
Academics voice concerns about UK contact-tracing app plans


Almost 200 UK academics have put their names to a joint letter expressing concerns about the UK government’s plans for rolling out a centralised coronavirus contact-tracing app.

Contact tracing – in which the potentially infected contacts of a person with a confirmed Covid-19 infection are tracked down and advised to self-isolate – is generally considered an important part of loosening lockdown measures, along with measures such as enhanced hygiene, widespread testing and social distancing. The South Korean and Taiwanese governments used contact tracing alongside other measures to successfully contain the transmission of the virus.

As countries in Europe and other regions consider how to safely loosen lockdown restrictions, many governments have coalesced around the idea of contact-tracing apps, which would use Bluetooth to detect nearby people, to try to minimise the transmission of the novel coronavirus. NHSX has indicated that a contact-tracing app could be ready in two to three weeks. It is expected to begin with a small trial, potentially on the Isle of Wight.

Notably, the UK app will use a centralised model in which the tracing process occurs on a central server rather than on users’ phones; the government also hopes that this model could allow for insights about the spread of the virus through communities (with users having the option to provide more details about themselves if they choose).

However, there are growing concerns about the privacy implications of a contact tracing app. Almost 200 UK academics – with areas of expertise ranging from cyber security to law – have put their names to a joint letter [Google Drive] laying out their concerns about the government’s plans for a centralised app.

“It has been reported that NHSX is discussing an approach which records centrally the deanonymized ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact,” the letter said. “This facility would enable (via mission creep) a form of surveillance.

“We note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society for surveillance.”

They state that any models which allow for the reconstruction of individuals’ personal information – such as a “social graph” of real-world interactions – must be fully justified: “With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens’ real-world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX.”

The researchers said that the usual data protection principles should apply; the app should only collect the data absolutely necessary to achieve its objective. They called for NHSX to publicly commit to not creating a database, which would allow unnecessary de-anonymisation of individuals for building social graphs and other models, and to explain how it plans to phase out the app after the pandemic has passed in order to prevent mission creep.

Due to these privacy concerns, most European countries have elected to pursue decentralised models. Apple and Google are collaborating to release an API, which enables interoperability between Android and iOS for contact-tracing apps made by public health bodies, with their model involving a decentralised database and tracing process and ephemeral key codes to prevent users being identified. An open-source European project, DP3T, uses a similar privacy-focused model.

The German government switched from a centralised to decentralised model after a backlash from civil liberties groups and the public, leaving France as the only other major advocate of centralised contact tracing in Europe. Earlier this week, a group of almost 500 French cryptography and security researchers signed a letter expressing their concerns about the potential risks of a centralised contact-tracing app, including dozens affiliated with the French research institute working on the contact-tracing protocol for the app. The researchers' concerns are similar to those expressed by UK researchers, particularly regarding the possibility of reconstructing the social graph with data collected by the app.
