Protecting Data or “Saving Lives; Saving Livelihoods”: Which comes first in a post Covid World?

The Government’s “Plan to Rebuild” , including reducing the length of the lockdown, depends heavily on test, track and trace. We are beginning to see articles (like that from Wharton Business Schools) which juxtapose the cost in lives against the cost in jobs from delaying the lifting of lockdown, with the use of mobile phone data seen as central to reconciling the two objectives. We are also beginning to see studies like that from the Lancet on the cost in lives of the global lockdown. Articles on the intra-UK cost are, as yet, separated between those on the economic cost and those on the excess deaths (e.g. from cancer) resulting from the focussing of NHS resources on Covid.

According to the Edelman Trust barometer more than half the world (59% in the UK, 53% in Germany, 50% in the USA) “is willing to give up more of my personal data and tracking information to the Government than I normally would in order to help track and contain the spread of the virus.” Meanwhile Apple and Google have reportedly worked with Civil Liberties campaigners around the world to attack, as a threat to privacy, centralised symptom reporting and tracking systems linked to response planning and research programmes.

In consequence debate on how to implement large scale testing, track and trace in the UK is ill-informed, unbalanced and muddled.

Anyone trying to make sense of that muddle should begin by reading Ross Anderson’s blog on Contact Tracing in the Real World . Then they should look at recent YouGov market research indicating that support for a  blue tooth app depends more on its affect on battery life than on the effect on privacy.

Market research for Politico, indicated that around 2/3rds of Britons support the idea of a track and trace app, but half of these are concerned over how government will use their data and most of these favour a decentralised approach. Few appreciate that the latter, on its own, does not aid track and trace. Many articles attacking the NHSX app as “insecure” or an “invasion of privacy” imply that a decentralised approach, based on blue tooth contacts is an alternative. It is not. The promotion material for the Singaporean app, Trace Together describes it as merely an aide memoire to assist responses to the main tracing programme.

The use of blue tooth contacts as a proxy for physical contact likely to lead to infection has serious limitations, from the proportion of the population that does not regularly carry suitable, always on phones through false positives (e.g. signals passing through “covid-proof” screens or windows) to false negatives (e.g. surfaces previously infected by those not currently in blue tooth range). The South Korean approach, which enabled rapid texts and calls to 21,000 mobile phones known to have been be in the vicinity of a handful of infected individuals in a cluster of gay nightclubs and adjacent food stalls or cafes, or on their routes home, bypassed such problems. But the press cover illustrates why a significant community regards the risk of helping spread Covid as less important than the risk of being “outed”.

Meanwhile the vulnerability of “morally compulsory” blue-tooth apps (as in India) has been well exposed. The potential super-spreaders who wish to keep their private lives private, while demonstrating public compliance, with fake certificates as necessary, have been shown the way.

By contrast over 3.5 million have now signed up for the Kings College symptom tracking app joinzoe  to aid research and understanding.

We need a change of message to: “Help us beat Covid: join the Team”.

The Society of Conservative lawyers has produced a very thorough paper, “Contract tracing: what government must do to achieve take-up and secure privacy” for the current approach.  The opposite approach might, however, be more effective. Invite the public to join a large scale “clinical trial”, giving informed consent for the use of their data, in return for …..

The aim would be to encourage the population at large to join symptom reporting and advice giving programmes, linked (if they wish) to their other health conditions, at the same time as facilitating  track and trace. Such a programme might include the use of Bluetooth by those who wish, but need not be constrained by its limitations. It could also (again if participants wish and give the necessary consents) help address what may well become an endemic problem with similar infections.

The approach could morph into the heart of a  unique, mass-market epidemiological database and research tool, based on granular informed consent. As a sometime Corporate Planner for the Wellcome Foundation I am well aware of the limitations of research programmes based on panels of self-selected volunteers. We have a unique opportunity to create a database that excludes only the 30% or so who trust neither State nor NHS with their data but often appear happy to sign up to VPNs and PETs (Privacy Enhancing Technologies) from who knows  who.

But no-one should have any illusions about security or anonymity. Both have been all but destroyed by our failure to sort the vulnerabilities of the Internet and the tools we commonly use to access it. The best we can do is to better identify and take action against those who are careless with, or actively abuse, the information we give them permission to use.

