Apple and Google have blocked the NHS Covid-19 app update after it broke the rules. The agreement between the tech giants and the NHS is very clear that the app may not share location data. The latest update, timed to coincide with the UK opening up, asks users to opt in to share that data. Despite this being an opt in, Apple and Google have said it is a clear breach and the update has been blocked.
What is not clear is how the NHS plans to overcome this. Will it rewrite the update and remove the offending code? That is the option that makes the most sense. Another alternative is to deliver a separate app that captures location data. The problem here is that it would create confusion as to which app to use, and it is questionable what level of adoption would occur.
According to Ray Walsh, Digital Privacy Expert at ProPrivacy: “The blocking of the new opt-in location disclosure feature appears to reveal that the government was attempting to deceive the public into believing that location data would still be handled in an appropriately secure and private manner.
“The Department of Health claimed that the UK’s app would continue to handle data in a private and decentralized manner even if users shared their check-ins to protect fellow users, however, it seems that in reality, the feature would require a centralized repository of data to be amassed by the authorities.
“It is now clear that the government either misunderstood how it can leverage the technology provided by Google and Apple, or was hoping to sneak this update in the back door and get people to opt-in to a centralized approach without providing transparency about exactly what they were doing.”
Why has the NHS done this?
The present system knows which devices have checked into locations, but the use of that data is highly restricted. It is only used when there has been an identifiable outbreak traced to a location. At that point, the data can be released to a central database. Devices enrolled in the NHS COVID-19 app poll that central database for alerts. When a device finds an alert for a location it has checked into, it informs the device owner that they need to take action.
It seems that the current system is considered too slow and unwieldy by the app development team. They decided that using uploaded logs would enable them to automate the notification system. In effect, should there be a peak in infections, it would speed up the notification to device owners telling them what action to take.
Where this gets fuzzy is in the potential correlation of data. If there were three establishments in a town where virus rates peaked, a device would get three alerts. It makes sense. However, any data analysis would show how many people visited all three locations and uploaded their log data. That data could then map where those devices had been and potentially predict further peaks. This level of tracking would make many people uncomfortable.
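An added illustration, not NHS code, of the two designs the article contrasts: the device matching its own check-in log against the alert list it downloads, beside the correlation that becomes possible once logs are uploaded to a central store. Venue ids, times and device names are constructed sample data.

```python
"""Venue-alert matching: device-side (decentralised) versus uploaded logs.
Added example with constructed data; not the NHS COVID-19 app's code."""
from datetime import datetime

# Alerts published by the central database: venue -> at-risk window (start, end).
ALERTS = {
    "venue-A": (datetime(2021, 4, 10, 12, 0), datetime(2021, 4, 10, 15, 0)),
    "venue-B": (datetime(2021, 4, 11, 18, 0), datetime(2021, 4, 11, 23, 0)),
    "venue-C": (datetime(2021, 4, 12, 9, 0), datetime(2021, 4, 12, 11, 0)),
}

# Check-in log held only on the device: (venue id, check-in time).
DEVICE_LOG = [
    ("venue-A", datetime(2021, 4, 10, 13, 30)),  # inside the at-risk window
    ("venue-B", datetime(2021, 4, 11, 12, 0)),   # same venue, before the window
    ("venue-D", datetime(2021, 4, 12, 10, 0)),   # venue never alerted
]


def find_local_alerts(device_log, alerts):
    """Return venues in the device's own log that fall inside a published window.

    Only the alert list travels over the network; the log never leaves the
    device, so the server learns nothing about where this device has been."""
    hits = []
    for venue, when in device_log:
        window = alerts.get(venue)
        if window and window[0] <= when <= window[1]:
            hits.append(venue)
    return hits


# What a central repository would hold if devices uploaded their logs
# (constructed): device -> set of venues it checked into.
UPLOADED_LOGS = {
    "dev-1": {"venue-A", "venue-B", "venue-C"},
    "dev-2": {"venue-A", "venue-D"},
    "dev-3": {"venue-A", "venue-B", "venue-C", "venue-E"},
}


def devices_at_every_venue(uploaded_logs, venues):
    """The correlation the article warns about: with uploaded logs, the holder
    can list every device that visited all of the alerted venues. Nothing in
    the device-side model above makes this query possible."""
    return {dev for dev, visited in uploaded_logs.items() if venues <= visited}


if __name__ == "__main__":
    print("device-side alerts:", find_local_alerts(DEVICE_LOG, ALERTS))
    print("central correlation:", devices_at_every_venue(UPLOADED_LOGS, set(ALERTS)))
```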
Should tech giants be able to refuse the update?
The optics here are interesting and complex. On the one hand, the UK Government opted out of building its own system due to complexity, cost and privacy concerns. It went instead for a system used by multiple countries but one with strict rules around privacy. What is happening now is that the platform owners are enforcing those rules. Given that the rules were clear from the outset, there should be no surprise here.
However, the UK Government wants to open up safely and sees a need for a more efficient system. It thought the NHS COVID-19 app could escape the platform controls by using an opt-in clause for the upload of data. That suggests either a very liberal interpretation of the rules or a belief that it would be allowed to do what it wants.
Walsh believes that the NHS must stay within the Apple and Google guidelines. “It is vital that the UK’s test and trace app continues to use a decentralized approach that does not result in the government constantly tracking people’s whereabouts, and it is lucky for consumers that Google and Apple set strict limitations on how the app is permitted to handle data to ensure privacy.”
The question here is whether the NHS should be able to change the rules it signed up to if it is for the greater good. If it can’t change the rules, how does it improve the current regime?
Enterprise Times: What does this mean?
It’s almost as if the arguments around the creation of the NHS COVID-19 app never happened. The whole issue over privacy and the UK not writing its own system was thoroughly picked over last year. Revisiting the issue won’t change the underlying platform or how it is delivered.
Apple and Google are not going to create an alternative system for the UK. That’s not how these platforms work. There is no pick and mix option here and never was.
According to Walsh: “It will be interesting to see how the government responds because in Scotland a secondary app that causes data to be harvested to a centralised repository has already been rolled out, and it is vital that consumers are wary of any similar moves in the UK.
“The government agreed not to harvest any location data from consumers in order to gain access to Google and Apple’s privacy-centric contact-tracing tech, and it’s hugely concerning that the government attempted to sidestep those privacy protections without making it clear to the public that this would cause location data to be collected.”
It’s hard to see how the NHS gets around this. An alternative COVID-19 app is a non-starter, as is changing the rules of the game. For now, the NHS team needs to go back to the drawing board. Perhaps the solution lies in fixing how councils engage to get data released. Focusing on that would have saved much embarrassment over the rejection of the update.