What App? Where?

Su and Roger look at Track and Trace, and Exposure Notification Apps (there's a difference) a couple of months on.

It's not often my superstitious intuition trumps the Head of the Geekforce's rational brain, but on this occasion, it turns out that Tinfoil Millinery IS this season's hot new look.

I may be enjoying this entirely too much, so I made him a nice cup of tea, and asked him, sweetly, what went wrong?

Now he's a Software Developer, and one of the things Software Developers get used to is occasionally being wrong. Recognising when you are wrong and fixing it before you dig yourself too big a hole is, a desirable trait in a Software Developer!

So,let's look at why his tea-fuelled analysis of the workaround to allow I-Phones to participate in the scheme was erroneous, as the Testing data from the Isle of Wight Trials has revealed.

Now before we all join in blaming "The Government" it's not just the UK's App that is running into trouble. Most of them are.

As he explained, it turns out Bluetooth is not as good as the developers hoped at proximity sensing, and that the much-vaunted "workarounds" to allow centrally controlled apps to function as intended, don't.

Or, as the Telegraph reported, "Technical problems included an audit that found it could detect only one in 25 contacts on Apple phones. The app also did not work on Android phones that were more than four years old... ...These limitations meant that when iPhones went idle, they would stop registering Bluetooth matches, making the technology ineffective." [1] With the UK market for smartphones last year shared pretty much fifty-fifty, between Google and Apple, give or take the odd .9 or so of a percent, that is a problem.

Now, to be fair, this is why you test. In Software development terms, these Apps were put together in record time, to do something that had not been done before, with the technology available. Unsurprisingly, the Apps from other nations who made a feature of centrally held data are also in trouble. The reasons for these Apps failure are two-fold, one technical, and the other political. with a small p.

"...Contact-tracing apps around the world have been hit by technical and privacy challenges. Norway announced it would be deleting app data gathered by its contact-tracing app amid privacy concerns. Australia’s app, meanwhile, was found to have a bug that meant it stopped working on iPhones when they were locked." [1]

So I asked him, giving him time for some extra caffeine in the form of two good-sized cups of coffee, why that is, and why the Google/Apple API which many of our European Neighbours are using in their Apps does not have that problem?

Apparently, it's all to do with how your phone helpfully turns off battery-draining apps or those which might cause a risk to your privacy, when you're not using them. So if I wander off from the silly Wizards game I play on my phone to make a cup of tea then remember that I haven't put the laundry out, then get drawn into editing a blog post, I find out that my phone has shut it all down to save my battery, and stop logging where I am, using GPS. Same thing with Bluetooth, which is required to be on for the App to work, or any other App you have on your phone. They turn off when you are not using them, which is normally pretty convenient.

The reason this is less of a problem for the Google/Apple API, which reports 99% success rate in logging proximity (though the exact proximity itself may not be that accurate) is that the two big companies can send updates to the operating system of the phone itself, telling it to make an exception for Apps using their shared API. And it turns out, that having done all that, they are not prepared to make an exception for the UK or any other Government, who think their idea is more "world-beating".

Now, this isn't the only problem. Despite Ministerial and other assurances, a LOT of people had a problem trusting in the security of Centrally held data, in the case of Apps from other nations that were rolled out more widely such as Norway, sometimes with good reason.

An open letter, published on 19 April and signed by hundreds of professors from 26 countries, warned contact-tracing apps could “catastrophically hamper trust” if they become a tool for “large scale data collection on the population”. and the Ada Lovelace Institute published a rapid review of the technical, social, and public health evidence for contact-tracing apps, finding the current “technical limitations” and “social impacts” outweigh the potential benefits of an app [2] .

Track and Trace Apps are a bit like herd immunity. According to Epidemiologists from Oxford University, advising NHSX on the app, 60% of the population would need to download and use the app for it to be effective [3] . As we pointed out in May, even the Health Minister wasn't that optimistic, anticipating a paltry 20% take-up. Even among the rather more compliant than average, affluent small c conservative population of the Isle of Wight, initial figures showed that about 55,000 people downloaded the app – 38% of the population.

Leading to the interesting scenario that people in the UK, (and Norway, and Australia) trust Google and Apple working together rather more than they trust their governments. I'll just leave that there, shall I?

OK, so now we've got that sorted out, we can all join the rest of the world, hop on the Google/Apple Bandwagon, and go about our pre-lockdown lives in the blissful confidence that if ever we can finally download the UK's reconfigured app, sometime in the winter, we will be pinged by our phone, which our data never leaves, when we stand a bit too close to someone with the virus, for a bit too long, right? No news is good news, and we can all get back to normal? Not so much, it turns out!

