Privacy: Sacrificed to covid response?

NHS tracking app could solve crisis – but at the cost of our privacy

By Attila Tomaschek

The solution to slowing the spread of covid and easing lockdown restrictions in the UK may be on the horizon. That solution could come in the form of the contact tracing app currently in development by NHSX, the digital transformation unit of the NHS.

The contact tracing app, due to be available in the UK in the coming weeks, will be offered for users to download on a voluntary basis. The app will use Bluetooth signals on a user's phone to communicate anonymously with other users' phones nearby and maintain a record of which users were within close proximity to one another for a set period of time. If a user experiences symptoms and suspects they may be infected with the virus, or tests positive, they can report this in the app. The app will then send an alert to other users who were recently in the vicinity of the anonymous infected user for a sustained amount of time and encourage them to self-isolate to limit their potential to spread the virus further.

Experts have indicated that at least 60% of the adult population will need to download the app and participate in order for it to be effective in slowing the spread of the virus. Apart from the questions surrounding the likely rate of adoption, and therefore viability, its potential for abuse and trolling, and other inherent functional issues, there are very serious concerns regarding data privacy well past the lifetime of the crisis.

In the short term, relaxing some of our expectations for personal privacy in the name of the public good and navigating us safely out of this health crisis might be necessary, but it is crucial that these measures are temporary.

The application is being offered on a completely voluntary basis; however, that shouldn't give the app developers license to collect any more user data than is absolutely necessary. Nor should it give government authorities the jurisdiction to de-anonymise the data collected from the app, or repurpose any of its functionality for objectives beyond the scope of its original intent.

Health secretary Matt Hancock announced that the data collected from the app will be "handled according to the highest ethical and security standards". However, an alarming draft government memo leaked to the Guardian indicates that the NHS privately considered giving ministers the authority to de-anonymise the data and identify individual users if necessary under "proportionate" circumstances.

Granted, the memo was just a draft and NHSX representatives deny it was ever on the cards, but if the mere notion of de-anonymisation was discussed, even incidentally, it presents a very worrying illustration of how government authorities contemplate stretching their powers into highly questionable territories.

The reality is that anonymised data broadcast via a Bluetooth signal can never be truly 100% anonymous. The app might not record the user's MAC address – a unique identifier – and restrict itself to a regularly re-generated Universally Unique Identifier (UUID), transmitted from a user's phone via Bluetooth. But that doesn't stop the NHS linking that identifier to a specific user, regardless of how often it is re-generated.

As authorities in the UK scramble to combat the spread of covid, they must not lose sight of their duty to protect UK residents' fundamental right to personal privacy.

The NHS contact tracing app absolutely has the potential to be a game-changer in helping the UK effectively navigate the crisis and slow the spread of the virus. At the same time, it does also have the potential to be misused. It is therefore imperative that the application is deployed with care and appropriate transparency. It must also be limited in scope and only collect data expressly necessary for its purpose and only for the duration of time absolutely necessary in addressing the crisis.

If the government can provide users with an assurance of proper privacy safeguards and appropriate transparency regarding the scope of the data collected and the extent to which it will be used, it could go a long way towards encouraging adoption of the app. In turn, this could significantly enhance its viability in addressing the pandemic.

Attila Tomaschek is a digital privacy expert at ProPrivacy.com.

The opinions in Politics.co.uk's Comment and Analysis section are those of the author and are no reflection of the views of the website or its owners.