Plans are being announced for the UK‘s contact tracing smarphone app, which will alert people when someone they’ve been near has started showing symptoms of COVID-19.
Apple and Google have both suggested decentralised approaches to this, where you – by updating the app – notify the world that you’re showing symptoms and that message is then relayed to who needs to know it.
However, NHSX have opted for a “centralised” approach – which basically means Government servers will hold of all of our whereabouts data… and anything online is hackable. There would be ways of making this data obscure – such as pseudonymization – but we’re unlikely to hear the details of any Security By Design measures taken (to be fair, the more you reveal about how something’s built, the less secure your plans instantly become).
The argument from the NHS is that the centralised approach will give more thorough data – they’ll be able to not just notify people who need to notifying, but they’ll probably be able to identify patterns across the country, and potentially learn more about it’s spread.
The thing is though, the purpose of the app is to alert people and help them – the people around them – stay safe. By being greedy with the data they’re collecting, and taking the centralised approach, the UK Government face being left with a mountain to climb to get people to use the app.
The BBC says that about 67% of smartphone users in the UK have WhatsApp installed. Meanwhile, for the contact tracing app to be effective, it’ll need to be adopted by about 80% of UK smartphone users. So NHSX expect that many people to let the Government track their whereabouts at every given moment?! Are they going to make it law that you need the app? And if not, wouldn’t a less data intrusive approach mean more people installed it?
This isn’t about having something to hide – most people don’t go anywhere exciting or unsavoury. This is about privacy and about just being about to go about your daily life without knowing that your every step is being recorded on a database somewhere.
Some people would argue that this is the thin edge of the big brother wedge (although not actually that thin) and is a really scary aspect of the whole COVID-19 pandemic. Will the “new normal” involve 24/7 suvelliance?! Other countries in Europe have decided against the centralised approach and have taken Apple and Google’s recommended solution, which apparently also helps battery life.
Perhaps the Government should announce – if they haven’t already – at what point this data will be deleted? Under GDPR, we have a right to know what is stored about us and can ask for it to be deleted at any time. Data should also only be kept for the amount of time it needs to be. Will data be deleted on a rolling basis after 21 days or the longest possible known incubation period for the virus? Or will anything that ties it to a phone – rather than a rough georgraphical region – be deleted so that scientists can still study patterns but without being able to tie the results to any individual? Can the database be designed with that in mind from the offset so it’s easy to delete the personal data but keep anonymous data for analysis? Or can we get a promise that everything will be wiped once there’s a vaccine? Or 6 months after there’s a vaccine to have given people time to get it? If we base it on a % of the population vaccinated, we may find there isn’t uptake on the vaccine for some reason and then the Government will never need to delete the data. Any deadlines put in place around the deleting of the data – unlike with the 100,000 tests a day deadline – need to put laid out now and be unequivocal.
Perhaps the even bigger question is can we get a guarantee on when we can stop using the app? Such as once there’s a vaccine.
Any marketer knows that if quantity is your priority, sign up forms need to be short. You ask people for as little information as possible to get bums on seats. Apple and Google know that well. With their centralised approach, our Government and the NHS have set themselves a battle to win in order to get willing participation with contact tracing efforts in the UK.