Matt Hancock
Auto Added by WPeMatico
Auto Added by WPeMatico
The UK has given up building a centralized coronavirus contacts-tracing app and will instead switch to a decentralized app architecture, the BBC has reported. This suggests its any future app will be capable of plugging into the joint ‘exposure notification’ API which has been developed in recent weeks by Apple and Google.
The UK’s decision to abandon a bespoke app architecture comes more than a month after ministers had been reported to be eyeing such a switch. They went on to award a contract to an IT supplier to develop a decentralized tracing app in parallel as a backup — while continuing to test the centralized app, which is called NHS COVID-19.
At the same time, a number of European countries have now successfully launched contracts-tracing apps with a decentralized app architecture that’s able to plug into the ‘Gapple’ API — including Denmark, Germany, Italy, Latvia and Switzerland. Several more such apps remain in testing. While EU Member States just agreed on a technical framework to enable cross-border interoperability of apps based on the same architecture.
Germany — which launched the decentralized ‘Corona Warning App’ this week — announced its software had been downloaded 6.5M times in the first 24 hours. The country had initially appeared to favor a centralized approach but switched to a decentralized model back in April in the face of pushback from privacy and security experts.
The UK’s NHS COVID-19 app, meanwhile, has not progressed past field tests, after facing a plethora of technical barriers and privacy challenges — as a direct consequence of the government’s decision to opt for a proprietary system which uploads proximity data to a central server, rather than processing exposure notifications locally on device.
Apple and Google’s API, which is being used by all Europe’s decentralized apps, does not support centralized app architectures — meaning the UK app faced technical hurdles related to accessing Bluetooth in the background. The centralized choice also raised big questions around cross-border interoperability, as we’ve explained before. Questions had also been raised over the risk of mission creep and a lack of transparency and legal certainty over what would be done with people’s data.
So the UK’s move to abandon the approach and adopt a decentralized model is hardly surprising — although the time it’s taken the government to arrive at the obvious conclusion does raise some major questions over its competence at handling technology projects.
Michael Veale, a lecturer in digital rights and regulation at UCL — who has been involved in the development of the DP3T decentralized contacts-tracing standard, which influenced Apple and Google’s choice of API — welcomed the UK’s decision to ditch a centralized app architecture but questioned why the government has wasted so much time.
“This is a welcome, if a heavily and unnecessarily delayed, move by NHSX,” Veale told TechCrunch. “The Google -Apple system in a way is home-grown: Originating with research at a large consortium of universities led by Switzerland and including UCL in the UK. NHSX has no end of options and no reasonable excuse to not get the app out quickly now. Germany and Switzerland both have high quality open source code that can be easily adapted. The NHS England app will now be compatible with Northern Ireland, the Republic of Ireland, and also the many destinations for holidaymakers in and out of the UK.”
Perhaps unsurprisingly, UK ministers are now heavily de-emphasizing the importance of having an app in the fight against the coronavirus at all.
The Department for Health and Social Care’s, Lord Bethell, told the Science and Technology Committee yesterday the app will not now be ready until the winter. “We’re seeking to get something going for the winter, but it isn’t a priority for us,” he said.
Yet the centralized version of the NHS COVID-19 app has been in testing in a limited geographical pilot on the Isle of Wight since early May — and up until the middle of last month health minister, Matt Hancock, had said it would be rolled out nationally in mid May.
Of course that timeframe came and went without launch. And now the prospect of the UK having an app at all is being booted right into the back end of the year.
Compare and contrast that with government messaging at its daily coronavirus briefings back in May — when Hancock made “download the app” one of the key slogans — and the word ‘omnishambles‘ springs to mind…
NHSX relayed our request for comment on the switch to a decentralized system and the new timeframe for an app launch to the Department of Health and Social Care (DHSC) — but the department had not responded to us at the time of publication.
Earlier this week the BBC reported that a former Apple executive, Simon Thompson, was taking charge of the delayed app project — while the two lead managers, the NHSX’s Matthew Gould and Geraint Lewis — were reported to be stepping back.
Back in April, Gould told the Science and Technology Committee the app would “technically” be ready to launch in 2-3 weeks’ time, though he also said any national launch would depend on the preparedness of a wider government program of coronavirus testing and manual contacts tracing. He also emphasized the need for a major PR campaign to educate the public on downloading and using the app.
Government briefings to the press today have included suggestions that app testers on the Isle of Wight told it they were not comfortable receiving COVID-19 notifications via text message — and that the human touch of a phone call is preferred.
However none of the European countries that have already deployed contacts-tracing apps has promoted the software as a one-stop panacea for tackling COVID-19. Rather tracing apps are intended to supplement manual contacts-tracing methods — the latter involving the use of trained humans making phone calls to people who have been diagnosed with COVID-19 to ask who they might have been in contact with over the infectious period.
Even with major resource put into manual contacts-tracing, apps — which use Bluetooth signals to estimate proximity between smartphone users in order to calculate virus expose risk — could still play an important role by, for example, being able to trace strangers who are sat near an infected person on public transport.
Update: The DHSC has now issued a statement addressing reports of the switch of app architecture for the NHS COVID-19 app — in which it confirms, in between reams of blame-shifting spin, that it’s testing a new app that is able to plug into the Apple and Google API — and which it says it may go on to launch nationally, but without providing any time frame.
