The UK switches on to mobile contact tracing

Working with major tech companies

In building the app, the digital innovation unit of the NHS (NHSX) worked closely with major tech companies, not just Google and Apple, but also VMware, in addition to teams in countries across the world using similar apps – such as those behind the very popular and successful German app. It also worked with scientists at the Alan Turing Institute and Oxford University, medical experts, privacy groups, at-risk communities, and the UK arm of Swiss software firm Zühlke Engineering.

Zühlke took over the development of the product from VMware in July 2020, when the latter announced the end of work that had begun in March between its VMware Pivotal Labs division in partnership with NHSX when under direction from the innovation unit. VMware began creating an app based on a centralised data model that was supported by a scalable back end that could handle millions of records in a secure and anonymous way.

VMware worked with Zühlke from the beginning of its involvement on all aspects of the technology behind the app, contradicting earlier reports that suggested Zühlke was brought in specifically to work on the decentralised version of the app. Sources close to the project said the plan was always that VMware would spearhead initial development of the app, with Zühlke doing testing and assurance, and the Swiss firm taking over fully when ready to do so. Both firms worked on both the centralised and decentralised versions of the app from the inception of each.

Fast-forward to the launch, and it’s fair to say that Zühlke lead Wolfgang Emmerich is somewhat proud of the app that has been created. Emmerich is co-founder of the Swiss firm which began life 20 years ago, and has worked full-time in the UK since 2009. He is also a professor of computing at University College London.

The company is named after Swiss engineer Gary Zühlke, a consulting engineer by trade whose career has included many projects in the world of medicine, including eye surgery and other medical devices. Such expertise was crucial in Zühlke being taken on-board for the contact-tracing project as the app is officially regarded as a medical device, one for which a CE mark has already been created.

Zühlke has also been a long-time supplier to the UK government, with branches such as HM Revenue & Customs and having carried out alpha and beta testing for the Gov.uk website. As a result, said Emmerich, the company knows how you’re meant to develop digital services for central government and the effect on internal processes.

Another key asset was that the firm also has a long-standing track record in mobile development in mission-critical infrastructure, building, among other products, the UK mobile banking app for HSBC. This product was later spun out to 20 other territories.

Critical infrastructure

Another key element that provided credibility for work on the contact-tracing project was that the HSBC mobile app was regarded legally as critical infrastructure with very stringent security and availability requirements, as well as being able to scale to tens of millions of users.

The Zühlke team was with the NHS right from the start. A former colleague of Emmerich was a chief advisor on cyber security for Patrick Vallance, chief scientific adviser to the UK government, and this led to an introduction with NHSX chief executive Matthew Gould when the project was just about to kick off its first step and [asked if] they wanted help in independent assurance to ascertain that the development was going in the right direction.

This initial input was limited and excluded the initial specifications and timeline. “We basically checked and validated the app, but it would not work in certain circumstances,” said Emmerich. “So we bid for, and won, the support contract for the first app, and we used that contract to build the second app. For that, we very much had input into the product roadmap and what the features of the app looked like.”

The first app has been widely criticised as a failure, but to Emmerich, the original concept of having an app that could support a centralised data structure from which the NHS could leverage insight in the fight against Covid-19 was essentially a good idea. In February 2020, he would have been in favour of it, but he added that there are trade-offs, meaning other people might not necessarily agree.

“A lot of people are concerned about privacy or sensitive information,” he said. “They don’t necessarily think it’s a good idea for the government to collect contact traces. Ultimately, the first app was not successful because of different angles on trade-off decisions in battery consumption versus accuracy and privacy.

“The reason why the first step wasn’t successful is fundamentally because Apple was concerned about battery life, particularly of older phones, so that it would prevent apps from activating the Bluetooth stack in the background. Bluetooth ping sending and receiving Bluetooth beacon messages is an expensive operation as far as power is concerned, and Apple was not willing to give up that restriction. That ultimately meant you had to fight the operating system, and ultimately that fight wasn’t successful in getting the app to work in the background.

“If I was in Apple’s shoes I would have made exactly the same decision, because its products are judged by customers on battery life, and if an app depletes the battery life unduly, even in the background while users are not aware the app is actually doing that, then that ultimately reflects poorly on Apple’s products.”

Ensuring products are fit for purpose

Does this mean the app designers were ultimately working to unfeasible and unfair timelines in the rush to get the app out the door? Emmerich broadly agreed.

“In our experience, development is never in a straight line,” he said. “We are very strong proponents of using lean and agile techniques with the express advantage of failing early and failing quickly. I think we actually failed early, but unlike France, for example, where they knew the app was not really properly functioning, we didn’t still release it. We took our ethos seriously; that is we are engineers who are building products that are fit for purpose, and it was not possible for this first app to be fit for purpose. It was certainly not possible to have it as a medical device. We would have to ascertain that it actually worked in all circumstances. And as a result, it just had to go.”