In the UK we might call it “Joining Team NHS” but we lose if we do not also treat it as part of the UK contribution to a global effort.

The rest of this blog is structured as follows:

1) A muddled debate comparing chalk and cheese while mixing in other agendas
2) Unpacking the agendas: academic, commercial, political, professional etc.
3) The need for a balanced risk assessment: people as well as technology
4) Towards a new message: “Help us beat Covid: join the team.”

1) A muddled debate comparing chalk and cheese while mixing in other agendas

It is meaningless to compare the decentralised Apple/Google approach, (which enables the user to know their phone has been in recent blue tooth contact with the phone of a self-identified carrier), with centralised apps (like that being piloted by NHSX) designed to help identity, track and trace possible carriers, provide epidemiological data to locate and address pockets of infection and help support research to address future problems as the virus mutates.

The UK Parliamentary Joint Committee on Human Rights has recommended that the NHSX bluetooth-based app, intended to do the “heavy lifting”,  should not go ahead without various guarantees,. Some of these appear to require primary legislation. This reflects arguments in the technical press that the NHSX apps and databases should meet higher security and data protection standards than are common for most commercial apps , government on-line services and/or research programmes. There has been no argument as to why this is so, let alone admission of the inherent vulnerability of blue-tooth apps in general (because of the way they work). The arguments are instead linked to claims that the NHSX app is insecure and/or fails to protect human rights plus attacks on its practical value in the tabloid press .

There are attacks on the NHSX code, which (unlike other apps) has been examined by NCSC (itself a cause for suspicion on the part of privacy paranoids) and released for peer review. There are attacks on the Data Protection Impact Assessment for the Isle Wight pilot. The risk register has been also criticised as insufficient. The overall approach has also been attacked as “illegal”  because the data is pseudonymous rather than anonymous. I am not sure what difference this makes. Almost any routine can now be reversed using suitable AI-driven “big data mashup” using tools and files  in the public domain and/or available on the dark web. The question should be whether anyone has the incentive to make the effort and what would be the consequences if they did.

The advent of AI assisted, big data mashups has left Data Protection legislation well behind. Mashups across credit/debit card transaction, mobile phone records and public sector files lie behind the successful track and trace programmes of Singapore, South Korea and Taiwan.

Meanwhile there is an absence of debate over the personal liabilities (including under both civil and criminal law) of those given access to the data in order to identify contacts and ensure they are tested and/or quarantined as necessary (see section 3 of this blog).

Claims  that claims that the centralised approach will be abandoned can be equated to claims that track and trace will be abandoned. Given the limited value of decentralised apps which only work on a subset of the recent mobile phones and are designed for personal protection rather than collective value, we are more likely to see an evolution which bridges the gap – probably using voluntary symptom reporting apps to aid epidemiological research, like joinzoe , which already has 3.5 million participants. This approach has already been shown, in a peer reviewed journal to have value as a predictive tool for outbreaks leading to a rise in hospital admissions. it is also throwing up invaluable research material indicating the incidence of different symptoms as the virus affects those with different underlying conditions.

In short, there is a diversity of approaches around the world and the Chinese/Korean/Taiwanese concept of using the Cell and/or GSM location of the mobile phone plus digital transaction data and public records to support rigorous track and trace has been shown to be very much more rapid and effective in tracing contacts in time to control outbreaks.

The big question is whether we are more concerned about the freedom to roam or the ability to keep our roaming habits private. Most existing UK track and trace experience is with sexually transmitted diseases. That should put us in a good position to handle the stigma issues that made voluntary compliance impractical in South Korea. But it also helps explain the concerns of those who place privacy above controlling Covid.

2) Unpacking the agendas: political, academic, commercial, political, professional etc.

There are three broad agendas:

  • Preserve the right to privacy over the Internet at all costs

This is the agenda of those whose believe in an over-arching and inalienable “human right” to anonymity and privacy over the Internet. For the group track and trace apps are another round in a war that began with attempt to update legislation on the interception of communications, was fought through the various stages of RIPA (the regulation of investigatory powers) and had reached the battlefield of “on line harms” when the Covid-19 outbreak began. This group includes much of the Internet community, whose values were formed when Silicon Valley was a centre of opposition to the Vietnam war. plus others who do not wish their locations or life styles known to law enforcement or their neighbours.

