Thoughts on the NHS Covid-19 App
These are some notes based on browsing the code and reviewing the documentation of the NHS Covid-19 app on the day it was posted to GitHub.
TL;DR: Great to see it’s open sourced, and that there is a good privacy and anonymisation scheme (even though the data is unfortunately centralised). But I have questions around the delay on reporting, the lack of interoperability, and potential false positives. I would personally use the app if asked — I don’t see any harm — but I’m yet to be convinced it will achieve what it sets out to.
These notes assume you have an interest in the app and already have some idea of how it works. If you don’t, read this first before continuing.
My interest
I’ve been working in tech since 2006, as software engineer, tech lead, project manager, and CTO. My experience includes networking, standards for interoperability, and IoT projects. I’ve also followed the political and civic tech scene in recent years, seeing various projects rapidly succeed and fail. I’ve been following contact tracing apps with interest since the start of the pandemic, though I’ve had my hands full with other things and haven’t got involved directly myself.
Impressions of the app
It’s great that the app is open sourced, to give people confidence in the security and allow important discussions to be had around it.
It’s been widely reported that the decision was made to collect data centrally (as opposed to decentralised approaches like DP-3T), but within that limitation there seems to have been good consideration given to security and privacy, including anonymisation. The only limitation is that with a centralised approach, the user has to trust that the central system is implemented the way we’re told it is.
From my first look through the materials I was left with the following questions/concerns.
1. Reporting Delay
It sounds like the system is built around the idea that you would only be marked as infected based on a positive test result — a healthcare official confirms your positive result and gives you a code to confirm it in the app. In their own documentation, it was noted that this meant up to 28 days between getting infected and reporting it to the system.
Based on the speed that the virus spreads, assuming we are to allow people to get back to day-to-day life generally (even with some social distancing measures in place), it’s hard to see how this could be enough to prevent a second wave of infections.
2. False positives on contact events
Initial testing was on the Isle of Wight. I’m not sure how this will fare when the app is used in more densely-populated areas. And if the false positive rate is too high it will make the app ineffective — either because it makes a significant proportion of an area’s population self-isolate, or because it stops being trusted.
When I take my kids to school (or at least when I did before lockdown) we walk past houses which come right up to the pavement. For somebody sitting in their living room, it’s hard to tell how this app could distinguish me standing outside their window from their other half sat at the other end of the room. And that’s to say nothing of a block of flats with thin walls. The NHS app does log the “power” of the Bluetooth signal, but I’m yet to be convinced that this will be enough to mitigate the issue.
There is an alternative approach: some apps use ultrasound to detect or confirm that you are in the same space as another person before recording that you have been in contact with them.
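To make the signal-power concern concrete, here is an added illustration (not code from the NHS app, and not its calibration values) using the standard log-distance path-loss model. The constants, the obstacle losses and the two scenarios are constructed assumptions; the point is that a reading taken through a window or a thin partition can fall in the same RSSI band as a genuine close contact in the open, so signal power alone cannot separate them.

```python
import math

# Constructed model parameters for this illustration only; they are not the
# NHS app's calibration values (assumption).
RSSI_AT_1M_DBM = -60.0      # signal strength expected at 1 m in clear line of sight
PATH_LOSS_EXPONENT = 2.0    # 2.0 is free-space-like; indoor values are typically higher


def expected_rssi(distance_m, extra_loss_db=0.0):
    """Log-distance path-loss model: RSSI falls 10*n*log10(d) dB with distance,
    plus any fixed loss from an obstacle (glass, partition wall) or body shadowing."""
    return RSSI_AT_1M_DBM - 10.0 * PATH_LOSS_EXPONENT * math.log10(distance_m) - extra_loss_db


def estimate_distance(rssi_dbm):
    """Invert the model as a naive receiver would, i.e. with no knowledge of obstacles."""
    return 10.0 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10.0 * PATH_LOSS_EXPONENT))


def rssi_band(d_min_m, d_max_m, loss_min_db, loss_max_db):
    """Range of RSSI values a scenario can produce: strongest at the near end with
    no loss, weakest at the far end with the most loss."""
    weakest = expected_rssi(d_max_m, loss_max_db)
    strongest = expected_rssi(d_min_m, loss_min_db)
    return (weakest, strongest)


def band_overlap(a, b):
    """Intersection of two (weakest, strongest) bands, or None if they are disjoint."""
    lo = max(a[0], b[0])
    hi = min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


# Two constructed scenarios matching the text above (assumed ranges).
# Genuine close contact in the open: 0.5-2 m apart, 0-10 dB of body shadowing
# (phone in a pocket, person turned away).
CLOSE_CONTACT_BAND = rssi_band(0.5, 2.0, 0.0, 10.0)
# Neighbour through a thin partition: 2-4 m apart, 3-8 dB of wall loss.
THROUGH_WALL_BAND = rssi_band(2.0, 4.0, 3.0, 8.0)
AMBIGUOUS_BAND = band_overlap(CLOSE_CONTACT_BAND, THROUGH_WALL_BAND)


def is_ambiguous(rssi_dbm):
    """True when this reading is consistent with both scenarios, so signal power
    alone cannot say which one the phone is seeing."""
    return AMBIGUOUS_BAND is not None and AMBIGUOUS_BAND[0] <= rssi_dbm <= AMBIGUOUS_BAND[1]


if __name__ == "__main__":
    print("close contact RSSI band: %.1f to %.1f dBm" % CLOSE_CONTACT_BAND)
    print("through-wall RSSI band:  %.1f to %.1f dBm" % THROUGH_WALL_BAND)
    print("ambiguous band:          %.1f to %.1f dBm" % AMBIGUOUS_BAND)
    # A -63 dBm reading could be a pedestrian 1 m away through 3 dB of window glass
    # or someone about 1.4 m away across the same room; the naive estimate is identical.
    print("naive distance for -63 dBm: %.2f m" % estimate_distance(-63.0))
```

With these assumed numbers every reading between roughly -76 and -69 dBm is ambiguous, and a 1 m contact through 3 dB of glass is indistinguishable from a 1.4 m contact in the open. Real deployments add duration thresholds and smoothing over many samples, which narrows but does not remove the overlap; that is why the calibration and threshold choices deserve scrutiny rather than the raw fact that power is logged.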
3. Interoperability
There seems to be little evidence that interoperability with other contact tracing apps has been considered. It’s been widely reported that we need to get 80% of UK smartphone users to actively trace their contacts. There’s already evidence this will be a challenge. To have any hope of achieving that figure, surely we need users who decide not to download the NHS app to have an alternative available.
The framework proposed by Apple and Google includes a standard Bluetooth format that any app can implement, and has now been updated with an “Exposure Notification” server API and mechanism. This is a great start to a standard, though at first glance there is still more to do; for example it needs clearer guidance and definition for potential extensions (like ultrasonic distance measurement). And crucially, centralised and decentralised apps can work together perfectly well using these mechanisms.
I hope every contact tracing app developer will engage with the interoperability effort — this will maximise the chances of success by giving users a choice of apps.
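As an added illustration of what “a standard Bluetooth format that any app can implement” means in practice, the following code (written for this post, not taken from the NHS app or from Apple/Google) builds and parses the over-the-air advertisement defined by the Exposure Notification Bluetooth specification: a flags structure, the 16-bit service UUID 0xFD6F, and a service-data structure carrying a 16-byte Rolling Proximity Identifier (RPI) and 4 bytes of Associated Encrypted Metadata (AEM). The RPI and AEM bytes below are constructed placeholders; a real RPI is derived from a device key and a real AEM is encrypted, so the example treats both as opaque.

```python
# Constants from the Exposure Notification Bluetooth specification (Apple/Google).
EN_SERVICE_UUID_LE = b"\x6f\xfd"      # 16-bit UUID 0xFD6F, little-endian on the air
AD_TYPE_FLAGS = 0x01
AD_TYPE_COMPLETE_16BIT_UUIDS = 0x03
AD_TYPE_SERVICE_DATA_16BIT = 0x16
RPI_LEN = 16    # Rolling Proximity Identifier
AEM_LEN = 4     # Associated Encrypted Metadata (encrypted; treated as opaque here)


def parse_ad_structures(payload):
    """Split a BLE advertising payload into (ad_type, data) pairs.
    Each AD structure is: 1 byte length, 1 byte type, (length - 1) bytes of data."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break                          # zero-length padding; nothing more to read
        if i + 1 + length > len(payload):
            raise ValueError("AD structure runs past end of payload")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        structures.append((ad_type, bytes(data)))
        i += 1 + length
    return structures


def extract_exposure_notification(payload):
    """Return (rpi, aem) if the payload is an Exposure Notification beacon, else None.
    Any app that speaks this format can read any other app's beacons the same way."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_TYPE_SERVICE_DATA_16BIT:
            continue
        if data[:2] != EN_SERVICE_UUID_LE:
            continue                       # service data for some other service
        body = data[2:]
        if len(body) != RPI_LEN + AEM_LEN:
            return None                    # wrong shape for an EN beacon
        return body[:RPI_LEN], body[RPI_LEN:]
    return None


def build_exposure_notification(rpi, aem):
    """Assemble the advertising payload an app would transmit (used to exercise the parser)."""
    if len(rpi) != RPI_LEN or len(aem) != AEM_LEN:
        raise ValueError("RPI must be 16 bytes and AEM 4 bytes")
    flags = bytes([0x02, AD_TYPE_FLAGS, 0x1A])
    uuids = bytes([0x03, AD_TYPE_COMPLETE_16BIT_UUIDS]) + EN_SERVICE_UUID_LE
    service_data_body = EN_SERVICE_UUID_LE + rpi + aem
    service_data = bytes([1 + len(service_data_body), AD_TYPE_SERVICE_DATA_16BIT]) + service_data_body
    return flags + uuids + service_data


# Constructed sample values: a real RPI is derived from a daily key and a real AEM is
# encrypted, so these bytes are placeholders, not values any device would emit.
SAMPLE_RPI = bytes(range(16))
SAMPLE_AEM = b"\x40\x00\x00\x00"
SAMPLE_PAYLOAD = build_exposure_notification(SAMPLE_RPI, SAMPLE_AEM)

# A constructed non-EN advertisement (a different 16-bit service UUID) that the
# extractor should ignore rather than misread as a contact.
OTHER_PAYLOAD = bytes([0x02, 0x01, 0x06, 0x05, 0x16, 0x0d, 0x18, 0x00, 0x42])

if __name__ == "__main__":
    print("payload (%d bytes): %s" % (len(SAMPLE_PAYLOAD), SAMPLE_PAYLOAD.hex()))
    rpi, aem = extract_exposure_notification(SAMPLE_PAYLOAD)
    print("RPI:", rpi.hex(), "AEM:", aem.hex())
    print("other beacon parsed as EN:", extract_exposure_notification(OTHER_PAYLOAD))
```

The assembled beacon is exactly 31 bytes, the legacy advertising limit, which is why the format has no room for extensions such as an ultrasonic confirmation flag and why the author’s point about defining extensions matters. The parser deliberately rejects truncated structures and ignores service data for other UUIDs, so a scanner built on it cannot mistake an unrelated device for a contact.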
Conclusion
Personally, I’m disappointed about the centralised approach. But I’d be happy to download the app if asked, given the potential value to society if it works well. However, the above questions remain, so as yet I’m not convinced it will achieve what it sets out to.
I do think it’s worth investing time in developing alternative apps and services that are interoperable (and encouraging existing app developers to go in that direction), as that seems the only realistic way to get enough coverage.
Note that this is just based on a reading of the documents and poking around the code on the day it was released — if there are any inaccuracies I would be grateful for corrections. So if you have anything to add, please do let me know below!