11 May 2020, updated 12 May 2020 8:28am

Why contact tracing comes with a cyber security price tag

An argument has been raging about the choice between centralised and decentralised contact tracing apps. What's preferable for privacy?

By Laurie Clarke

A crucial element of the UK’s fledgling lockdown-easing plan is a digital contact-tracing app developed by NHSX, the innovation arm of the health service. It will be ready to launch in a matter of weeks, and will reportedly be used in combination with manual contact tracing and increased testing to help prevent a second spike in Covid-19. The app will work by pinging – via Bluetooth – other phones in the near vicinity, and storing a record of who we’ve been in close contact with over an epidemiologically relevant time frame.

If someone receives a coronavirus diagnosis, everyone who was within their infection range will be notified of the need to self-isolate. But what sounds fairly intuitive has opened up a deeply divisive debate over the best way to design such an app.

An argument that has recently been raging in Europe is whether centralised or decentralised apps are preferable when it comes to privacy. The former means that in the event that the user alerts the app of a positive coronavirus test result, data is sent from the phone of the app user to a centralised database (run by a nation’s health service or government). The central database would then unlock the pseudonymised identities of the infected person and everyone with whom they had been in contact. In a decentralised model, the data is processed on the phone; the government never receives identifying information about app users.
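The two data flows described above, as an added illustration that is not code from NHSX, Apple, Google or any deployed app. The identifier derivation, class and function names and the three sample users are assumptions constructed for the example; it shows what the central server can identify in each model when the same person reports a positive test.

```python
import hashlib
import hmac
import os

def rotating_ids(daily_key, slots=4):
    # Broadcast identifiers derived from a secret key held only on the phone
    # (simplified, constructed scheme).
    return [hmac.new(daily_key, bytes([s]), hashlib.sha256).digest()[:16]
            for s in range(slots)]

class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.daily_key = os.urandom(16)
        self.heard = set()  # identifiers received over Bluetooth

def meet(a, b, slot):
    # Two phones in range record each other's current identifier.
    a.heard.add(rotating_ids(b.daily_key)[slot])
    b.heard.add(rotating_ids(a.daily_key)[slot])

def centralised_report(patient, registry):
    # Centralised: the patient's contact log is uploaded, and the server uses
    # its identifier-to-user registry to resolve every contact itself.
    contacts = {registry[i] for i in patient.heard if i in registry}
    return {"server_identities": {patient.owner} | contacts,
            "notified": contacts}

def decentralised_report(patient, phones):
    # Decentralised: only the patient's daily key is published; each phone
    # re-derives the identifiers and checks its own log locally.
    published = set(rotating_ids(patient.daily_key))
    notified = {p.owner for p in phones if p.heard & published}
    return {"server_identities": set(), "notified": notified}

def demo():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    meet(alice, bob, slot=1)   # carol never meets alice
    meet(bob, carol, slot=2)
    phones = [alice, bob, carol]
    # The registry exists only in the centralised model.
    registry = {i: p.owner for p in phones for i in rotating_ids(p.daily_key)}
    return (centralised_report(alice, registry),
            decentralised_report(alice, phones))
```

Both models notify the same contact; the difference is that the centralised server ends up holding the identities of the patient and their contacts, while the decentralised server holds only a random key.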

Privacy and security experts have strongly rejected centralised apps, claiming that they are ripe for function creep and could be co-opted for mass or targeted surveillance purposes. A group of more than 300 academics signed a letter arguing this in April. In Europe, Germany flipped from a centralised to a decentralised app. Other countries including Switzerland, Austria, Finland and the Czech Republic have also opted for decentralised versions. France and the UK are still gunning for a centralised approach.

Meanwhile Apple and Google are developing their own decentralised system that will run in the background of their handsets. Together, the two companies control the operating systems of the vast majority of phones in the world. Both have said that they will not allow centralised contact-tracing apps to run in the background on their handsets, due to the greater number of privacy issues associated with this type of app. It’s partly for this reason that Germany decided to switch to a decentralised design.

If developers can’t find a way around this issue, people would need to keep their phones constantly unlocked in their pockets in order for the app to run continuously. This would not only rapidly drain the battery, but would also leave all of the data on the phone insecure if the handset was stolen. Australia – which opted for a centralised approach – said it had found a solution, but officials have since admitted that problems have arisen. The UK also claims to have found a successful workaround, but since the source code is not yet published, it’s unclear what this “hack” is, and how effective it will be.

This article is from Spotlight’s May supplement on cyber security.
