In their recent statement on digital contact tracing, NHSX, the NHS Unit leading digital transformation of the NHS, acknowledge that the public will need to trust this new technology for it to be effective in tackling COVID-19, and that NHSX will seek to earn that trust by working with ‘transparent standards of privacy, security and ethics’.
(Read the NHSX statement)
This app has the potential to transform lives, but its development and use raise a range of questions, some of which are outlined below:
The organisations involved and their interests
1. How much is the development of the app going to cost the NHS?
2. Apple and Google have been involved in the development of the app. Are any other tech companies involved? How did they become involved? Why are they participating? Will they make a profit from participation?
3. Which companies and government agencies will come into contact with what kinds of data collected by the app and what will they do with that data? How will the data be used for research, and by whom? How will profits arising from the commercialisation of research be shared?
4. Will the development team at the University of Oxford receive any funding for their work on the app? What was the process through which they became involved alongside the other participants in development? Was there a tendering process?
Experts and representatives consulted on ethical and social issues
5. The NHSX is ‘committed to listening to [our] ideas and concerns’. How will the developers access a broad range of ideas, including from beyond traditional areas of expertise to inform their work? Will their listening be ‘active’ i.e. result in meaningful change?
6. Who has been consulted about the social and ethical implications of the app? What disciplines and personal backgrounds do these experts come from? Are they diverse?
7. Have experts on the social and ethical aspects of contact tracing apps from other countries where these have been used (e.g. South Korea) been consulted in the development of the UK app?
8. Security and privacy designs and source code will be published so experts can check this. How will these experts be identified? How will their findings be used? Will details of ethical protocols, oversight and considerations also be released for external scrutiny? If so, by which kinds of experts, and how will their conclusions be taken forward?
9. Have patients and publics been consulted? What were they told about the app and what did they say? What kinds of patients and publics were involved? Were they diverse, what voices were missing and how will this be addressed? Will this group be able to have further involvement in oversight as the app is rolled out? How will representatives of communities where uptake is likely to be or turns out to be low be included in these processes of evaluation?
Other evidence & learning from other areas
10. Have the performance and the social and ethical aspects of digital contact tracing apps in other countries (e.g. South Korea) been considered and plans put in place to mitigate relevant risks and negative consequences?
11. How has learning from previous NHS data breaches and failures with roll out of new technologies/infrastructure, including PPE distribution, been applied in the development of this app?
Integration with existing arrangements
12. How will the app integrate with other forms of contact tracing? Will information be shared between them?
13. If physical testing infrastructure is not optimal, which it has not been since the start of this crisis, how will the app be effective?
14. What counselling and support from appropriate professionals will be available to participants identified as ‘at risk’? How will these professionals be involved in monitoring and reporting breaches of compliance, and to whom?
Mitigating risks and negative effects
15. How many people will have to download the app for it to be effective? How will the benefits of participation be realised without the creation of unreasonable social pressures to participate which would undermine the voluntariness of participation?
16. What thought has been given to the dangers of discrimination arising from the use of the app and how will this be mitigated? What information, evidence and analysis has this involved?
17. How will errors in data, connections or risks identified by the app be identified and rectified?
18. The app will ‘advise [individuals] to self-isolate if necessary’. What will happen if individuals choose to flout this advice? How will the app collect and share data about non-compliance? Will any actions be taken by the authorities?
19. The statement ‘Millions of us are going to have to trust the app and follow the advice it provides’ suggests individuals will have to put doubts to one side and to be compliant with advice for the app to be effective. How will developers and providers of the app ensure injunctions that we ‘have to trust’ and ‘follow the advice’ do not precipitate forms of social censorship, denouncement and condemnation of those who do not act as required, particularly already marginalised groups?
20. How will the app reach areas/communities where uptake is likely to be poor? Will this involve targeted communications and/or any particular inducements? Will rates of participation be published and subject to scrutiny/comment in the public domain and might this lead to stigmatisation of particular areas/communities?
Being transparent involves answering questions as part of dialogue and engagement with interested others. On matters of privacy, security and ethics there are many different kinds of patients, publics and other experts with a stake in these discussions.
The Nuffield Council on Bioethics is working with a range of partners on this and related topics. We recently held a joint webinar with the Ada Lovelace Institute - Beyond the exit strategy: ethical uses of data-driven technology in the fight against COVID-19 and the Institute recently published a rapid evidence review of the technical considerations and societal implications of using technology to transition from the COVID-19 crisis.
I live in a block of flats. How does the app distinguish between genuine interactions between people vs phones sat in neighbouring flats where there is no interaction?
I think these points miss a few things. I am very much in favour of contact tracing in principle, but this app has been a public relations mess. The privacy concerns in the UK are worse than on the continent, and there have been mixed messages throughout the tool's development.
