Today the HSE launched their long-awaited Covid-19 tracking app, built on the Google and Apple exposure notification framework.
I'm not going to spend time going over how this works here, because other people have done a much better job at this than I possibly could. If you want to understand how this works technically, Nicky Case has created an excellent comic explaining it.
As a person who is generally data and privacy sensitive, I had my concerns about a "government tracking app". I'm sure many others are naturally skeptical of an app like this. Despite the above link explaining how an app like this could work, I fully expected the Irish app to have issues and collect data it shouldn't.
Thankfully, this isn't the case. The app does not automatically collect location data, or data not necessary for its primary purpose. It does ask for your phone number so you can be contacted by the HSE if you have a confirmed contact, however this is optional. The developers have intentionally chosen privacy over functionality which is great.
Also hugely encouraging is that the app is open source, with the code published on GitHub, so the code can be checked to make sure it does what it says it does.
The Irish Council for Civil Liberties has released a report card on the app and appear to not recommend installing it. Having read the report card, I'm disappointed that they feel that they can't recommend it. I don't feel like their concerns should discourage anyone from installing the app, and so I've attempted to address their points below.
- App must have a single purpose - Grade D
The concern here appears to stem from the fact that the app also allows users to optionally input symptom data, even if they don't have symptoms. Users can also choose to self report their location along with this data.
Personally I'm not sure I see much use in this feature, as it relies on self reporting. There's no need to use this feature if you have concerns about it, which immediately makes the app a single purpose app. I'm not sure this warrants a D grade.
- Be necessary and proportionate to the problem - Grade D
The concern here seems to be that the HSE hasn't proved before release that this mechanism to aid contact tracing will be effective in Ireland. This is true. The HSE hasn't proved this.
However, modelling points to this kind of tracing being an effective tool in our arsenal of measures to fight Covid-19, combined with mask wearing and social distancing. This Nature article goes through the specific approach in more detail. Oxford models estimate that it requires ~60% uptake across the population to become effective.
There's a chance that this app based method of contact tracing doesn't turn out to be as effective as we think it is. Like many of the measures we're taking to stop the spread of the virus, we won't know for sure until we have a lot of data to parse and some time to analyse it.
- Be effective - Grade D
The ICCL point to a study carried out by Prof Doug Leith and Dr Stephen Farrell of TCD which found that Bluetooth signal strength can vary quite a bit depending on where people sit and what environment they're in. Anyone who's ever run with Bluetooth earbuds outdoors will know that this is the case for sure!
It's likely that this app will not work 100% of the time. It's not possible for a Bluetooth signal to know that someone was 1.9 metres away, but not 2.1 metres away, in all conditions. There may be some cases where the app thinks it hears a Bluetooth signal from a phone more than 2 metres away, or doesn't hear a signal from a phone less than 2 metres away.
However, the app works by prolonged contact. A close contact is considered to be 2 metres or less away for 15 minutes, so occasional inaccuracies or misses should be smoothed out.
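To show why a duration threshold smooths out single noisy readings, here is a small added model (not code from the post, the HSE app, Nearform or the Google/Apple framework). It assumes a log-distance path-loss model to turn signal attenuation into an estimated distance, uses constructed per-minute attenuation samples, and applies the "2 metres or less for 15 minutes" rule described above. The path-loss constants and the sample values are illustrative assumptions; the real framework scores attenuation in dB against configurable thresholds rather than converting to metres.

```python
"""Simplified duration-based close-contact scoring (constructed example).

One attenuation sample (dB) per minute of an encounter is classified as
"within 2 m" or not, and a close contact is only declared when at least 15
such minutes accumulate. Individual mis-readings therefore shift the count by
one minute rather than flipping the verdict.
"""
import math

CLOSE_CONTACT_METRES = 2.0   # distance threshold quoted in the post
CLOSE_CONTACT_MINUTES = 15   # duration threshold quoted in the post

# Assumed log-distance path-loss model: attenuation = A0 + 10 * n * log10(d).
# Both constants are illustrative, not calibrated values from any real phone.
PATH_LOSS_AT_1M_DB = 40.0
PATH_LOSS_EXPONENT = 2.0


def attenuation_to_metres(attenuation_db: float) -> float:
    """Estimated distance for a given attenuation under the assumed model."""
    return 10 ** ((attenuation_db - PATH_LOSS_AT_1M_DB) / (10 * PATH_LOSS_EXPONENT))


def metres_to_attenuation(metres: float) -> float:
    """Inverse of attenuation_to_metres (used to build sample data)."""
    return PATH_LOSS_AT_1M_DB + 10 * PATH_LOSS_EXPONENT * math.log10(metres)


def close_minutes(samples_db: list[float]) -> int:
    """Number of one-minute samples whose estimated distance is within 2 m."""
    return sum(1 for a in samples_db if attenuation_to_metres(a) <= CLOSE_CONTACT_METRES)


def is_close_contact(samples_db: list[float]) -> bool:
    """Duration-based rule: 15 or more minutes within 2 m."""
    return close_minutes(samples_db) >= CLOSE_CONTACT_MINUTES


def any_sample_close(samples_db: list[float]) -> bool:
    """Naive single-sample rule, shown only to contrast with the duration rule."""
    return close_minutes(samples_db) > 0


# Constructed scenarios (attenuation in dB, one value per minute).
# ~1.5 m is about 43.5 dB and ~3.5 m about 50.9 dB under the assumed model;
# the 2 m threshold sits at roughly 46 dB.

# A: colleague at ~1.5 m for 20 minutes, with three noisy spikes (50, 52, 49).
SCENARIO_A = [43, 44, 42, 45, 50, 43, 44, 43, 52, 42,
              44, 45, 43, 49, 44, 43, 42, 45, 44, 43]

# B: someone walking past at ~1 m for 3 minutes.
SCENARIO_B = [40, 41, 40]

# C: person at ~3.5 m for 20 minutes, with three readings that dip below threshold.
SCENARIO_C = [51, 50, 52, 45, 51, 50, 53, 51, 44, 50,
              52, 51, 50, 49, 46, 51, 52, 50, 51, 53]


def score_scenarios() -> dict[str, tuple[int, bool, bool]]:
    """Return (close minutes, duration-rule verdict, naive-rule verdict) per scenario."""
    return {
        name: (close_minutes(s), is_close_contact(s), any_sample_close(s))
        for name, s in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C))
    }


if __name__ == "__main__":
    for name, (minutes, duration_rule, naive_rule) in score_scenarios().items():
        print(f"scenario {name}: {minutes:2d} min within 2 m, "
              f"duration rule -> {duration_rule}, naive rule -> {naive_rule}")
```

Scenario A loses three minutes to spurious high readings but still clears the 15-minute bar; scenarios B and C each produce three "within 2 m" minutes, enough to trip a naive any-sample rule but not the duration rule. The same smoothing works in the other direction: a genuine 2 m contact occasionally read as 2.5 m loses a minute or two, not the whole exposure.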
And again, as above, we shouldn't let the perfect be the enemy of the good. The early evidence for this approach shows that it helps. That's all we can say of any preventative measure at this point.
False positives are mentioned in this section also. I agree that the HSE should share the data it collects or has collected around testing the app so we know more about the false positive rate and what kinds of issues there may be. Sharing of more data is always a good thing.
- Embrace Transparency and Promote Trust - Grade B
I'm glad to see that the ICCL have recognised the steps that the HSE has taken in this area. Their concerns in this section centre around enabling an issue tracker on GitHub for more transparency and so that the public can submit issues. I'm neutral on this as I can see pros and cons. It would likely help with transparency.
The remaining concerns in this section are around the use of IP addresses and refresh tokens in logging that could be used for tracing individuals. While it's true that it's possible to get an idea of a user's location, and potentially 'track' a user using their IP address, I'm not sure I can think of a potential attack vector around this data in this situation, given the limited information that's transmitted to the app's servers.
- Subject to statutory oversight & handling of data - Grade C/B
I'm combining the rest of the sections as they deal with similar concerns.
The Google and Apple framework that the app uses is not open source. On this point I absolutely agree with the ICCL. I would much prefer that the code was released for this, so it could be independently audited.
The concern about 'silent updates' is well founded, as theoretically Google and Apple could update the API without telling people and change its efficacy or method of operation. However, both companies have been pretty open so far about their work on this, and the framework is being used by several countries for their apps, so unannounced changes seem very unlikely. I do however agree that it would be much better if the framework was open sourced so we could all keep an eye on it.
Retention of metrics data about the usage of the app will be anonymous and used for statistical and research purposes. This is taken as a negative, but personally I have no issues with this. None of the metrics data is personally identifiable and may help researchers in years to come.
The ICCL calls out that Google Firebase and Twilio are mentioned but not explored in the DPIA that has been published.
Again, due to the decentralised nature of the app, these are minimal concerns, though it would be great to see more information published about how these services are used.
Conclusion
The ICCL has taken the time to create a measured and detailed review of the HSE Covid app and this is commendable. It's fantastic to have an open discussion about potential issues and more scrutiny can only serve to make the app more trustworthy.
I think there are several well made points around the types of data that are collected and the third party services used. These can be easily clarified by the HSE or by Nearform, the developers that were used to create the app, and I hope they are.
However, I take issue with their reluctance to recommend the app based on not having concrete large scale data completely confirming its efficacy. Signs point to it being useful, and the app is architected in such a way that there are few or no trade-offs to its use.
The worst case scenario is that it ends up not being a very effective tool in fighting Covid-19. However, even if this turns out to be true, we do not sacrifice any privacy or personal information by using the app.
The best case is that it, along with hand washing, mask wearing and social distancing, helps to slow the spread of the virus. For me, there are only upsides and very limited or no downsides. I'd call for the ICCL to revisit their report card and instead recommend the app's use.