UK snubs Google and Apple privacy warning for contact tracing app

Reports have suggested the UK will pursue a centralised data collection approach for its COVID-19 contact tracing app, despite the well-publicised security and privacy risks.

Last week, the National Health Service (NHS) published a blog entry which pointed towards some element of centralised data collection, though the choice was seemingly being offered to the consumer. It now appears this is not the case.

“This anonymous log of how close you are to others will be stored securely on your phone,” Matthew Gould and Geraint Lewis of NHSX, the technology unit of the NHS, wrote in the blog post.

“If you become unwell with symptoms of COVID-19, you can choose to allow the app to inform the NHS which, subject to sophisticated risk analysis, will trigger an anonymous alert to those other app users with whom you came into significant contact over the previous few days.”

Details are of course still thin on the ground, but the BBC is now reporting the NHS will pursue a centralised approach, collating data on NHS servers for analysis and to send out notifications. There are of course advantages to this approach: models can be adapted more quickly and additional analysis can be performed. The question which remains is whether these outweigh the risk to security and privacy; Google and Apple clearly do not think so.

While a centralised approach proposes the collection and storage of all relevant data on NHS servers, an API created jointly by Google and Apple would do the analysis on devices.

Using Bluetooth once again, the decentralised API would store interactions between devices on the user’s device, only sending a key indicating whether that specific user is infected or not to the cloud. Devices would reference the cloud database regularly and, should the on-device logs match an infected key, alerts would be sent to other devices which have been logged as contact traces.
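The decentralised flow described above can be sketched in a few lines. This is an added illustration, not the Google/Apple API or NHS code: the HMAC-based identifier derivation, the 10-minute rotation and all class and function names are assumptions, and the alert is modelled as a local check on each phone.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier rotates every 10 minutes


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the short-lived identifier a phone broadcasts over Bluetooth."""
    msg = b"rolling-id" + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class KeyServer:
    def __init__(self):
        self.published = []  # (day, daily_key) pairs from users who reported infection


class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> random secret, kept on the phone until reported
        self.heard = set()    # (day, identifier) pairs seen nearby; never uploaded

    def broadcast(self, day, interval):
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def observe(self, day, rid):
        self.heard.add((day, rid))

    def report_infected(self, server):
        # Only this user's own daily keys go to the cloud, not the contact log.
        server.published.extend(self.daily_keys.items())

    def check_exposure(self, server):
        # The match runs on the device: re-derive identifiers from published keys.
        return any((day, rolling_id(key, i)) in self.heard
                   for day, key in server.published
                   for i in range(INTERVALS_PER_DAY))


def simulate():
    """Constructed scenario: Alice and Bob meet on day 3, Carol is elsewhere."""
    server = KeyServer()
    phones = {name: Phone() for name in ("alice", "bob", "carol")}
    phones["bob"].observe(3, phones["alice"].broadcast(3, 57))
    phones["alice"].observe(3, phones["bob"].broadcast(3, 57))
    phones["alice"].report_infected(server)
    return server, {n: p.check_exposure(server) for n, p in phones.items()}
```

After `simulate()` the server holds a single daily key from Alice and no record of who met whom; only Bob's phone finds a match. A centralised design would instead upload the `heard` logs, which is the data from which a social graph can be rebuilt.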

The decentralised approach has been embraced by Germany, though this was a surprise; French authorities, however, have gone in the same direction the UK is seemingly heading, the one which flies in the face of expert advice.

An open letter from cybersecurity specialists and other data scientists has slammed the centralised approach employed by France and, allegedly, the UK.

“All these applications in fact involve very significant risks with regard to respect for privacy and individual freedoms,” the letter states. “One of them is mass surveillance by private or public actors, against which the International Association for Research in Cryptology (IACR) committed itself through the Copenhagen resolution.

“This mass surveillance can be carried out by collecting the graph of interactions between individuals, the social graph. It can intervene at the level of operating systems (OS) of mobile phones. Not only OS producers could reconstruct the social graph, but also the State, more or less easily depending on the solutions proposed.”

The letter has been signed by hundreds of French cybersecurity experts from a range of academic institutions and private research organisations. Support for this position has also been pledged by hundreds of non-cybersecurity technologists. It is a very comprehensive list of academic experts all condemning the centralised approach as an unneeded risk and an action which undermines privacy principles.

Although the details of the NHS application have yet to be revealed, it does appear the team is heading down the same route as the French. The pursuit of simplicity and flexibility has been deemed more important than the grave warnings on security and privacy offered by experts in the field.

Hopefully the collection of data on centralised servers does not act as too much of a red flag to the hacker community, most of whom do not need too many invitations to have a crack at stealing information which can be used for nefarious means. Aside from the risk to privacy, collecting millions of datasets of personal information in a single place could be viewed as somewhat of a treasure trove.

NHS finally heads towards the digital society

Secretary of State for Health and Social Care Matt Hancock has unveiled plans to reinvigorate digital ambitions in the UK’s National Health Service (NHS).

While the concept of the NHS might be the envy of many countries around the world, from a digital and technology perspective, the service is a bit of a disaster. Several attempts have been made to bring the NHS into the 21st century, though evidence of progress is limited, with handwritten and ineffective communications between trusts still littering the service. With the ambition to create a framework of digital service for the UK, the NHS is certainly in need of a technology refresh.

“The tech revolution is coming to the NHS,” said Hancock. “These robust standards will ensure that every part of the NHS can use the best technology to improve patient safety, reduce delays and speed up appointments.

“A modern technical architecture for the health and care service has huge potential to deliver better services and to unlock our innovations. We want this approach to empower the country’s best innovators – inside and outside the NHS – and we want to hear from staff, experts and suppliers to ensure our standards will deliver the most advanced health and care service in the world.”

For those who are not from the UK, the NHS is the publicly funded national healthcare system for the UK, made up of 135 acute non-specialist trusts, 17 acute specialist trusts, 54 mental health trusts and 35 community providers. Although all of these bodies are managed centrally by the Department of Health, they are effectively individual public sector bodies, each with its own organizational structure, budgets, demands and objectives. On the technical side, all trusts use their own computer systems and standards, making patient data transfer incredibly difficult, even where it is allowed under stringent data privacy laws.

The spread of influence and decision making has created a bureaucratic and operational nightmare. Add skill shortages and the UK’s austerity measures into the mix and the NHS is facing one of the biggest crises in its history. With Hancock in charge of the Health Department, it would not be a stretch to see technology playing a more significant role in solving these problems considering his recent transfer from the Department of Digital, Culture, Media and Sport.

The plan is to introduce minimum technical standards that digital services and IT systems in the NHS will have to meet. Having these open standards in place means systems will be able to talk to each other securely and ensure they are upgradable. Outside of these open standards, all trusts and clinical commissioning groups (CCGs) will have freedom to buy what they need. Opening up the procurement process will hopefully introduce competition and encourage innovation.

While both of these ideas would seem almost basic to other organizations, it is a novelty for the NHS. The plan will also introduce an internet-first and cloud-first mentality to decision making and planning. This will provide the resiliency and scalability the service so desperately needs to operate effectively. Systems and providers who are not able to meet these demands will be phased out.

“Greater standardisation of data, infrastructure, platforms and APIs will create a health and care system that is more joined-up, and as a result safer and more efficient,” said Sarah Wilkinson, CEO of NHS Digital.

“Connected systems ensure that clinicians have immediate access to all relevant and appropriate patient data from all care providers and settings, and ensure that data is communicated between systems with absolute fidelity, eliminating misinformation and misunderstandings. In addition, we will increasingly be able to provide citizens and patients with direct and immediate access to their medical records.”

What is worth noting is this is not policy right now. The Department of Health will have to consult all the relevant stakeholders and there is still a lot which can go wrong. The NHS has a culture of plodding on, while previous technology projects in the healthcare system have often failed. Both of these factors will provide some resistance for any alterations to the status quo.

The other massive question which remains is whether the project will receive adequate funding. The Institute for Fiscal Studies recently published a report stating the NHS’ budget would have to increase by 3.3% a year for the next fifteen years to maintain today’s level of service. To secure modest improvements in NHS services, funding increases of 4% a year would be required over the medium term, and 5% in the short-term. In July, the Government announced NHS England’s main budget of just over £20bn by 2023/24, an increase of 3.4% a year on average.

There are numerous hurdles and potholes to negotiate, as well as countless scenarios which could knock the project off track, but this is a digital transformation process which the NHS desperately needs.