No fewer than 177 different academics and online security experts have signed an open letter raising concerns about the UK government’s plans for a coronavirus contact-tracing app and concerns they have over mission creep on the project.
The letters in the wake of concerns raised by the EU over a similar project being driven by Google and Apple and another letter with 300+ signatories which urged caution when applying tech to try and solve the coronavirus crisis.
The latest letter urges governments to ensure that any tech solutions are assessed in detail by academics and experts from all relevant fields to determine the benefits of the project and ensure that these outweigh any risks that may be involved.
In particular, the letter raises concerns about the privacy and medical confidentiality of users of the Bluetooth-powered contact-tracing app that is currently being developed. This may ring bells to any familiar with the similar app being used in Singapore, which has provoked plenty of controversy.
The experts claim in their letter that NHSX, the UK Government unit responsible for the digital transformation of the health service, which is driving the contact-tracing app project is considering a model which will involve the central storage of deanonymised information about both individuals who contract coronavirus and those they have been in contact with.
This would appear to be a deeply concerning develop as it would not only allow the data to easily be used for other unintended purposes, but it would also leave it vulnerable to hackers or malicious state actors potentially accessing the data and using it for malign purposes.
Speaking to the UK Parliaments Science and Technology Committee yesterday, Matthew Gould, the CEO of NHSX refused to deny this claim and instead defended the approach in typically vague terms.
Gould said the app uses “a degree of centralisation” before defending that by arguing that it is a false dichotomy to argue that decentralised in secure and centralised is not.
At least 177 experts on this area appear to disagree with Gould though. In their letter, they make an extremely strong case for the app collecting a minimal amount of data in order to perform its key functions.
“We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a ‘nice to have’, given the dangers involved and invasive nature of the technology,” they wrote.
The role of GCHQ
Another concern about the centralised approach is the role that UK’s intelligence agencies and in particular GCHQ has played in influencing that decision.
It is known that they have been involved in advising on the architecture of the app Gould pointedly dodged a question on their involvement in choosing a centralised model, which rather implies that they might support the move for other reasons.
By backing a centralized approach, the UK appears to be going against the flow in comparison to other countries. As TechCrunch has reported, Germany has shifted its plans from a centralised to a decentralised model in recent days joining a long list of countries that includes Spain, Switzerland, and Estonia, in taking this approach.
The question of mission creep is also an important one, especially given Gould’s evidence to the Science and Technology Committee.
He admitted under questioning that it was possible for future iterations of the contact-tracing app to request people to give up even more data, with things such as location data a possibility.
The GCHQ link is another mission-creep worry. Matt Hancock, the UK’s Health Secretary, has recently granted intelligence agencies new powers to require the NHS to disclose any information that relates to “the security” of the health service’s networks and information systems, which will only reemphasise these.
One thing Gould did promise to the Committee was that a data protection impact assessments (DPIA) would be published for each version of the app. This has not happened to data and, in their letter, the 177 academics urged Gould and NHSX to make this public now.
In a statement to TechCrunch, NHSX said this would happen “in due course”. They also promised that “Users of the app will remain anonymous up to the point where they volunteer their own details, and there will be no database that allows the de-anonymisation of users.”
It remains to be seen if the app itself lives up to these high standards but having made that commitment, there is no doubt that experts will seek to hold them to it.
In some countries, the government has already promised that any contact-tracing app will balance the rights of the people to privacy with tackling the coronavirus pandemic.
Canadian Prime Minister Justin Trudeau stated plainly that “we're going to keep in mind that Canadians put a very high value on their privacy, on their data security… Getting that balance right will be extremely important.”
Let’s hope the UK government shares those sentiments. Unfortunately, given the concerns raised in this letter and the evidence given by Matthew Gould, there is plenty of reasons to doubt this.