Just as they have fought to prevent other “traditional” legislation from being applied to the on-line world, so the members of this group are fighting to prevent that regarding the control of infectious diseases being applied.

  •  The same laws should apply on-line and off-line

This group includes those who believe the Internet giants should face the same taxes as the High Street and that we have a “right” to “know” who we dealing/communicating with, even if we do not know their names, only their face, voice and/or an identity they have chosen to trust. This group also tends to believe that those who “aid and abet” fraud, abuse or criminal behaviour on-line should be liable as they would in the “real” world.

They would probably support full access to mobile phone location data as in South Korea or Taiwan – as part of the implementation of traditional track and trace to control infectious diseases.

  • Freedom of Choice

The third group, probably the majority, believe that “we” not “them” (whether Government or Google) should be in control of our personal data (including the location of our mobile phones). Most of this group are, in practice, happy to exchange some or all of that control in return for cheap/free services, but resent that they are not given genuine choice.

Most of this group probably sees no reason why we should not be able (on a voluntary basis) to put our NHS numbers into a mobile phone app, together with permission to use our GSM or CDMA location. They would then reserve the “right” to leave their phone behind, or use another one, if they wish to “go where we do not know others to know”.

For any mobile phone “app” to be successful, it needs to be used by a large proportion of the population – including of those who do not carry up-to-date bluetooth-enabled mobile phones in areas with a good signal. That means that Government needs to know the balance of public opinion between the three views.

The first group, battle-hardened from decades of combat against the FBI, NSA and GCHQ, got its act together while Governments without off-the-shelf systems to provide automated support for trace were struggling. The result cost a months delay (including a double “U” turn”) in getting the German app working. The French refused to back down and are producing their own, without co-operation from Apple and Google. in the UK NHSX is an evolving compromise.

But mobile phone apps are only one of the battlefields on which war is being waged.

Behind the headlines many other agendas are being progressed:

  • by politicians with positions to protect,
  • interest groups with axes to grind and
  • regulators seeking to justify their existence, through
  • academics seeking attention (and/or funding) for their research programmes and
  • professional bodies/trades unions looking out for their members interests, to
  • commercial players with products/service to promote or protect.

Almost every nation except for those which already had them as a legacy of SARS (e.g. Singapore, South Korea and Taiwan) has had to move fast to produce computer systems that will help support a track and trace operation. Most begin with big data mash-ups to produce national solutions while Apple and Google used the opportunity to cement their joint position as dominant players in the mobile phone market.

Belatedly the European Union got into the act, about the time that national boundaries are being re-opened, with a call for inter-operability standards . ETSI, the European standards body is therefore looking at creating a standard for inter-operability  with “a primary challenge” being “collecting, processing and acting on information about citizens’ proximity at scale, potentially tens or hundreds of millions of people. This must also be achieved without compromising users’ anonymity and privacy, and while safeguarding them against exposure to potential cyber attacks.

But why “must” inter-operability be achieved without “compromising …”.

The Internet has no inherent security. Global trade in everything else is built on compromises. And the obsession with privacy and anonymity is one of the reasons for the scale and nature of on-line abuse, extortion and fraud.

And why only inter-operability between mobile phone standards?

There is a bigger issue to do with clashes between the other processes being used locally and nationally to track and trace contacts beginning with the identities and sources of information that will used by those being recruited to implement track and trace (in the UK this began with the sexual health professionals in BASHH), in the infection control processes of national health care system and in those of business, including for travelling staff.

Here we can see a new round of “games”, particularly with regard to digital identities and “trusted” information sharing.

In the UK Verify was put back onto life support before DWP realised it could not cope (its many functional flaws have still not been fixed) and allowed millions of new claimants to use their existing HMRC identities and Gateway accounts. Some are trying to use the opportunity to give Verify a new lease of life – even though only two providers are left: Digidentity, (a US-owned Dutch company) and the Post Office. Meanwhile DWP has stopped new claimants from asking for their benefits payments to be paid into Post Office Card Accounts, although Post Offices are open (to withdraw cash) and banks are not. The decade old agenda of herding the sheep on-line to be fleeced takes priority over helping those living from hand to mouth.

