An Ada Lovelace Institute virtual event:
Friday 24 April, 12:00–12:45 (BST)
In the first in a series of webinars exploring the current questions raised by the COVID-19 global health crisis, we asked three speakers with expertise in regulation of emerging technologies, health service delivery, data and privacy to respond to the policy challenges posed to Government by our rapid evidence review, Exit through the App Store.
The discussion centred on the emerging UK context, as Government, regulators and technology providers position themselves in relation to the public health and economic imperatives to transition out of lockdown.
This blog summarises the key points of discussion and debate from the webinar, which you can watch in full below:
The rapid evidence review finds that, while Government is right to explore non-clinical measures for transition, there is insufficient evidence to adopt digital symptom tracking, contact tracing or immunity certification as robust foundations for national policy. Some questions include:
- Can these technologies represent accurate information about infection or immunity?
- Can developers demonstrate technical capabilities to support required functions?
- Can regulators address various practical issues for use, including meeting legal tests?
- How can Government be encouraged to prioritise mitigating social risks and protect against exacerbating inequalities and vulnerabilities?
As Government faces a rising tide of criticism for failing to prioritise the resources needed for a sustained effort to contain the COVID-19 pandemic, will digital contact tracing be advanced as a silver bullet or approached with caution and driven by evidence-based policy?
Simon McDougall, Executive Director – Technology & Innovation, Information Commissioner’s Office
Yves-Alexandre de Montjoye, Assistant Professor, Imperial College
Trish Greenhalgh, Professor of Primary Care Health Sciences, University of Oxford
Carly Kind, Director, Ada Lovelace Institute
Why might we want a contact tracing app?
Trish framed the challenge of contact tracing with her experience as a junior doctor 30 years ago working in sexual health: for a sexually transmitted disease, a doctor would sit someone down to discreetly and professionally ask “could you please give me a list of the people you have slept with in the last three weeks?”. This is relatively easy, because people usually remember who they’ve slept with. The challenge with COVID-19 is that people don’t usually remember who they’ve been in a shopping queue with. It’s clinically a different disease from the conditions we are used to contact tracing for and so there are challenges to a solely manual approach.
Challenges for contact tracing proposals
Need for wide adoption
Trish: At a high level, the proposed app works by your smartphone becoming aware that someone else’s smartphone is within the vicinity and then sending it a message. For this to work, both smartphones need the app installed. If 50% of people have downloaded that app, and two people come into close contact, each person only has a 50% chance of having the app – which means only a 25% chance both have the app and tracing can occur. That suggests a very high proportion of the public would need to have the app in order for the contact tracing to cover a reasonable proportion of the population.
Trish: A paper published yesterday in the Journal of the American Medical Association looks at how South Korea conducted digital contact tracing. They used data from mobile phone carriers, immigration services, police, credit card companies, public transit companies, government agencies, health insurance agencies and hospitals to track the virus and those carrying it. The paper reflects that this approach, although apparently successful, was a heavy price to pay in terms of privacy. We have to ask whether citizens in the UK will be willing to, or should, accept such an infringement of privacy.
Trish: Evidence from existing healthcare messaging systems suggest personalised, non-patronising messaging can elicit patient cooperation in heath data sharing, and patients feeling supported and cared for. For instance, evaluations of the Florence text-based messaging system for helping manage chronic conditions have seen positive evaluations. However, it’s not clear whether more blanket instructions will be effective.
Centralised vs. decentralised protocols
Yves-Alexandre: Academia has been notably focused on the debate between centralised and decentralised protocols for contact tracing apps. Each protocol has a range of risks, possible attacks and mitigation strategies. However, this is not the sole privacy consideration and instead it is worth considering privacy as multidimensional, and evaluate the options based on our priorities. For instance, are we mostly worried about how much data gets sent to the centralised server? Or making sure that people learn they have been in contact with an infected person without the government knowing which individuals are at risk (or indeed, a risk to others)? Or are we worried about people finding out who infected them, or their grandparents?
The French government’s argument against decentralisation is that it will make them blind to what is happening – unable to tell how many people will get a notification saying they have an infection risk, and how many may turn up at hospital for a test – and therefore they would like to have more control. That’s not necessarily to say one protocol is better than the others, but that these are the kind of discussions that need to be having to make that decision.
