The NHS’ track-and-trace app considered vital to getting the UK out of coronavirus lockdown will be tested on the Isle of Wight from today onwards – but there are growing concerns about its privacy setting and its inability to work abroad.
Health Secretary Matt Hancock has decided the first public tests would begin on the self-contained island of 140,000 people, with NHS and council staff the first to be given access.
All Isle of Wight residents will be able to download the software on to their smartphones from Thursday.
If the tests are successful it could be rolled out across the country within weeks as ministers seek to shape a strategy to allow some economic activity to resume, with the long-awaited ‘roadmap’ for easing lockdown being published on Sunday.
Users will input into the app when they have symptoms linked to Covid-19. Developed by NHSX, the health service’s tech innovation arm, the software will then use Bluetooth to anonymously monitor and log when app users come into contact with each other.
The software will alert people if they have been in close contact with someone who later fell ill with coronavirus, which has killed 28,734 in the UK so far, so they can self-isolate and be tested if necessary.
Some MPs have raised concerns about privacy and the amount of data it will gather – but the NHS insists it is vital to stop further outbreaks of the virus and to prevent people from spreading the virus without realising they have it, as well as alerting authorities to local clusters of cases.
Lawyers have also suggested that it may also breach human rights and data protection laws – and the NHS is now facing questions about the decision to develop an app when other countries are plumping for the more privacy-centric approach.
Google and Apple have managed to develop software which serves the same function but in a way that contains all the necessary data inside someone’s phone and doesn’t need a server. Other countries including Germany and Switzerland are using this approach.
Because no movement or tracking information is stored on a central server, it would be invisible to Google, Apple and the NHS and there would be nothing to hack.
Health Secretary Matt Hancock said today there is ‘high privacy’ in the coronavirus contact-tracing app.
He said a user’s phone will store anonymously the information about all the phones it has been within two metres of for more than 15 minutes in the previous few days.
He said one of the aspects being tested in the trial on the Isle of Wight is whether the best thing is for someone who gets a message saying they have been in contact with someone with symptoms should self-isolate ‘in case you develop the symptoms’.
He told BBC Breakfast: ‘This is one of the reasons that we want to test it to ensure that we get the rules right around what we advise people to do as soon as the contact tracing pings you.’
Mr Hancock said the app would allow the Government to have a picture of where there might be virus hotspots.
He said: ‘The more people who have the app the better.’
He said human contact tracing is important alongside technology.
He said: ‘Of course we use the technology but we’re going to be using people too in this test, track and trace system.’
Mr Hancock was asked why the UK app is different to the Google and Apple app being used elsewhere.
He said: ‘Other countries don’t have the NHS, they have private healthcare, and it doesn’t work in quite the same way, and that means that we’ve got additional features on ours, but of course we’re working with Apple and Google and it may be that if you go abroad you might need to download the app of a different country.
‘Fine, that’s not a problem, but of course very few people are travelling at the moment, so that really is an issue for the future rather than for now.
‘The system that we’re building is all about trying to make sure we do everything we can to control the spread of the virus because that will then help us to be able to release more of the social distancing measures that are impacting on everybody.’
People eligible for the app will be sent a download link when it is available for them to start using. It will rely on people accurately reporting whether they are ill or not, or have tested positive. Contacts will be advised to self-isolate while someone is tested
Mr Hancock said it was being used on the Isle of Wight because the fact that the population is small and cut off from the mainland meant the experiment could be carried out in ‘proper scientifically-controlled conditions’.
If the island trial is successful the Government plans to roll out the app to everyone across the UK as a crucial element of its ‘test, track and trace’ plan for keeping the country out of lockdown in future as it adapts to life with the virus.
Deputy chief medical officer, Professor Jonathan Van-Tam, said today: ‘It’s highly unlikely that the COVID-19 virus is going to go away… therefore, testing and contact tracing is going to have to become part of our daily lives for the future’.
Experts say 60 per cent of the population or more will need to download the app for it to work well. Government figures have not put a target on uptake but will urge everybody who can to download the app when it becomes available, adopting the mantra ‘download the app, protect the NHS, save lives’.
The app will rely on people being honest about when they feel ill – data must be put into the app by the user. It is not clear what will constitute close enough contact for someone to be alerted that they are at risk. The World Health Organization’s rule is 15 minutes within six-and-a-half feet (2m), but the Department of Health said a ‘complex risk algorithm’ would dictate who would be warned.
The programme on the Isle of Wight will carry on for around two weeks to check whether the system works and whether people actually download and use it properly. If successful, the app will start to be used on mainland Britain from mid-May, the Department of Health said, while continuing on the Isle of Wight.
