The NHS COVID app: what's gone wrong?
Here in the UK, pubs and restaurants are preparing to re-open and two households will soon be able to meet inside. But the NHS Test and Trace system - which should secure these steps against causing another outbreak - was supposed to involve a 'contact tracing' app that has failed to materialise. The app was intended to help find people who have been in close contact with strangers carrying the coronavirus. And now politicians seem to have delayed, U-turned, and entered into new discussions with Apple and Google. So what’s going on? Phil Sansom found out from security engineer Greig Paul…
Greig - Since we last spoke, what's happened here is the UK government's sort of made a bit of change in the direction of what they're looking at doing. They had an app, they were testing it on the Isle of Wight, and it started to hit some teething problems around iOS devices recognising each other. And the reason for this was Apple has some technical restrictions on how Bluetooth works on their devices, that they're not able to work around unless they go down Apple's approved route of contact tracing.
Phil - Oh dear. So iOS being the Apple operating system, right? So they couldn't access Apple phone connections?
Greig - That's right. So on an iPhone, for example, there are a number of rules around Bluetooth access that mean that you can't use Bluetooth in the background very easily, and you can't do lots of scanning and announcing that you're there. Which are both things that you really need to do if you're trying to run a contact tracing app.
Phil - How many phones was it missing?
Greig - One of the estimates was that in some situations it was only capturing about 4% of iPhone to iPhone interactions.
Phil - Oh dear!
Greig - Yeah, it wasn't good. Based on how the app worked, I think that's a worst case, it was 4% it was getting. But the problem is you need public confidence in an app like this to work. So in that case I think, yes, that's not good enough.
Phil - So what have they - the government, NHSX, whoever - done now?
Greig - Right now what they're doing is they started off working on a second app in parallel. And what this app is doing is it's using the Apple and Google recommended approach to contact tracing. And the difference here is that Apple and Google, while they've put a number of restrictions that mean that you can't do some of the things that they were doing in the original app to measure distance between devices, what they are doing is making it possible to run in the background. So the government's hoping now to work with Apple on bringing their distance measuring into the approved way of working.
Phil - Can you explain that? Because I know the app doesn't take location data. So how was it getting distance between two phones?
Greig - As you say there's no location data invoved. It's about the signal strength between two phones. Now between different models of phone you get different types and performance of antenna. So if you know, for example, that you've got an iPhone 10, and someone that you're setting next to has got a Google Pixel 4; if you know that, which the UK NHSX approach had, then that will allow you to work out the amount of signal loss you'll see. And therefore you can approximate the distance between the two users much more accurately by taking into account the two antennas involved.
Phil - Is this something that the designers were really keen on, but that they're now having to give up because of this Apple operating system issue?
Greig - It's not clear if they're going to have to give up on it, but for the moment, yes, they have had to stall on this. They were very keen on it; they've recognised that false positives are a big concern. If people are going around every single day getting told they need to self isolate because of COVID, and then the day after they come out they get told again, people are going to start to tire of it and start to ignore it. So as it stands right now, other than Apple choosing to work with them and help them to do that, it won't really be possible for them to do it otherwise.
Phil - But that sounds like that Apple have the government over a barrel, no?
Greig - Effectively yes, actually. France wanted to do a similar type of contact tracing app and they ended up having to meet the same kind of U-turn there, and actually ended up working with Apple and Google. In the UK we've got just over 50% of the population running an iPhone. So Apple's position on this is, "well, we want you to respect user privacy". The challenge for the UK government is: they are an elected government trying to do what people are wanting, which is to be kept safe. And they're up against Apple, and Apple can actually, and is currently, saying, "no, you can't do that. You have to do it the way we want to."
Phil - It's almost like they're kind of making laws, isn't it?
Greig - Well in a sense, yes actually! If you look at some of the restrictions that are being put in place against these apps by Apple, you're not allowed to use it for enforcing quarantine measures...
Phil - Really! Apple say that?
Greig - Yep. You're not allowed to use the contact tracing API for the purpose specifically of enforcing a quarantine measure.
Phil - That's mental.
Greig - We can be charitable here and try and look at it from their perspective, but at the same time, we're in an unprecedented crisis effectively. There is a risk here in that the company is effectively creating de facto law.
Phil - What about Google as well? Why are they involved in this mess?
Greig - If you want a contact tracing system to work, it needs to work across as many phones as possible. In the UK that really means Apple and Android, because you've got Apple for about 50% of the population and Android for about the other 48-49%. And Apple and Google came together and have put together a joint Bluetooth protocol, so that the phones will be able to speak to each other and make things work. Google isn't quite in the same position in that they don't have as many restrictions in place on what an app can and can't do on the device.
Phil - Where do you come down on all this stuff Greig?
Greig - Some of the rules are understandable and make good sense. People should be transparent, privacy is important, and we do need to take good account of that. I don't think it's necessarily going to be the same concern for countries that broadly respect human rights, compared to countries where, for example, they've declared rule by decree. I think we need to recognise that there are different factors in different countries. And clearly Apple's trying to play to a global audience here, because they want to sell their phones to every country. But I think it's going to become increasingly difficult for them and they could even lose some public support over this.
Phil - And what about more short term for the UK is a contact tracing app?
Greig - The press really latched on to the idea of the app potentially being the saviour from lockdown, the way to get normality started again, etc. In terms of this app itself, it is a significant undertaking. They are doing new things. And I think going down Google and Apple's route, there are still questions to be answered around whether it will actually achieve the outcomes we need.