The Government confirmed at the beginning of May that a new contact-tracing app for managing the coronavirus outbreak would be piloted on the Isle of Wight. The purpose of the app is to alert users if they have been close to someone with the COVID-19 virus. The app will, reportedly, use Bluetooth technology to register a ‘contact’ when people come within 6 ft of each other for at least 15 minutes. If someone develops symptoms akin to the COVID-19 virus, they inform the app and an alert will be sent to other people they have been in close contact with. The user who experiences symptoms and alerts the app will then be offered a test.

Once the Isle of Wight trial is complete, the app will be referred back to NHS digital for further assessment. There are reports that the app has so far failed the tests needed to be included in the NHS app library, including cyber security, performance and clinical safety. It was reported that as of 14 May, just over half of the island’s 140,000 residents (reportedly 72,300) had downloaded the app. The app developers have said it must be downloaded and used by 60 per cent of Britons if it is to prove effective. The early reports suggest the app’s usage has not met this target during its testing on the Isle of Wight. It is envisaged that the app will form part of the Government’s contract tracing system, which is due to launch on 28 May 2020.

What is contract tracing?

Contact tracing is a system used to slow the spread of infectious diseases like coronavirus. It has already been used in places like Hong Kong, Singapore and Germany. It usually involves asking coronavirus patients to list all the people with whom they’ve recently been in prolonged contact. Those people will then be tracked down and potentially asked to self-isolate. This is sometimes complemented by a location-tracking mobile app, which monitors when users come into contact with each other.

Naturally, like with any app that tracks our movements and records our data, concerns regarding the app’s privacy and information governance have been discussed nationally. This approach involves the transmission by a central server of random identifiers by an individual’s smartphone. What follows is that other smartphones in proximity to the individual’s phone recognise the identifiers and transmit this information back to the central server. In the event of an individual testing positive for COVID-19, the identifiers that their phone has received from other phones can be loaded together with the times and duration of contact.

While a centralised design would share data directly with public health professionals that may aid in their manual contact tracing efforts, the NHS’s decision to pursue  an approach that provides a tool to identify and reach out to other potentially infected people has been criticised by internet experts. Alan Davidson and Marshall Erwin of the non-for-profit Internet organisation Mozilla, have said that the Government’s current approach is problematic because it expands government access to what is known as the “social graph”, this being data about an individual, the individual’s relationships and links with others. Since the pilot launched, it has been found that app does indeed have security flaws, which include weaknesses in the registration process that could allow attackers to steal encryption keys, (which would allow them to prevent users being notified if a contact tested positive for Covid-19 and/or generate spoof transmissions to create logs of bogus contact events) and the storing of unencrypted data on handsets that could potentially be used by law enforcement agencies to determine when two or more people met.

The alternative to a centralised approach would be a decentralised model. The feature of this model is that identifiers are generated on an individual’s device and cannot be matched by any central server. When an individual is diagnosed positive for COVID-19, they tell the system that they are ill and give no extra information. The system periodically collects a list of everyone who has said they’re ill and sends it out to all users of the app. Individual devices look to see if any of its local contacts are on the list. This model ensures that the proximity of persons to COVID-19 patients is not known to any central server or authority.

To read the full article go here.

If you have any questions around this article please get in touch.