Part of the small print of the Google/Apple smart phone app is the inability to turn-off Google Analytics – the world’s largest general purpose track and trace operation. It ties to the IP address of the phone although PC users with browser like Firefox can hinder its use. The governance of IP addresses, currently under the aegis of ICANN has come under unexpected scrutiny as result of the controversy over the sale, now blocked, of the Public Interest Registry to a consortium organised by Goldman Sachs. Meanwhile  ID2020   the initiative to give legal identities to the billions without them, involving players like Microsoft and Accenture, has been rubbished by conspiracy theorists.

A large and growing number of local and global digital identity and authorisation initiatives are vying for attention and, more importantly, trust. Most see the changes brought about by Covid-19, (the move on-line by most of the world and the need to identify, test, track and trace large numbers of potential carriers) as an opportunity.

All organisations delivering public digital services within the European Union are required to recognise electronic “signatures” which meet the eIDAS requirements. The ICO website provides UK guidance and links . Gov.UK was responsible for UK implementation and created the Verify programme. But this is still not capable of issuing an “advanced” electronic signature. Hence part of the reason that HMRC, NHS, DfE and others do not use it. Move-over an eIDAS signatures say nothing about the probity of the holder.

Private sector markets therefore remain dominated by the “digital identities” issued via organisations like SWIFT, Visa, Mastercard, RELX, Experian and GS1 (which also looks after bar code system). Their digital identities/signatures are “recognised” by the world’s local, national and international transaction, payment and product clearing services. Meanwhile most of the mobile phone operators and most of the  members of the Internet Association (from Amazon, through Google and Paypal to Uber) have attempted to enter this market, singly or in partnerships, with varying success.

The way ahead begins with open frameworks for identity and information arbitrage between players with known processes 

The membership of the Digital Policy Alliance Internet Safety and Policy Group includes those (from some of the world’s large credit reference agencies to start-ups serving those paranoid about personal privacy) interested in working together to fund and test standards like PAS 1296 (for Age Checking) which enable the verification of authorisation attributes (e.g. age) to be separated from the need for the service provider to hold personal information.  Such processes are no longer theory. They are operational. There is even a trade association of representing providers whose processes have been independently audited against the standard.

Alongside the work to turn such processes into global standards, some of the members  have begun looking at the wider issues of trusted information exchange, as with the Yoti call for collaboration on a global code of practice for sharing personal health credentials .

Government departments will need to work together very much better as we begin to emerge from lockdown and try to get millions of children and students back into education and millions of  those furloughed, and/or with no job to go back to, into work with the skills of the future. Where is the code of practice for sharing educational credentials? Why do we have separate identity systems for funding (let alone performance recording) in the UK for schools, colleges and universities?

Do we want the way forward to be dominated by those whose files are held under US or Chinese legislation and/or available to those on the Dark Web?

Hence also the current fashion for events on Internet Governance (? an oxymoron). These are increasingly being linked to overlapping events on the governance of AI and Big Data.

Covid-19 has brought forward many conflicting agendas.

3) The need for a balanced risk assessment: reliability, resilience and abuse as well as data protection, people as well as technology

The Data Protection risk register for the Isle of Wight pilot raises more questions that it asks. The most significant to most users  are those with regard to the “misuse of information by those with access”, other forms of malicious and mischievous use, the possible implicit identification of infected individuals and the uncertain length of retention of data to aid epidemiological research.

The answer given to the risk of misuse of information reveals the weakness of the UK implementation of the EU General Data Protection Directive. It lacks effective sanctions for abuse by individuals as opposed to carelessness by organisations. Custodial sentences to help enforce existing Data Protections were recommended by House of Commons Culture Media and Sport Select Committee in 2016 . The precise recommendation (para 36 and 37 of the report) was that section 77 and 78 of the Criminal Justice and Immigration Act 2008 be implemented. Unfortunately Section 55 of the Data Protection Act 1998, to which these clauses refer, was effectively repealed by Section 170 of the Data Protection Act 2018

In consequence there is no effective sanction for individuals involved with track and trace who may be more concerned about the “honour” of their communities than keeping confidentiality when they learn who might have been in contact with who.

