Jagvinder Singh Kang, as part of the debate on contact tracing apps, takes a more positive look at the technology and privacy issues surrounding the Government’s proposed centralised approach.
Introduction
Ahead of the proposed national roll-out of the NHSX COVID-19 contact tracing app, there has been criticism of it by privacy advocates and others. In this article I will take a unified view that combines technology law, data protection law and a technical perspective, and hopefully address some of those concerns, so as to guard against undermining the tremendous effort which is being invested into a life-saving solution.
Is the NHSX App even necessary?
The importance of contact tracing was apparent as soon as the virus manifested itself in the UK, as well as in other parts of the world. The objective was that those who had been exposed to it would be quarantined, to guard against spreading the infection, especially considering the exponential rate of the contagion.
However, contact tracing through manual means is resource intensive. Furthermore, although an individual can identify some of those people with whom he or she has been in contact, this becomes much more difficult to do:
We only have to consider the following recent news from South Korea, to note the importance of contact tracing to guard against a second wave of infections after lockdown measures are relaxed. In early May, one individual, who subsequently tested positive for COVID-19, visited five nightclubs and bars during one night, leading to a new wave of infections. Over 2,000 establishments were subsequently ordered to be closed for a month, and several thousand individuals were urged to be tested. This scare occurred after the government had relaxed social distancing measures with the virus seemingly under control.
Taken together with the rapid spread of the virus in the UK and other countries, this shows that manual contact tracing will not curb the spread of the virus. Hence the need for an automated way of undertaking contact tracing to save lives.
Is the NHSX App going to be privacy intrusive?
Privacy concerns regarding the NHSX App seem to have generated adverse publicity – with some suggestions of the NHSX App potentially leading to a ‘surveillance state’. However, it is important to rebut concerns such as these, by focusing on the reality of the NHSX App, and taking into account the requirements mandated by the Government’s Joint Committee on Human Rights.
The amount of data that is collected
The NHSX App only collects a limited amount of personal data; in fact, much less than many of the apps which individuals use these days. We only have to consider how much information users share through the use of other commercial app services (viewing the privacy policy for such apps will make the large scale of data collection and processing apparent), to see the stark comparison with the NHSX App. Yet, millions of individuals adopt a ‘care-free’ approach to installing such commercial apps, due to their perceived utility or entertainment value, without expressing any privacy concerns.
In contrast, the NHSX App collects a much more limited subset of information, for the purpose of safeguarding public health and lives. Furthermore, no GPS location data is gathered. Instead, the app records the Bluetooth Low Energy (BLE) signal strength of connections to other devices running the NHSX App, which provides relational proximity rather than actual location information (that is, the NHSX App is not tracking a user’s specific location). This is achieved by the BLE signal strength providing an approximation of the distance between different devices, and therefore between individuals. BLE has the advantage of being a power-conserving variant of Bluetooth, which guards against unnecessary battery drain, and is commonly used in smart watches and proximity sensors.
Phone model data is also collected, so that adjustments can be applied to the BLE signal strength information, giving a truer measure of proximity: different phone models behave differently with regard to BLE signal strengths. This ties in with the data protection law requirement to process data accurately.
Users of the NHSX App are also able to choose whether to provide the first part of their postcode to the NHSX systems (this again, does not identify a user’s address, nor specific location). This allows trend analysis and local hospital resourcing, as mentioned in the section below.
Furthermore, the NHSX App does not gather any information about a user’s name. Instead, a unique random identification number is automatically generated for each user of the NHSX App (the NHSX refers to this as the “Sonar ID”). An encrypted form of the Sonar ID (which the NHSX refers to as the “Transmitted ID”) is exchanged between devices which come into each other’s proximity. The NHSX App also refreshes each user's Transmitted ID on a daily basis, with a new randomly generated identification number to further safeguard privacy. Cryptography is also used by the NHSX App to ensure encrypted authorisation and transmission of data.
A user’s device’s IP address is also captured by the NHSX App. This is for purposes such as load balancing and guarding against DDoS types of cyber attack. Organisational and technical measures are also implemented to segregate the IP addresses visible to the front end systems from the NHSX back end systems, to further protect privacy.
Centralised versus decentralised approach
There has been much debate about the centralised versus decentralised approach.
The NHSX App is using BLE to build a list of contacts which a user has encountered, by way of the Transmitted IDs mentioned above (the “Transmitted ID List”). This will therefore constitute ‘pseudonymised’ personal data in data protection legislation terms: the personal data cannot be attributed to a particular individual, without the use of additional information which is kept separate, and which is subject to technical and organisational measures to keep it separate. This information is automatically deleted from the user’s phone after 28 days.
With the decentralised approach, the Transmitted ID List remains locally on a user’s device. Any matches of close proximity between an infected individual on the Transmitted ID List and the user of the device are detected locally on the user’s device. With the centralised approach, the Transmitted ID List, as well as the other details which the NHSX App is collecting, are securely transmitted to the NHSX’s systems for matching and detection purposes after a user uploads them; this will be after the user self-diagnoses that he or she is suffering from virus symptoms.
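As an added illustration (not NHSX code, and not the real NHSX cryptography), the following model shows the two matching flows just described: daily-rotating Transmitted IDs, a per-device contact list pruned after 28 days, a model-calibrated BLE threshold, and matching done either on the back end (centralised) or on the handset (decentralised). The proximity threshold, the calibration offsets and the use of a keyed HMAC plus lookup table to stand in for the encrypted Sonar ID are assumptions for the example.

```python
import hashlib, hmac, secrets

RETENTION_DAYS = 28        # contact list is deleted from the phone after 28 days
PROXIMITY_RSSI_DBM = -70   # assumed "close contact" threshold, not an NHSX figure
# Assumed per-model calibration offsets in dB; the page only says such adjustments exist.
MODEL_OFFSET = {"model-x": 0, "model-y": 5}


class Server:
    """Back end: the only party able to map a Transmitted ID back to a Sonar ID
    (the encryption is modelled here as a keyed HMAC plus a lookup table)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.registry = {}  # Transmitted ID -> Sonar ID

    def issue_transmitted_id(self, sonar_id, day):
        msg = f"{sonar_id}:{day}".encode()
        tid = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        self.registry[tid] = sonar_id
        return tid

    def match_centrally(self, uploaded_contacts):
        """Centralised approach: the symptomatic user's contact list is
        uploaded and resolved server side to the Sonar IDs to notify."""
        return {self.registry[tid] for tid, _day in uploaded_contacts}


class Phone:
    def __init__(self, server, model):
        self.server, self.model = server, model
        self.sonar_id = secrets.token_hex(8)  # random; no name is collected
        self.daily_tids = {}                  # day -> Transmitted ID (rotates daily)
        self.contacts = []                    # (Transmitted ID seen, day seen)

    def transmitted_id(self, day):
        if day not in self.daily_tids:
            self.daily_tids[day] = self.server.issue_transmitted_id(self.sonar_id, day)
        return self.daily_tids[day]

    def record_contact(self, other, day, raw_rssi_dbm):
        # calibrate by phone model before deciding whether this counts as proximity
        if raw_rssi_dbm + MODEL_OFFSET[self.model] >= PROXIMITY_RSSI_DBM:
            self.contacts.append((other.transmitted_id(day), day))

    def prune(self, today):
        self.contacts = [c for c in self.contacts if today - c[1] < RETENTION_DAYS]

    def match_locally(self, published_tids):
        """Decentralised approach: infected users publish their own Transmitted
        IDs and each phone checks its local list; nothing leaves the device."""
        return any(tid in published_tids for tid, _day in self.contacts)
```

Note that in the centralised flow the server learns the whole uploaded contact list, whereas in the decentralised flow it only ever sees the infected user's own published identifiers.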
Although, from a privacy perspective, storing data locally on a device is more privacy-preserving, this does not mean that a centralised approach cannot have appropriate privacy safeguards applied to it. In order to understand why a centralised approach has been advocated by NHSX, one has to understand the benefits of doing so.
Centralising the data allows a number of advantages, which NHSX believes are unavailable with the decentralised approach, including the following:
It is also important to understand that there are numerous safeguards implemented within the NHSX centralised approach. The cryptographic material for the device identifier is stored on iPhones within the Secure Enclave Processor. This secure co-processor, isolated from the main processor, provides an extra layer of security, as the cryptographic integrity of its operations is maintained even if other aspects of the phone are compromised. Android devices are not standardised, so this information is stored in hardware secure storage on the handset, or using software measures where the handset model makes this impossible. Data is also transmitted from the user’s device to NHSX systems in an encrypted batch process using Transport Layer Security (“TLS”), the protocol that provides secure data transmission.
There is of course, always the risk of security breaches. However, this is no different to any other system in the world. It does not mean that systems should not be deployed, it just means that security measures need to be implemented and continually monitored and updated.
However, there are certain issues associated with a centralised approach, such as interoperability issues with apps of other countries which have taken a decentralised approach (particularly with Ireland). Therefore, it remains to be seen as to whether the final NHSX App rollout will adopt a centralised or decentralised approach. Matthew Gould, the CEO of NHSX, has acknowledged that it would be technically possible to move to developing a decentralised system in place of the existing centralised approach, if required; albeit, that this will then suffer from the associated deficiencies with that approach, as outlined above.
Do you really need to install the NHSX App?
People around the world are becoming frustrated with the lockdown measures which are severely constraining their day-to-day lives. The Government has stressed the importance of the R-Number remaining well below one if we want to see restrictions lifted, as an R-Number above one risks exponential contagion. The South Korean example cited earlier illustrates how a second exponential wave could commence from the relaxing of lockdown measures. This can only be addressed through urgent contact tracing.
A report to NHSX on effective configurations for a contact tracing app, shows that the virus can be suppressed if at least 56% of the UK population use the NHSX App. This translates into at least 80% of all UK smartphone users using the NHSX App (to take into account that not all of the UK population have a smartphone). The Isle of Wight beta testing of the NHSX App is encouraging. It showed that 65% of all smartphone users who could download the NHSX App, had done so by mid-May. Undoubtedly, huge public confidence is required for a successful roll-out of the NHSX App. This is why the Government’s Joint Committee on Human Rights has called for independent oversight and additional legislative footing, as a pre-condition. This will also help ensure compliance with Article 8 of the European Convention on Human Rights (‘Right to respect for private and family life’).
It is therefore imperative that maximum uptake of the NHSX App occurs, to safeguard individuals, their loved ones and the NHS.
The Joint Committee on Human Rights’ Pre-conditions
As with any project, there are issues which arise from the initial design and testing phase. The Data Protection Impact Assessment which is required for projects such as the NHSX App, is useful to highlight risk areas and concerns, so that they can be addressed.
The DPIA produced by the NHSX has shown that there are some areas which require further focus by the NHSX. These include: ensuring the deletion of data from back end systems (rather than just the NHSX App itself) when it is no longer required; ensuring that purpose limitation in respect of processing of personal data is maintained (to avoid ‘scope creep’); ensuring that the rights of data subjects can be properly exercised; and ensuring that there are clear privacy notices addressing the processing of personal data. Consequently, it is reassuring for the general public that the Government’s Joint Committee on Human Rights has stipulated that, prior to the national roll-out of the NHSX App, the following conditions must be addressed in new legislation (a number of which simply reinforce specifics in respect of existing data protection legislation requirements):
All of this should, therefore: alleviate some of the concerns about the forthcoming national roll-out of the NHSX App; and help the UK in its objective to overcome the virus and its adverse effects, as soon as possible.
Jagvinder Singh Kang is a leading specialist technology lawyer, data protection lawyer and qualified software engineer. He is also the International Head of IT Law at the leading law firm, Mills & Reeve.
Published: 2020-05-22T14:00:00