The UK may be rethinking its decision to shun Apple and Google’s API for its national coronavirus contacts tracing app, according to the Financial Times, which reported yesterday that the government is paying an IT supplier to investigate whether it can integrate the tech giants’ approach after all.
As we’ve reported before coronavirus contacts tracing apps are a new technology which aims to repurpose smartphones’ Bluetooth signals and device proximity to try to estimate individuals’ infection risk.
The UK’s forthcoming app, called NHS COVID-19, has faced controversy because it’s being designed to use a centralized app architecture. This means developers are having to come up with workarounds for platform limitations on background access to Bluetooth as the Apple-Google cross-platform API only works with decentralized systems.
The choice of a centralized app architecture has also raised concerns about the impact of such an unprecedented state data grab on citizens’ privacy and human rights, and the risk of state ‘mission creep‘.
The UK also looks increasingly isolated in its choice in Europe after the German government opted to switch to a decentralized model, joining several other European countries that have said they will opt for a p2p approach, including Estonia, Ireland and Switzerland.
In the region, France remains the other major backer of a centralized system for its forthcoming coronavirus contacts tracing app, StopCovid.
Apple and Google, meanwhile, are collaborating on a so-called “exposure notification” API for national coronavirus contacts tracing apps. The API is slated to launch this month and is designed to remove restrictions that could interfere with how contact events are logged. However it’s only available for apps that don’t hold users’ personal data on central servers and prohibits location tracking, with the pair emphasizing that their system is designed to put privacy at the core.
Yesterday the FT reported that NHSX, the digital transformation branch of UK’s National Health Service, has awarded a £3.8M contract to the London office of Zuhlke Engineering, a Switzerland-based IT development firm which was involved in developing the initial version of the NHS COVID-19 app.
The contract includes a requirement to “investigate the complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs within the existing proximity mobile application and platform”, per the newspaper’s report.
The work is also described as a “two week timeboxed technical spike”, which the FT suggests means it’s still at a preliminary phase — thought it also notes the contract includes a deadline of mid-May.
The contracted work was due to begin yesterday, per the report.
We’ve reached out to Zuhlke for comment. Its website describes the company as “a strong solutions partner” that’s focused on projects related to digital product delivery; cloud migration; scaling digital platforms; and the Internet of Things.
We also put questions arising from the FT report to NHSX.
At the time of writing the unit had not responded but yesterday a spokesperson told the newspaper: “We’ve been working with Apple and Google throughout the app’s development and it’s quite right and normal to continue to refine the app.”
The specific technical issue that appears to be causing concern relates to a workaround the developers have devised to try to circumvent platform limitations on Bluetooth that’s intended to wake up phones when the app itself is not being actively used in order that the proximity handshakes can still be carried out (and contacts events properly logged).
Thing is, if any of the devices fail to wake up and emit their identifiers so other nearby devices can log their presence there will be gaps in the data. Which, in plainer language, means the app might miss some close encounters between users — and therefore fail to notify some people of potential infection risk.
Recent reports have suggested the NHSX workaround has a particular problem with iPhones not being able to wake up other iPhones. And while Google’s Android OS is the more dominant platform in the UK (running on circa ~60% of smartphones, per Kantar) there will still be plenty of instances of two or more iPhone users passing near each other. So if their apps fail to wake up they won’t exchange data and those encounters won’t be logged.
On this, the FT quotes one person familiar with the NHS testing process who told it the app was able to work in the background in most cases, except when two iPhones were locked and left unused for around 30 minutes, and without any Android devices coming within 60m of the devices. The source also told it that bringing an Android device running the app close to the iPhone would “wake up” its Bluetooth connection.
Clearly, the government having to tell everyone in the UK to use an Android smartphone not an iPhone wouldn’t be a particularly palatable political message.
This is effectively a form of Android Herd Immunity: for the good of Britain, vaccinate your friends by giving them Androids!
— Michael Veale (@mikarv) May 5, 2020
One source with information about the NHSX testing process told us the unit has this week been asking IT suppliers for facilities or input on testing environments with “50-100 Bluetooth devices of mixed origin”, to help with challenges in testing the Bluetooth exchanges — which raises questions about how extensively this core functionality has been tested up to now. (Again, we’ve put questions to the NHSX about testing and will update this report with any response.)
Work on planning and developing the NHS COVID-19 app began March 7, according to evidence given to a UK parliamentary committee by the NHSX CEO’s, Matthew Gould, last month.
Gould has also previously suggested that the app could be “technically” ready to launch in as little as two or three weeks time from now. While a limited geographical trial of the app kicked off this week in the Isle of Wight. Prior to that, an alpha version of the app was tested at an RAF base involving staff carrying out simulations of people going shopping, per a BBC report last month.
Gould faced questions over the choice of centralized vs decentralized app architecture from the human rights committee earlier this week. He suggested then that the government is not “locked” to the choice — telling the committee: “We are constantly reassessing which approach is the right one — and if it becomes clear that the balance of advantage lies in a different approach then we will take that different approach. We’re not irredeemably wedded to one approach; if we need to shift then we will… It’s a very pragmatic decision about what approach is likely to get the results that we need to get.”
However it’s unclear how quickly such a major change to app architecture could be implemented, given centralized vs decentralized systems work in very different ways.
Additionally, such a big shift — more than two months into the NHSX’s project — seems, at such a late stage, as if it would be more closely characterized as a rebuild, rather than a little finessing (as suggested by the NHSX spokesperson’s remark to the FT vis-a-vis ‘refining’ the app).
In related news today, Reuters reports that Colombia has pulled its own coronavirus contacts tracing app after experiencing glitches and inaccuracies. The app had used alternative technology to power contacts logging via Bluetooth and wi-fi. A government official told the news agency it aims to rebuild the system and may now use the Apple-Google API.
Australia has also reported Bluetooth related problems with its national coronavirus app. And has also been reported to be moving towards adopting the Apple-Google API.
While, Singapore, the first country to launch a Bluetooth app for coronavirus contacts tracing, was also the first to run into technical hitches related to platform limits on background access — likely contributing to low download rates for the app (reportedly below 20%).
