplicity and flexibility has been deemed more important than the grave warnings on security and privacy offered by experts in the field.

Hopefully the collection of data on centralised servers does not act as too much of a red flag to the hacker community, most of whom do not need too many invitations to have a crack at stealing information which can be used for nefarious means. Aside from the risk to privacy, collecting millions of datasets of personal information in a single place could be viewed as somewhat of a treasure trove.

Europe releases guidelines for building COVID-19 apps

The European Commission has unveiled guidelines for member states creating COVID-19 apps, with perhaps an attempt to prevent mission creep from private industry.

The document, which is available here, suggests the national health authorities take the leadership position in developing the applications, while another recommendation is to store data on devices wherever possible. Minimising data analysis, external storage and the role of private organisations are ways and means to maintain privacy principles but also reduce the risk of data breaches.

“This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic,” said Vice-President for Values and Transparency, Věra Jourová.

“Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”

Although the guidelines are relatively simple, such a tick-box exercise is critical to ensure the largest possible adoption rates. The apps will assist individuals regardless of how many people install them; however, for the contact tracing features to be the most effective in slowing the spread of COVID-19, downloads would have to meet critical mass. Oxford University researchers suggest this would be at least 60% of the population.

If any of the apps being discussed are to reach 60% penetration, privacy and security fears would have to be addressed, while legislation would have to be introduced to ensure such tracking activities do not become the new normality and data is not retained after the crisis.

In brief, the guidelines are as follows:

  • Downloading the app should be voluntary not compulsory
  • National health services should own the project and be responsible as the Data Controller
  • Data minimisation principles should be applied
  • GDPR principles of right to deletion should be adhered to
  • Data should be stored on user devices wherever possible
  • Consent should be applied to each element of the application not a catch-all opt-in at the beginning
  • Rules should be introduced for the deletion of collected raw data and the subsequent insight

There are of course multiple other nuances and elements included in the 14-page document, though should the above guidelines be adhered to and the role of private industry limited, there could be trust instilled in the apps. Regardless of how elegant and sophisticated the apps are, the most important aspect is user adoption.

This is not the first time the world has faced a pandemic to this degree, but technology and insight are tools which we have never had at our disposal before. The contact tracing apps, to warn individuals of potential infection and educate on how to further prevent the spread, should be adopted by every nation. However, privacy and security concerns should not be ignored.

The technology and telecoms industry has a pretty poor record when it comes to privacy and security. Executives might point to policies and features to improve resilience, however these are almost always reactionary additions not proactive. Considering the sensitive nature of the data which is being discussed in relation to these apps, this is the time to be overly cautious in applying privacy and security principles.

New COVID-19 app does not have to track location – Oxford University

A team of researchers at Oxford University has suggested a Bluetooth tracing app, which doesn’t track location, could combat COVID-19, but you would want 60% adoption.

The team, led by Professor Christophe Fraser, is now sharing an epidemiological model which should help configure applications designed to combat the spread of the coronavirus. While many countries have proposed the introduction of an app to help track the spread of the virus and safeguard citizens, progress has been slow.

However, the findings coming out of Oxford University demonstrate why there is enthusiasm for the idea.

“We’ve simulated coronavirus in a model city of 1 million inhabitants with a wide range of realistic epidemiological configurations to explore options for controlling transmission,” Fraser said. “Our results suggest a digital contact tracing app, if carefully implemented alongside other measures, has the potential to substantially reduce the number of new coronavirus cases, hospitalisations and ICU admissions.

“Our models show we can stop the epidemic if approximately 60% of the population use the app, and even with lower numbers of app users, we still estimate a reduction in the number of coronavirus cases and deaths.”

Most importantly, however, such an application as envisioned by the team at Oxford University would not have to rely on location tracking.

While the European Data Protection Supervisor has already said such applications would be compliant under GDPR, there are still some who are raising the red flag on the grounds of privacy. If smartphones were being constantly tracked, there is of course a significant risk. The privacy concerns are warranted, however you don’t necessarily have to track location if a critical mass of individuals have downloaded the application.

Using the Bluetooth features on smartphones, the app would keep a log of all the other app users with whom a given user has come into close proximity. When a user becomes infected, a message is sent out to all others who have come into close contact with that individual. The location of the smartphones would not have to factor into the equation, just which smartphones have been in close proximity.

This does sound like a perfectly good theory, however there are two important things to bear in mind if such a strategy is to work:

  1. Testing would have to continue at the current pace or accelerate to ensure that cases are being identified
  2. A high percentage of the population would have to download the application

If lower percentages of the population were to download the app, it would of course still work, but it would not be anywhere near as effective. Users could come into contact with an infected individual and not be notified for example. As this is a virus which does not present symptoms for the first 5-7 days, self-isolation measures are never going to be a perfect solution as spread can still occur in the first week.

Privacy concerns should not be ignored because of current events, and this does look to be a very effective concept to make use of the technology available today to combat the coronavirus outbreak.

The next generation of Bluetooth audio looks good

At CES 2020 the people who run the short range Bluetooth wireless standard unveiled a new version of its audio technology that promises a lot of new features.

The Bluetooth SIG (special interest group) is calling its next generation LE Audio as it is an evolution of Bluetooth Low Energy. Indeed LE Audio uses a new codec called LC3 that promises to improve sound quality while significantly reducing the power requirement. This in turn should enable even smaller wireless earbuds and that sort of thing.

“Extensive listening tests have shown that LC3 will provide improvements in audio quality over the SBC codec included with Classic Audio, even at a 50% lower bit rate,” said Manfred Lutzky, Head of Audio for Communications at Fraunhofer IIS. “Developers will be able to leverage this power savings to create products that can provide longer battery life or, in cases where current battery life is enough, reduce the form factor by using a smaller battery.”

On top of that this new tech comes with multi-stream audio for the first time. “Developers will be able to use the Multi-Stream Audio feature to improve the performance of products like truly wireless earbuds,” said Nick Hunn, CTO of WiFore Consulting and Chair of the Bluetooth SIG Hearing Aid Working Group. “For example, they can provide a better stereo imaging experience, make the use of voice assistant services more seamless, and make switching between multiple audio source devices smoother.”

Similarly, another new feature enables multiple BT peripherals to access a single audio source. This is handy not just as another way of sharing audio content, but also for location based audio that could intrude upon your listening, presumably with permission. The low power aspect also allows better support for hearing aids, which could also benefit from the broadcast feature for things like safety announcements.

“Location based Audio Sharing holds the potential to change the way we experience the world around us,” said Peter Liu of Bose Corporation and member of the Bluetooth SIG Board of Directors. “For example, people will be able to select the audio being broadcast by silent TVs in public venues, and places like theaters and lecture halls will be able to share audio to assist visitors with hearing loss as well as provide audio in multiple languages.”

It seems safe to assume that the Bluetooth chip in devices and peripherals will support this next generation from now on. Assuming it delivers as advertised there’s nothing to dislike about Bluetooth LE Audio. It seems to be a solid evolution of the technology that should improve the digital audio experience for people with nearly all levels of hearing capacity.