This is particularly important given the need to expand the staffing levels of Public Health track and trace teams from hundreds (usually handling sexually transmitted diseases with a high degree of confidentiality) to thousands . Concerns have been raised about the training to be given to those who will needed to be added to the experienced team leaders and call handlers originally targeted . The specified skills for team leaders are non-trivial.

The bigger risk is, however, with the call centre support staff.

I was specialist advisor to the Culture Media and Sport Select Committee Cybersecurity enquiry and given clearance by the chairman to speak on the issues afterwards. I did a time line on the incident and the consequent reported frauds. It quickly became apparent that the latter had used data from an earlier leak from a call centre in India shared by all (i.e. not just Talk Talk) who resold unbundled telephone circuits – but the resultant court cases were still sub judice. I do not know what has happened since. I note, however, that the relevant operation is now based in the UK. Leaks from call centres are not confined to India but the legislation to enable effective sanctions against those responsible in the UK is still missing.

There is a need for rapid action, including primary legislation to bring in custodial sentences, as previously legislated for by Parliament. 

The way in which cyber-criminals and on-line abusers are exploiting the opportunities, as the sheep are not only herded on-line but penned in their homes and bedrooms, makes it all the more urgent to apply the same law on-line as off-line in much broader context, including aiding and abetting and going equipped .

Both organised and opportunist criminals have amended traditional scams for a Covid environment and invented new ones, both on-line and on the doorstep . Imitation track and test services are one of the most common. Some of the most heartless are against charities – see here for the latest advice from the Charity Commission.

4) A new message: “Help us beat Covid: join the team.”

The Imperial/IPSOS Mori home testing programme to track the level of infection in the community and the use of the UK Biobank to support a large scale, long term study into antibodies and their duration indicate the scale of anonymised research under way. Meanwhile the willingness of over 3.5 million to sign up for the joinzoe symptom tracker, giving simple informed consent under GDPR, show the willingness of a significant proportion of the population to provide personal information in the common good.

If it is correct that the NHSX app was downloaded by nearly 40% of the population of the Isle of Wight (and nearly 60% of those with mobile phones that can run it) within a week of launch, then that is evidence of significantly greater willingness to participate in a centralised app, widely criticised for lack of privacy, than to use decentralised apps, like Singapore’s Track and Trace, promoted only as an aide memoire for the use and taken up by barely 20%.

That willingness calls in question the pre-conditions for success summarised in the Imperial white paper and repeated as a mantra by many across the Data Protection industry.

The NHS “brand” is far more trusted than those of Apple or Google.

Nearly a decade ago the Digital Policy Alliance ran an exercise to improve mutual understanding between Data Protection professionals and Clinicians on the actions necessary to improve the  provision of accurate, timely, relevant and secure (in that order) patient information at the point of need. The exercise was a failure because the data protection professionals would not stop talking long enough to let the clinicians explain why their priorities were as they were.

I did, however, get sight of interesting but unpublished (too embarrassing) surveys of patient opinion.

They repeated what my staff at the NCC Microsystems Centre learned (35 years ago), when we had a contract to evaluate first generation on-line practice systems. The early systems were commonly specified by GPs concerned with, inter alia, practical patient privacy, drug interactions and side effect reporting. They were not driven by consultancies concerned about data protection, cost saving or performance reports.

Central to the acceptability of automated systems to help track, trace and medical research is acceptance of the limitations of that “trust”.

Past surveys of the willingness of NHS patients to provide personal information or take part in clinical trials indicate the power of an invitation from a nurse or clinician looking after their health care to participate in a study that might help improve that care (70 – 80% with no need for persuasion). That was commonly accompanied by a reluctance to provide data to help “improve efficiency” (barely 30 – 40% unless accompanied by a juicy carrot).

Today we also know that trust will evaporate with any suggestion that information will be passed outside the UK, for whatever reason.

Hence the importance of building on initiatives like the UK biobank , of a code of practice as proposed by Yoti and of using intra-UK cloud services for shared data under clear UK control. These need to be policed by NCSC, but to use the NHS (not NCSC) brand name.

There is also a need for sanctions, under criminal law, as recommended four years ago by the CMS Select Committee, for those who breach that trust. 


Data Center
Data Management