STILL TRACKABLE, STILL TRACEABLE

The Unreliable Foundations of the UK's COVID App

NHS App.jpg

Boris Johnson’s government has recently advanced its plans to introduce a National Health Service-sponsored ‘contact-tracing app’ to help mitigate the spread of COVID-19. It will require those experiencing coronavirus symptoms to enter them into the app, which will then use artificial intelligence to determine whether symptoms match the clinical criteria for the virus. If the person is considered ‘positive’, they will be advised to self-isolate for 14 days and required to arrange a test with the NHS. Significantly, using Bluetooth technology, the app will identify people who have been in close contact with said person and instruct them to self-isolate for 14 days. 

While initially championing a centralised, state controlled app, the government has decided to backtrack on its own attempts at app development. Instead, the app will now be designed by private tech giants Apple and Google and be based on a decentralised data collection system. The government insists this change can further assure the public that their private data will be kept anonymous and confidential, but this claim is not as reassuring as it first appears.

Although this surprising U-turn may seem as though the government has acknowledged the legitimate privacy concerns that arose surrounding the previously proposed centralised system (a decision which Apple themselves declined to support as it guaranteed a clear violation of their privacy policy), the BBC reports that the government has abandoned the centralised, state controlled app because of technical issues and not due to some enlightened sense of respect for individual privacy. This suggests that the government cares less about personal data rights and more about the technical capabilities of these companies which are necessary to design the contact-tracing app. 

"There has already been huge controversy regarding the gathering of location data by Apple and Google which enables these companies to track people’s movements almost anywhere in the world."

Regardless of government motives, it is true that a decentralised system will make it more difficult for governments or hackers to de-anonymise personal data and track individuals, because information will only be stored on singular handsets and not shared with a centralised remote server. However, it is important to note that Apple and Google are still two mega corporations who already collect an extortionate amount of personal user data to benefit their own financial interests. There has already been huge controversy regarding the gathering of location data by Apple and Google which enables these companies to track people’s movements almost anywhere in the world. Allowing Apple and Google to design the new contact-tracing app gives them further access to the personal location data of UK citizens, data which could still be exploited by employees to identify people and share their data without consent. 

Further, the reliability of government claims to protect individual privacy was grossly undermined by the fact that Dominic Cummings (Chief Advisor to the Prime Minister and ex-head of the Vote Leave Brexit campaign) chaired meetings to discuss the development of the app with various private corporations alongside Google such as Facebook and Amazon. As Wired reports, these meetings included conversations outlining the types of technology required to help fight the COVID-19 crisis and Cummings conducting an assessment of each company’s proposals in respect of these issues.

These meetings were concerning because every single one of these companies has, at some point, come under intense scrutiny for data breaches. Facebook, for example, has received criticism for allowing the private information of its users to be harvested by Cambridge Analytica to profile and manipulate US voters.

What’s more, Cummings was also negotiating with an AI company called Faculty, an organisation formerly known as ASI Data Science. This is unnerving because ASI Data Science can also be directly linked to Cambridge Analytica and the alleged illegal exploitation of citizen’s private data, which, in ASI’s case, was harvested to help Cummings orchestrate Brexit Leave’s social media campaign of targeted misinformation. 

"Faculty... is integral to the government’s response to the COVID-19 pandemic and has been processing an unprecedented amount of confidential UK patient data as part of their initiatives."

Wired reports that NHSX (the data specialist unit of the NHS) are in fact already working with Faculty. Not only does this demonstrate a potential disregard for public safety concerning data protection rights, it reveals a worrying reality: private information will be in the hands of companies who already have notorious reputations for exploiting private information for personal profit. The Guardian has recently revealed that Cummings has awarded Faculty seven government contracts in the past 18 months to expand its role in implementing digital technology within public services. This company is integral to the government’s response to the COVID-19 pandemic and has been processing an unprecedented amount of confidential UK patient data as part of their initiatives.

These facts signal that we cannot trust the government’s promise to protect personal information, even in light of their recent decision to adopt a decentralised system of contact-tracing. We must hold the government to account to ensure that our personal data is not unknowingly shared to benefit private corporations, political interest groups or the personal interests of Dominic Cummings. The relationship between the contact-tracing app and Faculty pose a direct risk to our right to privacy and the Data Protection Act (2018): personal data must be used ‘fairly, lawfully and transparently for specified, explicit purposes and kept for no longer than is necessary’.

The UK government must be transparent with the public about exactly what role private corporations are going to play in the development of the contact-tracing app and wider responses to the COVID-19 pandemic. We cannot simply be reassured that our private data will be protected with the recent announcement to switch to a decentralised approach. The government must release details of the contracts it has with companies such as Apple, Google and Faculty to ensure that no data sharing laws are breached and that their claims of discretion can be substantiated.

As it stands, we should have no confidence in what Apple, Google, Faculty or the UK government claim to do with the personal data they collect on British citizens and, given Faculty’s past behaviour, it seems unlikely our private information will be protected. It may well be exploited. Orwellian personal data control always haunts the rhetoric around digital privacy, but we must be especially vigilant and sensitive to it in times of global crisis, times where emergency governmental power might legitimise financial and political gain at the expense of our human rights.