User installing NHS Covid-19 app on mobile phone showing privacy violations of contact tracing app

Contact Tracing App Spat: Google and Apple Block NHS App Update Over Privacy Violations

In the early months of the pandemic, Google and Apple partnered to peddle a contact tracing app that was supposed to put user privacy first. It was offered to most of the world, and the United Kingdom eventually ended up being among the nations that made use of it (after initially developing and then scrapping their own app). The Google/Apple app comes with certain terms, and the National Health Service (NHS) appears to have stepped out of line. Each of the tech giants has blocked the most recent update from the NHS, citing privacy violations.

The issue is that NHS added a feature that encouraged users to upload a list of locations they have visited, which would be used to advise of possible exposures. This violates the Google/Apple terms, which specify that governments making use of their contact tracing app may not use it to collect location data.

The troubled NHS contact tracing app

The implementation of the NHS contact tracing app has been somewhat troubled. The UK government’s initial plans to develop its own centralized app were scrapped after three months of work (and an expense of millions of pounds). Meant to use Bluetooth technology, an early test on the Isle of Wight showed that it recognized only 4% of Apple phones due to the way they handle power conservation; experts also warned that public uptake would likely be low if the government was centralizing user data.

On the second try, NHS committed to using the Apple/Google Exposure Notification system just before it was released to the public. The app was released in September 2020, using a QR code system to scan users into venues while anonymizing their identity. It suffered through a series of technical hiccups in late 2020; initial inability to enter positive infection test results conducted outside of the app framework, a configuration error that incorrectly estimated the time spent in contact with an infected person necessary to generate an alert, and an inability to match personal identity with a positive test result in order to claim a special government support payment for those forced to isolate for an extended period.

The contact tracing app appears to have been working relatively well since all of these issues were resolved as of early 2021, but neither Google nor Apple will allow the NHS to roll out further updates so long as they ask users to manually enter a location history. The NHS’s idea with this update appears to be a way to automatically generate “hotspot” notifications based on a number of positive users appearing at a certain location within a set timeframe. Users that had visited a hotspot would be sent an advisory suggesting that they schedule a test due to the heightened risk of exposure.

Google, Apple and the NHS all have yet to comment on the possibility of privacy violations. However, it seems likely that the feature will eventually be removed given that it was a convenience measure for the NHS; local authorities already have the ability to manually flag locations as a hotspot and send out notifications if they observe a large number of positive patients passing through.

Specter of privacy violations continues to hamper contact tracing efforts

Privacy advocates have concerns about the involvement of Google and Apple in handling sensitive medical and location data, but some see the Exposure Notification System as a superior alternative to the sort of centralized state-run database that NHS initially wanted to build. Others have expressed concern over the relative lack of accountability of the arrangement, pointing out that governments can at least be held accountable to their people through democratic processes if privacy violations occur.

The world’s approach to contact tracing apps has been mixed, to say the least. In addition to the UK, about 40 countries are making use of the Exposure Notification System including Russia, Japan, Canada and much of Europe; additionally, about 30 US states are using it (though it is rarely made mandatory in any way). Other countries have opted to create their own apps, and are all over the map in terms of potential privacy violations and overall effectiveness. And some countries, most notably the US, appear to have simply thrown up their hands at the complexity of the issue (and public resistance to potential privacy violations) and have not attempted to have a national-level contact tracing app.

NHS #contacttracing app added a feature that encouraged users to upload a list of locations they have visited, violating the Google/Apple terms about collecting #locationdata. #privacy #respectdata Click to Tweet

The issue becomes even more thorny when travelers cross international borders. They may well be subject to the contact tracing programs of the country they are entering, but that country does not necessarily communicate in any way with health authorities in the country (or countries) the visitor is coming from. Some of the major international airlines have only just begun to roll out a voluntary collection of contact tracing information in February. The answer that some countries have come up with in lieu of contact tracing apps is a mandatory quarantine for all international travelers, but some of those programs have spawned their own issues with privacy violations and safety issues. For example, Canada requires those entering the country by air to stay at an approved “Covid Hotel” for three days while waiting on the results of a test. The program received criticism when it was revealed that travelers can potentially be billed thousands of dollars for the three-day stay, and there have been allegations of sexual assaults at quarantine hotels that had inadequate security measures in place.


Senior Correspondent at CPO Magazine