Here's a few more questions:
1. Why did NHSX decide to make a new contact tracing app in the first place and not collaborate with other countries? Is there a specific business case or use case, that warranted a different design to the implementations that already exist? Why are you not using DP3-T, MIT PACT, or PEPP-PT?
2. Are there or are there not two versions (not platforms) of the app being developed concurrently?
3. Will NHSX be explicit about what data is collected (the minimum should be nothing more than a collection of GUIDs) and maintain this as a design policy, by committing not to collect other data, to develop trust that the project does not become subject to scope creep?
4. How will plans to make the tracer interoperable with other apps in other countries affect the security of the tracer? Will the dissemination of infected keys be offered to servers of other implementations in foreign hospitals?
5. What is the scope of Palantir's contract(s) with NHSX? Has Palantir been assigned to work on data obtained by the Sonar Service, or otherwise from the tracer?
In the DPIA you write: "Data in the central database (the Sonar Backend) will not be available to those developing in the App apart from in exceptional circumstances". Does this include Palantir, and what are exceptional circumstances?
6. Are you or are you not planning to follow the Apple-Google model in the future?
7. What precautions has NHSX taken as an organisation to prevent vendor lock-in?
8. Is the public-facing source code for the tracer actually being maintained, and do you plan to keep it maintained for the duration of the project?
9. Will the server-side source code be made open source?
10. What algorithm is used to generate the "app user id", "messaging service id" as mentioned in the DPIA?
Who is actually writing the final release app? Is it being written in house by NHSX or a contracted outside company? It seems to be hard to find this information and there is a lot of unhealthy speculation about it.
Additionally, a LOT of people are stating on social media that the app is being developed by an associate of Dominic Cummings, and for that reason alone people aren't trusting it. If this isn't the case then that has to be clarified quickly or you will have lost a lot of public support that will be very hard to regain.
The app requires Bluetooth to be turned on. I think this is a problem as many people including myself find that bluetooth is a severe drain on the battery, and we only selectively turn it on when absolutely required.
It uses BLE (Bluetooth Low Energy), which, as the name suggests, is designed to have extremely low battery usage. A bigger problem is that both iOS and Android disable beacon transmitting a short time after the app/phone has gone to sleep, so if your phone is in your pocket then it's likely other tracer app users won't see it. Also, many older/lower spec. phones don't have BLE.
I won't be using it. This app will never be recalled; it will be perpetual, because it is a national identity card in disguise. Once it is initiated it will be increasingly expanded.
I will never live in a Nazi Britain and I will never comply with one.
I'm at ZERO trust with government and commerce complicity and have been for several years now.
So, if you contract the virus, you will probably be responsible for passing on the virus to others without them knowing. Likewise you would not know that you contracted the virus before it's possibly too late.
I believe that tracing technology along with testing is going to be mandatory, unless you want to be in self isolation for a long time.
We are not living in ordinary times.
Thank you for this post - it's a really helpful summary of questions Government needs to address. I'm from Understanding Patient Data and I'm writing to clarify our involvement in this work so far.
We have given feedback on NHSX's plans and a month ago we facilitated a call with a small group of stakeholders who work in the health data space, to provide feedback and ask NHSX questions. However, we have not run a consultation or engagement exercise with patients and publics - would it be possible to edit that reference to us?
We are keen to be clear and open about the stakeholder call we facilitated, so Natalie Banner who leads Understanding Patient Data has written up some reflections, which are published on our blog (I don't seem to be able to include a link here).
If you do have any questions, please don't hesitate to get in touch.
Thanks Grace, this is really helpful information. We will edit as you suggest.
These questions are a really good way to start to unpack the high-level announcements and statements and get 'under the hood' to work through the issues which a contact tracing app raises.
There is another question which is also relevant to the organisations involved and their interests;
21. If additional functionalities are built on top of the Google/Apple API which do collect and store personal data centrally, will NHSX ensure that consent for such functionalities is distinct from the core functions of the app and how will they guarantee the necessary transparency and explanation to ensure public understanding?
I think there is also an additional question in terms of mitigating risks and negative effects;
22. How will the app deal with the potential for the intentional spreading of disinformation through the self-notification process? If, as a partial solution, voluntary self-notification resulted in mandatory testing it would likely reduce overall uptake of the app, reducing its efficacy.
These are very good questions too.
Let’s hope we get some answers.
21. The app is not using the exposure notification Apple/Google API. Whilst they were consulted at an early stage, the government chose not to go forwards with the approach. The Apple/Google API specifically does not use centralised data, whereas this app does. Additionally, the Apple/Google API forbids using location data when using the API; the NHSX app doesn't currently collect location, but has mentioned it may be added.