UK Government Building Second Contact-Tracing App to Work with Apple and Google’s Framework

The NHS has already begun building a second smartphone app to trace the spread of the coronavirus, after criticism of the first app it launched this week on the Isle of Wight.

The UK said in late April it would be rejecting Apple and Google’s new API because the tech companies stipulate that all apps built using their framework must be “decentralized.” This means all the data processing takes place on a user’s handset, and the data can’t be stored externally in a central database.

Google and Apple say this is because decentralized apps are more private and a central database is more vulnerable to large-scale hacking. Cybersecurity experts also believe decentralized apps mitigate the possibility of that data later being used for government surveillance.

Until now, the UK has been firm in its commitment to develop its own contact tracing app away from Apple and Google’s efforts, despite the fact that it will have limited access to the Bluetooth notifications necessary for it to work properly. James Vincent breaks it down for The Verge:

Both Google and Apple restrict how apps can use Bluetooth in iOS and Android. They don’t allow developers to constantly broadcast Bluetooth signals, as that sort of background broadcast has been exploited in the past for targeted advertising. As The Register reports, iOS apps can only send Bluetooth signals when the app is running in the foreground. If your iPhone is locked or you’re not looking at the app, then there’s no signal. The latest versions of Android have similar restrictions, only allowing Bluetooth signals to be sent out for a few minutes after an app has closed. Such restrictions will block devices from pinging one another in close quarters, drastically reducing the effectiveness of any contact-tracing app.

Google and Apple can rewrite these rules for their own contact-tracing API because they control the operating systems. But for countries trying to go it alone, like the UK, the restrictions could literally be fatal. iPhone users with the app installed could interact with someone who is later diagnosed with COVID-19 and never know it, if their phone doesn’t keep a log of their interaction.

Now, however, the UK government has left open the prospect of ditching its own contact-tracing app in favour of the “decentralised” model favoured by Apple and Google, after it was revealed that a feasibility study into such a change is under way. A new report in The Guardian explains:

With growing questions over that approach, it emerged that the Swiss-based consultancy Zühlke Engineering has been hired to undertake a two-week “technical spike” to investigate implementing Apple and Google’s system “within the existing proximity mobile application and platform”. […]

The prime minister’s official spokesman left open the possibility that a change could be made, telling reporters: “We’ve set out our plans for a centralised model and that’s what we are taking forwards but we will keep all options under review to make sure the app is as effective as possible.”

Documents spotted this week showed the government recently employed an IT firm to investigate the possibility of integrating with the Apple-Google API, after having initially said it would do without it.

It’s not clear at this stage which of the two apps the NHS will select, or whether it could end up launching both. France also appears to have run into technical difficulties developing its app without the API, as its digital minister attacked Apple saying the company could have helped France’s app run more smoothly on iPhones.

“Right now, it’s unclear how an app that only works when every citizen in England has the app downloaded, open, and running in the foreground at all times is going to be ‘as effective as possible,’” writes Casey Newton for The Verge. “As of today, I’d be surprised if England hadn’t adopted the Apple-Google approach by the end of this month.”

Apple and Google have said that they expect to release the first version of their contact tracing system for public use, via a software update to the iOS and Android operating systems, in mid-May.