Simon: The protocol is only part of the picture: Apple and Google have been clear that what they are doing is building a utility to enable a decentralised app to work. That doesn’t stop any public health authority or government building additional functionality into their app, including using other aspects of a mobile device, location tracking, or assigning other identifiers to it, that can work alongside the API. If an app is announced as running on the Apple/Google API or the DP-3T protocol that doesn’t tell us the whole picture: they still could have other functionality which is problematic, or a solution with a lot of utility for fighting the pandemic.
Balancing public interests, individual interests and privacy
Simon: The ICO has recognised that in a time of national crisis decisions need to be made, and that, in doing so, public and individual interests need to be balanced against privacy rights. Privacy is not an absolute right – the fact this discussion happened via Zoom is because we have agreed to restrict freedom of movement for a period of time and privacy is part of that equation.
Lack of transparency
Yves-Alexandre: Without more transparency about how the proposed NHS X contact tracing app works, including an opportunity to scrutinise the code, it can be difficult to have a truly informed discussion. There are many privacy considerations and potential attack vectors – knowing high level features, that it’s only using Bluetooth or relying on public reassurances of privacy-friendly practice is not sufficient. We need to see the protocol and we need to the code ahead of the launch.
Reasons for optimism
Strength of data protection regulations
Simon: The ICO’s experience so far is that data protection regulations – GDPR, the Data Protection Act 2018 – have held up well so far. There are sufficient areas of discretion and public interest exemptions to be flexible for an emergency situation without the need for waiving laws. This is a good test of the regulation to see that the key principles – fairness, security, information rights, retention limits – remain. NHS X and others in central and local government have been actively engaging with the ICO, both on contact tracing and other initiatives.
Privacy by design
Simon: highlighted the ICO’s opinion that the Apple/Google proposal was aligned with the principles of privacy by design and data protection by design and default. They recognise its strong alignment with the DP-3T protocol – both initiatives work on low energy Bluetooth and effectively enable proximity reporting without a centralised database at its core; using the technology layer to provide a level of assurance that there is no centralised location tracking going on. The Apple/Google API represents two large organisations working together more closely than they usually would in an overall positive step.
Yves-Alexandre: thought the quick reaction, both from the privacy community and Apple/Google has averted a nightmare privacy scenario of unbounded, mass data collection and show pathways to contact tracing that are compatible with data protection laws and democracy.
Potential of wider digital technologies
Trish: Digital technologies have a huge potential within healthcare – around 93% of all GP consultations are now happening by telephone or video, whereas fewer than 1% did three months ago two-three months ago.
Simon: also identified progress through information and data sharing within the health sector achieved during this period that people have been trying to achieve for the last 20 years.
NHSX contact tracing commitments
Simon: NHS X is moving very quickly on this app, but it has committed to be publishing both its key security and privacy designs along with the source code for the app so that privacy experts can scrutinise them. It is trying to use stakeholders such as the National Data Guardians Panel, the Centre for Data Ethics and Innovation and advisors to develop mechanisms for scrutiny. This is to be welcomed. If these activities weren’t being conducted, the ICO would be calling for them.
Trust was a recurring theme: the necessity necessity of trust, and the earning of trust.
Simon: Any contact tracing app needs to have significant levels of public trust. That level of trust is only attainable from a real coalition of voices – representing a range of trusted figures for different communities – saying the app is okay.
Trish: identified three kinds of trust:
- Personal trust – in someone you know, such as trusting advice from a family doctor.
- System trust – in the governance and procedures of the wider system, such as the NHS or the welfare state.
- Hegemonic trust – in the dominant narrative; trust we have little option on.
It is important to unpack which forms of trust are at play and how they are changing in this context. With a contact tracing app, when GPs ask patients to use and therefore to trust the app it is asking for a different form of trust than the usual doctor-patient relationship where doctors are the custodian of patient data.
Further reading from the discussion
- Ada Lovelace Institute COVID-19 Rapid Evidence Review: Exit through the App Store?
- Information Technology–Based Tracing Strategy in Response to COVID-19 in South Korea—Privacy Controversies in the Journal of the American Medical Association
- Evaluating COVID-19 contact tracing apps? Here are 8 privacy questions we think you should ask – Yves-Alexandre de Montjoye et al. of the Computational Privacy Group
- On the privacy-conscientious use of mobile phone data – Yves-Alexandre de Montjoye et al. in Nature
- ICO blog: Combatting COVID-19 through data: some considerations for privacy
- Information Commissioner’s Opinion: Apple and Google joint initiative on COVID-19 contact tracing technology
- NHS X blog: Digital contact tracing: protecting the NHS and saving lives