Now, much of the above, you could have learned for yourself with a quick Google, but to find out why the UK App (had it worked, and people been prepared to download it) might have been considered "World-beating" and the Google/Apple one is less so, I had to submerge myself in some fairly deeply Geeky Blog Posts.

First, we have to look at WHY the NHS decided to go the centralised route.

MIT Technology Review asserted that With Big Data, comes Big ideas. Quite simply, politicians and executives got carried away with the idea of worldbeating performance, (and maybe a gong or two) and tried to develop an App that was all things to all people. Perhaps if the app could also collect information to help track the virus in other ways—looking for patterns in the way the disease spreads, identifying clusters, finding outbreaks early, then its potential could be dramatically increased.

The centralized approach would allow much more data analysis than decentralized models, which give users exposure notifications but don’t allow officials nearly so much access to data.

With (the UK's) limited testing apparatus and the relatively small number of human contact tracers that was attractive, at the time, as it meant that the system might be quickly overwhelmed if it was alerted to every notification of a potential positive case—while a centralized model based on confirmed cases rather than suspected ones would not. When Google and Apple announced their API, they were firmly committed to this idea and pressed on regardless, and here we are.

But, as the Head of the Geekforce said in our previous article.

"The Apple/ Google API is a bit of a blunt instrument. Any phone that comes within x metres of someone who has self-reported as infected, at the time the handshakes happen, will get a warning, from their phone, so everybody worries. The NHS App would have taken more data, and tried to assess the risk... It would have then pinged the phones of those above a certain risk score from the Central database.

Having an individual identifier allows the app to perform some quite fine-grained analysis, and depending on the level of risk you have been exposed to, recommend either self-isolating and/or getting a test. Furthermore, if you test negative, your contacts can be told of this too and can come out of self-isolation.

It also means that the Central database can potentially notify contacts both up and downstream of the person who self-identifies with symptoms, meaning that there is a hope of, in some cases, notifying asymptomatic carriers, or superspreaders, as well as detecting superspreader events."

This made the abandoned UK APP, particularly when used in combination with Human contact Tracers, pretty close to being what it said on the tin, a Track and Trace System. If only it had worked.

To quote Andrew "Bunnie" Huang, "there is a subtle distinction between “contact tracing” and “contact notification”. Apple/Google’s “Exposure Notification” system only performs notifications to the immediate contacts of an infected person. The significance of this subtlety is hinted by the fact that the protocol was originally named a “Privacy-Preserving Contact Tracing Protocol”, but renamed to the more accurate description of “Exposure Notification” in late April."

So, to paraphrase Andrew's blog post say you have an Asymptomatic Carrier (A). He contacts three other people. One, (B) becomes infected, but only shows symptoms after a longer than usual time, One (C) does not, and one (D), who has also been in contact with person B, quickly becomes symptomatic (before person B's symptoms have even developed) and takes a test, but not before contacting E, and F.

An Exposure Notification System would notify the phones of people who had been directly in contact with person D, the first one to show symptoms, so they can all self-isolate, and/or get tested if they choose. This would mean people, B, C, D, E, and F. Meanwhile Person A blames their mild symptoms on hayfever and goes on their merry way spreading the Virus.

A Track and Trace System could identify that Persons B and D, had A in common. It might also pick up that C had contact, but at a lower risk level. The messages sent to different individuals could be customised.

So, here we are. Countries that have gone down the Google/Apple route, such as Germany have found that, while it has a higher adoption rate, Exposure Notification alone is not that useful, whereas countries who have clung to the Centralised Data approach has found that their apps have either plain not worked (the UK and Australia) or, where they used GPS rather than Bluetooth as a workaround, were deemed by regulators to be too intrusive (Norway) or have not made it off the drawing board (France).

I don't know about you but I'm with @Pepys_Diaries on Twitter.

"The taverns are fair full of gadabouts making merry this eve. And though I may press my face against the window like an urchin at a confectioner’s, I am tempted not by the sweetmeats within. A dram in exchange for the pox is an ill bargain indeed."

So the "New Normal" is with us for a while yet.

[1](1, 2) https://www.telegraph.co.uk/technology/2020/07/08/track-trace-app-uk-google-apple-when-download/
[2]https://www.digitalhealth.net/2020/07/timeline-what-happened-to-the-nhs-contact-tracing-app/
[3]https://www.digitalhealth.net/2020/05/nhsx-working-on-second-tracing-app-using-apple-and-google-tech/