Support 100 years of independent journalism.

  1. Spotlight
11 May 2020updated 12 May 2020 8:28am

Why contact tracing comes with a cyber security price tag

An argument has been raging about the choice between centralised and decentralised contact tracing apps. What's preferable for privacy?

By Laurie Clarke

A crucial element of the UK’s fledgling lockdown-easing plan is a digital contact-tracing app developed by NHSX, the innovation arm of the health service. It will be ready to launch in a matter of weeks, and will reportedly be used in combination with manual contact tracing and increased testing to help prevent a second spike in Covid-19. The app will work by pinging – via Bluetooth – other phones in the near vicinity, and storing a record of who we’ve been in close contact with over an epidemiologically relevant time frame.

If someone receives a coronavirus diagnosis, everyone who was within their infection range will be notified of the need to self-isolate. But what sounds fairly intuitive has opened up a deeply divisive debate over the best way to design such an app.

An argument that has recently been raging in Europe is whether centralised or decentralised apps are preferable when it comes to privacy. The former means that in the event that the user alerts the app of a positive coronavirus test result, data is sent from the phone of the app user to a centralised database (run by a nation’s health service or government). The central database would then unlock the pseudonymised identities of the infected person and everyone with whom they had been in contact. In a decentralised model, the data is processed on the phone; the government never receives identifying information about app users.

Privacy and security experts have strongly rejected centralised apps, claiming that they are ripe for function creep and could be co-opted for mass or targeted surveillance purposes. A group of more than 300 academics signed a letter arguing this in April. In Europe, Germany flipped from a centralised to decentralised app. Other countries including Switzerland, Austria, Finland and the Czech Republic have also stumped for decentralised versions. France and the UK are still gunning for a centralised approach.

Meanwhile Apple and Google are developing their own decentralised system that will run in the background of their handsets. Together, the two companies control the operating systems of the vast majority of phones in the world. Both have said that they will not allow centralised contact-tracing apps to run in the background on their handsets, due to the greater number of privacy issues associated with this type of app. It’s partly for this reason that Germany decided to switch to a decentralised design.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy

If developers can’t find a way around for this issue, people would need to keep their phones constantly unlocked in their pockets in order for the app to run continuously. This would not only rapidly drain the battery, but would also leave all of the data on the phone insecure if the handset was stolen. Australia – which opted for a centralised approach – said it had found a solution, but officials have since admitted that problems have arisen. The UK also claims to have found a successful workaround, but since the source code is not yet published, it’s unclear what this “hack” is, and how effective it will be.

This article is from Spotlight’s May supplement on cyber security. Click here for the full edition. 

Topics in this article: