The UK won't use Apple and Google's coronavirus contact-tracing technology for its app, sparking privacy worries about how people's data will be used

• The UK has explicitly rejected Google and Apple's contact-tracing API to develop its own app for tracking the spread of the coronavirus.
• Google and Apple announced a new joint API earlier this month which they would make available to governments to build contact tracing apps allowing their citizens to receive alerts after coming into contact with potential coronavirus patients.
• The UK clashed with Google and Apple over their privacy standards for the joint API — which requires data processing to be de-centralized.
• Visit Business Insider's homepage for more stories.

The UK will not adopt Apple and Google's model for contact-tracing apps, alarming privacy activists who fear the UK will launch an app that risks people's privacy and security.

NHSX, which is leading the app's development, confirmed to Business Insider on Monday that it was pressing ahead with an alternative model for its contact-tracing app, rather than integrating the system devised by Apple and Google.

Similar to other contact-tracing apps which are being developed around the world, the NHS app will use Bluetooth signals to allow people's phones to determine who else they have been in contact with.

If someone with the app develops symptoms, they will be able to mark themselves as a potential coronavirus patient in the app. This will trigger an alert to any other phones which have been in that phone's vicinity within the last two weeks.

We first saw the news via the BBC.

Governments are locked in a power battle with Apple and Google

As multiple countries have moved to launch contact-tracing apps, Apple and Google announced a joint API — a software building block — that governments could use as a basis for their apps.

The API is designed to ensure governments don't roll out apps that hoover up more data than they need, or put people's information at risk. It should also ensure the apps work properly on most iPhones and Android devices.

But the UK, France, and, until recently, Germany have clashed with Apple and Google over the privacy levels required to use their API.

Specifically they have clashed over whether data from people's smartphones is collected centrally on a server or processed in a decentralized way on individual devices — which is the more privacy-conscious method Apple and Google prefer. Germany reversed its position on Sunday saying it would adopt a decentralized system, but France and now the UK appear to be holding firm.

The NHS is favoring a centralized approach on the grounds it will allow for more in-depth analysis and therefore aid in the study and tracking of the pandemic.

"One of the advantages is that it's easier to audit the system and adapt it more quickly as scientific evidence accumulates," epidemiologist Professor Christophe Fraser, who has been advising NHSX, told the BBC.

Cybersecurity expert Eerke Boiten told Business Insider that a centralized system is "inherently less privacy-friendly," as it hoovers up data which could either be improperly accessed or later used for other purposes.

"It means that information is stored centrally that doesn't need to be, leading to security risks both with the storage and the transmission to the central site, and opening up a risk of 'function creep' — people in charge going "you know what, if we have this information anyway, we might as well use it for…"

Boiten highlighted two points from an NHSX blog about its app posted last week which he thinks could increase this risk.

"Before notifying possibly infected people, they want to do a 'sophisticated risk analysis' – this may require information that isn't available on people's phones. They also want the option of people providing additional information, which points at centralization but also massively increases the risk of function creep," said Boiten.

Privacy expert Sam Woodhams added that a centralized system could open users up to the risk of being de-anonymized and tracked.

"By placing a huge amount of highly sensitive data on a centralized server, there is a risk that authorities or a hacker could access the server logs and track individuals," said Woodhams.

Apple and Google aren't the only entities to vaunt a decentralized approach — a European group of cryptography experts has set up a decentralized protocol called DP3T which they say is compatible with Apple and Google's privacy standards, and has already been adopted by a handful of countries including Estonia, Austria, and Switzerland.

There are still questions about how the UK contact-tracing app will work

One reason governments have opted to fall in with Google and Apple's wishes is that Bluetooth scanning, the most common way of doing contact-tracing via an app, doesn't normally back in the background on iPhones. The Apple-Google API makes an exception for apps which comply with their privacy requirements.

This raises questions about how a UK app will work, if the NHS rejects the Apple-Google API but wants the app to run properly on the iPhone. Earlier contact-tracing apps, such as Singapore's TraceTogether app, require leaving a phone screen unlocked and active to work — a battery drain and a privacy risk.

The NHS said on Monday it has devised a way to make its app work "sufficiently well" on iOS, but did not give details.

"Engineers have met several core challenges for the app to meet public health needs and support detection of contact events sufficiently well, including when the app is in the background, without excessively affecting battery life. This has been achieved using standard Google and Apple published API while adhering to the Bluetooth Low Energy Standard 4.0 and above," a spokesperson told the Business Insider.

NHSX CEO Matthew Gould confirmed on Monday that the app would need to be downloaded by 60% of the population to be effective.

He said during a parliamentary committee hearing: "The message needs to be, 'If you want to keep your family and yourselves safe, if you want to protect the NHS and stop it being overwhelmed and at the same time we want to get the country back and moving, then the app is going to an essential part of the strategy for doing that.'

"To be blunt about it, the levels of downloads ... will be tough. It will require us to really get the message over that this is a core part of how we move forward.'"

Apple did not immediately respond to Business Insider's request for comment.

Read the original article on Business Insider