Contact-tracing app: How did the UK go so badly wrong?

The UK government has just U-turned on its own plans for a contact-tracing app after months of development. This is what went wrong.

Why the NHS snubbed Google and Apple's API for contact tracing

A couple of years back, in very different circumstances, Matt Hancock gave app development a shot. Back then, Hancock was the culture secretary, and the social network he came up with, dubbed Matt Hancock MP, was intended to communicate with members of his constituency, post news and updates, and live-stream to his followers.

At the time, some users picked up on potential privacy issues as the app gained apparently unauthorized access to their photo libraries; while laughing at the awkward notifications prompted by the name of the app, which resulted in them being told that "Matt Hancock would like to access your camera".

It was all relatively tongue-in-cheek. But fast-forward into 2020, and Hancock is now the country's health secretary while a pandemic unrolls on the global stage. And when Hancock pitches an app again, but this time one that could help fight back the spread of a deadly virus, the stakes are higher.

SEE: Digital transformation: A cheat sheet (TechRepublic)

In April this year, the health secretary announced that NHSX was developing a contact-tracing app. Leveraging smartphone technology, the app would be able to register contacts between users and rapidly track down those who might have interacted with someone who had subsequently tested positive for the coronavirus.

After three months of development, delays, weeks of trials on the Isle of Wight with no official results, and contradictory official statements on the matter, it appears that the UK is, essentially, axing the contact-tracing app – at least in the format it had initially planned for. 

In an official statement this week, the Department for Health and Social Care (DHSC) admitted that a number of technical challenges had now been discovered, which can't be resolved with the app in its current form. 

Rather than committing to a contact-tracing app per se, the executive chair of the NHS Test and Trace Baroness Dido Harding and Matthew Gould, the CEO of NHSX, said: "Our ambition is to develop an app which will enable anyone with a smartphone to engage with every aspect of the NHS Test and Trace service, from ordering a test through to accessing the right guidance and advice."

While neighboring European countries are all launching their own contact-tracing apps, the UK government has not committed a specific date for the release of its own technology – that is, if it is to launch at all. And now, the question on many lips is: what went wrong?

The first decision that raised some eyebrows was the UK's decision to go solo. Early on, Apple and Google announced that they would make available a Bluetooth-enabled contact-tracing API to let developers create apps that would seamlessly integrate with iOS and Android.

Snubbing Apple and Google's project turned out to be too the wrong choice for the UK. However the future app turns out to be, and whatever tasks it will complete, the government has now admitted that it will, in the end, be using the model pushed by Apple and Google. 

"At this stage an app based on the Google/Apple API appears most likely to address some of the specific limitations identified through our field testing," said the DHSC.

The UK government's initial decision to work independently from Apple and Google's technology back in April can be partly attributed to timing. The API was only to be made available with Apple's iOS 13.5, which was still almost a couple of months away. In other words, Apple and Google weren't offering a product at this stage – they were only offering a promise.

Aidan Fitzpatrick, the CEO of technology company Reincubate, who took a deep technical dive into the contact-tracing app's specs, tells ZDNet that NHSX's move at the time was justified.

"It generally takes three to four months before 70% people get on the latest version of iOS – in this case, the version required for the app to work," he says. "The UK launched their own app because they hoped their technology would work before then. Unfortunately, it didn't."

Not everyone, however, agreed that the government's decision to turn down Google and Apple's offer was entirely motivated by time optimization concerns. That's because the tech giants' technology also came with a caveat: those following Apple and Google's protocol would also have to abide by their privacy preserving rules. 

Often identified as a "decentralized" approach, the tech giants' API effectively enables warnings to be triggered automatically and locally, on users' phones, to avoid data being processed through a central database.

On the other hand, the UK's health services pushed for a centralized approach. In this model, user data would have been stored and processed through a central database, in theory to better manage how warnings are generated to users, in addition to letting experts run analytics on the data to understand how the epidemic is unfolding.

SEE: COVID-19: A guide and checklist for restarting your business (TechRepublic Premium)

In fact, NHS boss Matthew Gould said from the start that future releases of the app would let users voluntarily provide extra information about themselves to help identify hotspots and trends. The data, assured Gould, would have been used exclusively by the NHS for care, management, evaluation and research.

Paul Bernal, researcher in media and information technology at the University of East Anglia School of Law, tells ZDNet that NHSX's ambition raised alarm bells from the very start. "The app failed because they had the wrong agenda from the start, and that meant they made bad decisions," he says.

