If two people with the app installed spend a few minutes within a few feet of each other, that ‘encounter’ is logged on each device © FT montage

Be the first to know about every new Coronavirus story

Many countries see contact tracing apps as a vital component of lifting coronavirus lockdowns. The UK is forging ahead with a unique approach, which it began testing this week on the Isle of Wight, off the south coast of England.

Even its creators at NHSX, the state-funded health service’s digital innovation arm, admit they are in uncharted territory. For the system to work, the government must overcome concerns that the app gathers too much data and faces technical limitations by rebuffing an alternative approach from Google and Apple.

How does the app track Covid-19 sufferers?

After downloading the new app and granting it access to Bluetooth connections, a user’s iPhone or Android smartphone begins to listen out for the same wireless signal coming from other nearby devices. If two people with the app installed spend a few minutes within a few feet of each other, that “encounter” is logged on each of their devices.

The app also records the length of time they are in proximity and an estimate of the distance between them, using Bluetooth signal strength.

Data about all such “encounters” are stored for 28 days and then deleted, unless one of the people falls ill during that time. The app asks a series of questions to assess symptoms but, at least to start with, it relies on self-diagnosis rather than a medical test. Once somebody tells the app they are feeling unwell, the system looks at all the logged encounters to assess which are “high-risk”, based on the date and the estimates of time and distance. Those people are then sent a notification suggesting they start to self-isolate.

Information graphic explaining how the National Health Service contact-tracing app works

What data is collected and what is sent to NHS?

The new app asks for the first half of a user’s postcode and also takes the make and model of the smartphone they are using. Each user is then issued a random number or “installation ID”. When someone falls ill, their installation ID and data about all their encounters with other people over the previous month are sent to the central NHS database for analysis.

Data collected on the central database “can’t be linked to other data the NHS holds”, wrote Ian Levy, technical director at the National Cyber Security Centre of GCHQ, who has led the security side of app development, in a blog post this week.

How could the app infringe privacy?

Privacy campaigners have three main concerns: first, that the government will be able to access more information than ever about contact between people, even if it is anonymised. Second, that the government could in theory cross-reference this with other data it has about the population and make connections that have not previously been possible. And third, that there is still too little clarity on what personal data will be collected, how it might be used in future, and when it will be deleted.

Hannah Couchman, an expert in technology and human rights at the campaign group Liberty, voices particular concern about “mission creep”. “This surveillance infrastructure is being created which we, the population, are allowing for now — but will it be put back on the shelf for use in other ways?” she asks.

Why is the UK going its own way?

Apple and Google are developing a very different system for public health authorities around the world to use. New software built into their iOS and Android operating systems will also use Bluetooth but instead of sending data about encounters and infections to one big database, most of the contact information will be held on each person’s individual smartphone — the “decentralised” approach.

The NHS is developing its own “centralised” system because officials believe the data it gathers will give researchers greater insight into how the pandemic spreads and evolves, as well as allowing it to improve the contact-tracing system over time.

Matthew Gould, chief executive of NHSX, said this week that the app allowed it to see “hotspots” and “more easily to optimise the algorithms that we’re using so we can make sure the risk model we’re using is as accurate as possible”.

A decentralised system “won’t know anything about how that [infected] user may have spread the disease”, Mr Levy said, while a centralised system could show if “a particular anonymous person seems to infect people really well”.

What are the security risks?

One of the main justifications for adopting a centralised system rather than a decentralised one is that health authorities analysing the data can “sense-check” malicious use of the app.

Mr Levy gives the example of an attacker sitting outside a hospital with equipment that can amplify Bluetooth signals from their own phone, creating “fake but realistic-looking proximity events for everyone in the hospital”. If this attacker then reported themselves as symptomatic, they could effectively shut down the hospital by setting off alerts requiring all staff inside to self-isolate. According to Mr Levy, the NHSX system has inbuilt risk-modelling that “can catch this sort of attack and mitigate it”.

On the other hand, the weakness of a centralised system is that it makes the NHS server — on which all the data are held — a potential target. Robert Hannigan, former director of GCHQ, said on Tuesday he did not think the central server was vulnerable. “Even those who manage to get into this would find very, very limited personal data,” he told the BBC.

What are the technical limitations?

Both iPhones and more recent Android devices prevent third-party apps from accessing Bluetooth constantly when they are not being used, to avoid draining the phone’s battery as well as for security reasons. The only way to get around these technical limitations is by adopting the contact-tracing technology that Apple and Google began testing last week. Apple and Google representatives said this week that any other system would not be able to use Bluetooth reliably, making the apps unstable and draining battery life quickly.

Without using Apple and Google’s tools, the NHS app will have to find creative ways to keep the app tracking going. If two people spent even several minutes in proximity, but had not opened their apps for a while, they may not register an “encounter”.

One solution could be for the app to send a notification several times a day that “wakes up” the Bluetooth connection, but this could irritate users.

By eschewing the global standard proposed by Google and Apple, the UK’s unique system could also present compatibility problems when travellers start “roaming” abroad.

NHSX officials say they are still talking to Apple and Google, “keeping the door open” to reverting to a decentralised approach if necessary.

A Department of Health spokesperson said: “Our testing has shown the app does run in the background on both iOS and Android.”

However, no technical details have been given for how this is achieved, given the restrictions that Apple and Google build into their operating systems.

NHSX said it would “continue to make adjustments if necessary” following the Isle of Wight trial.

Tell us about what’s happening around you. Are jobs being cut? Are workers being put at risk? Send your tips and stories to coronavirus@ft.com

Get alerts on Coronavirus pandemic when a new story is published

Copyright The Financial Times Limited 2020. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article