England and Wales’ contact-tracing app, NHS COVID-19, faced a number of criticisms when it launched last month. Currently, it’s not interoperable with the Protect Scotland contact-tracing app, nor Northern Ireland’s StopCOVID NI. The Bluetooth Low Energy 4 technology required to run the app means it’s incompatible with older smartphone models, and a number of users have reported receiving false alerts.
Implementation issues aside, what is the technology behind the app and how important a role will it play in the UK’s ongoing struggle to bring the coronavirus pandemic under control? Only time will answer the second question, but Zühlke Engineering has been responsible for developing and refining the technical details of the UK’s contact tracing app.
The company worked with NHS X to develop the software, starting with the now-scrapped version from the initial Isle of Wight contact-tracing trial, and Zühlke UK CEO Wolfgang Emmerich says he’s proud of what they’ve achieved.
Medical Device Network caught up with Emmerich to learn more about the app’s development process, interoperability across the four nations and how to help users feel confident that their privacy is being protected.
Chloe Kent: How did Zühlke support the development of the NHS COVID-19 app?
Wolfgang Emmerich: Back in March, we were asked by NHS X to provide independent technical oversight of the development of the first app. We made sure that the app would work as well as it could, but ultimately there were restrictions in the IOS operating system that meant it wasn’t really possible to have that first app out in public as a medical device. It wasn’t really working reliably enough, particularly when the app was running in the background or the phone was asleep, then it wouldn’t pick up any contact-traces. So, we recommended to the Secretary of State that the programme do a pivot and develop a new app based on the then-emergent Google and Apple primitives, and we were then asked to actually undertake that development.
We stood up a team of about 70 consultants and engineers to build the second app toward the end of June and we released it at the end of September. We had about seven weeks or so to build the trial that went out in the Isle of Wight, another week and we added a few languages and put it out in Newham, and then we had two or three weeks to incorporate the feedback that we learned to then prepare for a national launch. There were other companies working on it too, of course. Accenture provided independent assurance of our app and ran the programme office. A New Zealand company called Rush provided the software that produced the venue-based contact-tracing QR codes that people now put up in their venues.
CK: How much of an impact do you think contact-tracing apps could have on the pandemic?
WE: [Alan Turing Institute defence and security programme director] Mark Briers and his team recently published a paper in the Lancet about this. What they did was really, systematically analyse the impact that the first app had on the Isle of Wight trial. They concluded that the app, together with more available testing and manual contact tracing, reduced the R-rate on the Isle of Wight from 1.3 to 0.5, effectively stopping the epidemic on the island.
We have reason to believe that our app that’s out now is more effective than the first app, as we found that the first app had missed a number of exposures, and therefore I think it will make a difference. But it might take some time.
CK: Currently, the UK has three contact tracing apps which aren’t all compatible across borders – what’s being done to help make them work together?
WE: All apps within the four nations are based on the same operating system primitives, so at a network level and a Bluetooth level they are already interoperable. The problem is that in order for us to notify an exposure that happened across the border we would need to know about all the positive test results in Scotland and in Northern Ireland, and that involves different public health authorities. Currently, the Northern Irish test results are actually made interoperable with the Scottish ones through an interoperability server that’s based in Ireland, so it involves crossing multiple GDPR jurisdictions. But technically, it’s actually very easy to make them interoperable.
What we’re doing right now is setting up a repository of all the known test results that services in Northern Ireland, Scotland, England and Wales can read from and write to, where the public health authorities and test labs can deposit their results so that the apps can then notify people of exposures. That process is ongoing and I can’t comment as to when it will be complete, but it won’t be long. But that’s the way it is, it’s basically a result of the direct consequence of devolved administrations.
CK: How is user privacy protected within the app?
WE: The key principle we have applied is privacy by design. What we mean by that is that no sensitive data ever leaves the phone. This is a marked difference to approaches other countries have taken, such as in France and Singapore, where the details about who you’ve been exposed to are stored and managed centrally on a government server – this is also the key difference between the first app and the second app. Instead, we only associate Bluetooth IDs with positive or negative test cases and then tell all the apps that are out there about the new positive cases so that they can then check, ‘is this somebody I’ve seen?’
We do have a little bit of management information, we ask people for their postcode district when they log in, but those postcode districts are so large that it’s not actually possible to individualise people and reverse-engineer who they might have been. We have a little bit of information as to where positive test results are by postcode district level and where exposure notifications occur, but we don’t know individually who has tested positive.
It is important that this assertion is independently verified, so what we’ve done and what we’re continuing to do is upload every release to a public NHS X source code repository, so that it can be independently scrutinised.
CK: What do you think can be done to help people feel confident that their privacy is safe using the app?
WE: We take this very, very seriously. We worked very closely with the Information Commissioner’s Office (ICO), and there is actually a very encouraging blog post from [UK information commissioner] Elizabeth Denham saying that her concerns about the app were all addressed. Now, it’s not very easy to please them.
One of the things that she and her office were concerned about was that if people were in an abusive relationship, the app basically keeps a diary of where you’ve been. If you go to ‘Manage my data’ in the ‘About this app’ section, you’ll see a diary of where you’ve checked in. While that data never leaves the phone, if you are in an abusive relationship it might be that your abuser has access to your phone and then sees where you’ve been. Following her advice, we built features so that people can control what data they keep in their diary and what data they delete, so if there is a person who doesn’t want to show that they’ve checked into a particular bar, for whatever reason, they can delete that information.