"They didn't want to do only a contact-tracing app. They wanted to do a whole load of other things at once, most of which surrounds the gathering and using of data. That is a philosophy that exists within certain sections of the NHS all the time, and I think it is what drove their agenda with this technology," adds Bernal. 

The health services spent a great deal of time reassuring the public that NHSX's contact-tracing app would protect user privacy. The technology was being developed together with the Information Commissioner's Office (ICO) to align with ethical and legal standards; and individual researchers even green-lighted the app's source-code, saying that it showed little technical privacy risk. 

One fundamental problem was that Apple's devices are programmed to reduce a given app's functionality when it is running in the background. While the API developed in partnership with Google allows developers to by-pass the restriction, any other third-party app would by default have to be up on the screen to be fully functional. This would hugely hamper the ability of a contact-tracing app to run effectively.

The Cupertino giant resisted calls from other European countries, also working on centralized apps, to relax the procedure. This led Germany, for instance, to pivot from a centralized approach to a decentralized one, after admitting that the technical difficulty of building an app independently from Apple and Google's API was too great.

The UK, on the other hand, pushed through with its original initiative. Initially, when the contact-tracing app's code was open-sourced, experts who scrutinized the technology optimistically found that engineers had developed clever work-arounds to enable the app to "stay alive" on iOS despite the back-grounding restrictions.

Trials duly started on the Isle of Wight, with NHSX bosses anticipating a national roll-out for the app by mid-May. But mid-May quickly became the start of June; and when the technology missed the new release date, ministers said it would be ready by the end of the month. Then, a minister suggested that the tool was no longer a "priority", and that the public could expect to download it by the winter

Fitzpatrick explains that the app was probably at a much earlier stage of development than anticipated, and that the government got its communication message critically wrong at this point. 

"Maybe the message should have been: 'We have a work-around, but it's still complicated and there will be further issues. We we will trial it on the Isle of Wight and see,'" says Fitzpatrick.

"That seems to be what they were actually doing, but it wasn't the message that was broadcast, and they seem to have dug themselves in that message," he adds. "It's difficult to position this well with the public and manage expectations." 

In the meantime, it emerged that the UK government had contracted private company Zuhlke to investigate whether the technology could be switched over to Google and Apple's API, in an agreement worth £3.9 million. 

It seemed that the app was running into some sort of difficulty, therefore, but ministers were crystal clear that the troubles were not technical by nature. Hancock repeated in press conferences that technical glitches were not causing the delays, and was echoed by several government representatives like Lord Bethell who confirmed that the trials were going well.

The government's latest announcement, therefore, is a radical change of rhetoric. Matt Hancock admitted in a press conference that Apple's software prevented iPhones from being used effectively for contact-tracing, unless using the company's own technology. Results from the Isle of Wight showed that NHSX's tool detected 75% of Android devices, but only 4% of iPhones. 

Crucially, the latest official statement also explains that NHSX was testing a parallel app on the Isle of Wight, and one which was based on Apple and Google's API – something thath the government had previously failed to confirm.

SEE: Coronavirus: Business and technology in a pandemic

Failing to admit that the health services were following a dual track approach was a mistake, says Paul Bernal. "They didn't set out what the pilot was doing at all," he argues. "They didn't say how they were doing it, how success would be measured, what the results were, or anything which any normal pilot should have done.

"We didn't know whether they were actually working on a parallel app, and if so, how seriously they were looking at it," he continues. "And that's when the suspicion starts: why are they being so secretive about it?"

The biggest loss out of the contact-tracing app saga, in fact, might not be the technology, but the damage to the public's trust. The lack of transparency, more than the choice of technology, seems to have been the biggest mistake from the government.

For this reason, even if an app is eventually released in the future, and even if it takes a more privacy preserving format, Bernal believes that adoption rates will remain low. With a public now tired of the technology's back-and-forths, NHSX shouldn't expect that the country will be willing to take up any sort of future app.

The best course of action now, according to the researcher? Focus on the manual contact-tracing program. "I think this app was an example of the government engaging in magical thinking," says Bernal. "They thought they could wave a magical technological wand and save the situation. They over-hyped the idea without realizing how difficult it actually is to do this kind of thing."

One positive that has come out of the situation, he continues, is that there will be a renewed focus on improving the manual contact-tracing program: "But again, if they had paid attention to what was going on in other countries, they would have noticed that a long time ago."