Reacting to NHSX’s Chief Executive’s announcement to Parliament that their contact-tracing app would be released next month, Open Rights Group’s Executive Director said it was still unclear how the app would be both usable, and avoid using new Google-Apple APIs.
The new Google-Apple APIs can only be used by apps that do contact matching on the phone, rather than matching IDs on a central server, as intended by NHSX.
“As we understand matters, without using the Apple-Google method the NHSX App would end up draining batteries and causing screen locks to be disabled for many users.
“If this is the case, take up of the app will be poor, and the project will not work very well. Australia, also using centralised matching, are having to constantly pester users via screen notifications when the app switches off. Battery life will be affected, and users will end up with screens unlocked, increasing security risks. 
“If NHSX do have a clear way to make their app usable without relying on the Google-Apple changes, then NHSX must spell it out. Their silence is perplexing, and worrying.
“The NHSX should tell us whether they have modelled battery life impacts; if they are relying on user notifications to keep the app working; or if any of the workarounds they propose might violate any App store policies, leading to rsks of the app being made unavailable.
“We need to know how cross-border matching will work, if the US, Canada, Germany, Switzerland, Austria, Estonia and Spain operate decentralised matching, while the UK and Australia use a different method. Cross-border risks could be particularly important as time goes on. 
“Parliament are owed explanations. These details really matter.
“The NHSX team also needs to set out its actual aims and objectives so that it is possible to see whether the privacy-friendly, decentralised approach required by Apple and Google could meet their needs.”
Germany, Estonia, Austria Switzerland and Spain are now using the ‘dencentralised’ model of contact matching. [4, 5, 6, 7, 8] ORG believes that the government must create clarity and openness through early release of needs, code and protocols to understand how NHSX’s problems can best be met.
Jim Killock 07894498127 / email@example.com
1 Government contract-tracing app should be ready for deployment next month, MPs toldhttps://www.theguardian.com/world/live/2020/apr/28/uk-coronavirus-live-news-minutes-silence-to-commemorate-key-workers-who-have-died?page=with:block-5ea8022c8f0821d5b0274fc1#block-5ea8022c8f0821d5b0274fc1
2 Digital contact tracing: protecting the NHS and saving lives
3 Australia hits Bluetooth user experience problems using 'centralised' approach to data matching https://twitter.com/bengrubb/status/1254627866462916608
4 Germany using decentralised contact matching: https://www.reuters.com/article/us-health-coronavirus-europe-tech/germany-flips-on-smartphone-contact-tracing-backs-apple-and-google-idUSKCN22807J
5 Estonia using decentralised matching: https://e-estonia.com/trace-covid-19-while-respecting-privacy/
6 Austria using decentralised matching: https://www.ots.at/presseaussendung/OTS20200422OTS0052/stopp-corona-app-weiterentwicklung-mit-hilfe-der-zivilgesellschaft
7 Switzerland using decentralised matching: https://www.swissinfo.ch/eng/digital-solution_contact-tracing-app-could-be-launched-in-switzerland-within-weeks/45706296
9 US and Canada are widely expected to use a decentralised model in any official apps, in line with the Google-Apple method. In the US, CovidSafe and Private Kit: Safe Paths have been developed by the University of Washington and MIT respectively. See https://covidsafe.cs.washington.edu and https://safepaths.mit.edu