Zühlke encountered no further bumps in moving to a decentralised model, even though the nature of using the API and switching meant it wasn’t able to re-use much code – mainly because the back end of each model had to be completely different. It did re-use some user experience (UX) designs and styles, but ultimately Zühlke built the new app from scratch in six weeks. Such a timeline, it should be emphasised, is completely out of the ordinary in app design – especially for a medical device.

Emmerich has called the result one of the best contact-tracing apps in the world; the product of working with other developers from around the world, re-using material from NearForm – the creator of the Irish and Scottish apps, along with apps for a number of states in the north-east of the US – the SAP developers involved in the successful German product, as well as material from Russia and from the developers of the New Zealand app.

“That has enabled us to build a very feature-rich app in a very short period of time,” he said. “We’ve done a comparison of all the apps that are out in the world, and I can argue, based on the feature comparison, we will release in England and Wales the feature-richest app in the world.

“And we will not just have the features that they have in Northern Ireland, and in Germany, but it will also have features that actually aimed to give guidance individually to the users of the app. This includes, for example, a risk score based on the infection data broken down by postcode.”

Some of the comparisons seem surprising. The NHSX app’s Bluetooth contract tracing is something the New Zealand app does not have. But it does have, like the UK version, QR code venue check-ins, which have been very successful.

Data security and privacy

One of the key challenges has naturally been data security and privacy, while ensuring optimum accessibility. In this regard, Emmerich emphasised the work his team has undertaken with the National Cyber Security Centre (NCSC), which tested attacks on both the underlying cloud infrastructure and the app. Regarding accessibility, given it is an NHS product, he said the app needs to have higher-than-usual requirements on accessibility.

It had to meet web accessibility requiring a certain amount of rework to ensue voice mechanisms and localisation. The app has been released in 10 languages. In addition to English and Welsh, the NHS felt the app should be usable for people who don’t necessarily speak the two languages, particularly in communities in the north of England.

Looking to future developments, Zühlke is working with the Engineering Institute to improve the accuracy of the estimation of distance, and has even made suggestions to Google and Apple regarding the API, which have since emerged in upgrades to the two companies’ operating systems for devices.

The key, though, is to drive adoption. In this, Emmerich said that even in the Isle of Wight trial of the centralised app, adoption rates were “really, really encouragingly high”, at around 55-60%, and that very important lessons were learned that have been fed back into subsequent development.

Alarming plans

As a key measure of the success of Zühlke, the company’s initial six-month contract that was due to expire in November has been extended for another six months. This will see what is described as a “fairly aggressive” roadmap of further improvements and features, including offering a more personalised risk score, known as a “Geiger counter” feature, based on how many Bluetooth hits a person receives from others.

“You can measure how many different phones you see and how often you see them, and you can feed that back until people are really socially distancing,” said Emmerich. “We can give people various visualisations of how risky a life people lead to influence their behaviour.”

Yet despite the clear benefits of this, the feature has already generated misgivings. BCS, the Chartered Institute for IT, has described plans to use the app to rate users’ lifestyles for risk as “alarming” and needing clarity, adding that such algorithmic scoring approaches are often inaccurate and can have unintended side effects.

Adam Leon Smith, who chairs the Software Testing Group for BCS, said: “Some data is being stored, unencrypted, locally. This isn’t of great concern as it appears to be just system configuration data, with the sensitive data being stored by Google and Apple.

However, as the functionality is expanded to include things like personal risk scores, this needs to be encrypted, and I’m keen to see this isn’t passed to the developer’s servers to establish a centralised tracking system by the backdoor. There are security issues with using Bluetooth in this way. It remains possible for attackers to manipulate the behaviour of the system to give incorrect information to users, however this has been made more challenging through various means.”

What is far less contentious is international interoperability being on the roadmap. This means that if a person travels to Ireland or Germany, for example, the app will notify users if a local person they’ve been exposed to tests positive. The NHSX app is also part of the EU gateway project which, in September 2020, announced trials interconnecting the back-end servers of the official apps from the Czech Republic, Denmark, Germany, Italy, Ireland and Latvia.

Developed and set up by T-Systems and SAP – the two bodies responsible for the development of the German app, which by July 2020, barely a month after initial introduction, had been downloaded 15.8 million times – the gateway is designed to ensure that apps work seamlessly across borders and hence users will only need to install one app, even if they travel abroad. In addition to Zühlke, Ireland’s NearForm is a key player, handling the technical aspects on behalf of the Irish health authorities.

Reflecting on the project to date, Emmerich said he’s proud of what he and his team have achieved, especially given the time constraints. He noted that after seeing the timesheets of some people on the team, he’s actually worried about their health, and when assessing whether he would have done anything differently, he said he would have not let that happen and would have instead increased the team at his disposal.

To date, it looks like the app has been a success, with in excess of 10 million downloads in its first three days of availability. However, early teething troubles were identified in entering test results for hospitals in England, although these issues were dealt with in a matter of days. But while that has been addressed, it exemplifies the success of the app is not just contingent on its technical capabilities, but rather how it fits into and adds value to the Test and Trace programme as a whole. This is where having the most feature-rich app could prove rather handy.