But there are concerns that the data the NHS app collects might be vulnerable because officials have elected to store it on a central database on NHS servers.
Some other countries including Switzerland and Germany are using technology which stores all data on someone’s own phone and never submits it to authorities.
The CEO of NHSX, the digital arm of the health service, today said he could not confirm exactly who would have access to data collected by the NHS app, saying only that an organisation must have a valid public health reason to access it. He insisted that the app will never upload private, identifying information such as someone’s name or address.
The app has also failed the tests it must pass to be officially listed on the NHS app store, including cyber-security measures, according to claims made by an NHS official in the Health Service Journal.
It is reported to be below the normal standards the NHS requires to officially publish an app for mobile users, and has not lived up to expectations set on cyber-security, performance and its ‘clinical safety’. Exactly how it failed those measures is unclear.
The Department of Health disputed the reports and called them ‘factually untrue’, insisting the app is being fast-tracked, has not failed any tests and will go through normal approval channels after it is rolled out on the Isle of Wight.
Downloading and using the app will be voluntary but officials hope huge numbers of people will be persuaded to take part in the hope of lifting movement restrictions.
NHS and council staff on the Isle of Wight will be sent a download link by email today, and residents on the island will receive letters in the post with instructions on how to get the app on Thursday.
It is being trialled on the Isle of Wight because it is a small, self-contained community which is easier to control, Mr Hancock said. Initial testing was carried out on an even smaller self-contained community at RAF Leeming, an air base in North Yorkshire, and it is now being scaled up.
Mr Hancock claimed that on the Isle of Wight it could be tested in ‘scientific’ conditions because people cannot come and go freely – there is no bridge or tunnel between the Isle and mainland Britain.
It will be easier for officials to get a clear idea of what proportion of the population has downloaded the app, and to get tests for large parts of communities quickly.
But privacy concerns have been raised about the way the app works.
Dr Michael Veale, a lecturer in digital rights at University College London, said on BBC Radio 4 this morning: ‘One thing people need to do is have deep trust that this data will not be misused or that the system will not turn slowly into something that starts to identify people more individually.’
The NHSX app focuses on a centralised approach in which any interactions between people are recorded by the phone and then, if someone is flagged as a coronavirus patient, sent back to a server run by the NHS.
NHSX is on an offensive to assuage people’s concerns about privacy and insists that no personal information will be collected. People will be identified by codes which are not linked to their name or address.
Instead, the app will keep a log of Bluetooth connections between codes and, when one of the codes is upgraded to signify that the patient attached to it has tested positive or become ill (this will be done by the user via the app), other codes which had been in contact with that one will be alerted anonymously.
All the connections – which will look to the human eye like a series of pairs of numbers, with one number in common – will then be uploaded to a central NHS database and stored.
NHSX chief executive, Matthew Gould, confirmed the app will collect no specific personal data from users such as their name or address.
He said: ‘The app is designed so you don’t have to give it your personal details to use it – it does ask for the first half of your postcode but only that.
‘You can use it without giving any other personal details at all – it doesn’t know who you are, it doesn’t know who you’ve been near, it doesn’t know where you’ve been.’
But experts say this level of data collection – tracking the movements of one unchanging number and linking it to others – is fraught with hazards.
It is possible that if the data was hacked, one of the codes – each person’s identifying code remains the same over time – could be linked to a person if the hacker could pinpoint the code and person in the same place. This could then be used to track them repeatedly as their Bluetooth checked in at other places.
The NHS is now facing questions as to why it needs to develop the app in this manner when other countries are plumping for the more privacy-centric approach.
Google and Apple have managed to develop software which serves the same function but in a way that contains all the necessary data inside someone’s phone and doesn’t need a server. Other countries including Germany and Switzerland are using this approach.
Because no movement or tracking information is stored on a central server, it would be invisible to Google, Apple and the NHS and there would be nothing to hack.
That technology works by exchanging a digital ‘token’ with every phone someone comes within Bluetooth range of over a fixed period.
If one person develops symptoms of the coronavirus or tests positive, they will be able to enter this information into the app.
The phone will then send out a notification to all the devices they have exchanged tokens with during the infection window, to make people aware they may have been exposed to COVID-19.
The process is confined to the individual’s handset and the scope of the information sent to the NHS is strictly limited.
Experts fear that the system could be used to label people as infected or at-risk in a way that other people would be able to see, meaning they could face discrimination.
