The NHS contact-tracing app might let the U.K. government identify users

Big tech asserts that new contact-tracing tech will combat the spread of COVID-19 and protect users' privacy. But it's unclear whether either claim is true.


The National Health Service (NHS) might allow the U.K. government to use its contact-tracing app — meant to curb the spread of COVID-19 — to identify people from their smartphones, according to a draft government memo obtained by The Guardian.

Contact tracing is big tech’s largest collaboration yet in fighting the spread of COVID-19. The technology promises previously unheard of levels of tracking, allowing health agencies and governments to warn users if they’ve come into close contact with someone who has tested positive for the novel coronavirus.

But the technology at the center of the initiative could very easily be misused. When Google and Apple announced their joint initiative to build contact-tracing technology into their operating systems, the companies said the technology will have “user privacy and security central to the design.” The draft NHS memo paints a far less anonymous picture than Google and Apple do.

The contact-tracing technology hasn’t even been finalized yet, and we’re already seeing reports that it could be used to track specific users. Which isn't really a surprise, considering it's nearly impossible to make any user data gleaned from mobile phones truly anonymous. That brings up some big questions about the project’s ability to protect end users. And, given what we know about the initiative now, it’s not yet clear if contact-tracing technology will actually help us all that much in fighting the spread of the coronavirus.

Wait, what is contact tracing? — Contact tracing is not a new concept, but the idea of using it on such a large scale certainly is. The system essentially uses short-range Bluetooth connections to monitor when your phone has come in close contact with another phone. That data is then used for a series of calculations by each user’s phone to determine whether or not they’ve come in close contact with someone who has also been recorded to have tested positive for COVID-19, or who does so down the line.

The service is designed to be voluntary, so users will need to opt in for their data to be collected and utilized. Those who do opt in can report if they’ve been diagnosed with COVID-19. Thereafter the system would, in theory at least, alert people who have recently come in close contact with an infected person so they can take suitable precautionary measures.

Could it compromise my data? — That’s the broader question here, and we don’t really have an answer yet. The Bluetooth technology involved with contact tracing uses anonymous keys to broadcast data, and those keys change every 15 minutes. Also, in ideal versions of the solution, there’s no central database to which the data is compiled.

But the NHS memo leaves open the possibility that this short-term tracing could actually be used to identify users. The memo states that the NHS-specific app could use smartphone device IDs to “enable de-anonymisation if ministers judge that to be proportionate at some stage.”
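The difference between the rotating keys and the device-ID approach the memo describes can be shown in a short sketch. This is an added example, not code from the NHS app or from Apple and Google; the HMAC-based derivation, the key values, the timestamps and the `device_id` field are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

ROTATION_SECONDS = 15 * 60   # the article: broadcast keys change every 15 minutes
INTERVALS_PER_DAY = 24 * 60 * 60 // ROTATION_SECONDS  # 96

def rolling_id(daily_key: bytes, unix_time: int) -> str:
    """Assumed derivation for illustration: HMAC-SHA256 over the interval number."""
    interval = unix_time // ROTATION_SECONDS
    mac = hmac.new(daily_key, interval.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:32]

def exposed(heard: set, published_key: bytes, day_start: int) -> bool:
    """On-device match: re-derive a reported user's identifiers for one day
    and intersect them with what this phone overheard. No server lookup."""
    derived = {rolling_id(published_key, day_start + i * ROTATION_SECONDS)
               for i in range(INTERVALS_PER_DAY)}
    return bool(heard & derived)

def link_by_device_id(uploads: list) -> dict:
    """What a collector can join: records sharing a stable device ID."""
    groups = defaultdict(list)
    for record in uploads:
        if "device_id" in record:
            groups[record["device_id"]].append(record["rolling_id"])
    return dict(groups)

# Constructed sample data: keys, timestamps and device IDs are made up.
DAY_START = 1586736000
ALICE_KEY, BOB_KEY = b"A" * 16, b"B" * 16
SIGHTINGS = [DAY_START + 100, DAY_START + 4000, DAY_START + 9000]
ALICE_IDS = [rolling_id(ALICE_KEY, t) for t in SIGHTINGS]

ANONYMOUS = [{"rolling_id": r} for r in ALICE_IDS]
WITH_DEVICE_ID = [{"rolling_id": r, "device_id": "device-0001"} for r in ALICE_IDS]

if __name__ == "__main__":
    print("distinct identifiers:", len(set(ALICE_IDS)))
    print("match on Alice's key:", exposed({ALICE_IDS[1]}, ALICE_KEY, DAY_START))
    print("linkable without device ID:", link_by_device_id(ANONYMOUS))
    print("linkable with device ID:", link_by_device_id(WITH_DEVICE_ID))
```

Without the stable field, the three sightings look like three unrelated strings; with it, they collapse onto one device regardless of how often the broadcast identifier rotates.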

So while contact-tracing technology is itself not likely to compromise privacy data, apps created by other agencies to use that data could present serious problems for privacy. And getting access revoked after the pandemic could prove difficult, too.

Would contact tracing help fight COVID-19? — That depends on who you ask. The underlying mechanisms of contact tracing make sense for the novel coronavirus, which is spread through close contact. So it could assist in alerting users when they need to self-isolate most. Further, the U.S. government has already been investigating using mobile phone data to help shape its response to the coronavirus.

But there are a huge number of variables that contact tracing would not address. The technology itself is fairly rudimentary in its mechanisms in that it can only identify proximity — it doesn’t take into consideration variables like, for instance, the protective plexiglass shields that may have recently been put up in front of cashiers at the local grocery store. Contact tracing could also inadvertently flag users in neighboring apartments who haven't actually interacted with one another.

Beyond the potential for false positives, contact tracing is also an inherently reactive system, which doesn’t really align with the way the coronavirus spreads. The technology can’t work unless a user reports that they’ve been infected with COVID-19. That, in turn, can’t happen until the user is presenting symptoms and manages to access a testing facility. If you’ve contracted COVID-19, you won’t actually receive an alert about your proximity until it’s much too late. And that's assuming you can get tested at all, which in the U.S. is proving problematic.

It’s also uncertain how many users will feel comfortable opting into the program. A limited user base could severely undermine the system’s usefulness. Meanwhile, some who do choose to opt in will inevitably abuse the system — the tech's creators will need some serious spam filters to work out which users actually have COVID-19.

Modern contact tracing is still in its very early stages. We won’t see the fruits of Google and Apple’s combined efforts until at least mid-May. The technology is built with anonymity in mind, according to Google and Apple, but we’re already seeing some controversy over what information can actually be collected by the new system.

For now, we’ll keep on our toes and hope big tech can manage to protect its users while also tracking the spread of the virus. And we’ll stay inside for the foreseeable future, just in case. Because so far that's the only action that's been convincingly shown to work.