Trust and COVID-19 contact tracing apps
Yesterday I mentioned trust as the key currency of the COVID-19 crisis. That was done in the context of procurement but it is valid in other Government activities and none more so than the contact tracing apps we will have to rely on as we exit the lockdowns. Even though their concrete usefulness is not known the potential pitfalls in terms of privacy are enormous. We will be walking around with a device which carries part of our medical history and authorised to share it with others. How the sharing is done and what information will be transmitted, is key.
Governments seem to be falling into two camps. Some want an in house, purpose built solution which centralises the information gathered and provides more granularity while others accept a simpler decentralised approached being developed by Apple and Google together.
Either option will entail a significant change from the current paradigm of privacy at least for European countries. But whereas the latter keeps data collection to a minimum as needed to meet the need of contact tracing and flagging, the former is a tempting slippery slope into gathering more data from individuals. How long until that data is deemed too useful not to be used for other purposes?
The UK is going down the route of the centralised approach by means of an app developed by Palantir and Faculty for NHSX. Palantir and Faculty were not awarded a contract to produce this app but instead benefited from a previous contract to develop an AI Lab that was modified to include this new piece of work. Albert has already given a low down on the legal implications of the move and my view based on currently available information is that the modification goes beyond what the law allows.
The reservations about Palantir are not new and no piece of information I managed to gather recently about it provided me with any reassurance. In fact, they made become more worried than previously. Therefore we are trusting the development of a privacy busting app to a company about which there are plenty of unanswered questions.
From a practical perspective I am not convinced either that going centralised is the right approach. If it is followed widely by countries, then it means each one will have its own data silo which won't have any means of communication with the others. Whereas the Apple-Google decentralised approach ensures cross-border compatibility between systems, the centralised approach will be blind to the possibility of exposure to COVID-19 that might have happened in another country. If we assume travellers may be one of the main sources of new infections in the near future, then the centralised approach just looks ineffective.
I am also not convinced about how well a centralised app will work in reality. It is likely that it will rely on the use of Bluetooth (and eventually WiFi) and that is the kind of operation which will sap your battery quickly. How will users react to that? Plus, to maintain an active state it is likely too that the app will have to be invoked by frequently by the user. We all know how useful are backups that need to be done manually...
On the long run, relying on Apple and Google, outsources the development cost of the API into these platforms (that's the upside of the loss of control) whereas all the cost of maintaining the functionality of a centralised app will remain in the shoulders of the Government. This is great news for Palantir and Faculty, but not so much for the NHS of course.
In addition, there are also two long term technical risks in maintaining its own app. The first is that it can be hacked (either the app or the servers collecting the information). The second that Apple and Google will consider these apps as violating their terms of use and either kick them out of the app stores (less likely) or simply change how Android and iOS work to break them (more likely).
It is not often I say this but between trusting the Government to do this well or Apple and Google, for once I'm siding with Big Tech. The centralised approach is a mistake and one which will end in tears.