On June 18, the UK announced an about-face on its approach to developing a national coronavirus contact tracing app.
The old strategy, which would gather data about users’ health status and contact history into a central database, is out the window. Instead, the government said future work will focus on a new design—built on the back of technology developed by Apple and Google—which it initially resisted.
Britain’s decision to scrap its central database follows similar decisions in Norway, Australia, and Colombia. This week, Germany and Italy each debuted their own decentralized apps, which never store information about users’ contact history outside their own devices. “The tide has been turning against centralized apps for a very long time, and indeed there are barely any left,” said Michael Veale, who studies digital privacy and policy at University College London.
Instead, governments are relying on a more privacy-minded strategy prominently adopted by Apple and Google. In April, the companies joined forces to create an API, or application programming interface, that would use Bluetooth to let nearby phones speak to each other and internally log contacts. Public health authorities could use the API to build their own apps, and if a user was later diagnosed with Covid-19, those Bluetooth touchpoints could be used to warn contacts of their potential exposure. Using this method, no central authority needs to monitor anyone’s location or contact history—although there is a database of anonymous pin numbers associated with users who have been infected.
In Europe, the only remaining holdout is France, which has said its decision to collect users’ data in a central database—and reject the framework championed by Apple and Google—is a matter of “technological sovereignty.” EU Commission vice president Margrethe Vestager chided France on Tuesday for sticking to its system, which will make it harder to link the French app with the rest of the continent’s decentralized systems.
Proponents of centralized apps have argued that they will generate a trove of data that epidemiologists can use to track the spread of Covid-19. More detailed information, including GPS location history and a list of everyone a person has come in contact with, could help governments make better public health decisions. Detractors worry about eroding privacy and setting dangerous precedents.
“We’ve seen throughout history that surveillance and data collection programs run by governments almost always have mission creep,” said Evan Greer, deputy director of the digital privacy group Fight for the Future. “Data collected for one purpose can be abused and used for things it was never intended to be used for.”
In South Korea, for example, the government collects and publicizes extensive contact tracing data. That data has been used to identify and shame individual people who have gotten sick, and contributed to the stigma against LGBTQ citizens when a recent outbreak was traced back to specific LGBTQ-friendly bars.
On the other hand, governments also have purely practical reasons for adopting the Bluetooth-based framework built by Apple and Google. The companies, which control virtually all of the smartphone market, have made it very difficult to build an app that doesn’t use their system. During testing in the UK, the government said it discovered “a number of technical challenges…which cannot be resolved,” leading it to abandon its app.
On top of that, public sentiment has begun to turn against centralized contact tracing apps, forcing governments to change their approach to regain citizens’ trust. (For what it’s worth, decentralized apps also have potential privacy issues.) “This app needs a hell of a lot of people to download it for it to work,” said Tom Chivers, a spokesman for the advocacy group ProPrivacy, which tracks the level of privacy in government contact tracing apps. “When it’s constantly reported in the media that it is a privacy issue, people take note of that and think, ‘I don’t want to give my data to these people.’ That, too, plays a big role.”