UK government changes tack on contact tracing app

The UK government has announced the contact tracing app is moving from a ‘centralised’ to a ‘de-centralised’ model, but what does this mean for user privacy?

30 June 2020

Contact tracing apps are designed to help prevent a second wave of Covid-19. They work by recognising when a user has been in close proximity with another user for a defined period of time. When a user has been exposed to another user, who is later diagnosed with or presenting symptoms of Covid-19, the app is designed to send an alert to that user who has been exposed, advising them to get tested and/or self-isolate.

The reason for the change and the future of the app

We have previously discussed the differences between 'centralised' and 'de-centralised' models of contact tracing apps. The UK opted for a centralised approach in May; however, the UK government announced last week that it will now replace its 'centralised' contact tracing app for the alternative de-centralised model, based on technology provided by Apple and Google, which has been promoted as being more privacy-focused.

The UK government expects that the app will be launched in the autumn, but potentially only with the basic function to report symptoms, rather than contact tracing.

It was revealed that the NHS has been testing and comparing both models over the past month, including the testing of the centralised version of the app on the Isle of Wight. The centralised version of the app was able to assess the distance between two users, but struggled to recognise nearby iPhones, registering only 4 per cent of iPhones, compared to 75 per cent of nearby Android handsets. By contrast, the Apple-Google version of the app recognised 99 per cent of all phones, although it was weaker at calculating distance in some instances, which could mean that it fails to send out alerts when necessary.

Baroness Dido Harding, who is in charge of the wider Test and Trace programme, noted that the rigorous testing of both models of the contact tracing app ‘demonstrate that none of them are working sufficiently well enough to be actually reliable to determine whether any of us should self-isolate for two weeks’, adding she will only give the green light to deploying the Apple-Google model if she judges it to be fit for purpose, which at present it is not. In any event, the app seems to no longer take centre-stage in the government’s Test and Trace programme, with Baroness Harding describing it as being a 'cherry on top'. Even if Baroness Harding gives the Apple-Google app the final green light, the devolved administrations in Scotland, Wales and Northern Ireland will need to decide whether to commit to the new model independently.

Other countries have also faced problems creating a contact tracing app as well. Singapore previously announced that it would issue each citizen with a wearable device instead, as it struggles to implement a mobile app.

What are the advantages of the switch?

The previous ‘centralised’ model was designed to carry the contact-matches on a central server. This creates a single point of weakness, any vulnerability of which would allow access to significant amount of sensitive personal data. In contrast, the Apple-Google model takes the ‘de-centralised’ approach, carrying out this process on the individual’s handsets instead, and so removing this central weak point. The Apple-Google model also makes it more difficult for authorities or potential hackers to de-anonymise the records, a major concern amongst privacy advocates.

However, a centralised version of the app would have provided other benefits to the UK healthcare system, such as allowing NHSX the opportunity to analyse a large dataset for scientific research, helping them better target the contagion alerts. A centralised app would also not be limited by rules imposed by Apple and Google, such as a ban on being able to gather location data. The UK government evidently now considers that the benefits of centralised model no longer outweigh the privacy and security implications of the de-centralised model. The decentralised approach also now falls more in line with the ICO’s guidance on contact tracing apps.

Adopting the Apple-Google model will also bring the UK in line with the majority of other European countries, such as Italy and Switzerland, increasing the opportunity for collaboration between the UK and other countries, as travel begins to resume. Germany also released a decentralised app recently, showing that there is public appetite for this style of app after reporting 6.5 million downloads within 24 hours of release. According to one BBC News report, one of the developers reported an 80 per cent logging match accuracy which was 'good enough to go with', despite the risk of false alerts. It is expected that the few countries, such as France’s 'StopCovid' app, that have chosen to adopt the centralised model may face challenges in this regard. The French government in particular has also drawn heavy criticism from privacy campaigners for its approach, with academics arguing the app could be repurposed for mass surveillance.

Whether COVID-19 related or not, at Burges Salmon we can assist you with your data protection related queries. For more information, please contact Andrew Dunlop or David Varney in our Data Protection team.

This article was written by David Sherafati and Andrew Wilson.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more