Dr Veale said: ‘We’ve seen in China the traffic light system of red, yellow, green – ‘are you suitable to come into this building or come into work’ – and a centralised system is really just a few steps away from creating those kind of persistent identifiers that allow you to make that kind of approach.
‘Whereas a decentralised system really does proximity tracing and does not do more than that. People can trust that technically.’
With the NHS’s approach, people will have to trust the health service and therefore the Government with their personal information.
Human rights group Amnesty International raised alarm about the prospect.
Scientists have said they are worried about ‘mission creep’ in which people are told the data will be used for one thing but then the people controlling the data decide to use it for something else.
Amnesty International UK director, Kate Allen, said the Government should be looking at decentralised app models where contact-tracing data stays on a user’s device.
However, officials says they are maintaining strict privacy rules while also gathering anonymous data about the numbers of coronavirus cases in certain areas, which could help hospitals to plan for outbreaks, for example.
Ms Allen said: ‘We’re extremely concerned that the Government may be planning to route private data through a central database, opening the door to pervasive state surveillance and privacy infringement, with potentially discriminatory effects.
‘Ministers should instead be examining decentralised, privacy-preserving models such as those many European governments are pursuing.
‘In these extraordinary times, contact-tracing apps and other technology could potentially be useful tools in responding to COVID-19, but our privacy and rights must not become another casualty of the virus.’
Dr Veale also promoted the benefits of the de-centralised model, adding: ‘In the Apple and Google approach… you don’t need to trust Apple and Google with your data because it never leaves your device.
‘It removes the need to have an identifiable central database of any sort whatsoever. This is being used in Switzerland, Austria, Germany, Estonia and also in Ireland.’
The app will form a crucial part of the Government’s three-point ‘test, track and trace’ plan for helping the country to recover from its current crisis.
This will work by officials closely watching where and when new cases and outbreaks of the virus appear and isolating people to stamp them out.
First, anyone who is suspected of having the virus will be tested – there are still currently limits on who can get a test, but these are expected to be lifted by the time the country moves out of lockdown.
If someone tests positive, they will be told to self-isolate as long as they are otherwise healthy and don’t need hospital treatment.
Their households will have to isolate with them and then Government ‘contact tracers’ will work to establish a social network around the patient.
This will involve working out everyone who has come into close enough contact with the patient that they are at risk of having been infected with COVID-19.
All the people in that social network will then also be told to self-isolate until they can be sure they’re virus free, or until they are diagnosed with a test. If they test positive, the same contact tracing procedure will begin for them.
The app will be a vital part of this contact tracing effort, because it will be able to alert people who the patient may have put at risk without them knowing – at a shop or doctor’s surgery, for example.
Cybersecurity experts and human rights experts are also concerned about ‘mission creep’ in which the app starts off with one purpose but then officials decide to use its data for something else.
Professor Mark Ryan, a computer security lecturer at the University of Birmingham, said: ‘Everyone agrees that proximity tracing is a vital part of combating COVID and ending the lockdown.
‘However, we have to be sure that proximity tracing technology does not lead to unfettered surveillance of people’s movements and activities.
‘To this end, we call upon the government to publish open source code of the apps and server processes that will be used.
‘Remember that, unlike the cases of surveillance to combat terrorism or other crime, there is no requirement of secrecy in what strategies and technologies are being used against COVID.’
Information collected by the app will also give the Government insight into where the virus is spreading.
As officials continue to track the virus in future, they will have to try to work out how many people who have had COVID-19 in the past and recovered.
The roll-out of ‘immunity passports’ is being considered by ministers as part of the government’s attempts to get Britain back to work after the coronavirus lockdown is eased.
Ministers are believed to be in talks with tech firms about developing a form of digital identification which would verify who someone is and show whether they have been tested for the disease.
The passports could either be based on antigen testing which shows if someone currently has coronavirus or on antibody testing which shows if someone has had it.
The digital documents would show if someone has tested negative on an antigen test or if they have shown to have some resistance to coronavirus after an antibody test, demonstrating to an employer they are safe to re-enter the workplace.
Such a scheme could be a game-changer for ministers as they try to figure out how to kickstart the UK economy.
But the World Health Organization has warned against these immunity passports because scientists are not sure whether people actually become immune after illness.
In a statement the WHO said: ‘There is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection.’
Boris Johnson is expected to unveil his lockdown exit strategy in an address to the nation on Sunday, having delayed the announcement from Thursday as frantic work continues in Whitehall.
Today it emerged that reduced hot-desking, the closure of office lifts and canteens, and putting tape on the floor to mark where people should stand are all likely to be proposed by the government under plans to restore office working.