The NHSX contact tracing app: unresolved civil liberties and privacy issues
8 May 2020
SUGGESTED
Healthcare
7 May 2020
Society and Culture
Government and Institutions
The contact tracing app being developed by NHSX (the technology wing of Our NHS) has been subject to scrutiny in the past days. As it is being trialled on the Isle of Wight, the House of Commons Science and Technology Committee and the Joint Committee on Human Rights both heard evidence from NHSX’s CEO Matthew Gould, and other experts. The solution (described here in detail by Dr Ian Levy of the National Cybersecurity Centre) has been widely criticised across the media, for departing from international good practice, for technical flaws that might cause it to simply not work and, above all, for adopting an approach that is unduly intrusive on user privacy. There are also serious questions of legal compliance.
The NHSX app will use a centralised system. A user’s device will record all of its contacts with other devices running the app using Bluetooth. If that user then experiences symptoms, they can report them to the app which will take them through a questionnaire. If the answers indicate that they are likely to be infected, they can then upload all of their recent contacts to the NHS system, which will work out which contacts were sufficiently proximate and for a long enough duration to indicate that those users should be alerted and advised to isolate.
This has been contrasted with the alternative, decentralised model developed by the DP-3T project and the API framework devised by Apple and Google. Under this model, contacts between users will not be shared with a central authority – they will only be stored on the users’ devices. When a user is diagnosed, they can upload this information to the app server and then the devices of all of their contacts will be able to find a match on the server, without the match being shared with the central authority.
Much of the criticism has suggested that the UK is pursuing its own model out of bloody-minded exceptionalism, or a nefarious desire by the government to collect data. It seems to me that this is unfair. I have serious reservations about contact tracing at scale in any form, and the risk of function creep as authorities find more uses for the data they collect (personal or anonymous) and more reasons to collect ever more detailed personal data. But aside from these concerns, the reasons that the UK is pursuing this centralised model are quite plausible. By obtaining the (pseudonymous) identifiers of users, the NHS will be able to establish patterns in the spread of the virus, which will be useful for research and planning. One compelling reason for the centralised approach is that it allows users to self-report symptoms and trigger alerts on that basis, without having to wait for test results. Allowing users to do this in a decentralised system, without oversight or filtering, runs a high risk of bad actors making fake reports (of course such risk cannot be eliminated in the centralised system either). Most countries that will use a decentralised system will therefore not allow self- reporting – a diagnosis can only be uploaded once verified by a healthcare professional after a test. NHSX considers that this will waste valuable time, waiting for test results before contacts will be notified. It could mean that many cases will not be caught at all, as even with the progress in recent weeks, we do not have the capacity to test enough people quickly enough to enable the app to keep pace with transmission of the virus.
So, in many ways the two systems are seeking to do different things. One can still criticise the government for the choice they have made, because it is certainly true that this approach is more intrusive and involves gathering data that seems likely to be re-identifiable to individuals. There are clearly risks that government and police could use such data in ways that threaten civil liberties – for example to identify people breaching social distancing requirements. But is this risk outweighed by the benefits of having an app that might work better? The Apple/Google framework also raises privacy concerns – for example it will probably be possible for users to work out which of their contacts was infectious and triggered a notification, and the public health authorities that run the app may be able to collect more personal data from users through their interface; this data will end up being centralised in much the same way as the NHSX system. Of course if the technical flaws that have been identified cannot be resolved then all of this is academic as the app will simply not work, or no-one will use it because it will seep the battery life out of their device.
But is this debate distracting from potentially more troubling aspects of contact tracing per se? Is the real issue less whether it is centralised or decentralised and more to do with wider uses/expectations associated with the app? For example, will it be purely voluntary and advisory or will compliance with isolation if a contact is triggered be monitored through the app and enforced by authorities? Will having the app become (even de facto if not by law) a requirement of going to a workplace, shop, on public transport – becoming like a ‘health passport’? As noted by the Information Commissioner in her opinion on the Google/Apple framework, “Contact tracing has the potential to be used effectively as part of a package of measures and policies to manage social distancing and social or professional gatekeeping. It may therefore enable any potential measures that would support the easing of lockdown or other restrictions (e.g. immunity verification or immunity passport proposals).” It is little comfort to know that the authorities do not have a central database of your contacts if the police can demand to see your app status to ensure that you haven’t been instructed to isolate. It is also notable that a voluntary app in Singapore hasn’t really worked and they have moved to mandatory swiping of QR codes (logging national identity numbers and phone numbers) when entering premises, so the assurances from NHSX that the app will be voluntary may not hold.
