How will the NHS contact-tracing app work and how could it affect my privacy?

NHSX are developing an app that will tell you if you have been in contact with anyone who has shown symptoms of COVID-19, but at what cost?

Published: April 21, 2020 at 10:27 am

As the coronavirus pandemic continues to keep many of us on lockdown, a number of governments and tech firms, including the NHS, are developing apps that use your smartphones to let you know if you have been in contact with anybody who has shown symptoms of COVID-19.

These 'contact tracing' apps could help restrict the spread of the virus if enough people use them, but concerns have been raised over how they'll work, privacy and what happens to your data.

What is contact tracing?

COVID-19 is contagious before symptoms emerge. To reduce the spread of the virus, contact tracing finds people the patient may have been infected before knowing they were ill. In South Korea and Singapore, for example, contact-tracers work with patients to retrace their movements, using extra data including CCTV footage, cellphone location data, and even credit card records. Individuals at risk are then contacted to tell them to self-isolate and get tested.

Countries already using apps for contact tracing use two main methods; location or proximity.

Israel’s Hamagen app, for example, uses mobile phone location data from GPS and network connection towers. From these records, the app can reconstruct where an infected person has been, and which other phones were there at the same time.

A commuter wearing a protective facemask studies a smartphone as he sits with others in the carriage of a metro in Paris © Alain Jocard/AFP via Getty Images
People using their smartphones in public could soon be warned if they are in the proximity of someone showing COVID-19 symptoms © Alain Jocard/AFP via Getty Images

Singapore’s TraceTogether app doesn’t track locations. It uses Bluetooth Low Energy to exchange anonymous codes directly with other phones nearby. If somebody is diagnosed with COVID-19, those signal codes can be used to find the other devices that were recently within a few metres of that person, and warn the owners to get tested.

How would an NHSX contact-tracing app work?

The coronavirus app proposed by NHSX, the digital arm of the NHS, will also use Bluetooth to exchange signal codes between app users.

If you develop symptoms and are diagnosed as having COVID-19, you share your recent data by uploading a copy of the codes from your “sent” folder to the NHSX database. Those codes can then be cross-checked by all the other phones running the app, to see if they have a code from an infectious person’s phone in their “received” folder.

But there are some differences from TraceTogether. Bluetooth makes it easy for other devices to get data from your phone, so Apple and newer Android phones don’t allow it to run when you’re not actively using the relevant app. TraceTogether only works if you leave the app running and the phone unlocked all the time (even in your pocket).

This is clearly a privacy problem, as any pickpocket has instant access to everything on your phone.

Read how to stay safe during the coronavirus pandemic:

Apple and Google recently announced imminent changes to their operating systems, designed to make contact-tracing apps work better. The new Apple/Google API (Application Programming Interface) will allow Bluetooth to run in the background, even when the phone is locked or when you’re doing something else, but only to exchange signal codes with nearby phones.

However, it will only work for contact-tracing apps approved by the two tech giants. If they don’t approve an app, users would still have to leave their phone unlocked all the time to run it.

Will the government know everything about me?

The original idea for the NHSX app was that all the codes from all the phones would be uploaded to one central database, and the cross-checking would be done there. Any matches would be notified to the app user, with instructions to quarantine themselves, or get tested, or whatever public health authorities deem appropriate. That would also mean a database of connections between identifiable human beings.

But Google and Apple have made that more difficult. They have announced that they will only approve contact-tracing apps that follow a very specific protocol, similar to a project called DP-3T (Decentralized Privacy-Preserving Proximity Tracing).

Google and Apple © Jaap Arriens/NurPhoto via Getty Images
Google and Apple will only approve contact-tracing apps that follow a very specific protocol © Jaap Arriens/NurPhoto via Getty Images

Devised by scientists from eight European universities, DP-3T changes the anonymous codes regularly, which makes it impossible to associate one code with one phone, or person. It also keeps all the codes, sent and received, on the users’ phones, unless an infectious person’s “sent” codes need to be uploaded for cross-checking, via encrypted channels. The cross-checking also takes place on users’ phones, not in the central database.

This means that nobody, not even NHSX, has the whole picture. NHSX may know that you have COVID-19 and have uploaded this set of codes, but won’t know the identities of the people whose codes match yours.

Read the latest coronavirus news:

Of course, none of this prevents NHSX from designing an app that also asks for other information, such as location data. But Apple and Google have made sure that decentralised, privacy-preserving apps will run better on Apple and Android phones from May onwards.

That should also encourage more people to download and run the app without worrying about giving up lots of personal data to NHSX and their partners.

Visit the BBC's Reality Check website at bit.ly/reality_check_ or follow them on Twitter@BBCRealityCheck