It also claims it’s working with Apple and Google to try to enhance how their technology estimates the distance between smartphone users.
“Through the systematic testing, a number of technical challenges were identified — including the reliability of detecting contacts on specific operating systems — which cannot be resolved in isolation with the app in its current form,” DHSC writes of the centralized NHS COVID-19 app.
“While it does not yet present a viable solution, at this stage an app based on the Google / Apple API appears most likely to address some of the specific limitations identified through our field testing. However, there is still more work to do on the Google / Apple solution which does not currently estimate distance in the way required.”
“Based on this, the focus of work will shift from the current app design and to work instead with Google and Apple to understand how using their solution can meet the specific needs of the public,” it adds.
We reached out to Apple and Google for comment. Apple declined to comment.
According to one source, the UK has been pressing for the tech giants’ API to include device model and RSSI info alongside the ephemeral IDs which devices that come into proximity exchange with each other — presumably to try to improve distance calculations via a better understanding of the specific hardware involved.
However introducing additional, fixed pieces of device-linked data would have the effect of undermining the privacy protections baked into the decentralized system — which uses ephemeral, rotating IDs in order to prevent third party tracking of app users. Any fixed data-points being exchanged would risk unpicking the whole anti-tracking approach.
Norway, another European country which opted for a centralized approach for coronavirus contacts tracing — but got an app launched in mid April — made the decision to suspend its operation this week, after an intervention by the national privacy watchdog. In that case the app was collecting both GPS and Bluetooth — posing a massive privacy risk. The watchdog warned the public health agency the tool was no longer a proportionate intervention — owing to what are now low levels of coronavirus risk in the country.
Powered by WPeMatico
A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.
The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users to try to automate some contacts tracing based on an algorithmic assessment of users’ infection risk.
The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.
“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.
“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.
“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”
The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.
The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.
Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.
Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.
The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.
“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.
Prior to publishing its report, the committee wrote to health minister Matt Hancock, raising a full spectrum of concerns — receiving a letter in response.
In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”
The committee’s view is Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.
“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says myst include include a number of “provisions and protections”.
Among the protections the committee is calling for are limits on who has access to data and for what purpose.
“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.
It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.
The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.
“Without clear efficacy and benefits of the app, the level of data being collected will be not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.
The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.
It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.
A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.
The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.
Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.
We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.
Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/ https://t.co/sQe2U8wkiy
— Michael Veale (@mikarv) May 7, 2020
There’s another element to this fast moving story: Yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contacts tracing. Although NHSX has not confirmed any such switch at this point.
Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.
The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”
Professor Lilian Edwards, a legal expert from Newcastle University, who has co-authored a draft bill proposing a set of safeguards for coronavirus apps (much of which was subsequently taken up by Australia for a legal instrument that wraps public health contact info during the coronavirus crisis) — and who also now sits as an independent advisor on an ethics committee that’s been set up for the NHSX app — welcomed the committee report.
Speaking in a personal capacity she told TechCrunch: “My team and I welcome this.”
But she flagged a couple of omissions in the report. “They have left out two of the recommendations from my bill — one of which, I totally expected; that there be no compulsion to carry a phone. Because they will just be assumed within our legal system but I don’t think it would have hurt to have said it. But ok.
“The second point — which is important — is the point about there not being compulsion to install the app or to display it. And there not being, therefore, discrimination against you if you don’t. Like not being allowed to go to your workplace is an obvious example. Or not being allowed to go to a football game when they reopen. And that’s the key point where the struggle is.”
The conflict, says Edwards, is on the one hand you could argue what’s the point of doing digital contact tracing at all if you can’t make sure people are able to receive notifications that they might be a contact. But — on the other — if you allow compulsion that then “leaves it open to be very discriminatory” — meaning people could abuse the requirement to target and exclude others from a workplace, for example.
“There are people who’ve got perfectly valid reasons to not want to have this on their phone,” Edwards added. “Particularly if it’s centralized rather than decentralized.”
She also noted that the first version of her draft coronavirus safeguards bill had allowed compulsion re: having the app on the phone but required it to be balanced by a proportionality analysis — meaning any such compulsion must be “proportionate to a legitimate aim”.
But after Australia opted for zero compulsion in its legal instrument she said she and her team decided to revise their bill to also strike out the provision entirely.
Edwards suggested the human rights committee may not have included this particular provision in their recommendations because parliamentary committees are only able to comment on evidence they receive during an inquiry. “So I don’t think it would have been in their remit to recommend on that,” she noted, adding: “It isn’t actually an indication that they’re not interested in these concepts; it’s just procedure I think.”
She also highlighted the issues of so-called ‘immunity passports’ — something the government has reportedly been in discussions with startups about building as part of its digital coronavirus response, but which the committee report also does not touch on.
However, without full clarity on the government’s evolving plans for its digital coronavirus response, and with, inevitably, a high degree of change and flux amid a public health emergency situation, it’s clearly difficult for committees to interrogate so many fast moving pieces.
“The select committees have actually done really, really well,” added Edwards. “But it just shows how the ground has shifted so much in a week.”
This report was updated with additional comment
Powered by WPeMatico