Another interesting aspect of the debate has been the role of the Information Commissioner, Elizabeth Denham. She wrote in her blog on data protection and Covid 19 that any use of personal data in countering the pandemic needs to be the least privacy intrusive solution possible, but that proportionality will be assessed contextually and “as a regulator we will reflect a society that is, for now, accepting restrictions on liberty to protect public health”. I find this extremely chilling (how is it the role of the Information Commissioner to determine what society will accept? What of those members of society (a growing number) who do not necessarily accept that the restrictions we are currently under are necessary or proportionate? What about those of us who have grudgingly accepted the restrictions as a matter of law and necessity but do not wish to see them extended in scope or in time? What is the use of a fundamental rights watchdog that nods through authoritarian measures when she thinks it is what “society” wants?). It is also inconsistent – “society” is surely strongly in favour of social media and e-commerce, and yet the Information Commissioner has taken many actions that arguably act against innovation and consumer interests in those sectors and seems unwilling to apply equivalent trade-offs.
In fact, if anything, people are more uneasy about personal data being collected and used by government than they are about use of personal data by private organisations. Not unreasonably: Google does not get to send you to prison based on inferences it makes about your search history – it just wants to help people sell you things that you actually want. The government can make you a criminal for being in the park for too long. So it is understandable that people’s privacy concerns are heightened in respect of the state.
As well as publishing the opinion on the Google/Apple framework, the ICO is “working with” NHSX on their app. Several members of the Human Rights Committee were concerned that this would lead to the Information Commissioner marking her own homework. How can she be trusted to monitor and enforce the law in respect of the eventual solution having become invested in it – would she not be being asked to hold herself to account? Ms Denham could only respond that this is the role as established by law. Surely this dual role as advisor on and enforcer of the law is something that the government could review when the UK will no longer be bound by the EU GDPR, which sets out the requirements of the role of data protection authorities in member states.
We have come a long way from those days in late March when the lockdown was first imposed. In accepting the restrictions, and their huge economic and social costs, “society” surely did not expect that the condition for resuming our basic freedoms would be getting half the population to sign up to surveillance with unknown safeguards. Proportionality and necessity in the context of a track and trace app should be judged not only as against what is necessary for the app to work, but against the whole picture of what public health outcomes are being sought and whether there are less intrusive ways of achieving them. A purely voluntary app, with safeguards on the confidentiality and security of any data it obtains may well be proportionate and necessary, but we must beware the normalisation of illiberalism and consider how such tools could be used by governments under constant pressure to take decisive actions.
The NHSX app will use a centralised system. A user’s device will record all of its contacts with other devices running the app using Bluetooth. If that user then experiences symptoms, they can report them to the app which will take them through a questionnaire. If the answers indicate that they are likely to be infected, they can then upload all of their recent contacts to the NHS system, which will work out which contacts were sufficiently proximate and for a long enough duration to indicate that those users should be alerted and advised to isolate.
This has been contrasted with the alternative, decentralised model developed by the DP-3T project and the API framework devised by Apple and Google. Under this model, contacts between users will not be shared with a central authority – they will only be stored on the users’ devices. When a user is diagnosed, they can upload this information to the app server and then the devices of all of their contacts will be able to find a match on the server, without the match being shared with the central authority.
Much of the criticism has suggested that the UK is pursuing its own model out of bloody-minded exceptionalism, or a nefarious desire by the government to collect data. It seems to me that this is unfair. I have serious reservations about contact tracing at scale in any form, and the risk of function creep as authorities find more uses for the data they collect (personal or anonymous) and more reasons to collect ever more detailed personal data. But aside from these concerns, the reasons that the UK is pursuing this centralised model are quite plausible. By obtaining the (pseudonymous) identifiers of users, the NHS will be able to establish patterns in the spread of the virus, which will be useful for research and planning. One compelling reason for the centralised approach is that it allows users to self-report symptoms and trigger alerts on that basis, without having to wait for test results. Allowing users to do this in a decentralised system, without oversight or filtering, runs a high risk of bad actors making fake reports (of course such risk cannot be eliminated in the centralised system either). Most countries that will use a decentralised system will therefore not allow self- reporting – a diagnosis can only be uploaded once verified by a healthcare professional after a test. NHSX considers that this will waste valuable time, waiting for test results before contacts will be notified. It could mean that many cases will not be caught at all, as even with the progress in recent weeks, we do not have the capacity to test enough people quickly enough to enable the app to keep pace with transmission of the virus.
