HEQ explores the failure to launch the NHS Track and Trace app.
One key challenge for policymakers and healthcare authorities in countries affected by the rapid spread of COVID-19 has been the implementation of contact tracing and symptom tracking technologies. An April 2020 briefing by the European Parliament stated: ‘About half of the EU’s Member States have taken location-tracking measures in response to the spread of the coronavirus disease, mainly by working with telecommunications companies to map population movements using anonymised and aggregate location data and by developing applications (apps) for tracking people who are at risk. The European Commission has called for a common EU approach to the use of mobile apps and mobile data to assess social distancing measures, support contact tracing efforts, and contribute to limiting the spread of the virus.’
Test, track and trace
Planned tracking programmes in the UK encountered a number of significant issues throughout development and implementation. The Isle of Wight acted as a testbed for the beta stage of the official NHS ‘Track and Trace’ app; while the relative isolation of the island was theoretically beneficial from a perspective of data purity, researchers immediately encountered three key challenges:
- The demographics of the Isle of Wight skew disproportionately older, meaning potential users were less likely to adopt the new technology, with many lacking access to a smartphone at all;
- The trial app relied on Bluetooth connectivity – this led to an array of errors in data gathering and analysis, as the range of the app’s Bluetooth connection led it to report close contact between users in adjacent buildings; and
- The app was only truly effective at registering the presence of mobile devices powered by Android, recognising 75% of nearby Android headsets, compared to only 4% of Apple phones.
The £11.8m app was abandoned in June; and the government agreed to partner with Apple and Google to develop new tracking and tracing software.
In a joint statement, NHSX CEO Matthew Gould and Test and Trace Chair Baroness Dido Harding said: “Our response to this virus has and will continue to be as part of an international effort. That is why as part of a collaborative approach we have agreed to share our own innovative work on estimating distance between app users with Google and Apple, work that we hope will benefit others, while using their solution to address some of the specific technical challenges identified through our rigorous testing.
“We will also draw on the invaluable insight from all of those who trialled the app on the Isle of Wight – and the brilliant teams who have worked on it to date – to build an app that can form part of the end-to-end NHS Test and Trace service and this insight will be integral to the next phase of development.”
Data protection and privacy
Contact tracing technology as a whole has come under scrutiny from both the health and digital sectors over issues of data security. An open letter published in late April by healthcare researchers and professors from 26 countries cautioned: ‘In some situations, so-called “contact tracing apps” on peoples’ smartphones may improve the effectiveness of the manual contact tracing technique. These apps would allow the persons with whom an infected person had physical interaction to be notified, thus enabling them to go into quarantine. The apps would work by using Bluetooth or geolocation data present in smartphones. Though the effectiveness of contact tracing apps is controversial, we need to ensure that those implemented preserve the privacy of their users, thus safeguarding against many other issues, noting that such apps can otherwise be repurposed to enable unwarranted discrimination and surveillance.’
The health academics’ concern was mirrored by a similar open letter a week later, signed by 177 UK-based privacy and cybersecurity experts and academics, which said: ‘It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance. Echoing the letter signed by 300 international leading researchers, we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified. Such invasive information can include the “social graph” of who[m] someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens’ real world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX.’
Centralised and decentralised data approaches
Concerns over the data privacy implications of the NHS app focused particularly on the decision of developers to centralise data storage, holding the data gathered from users on a remote central server which would carry out contact matching. The Apple/Google model, by contrast, performed contact matching directly on the user’s mobile handset, thereby averting the risk of data harvesting, deanonymisation and reuse by authorities or malign actors.
Speaking in the early stages of development of the NHS app, Gould stated that the centralised approach afforded ‘profound benefits’ for patients and healthcare providers, saying: “We firmly believe that our approach, though it has a measure of centralisation in as much as you’re uploading the anonymised identifiers, none the less preserves people’s privacy in doing so…one of the concerns around contact tracing is the ability to detect malicious use. One of the ways you can do that is look for anomalous patterns, even if you don’t know who the individuals are…which the approach we have taken allows and we’re not sure if a decentralised approach allows.”
No longer a priority
To date, the partnership between NHSX, Apple and Google has yet to result in a functional mobile technology capable of effectively tracking and assessing patient symptoms and contact histories. Issues of connectivity, reliability and the overarching challenge posed by the need to protect patient data appear to have become essentially insurmountable; and Minister for Innovation at the Department of Health and Social Care Lord Bethell told the Science and Technology Committee in June: “We’re seeking to get something before the winter, but it isn’t the priority for us at the moment.”
This article is from issue 14 of Health Europa. Click here to get your free subscription today.