So, in many ways the two systems are seeking to do different things. One can still criticise the government for the choice they have made, because it is certainly true that this approach is more intrusive and involves gathering data that seems likely to be re-identifiable to individuals. There are clearly risks that government and police could use such data in ways that threaten civil liberties – for example to identify people breaching social distancing requirements. But is this risk outweighed by the benefits of having an app that might work better? The Apple/Google framework also raises privacy concerns – for example it will probably be possible for users to work out which of their contacts was infectious and triggered a notification, and the public health authorities that run the app may be able to collect more personal data from users through their interface; this data will end up being centralised in much the same way as the NHSX system. Of course if the technical flaws that have been identified cannot be resolved then all of this is academic as the app will simply not work, or no-one will use it because it will seep the battery life out of their device.
But is this debate distracting from potentially more troubling aspects of contact tracing per se? Is the real issue less whether it is centralised or decentralised and more to do with wider uses/expectations associated with the app? For example, will it be purely voluntary and advisory or will compliance with isolation if a contact is triggered be monitored through the app and enforced by authorities? Will having the app become (even de facto if not by law) a requirement of going to a workplace, shop, on public transport – becoming like a ‘health passport’? As noted by the Information Commissioner in her opinion on the Google/Apple framework, “Contact tracing has the potential to be used effectively as part of a package of measures and policies to manage social distancing and social or professional gatekeeping. It may therefore enable any potential measures that would support the easing of lockdown or other restrictions (e.g. immunity verification or immunity passport proposals).” It is little comfort to know that the authorities do not have a central database of your contacts if the police can demand to see your app status to ensure that you haven’t been instructed to isolate. It is also notable that a voluntary app in Singapore hasn’t really worked and they have moved to mandatory swiping of QR codes (logging national identity numbers and phone numbers) when entering premises, so the assurances from NHSX that the app will be voluntary may not hold.
Another interesting aspect of the debate has been the role of the Information Commissioner, Elizabeth Denham. She wrote in her blog on data protection and Covid 19 that any use of personal data in countering the pandemic needs to be the least privacy intrusive solution possible, but that proportionality will be assessed contextually and “as a regulator we will reflect a society that is, for now, accepting restrictions on liberty to protect public health”. I find this extremely chilling (how is it the role of the Information Commissioner to determine what society will accept? What of those members of society (a growing number) who do not necessarily accept that the restrictions we are currently under are necessary or proportionate? What about those of us who have grudgingly accepted the restrictions as a matter of law and necessity but do not wish to see them extended in scope or in time? What is the use of a fundamental rights watchdog that nods through authoritarian measures when she thinks it is what “society” wants?). It is also inconsistent – “society” is surely strongly in favour of social media and e-commerce, and yet the Information Commissioner has taken many actions that arguably act against innovation and consumer interests in those sectors and seems unwilling to apply equivalent trade-offs.
In fact, if anything, people are more uneasy about personal data being collected and used by government than they are about use of personal data by private organisations. Not unreasonably: Google does not get to send you to prison based on inferences it makes about your search history – it just wants to help people sell you things that you actually want. The government can make you a criminal for being in the park for too long. So it is understandable that people’s privacy concerns are heightened in respect of the state.
As well as publishing the opinion on the Google/Apple framework, the ICO is “working with” NHSX on their app. Several members of the Human Rights Committee were concerned that this would lead to the Information Commissioner marking her own homework. How can she be trusted to monitor and enforce the law in respect of the eventual solution having become invested in it – would she not be being asked to hold herself to account? Ms Denham could only respond that this is the role as established by law. Surely this dual role as advisor on and enforcer of the law is something that the government could review when the UK will no longer be bound by the EU GDPR, which sets out the requirements of the role of data protection authorities in member states.
We have come a long way from those days in late March when the lockdown was first imposed. In accepting the restrictions, and their huge economic and social costs, “society” surely did not expect that the condition for resuming our basic freedoms would be getting half the population to sign up to surveillance with unknown safeguards. Proportionality and necessity in the context of a track and trace app should be judged not only as against what is necessary for the app to work, but against the whole picture of what public health outcomes are being sought and whether there are less intrusive ways of achieving them. A purely voluntary app, with safeguards on the confidentiality and security of any data it obtains may well be proportionate and necessary, but we must beware the normalisation of illiberalism and consider how such tools could be used by governments under constant pressure to take decisive actions.
SHARE
