A peace agreement nearly a quarter-century ago helped transform Northern Ireland after decades of bitter conflict. But new issues are reawakening old feuds.
Brussels says Britain has broken its legal agreement governing trade with Northern Ireland. Britain has denied breaking the deal, saying its move is a temporary measure to relieve bottlenecks.
TechCrunch is embarking on a major project to survey the venture capital investors of Europe, and their cities.
Our survey of VCs in Belfast and Northern Ireland (https://forms.gle/k4Ji2Ch7zdrn7o2p6) will capture how things are faring, and what changes are being wrought amongst investors by the coronavirus pandemic.
We’d like to know how Northern Ireland’s startup scene is evolving, how the tech sector is being impacted by COVID-19, and, generally, how your thinking will evolve from here.
Our survey will only be about investors, and only the contributions of VC investors will be included. More than one partner is welcome to fill out the survey. (Please note, if you have filled the survey out already, there is no need to do it again).
The shortlist of questions will require only brief responses, but the more you can add, the better.
Obviously, investors who contribute will be featured in the final surveys, with links to their companies and profiles.
What kinds of things do we want to know? Questions include: Which trends are you most excited by? What startup do you wish someone would create? Where are the overlooked opportunities? What are you looking for in your next investment, in general? How is your local ecosystem going? And how has COVID-19 impacted your investment strategy?
This survey is part of a broader series of surveys we’re doing to help founders find the right investors.
For example, here is the recent survey of London.
You are not in Northern Ireland, but would like to take part? That’s fine! Any European VC investor can STILL fill out the survey, as we probably will be putting a call out to you next anyway! And we will use the data for future surveys on vertical topics.
The survey is covering almost every city and country in the Union for the Mediterranean, so just look for your country and city on the survey and please participate (if you’re a venture capital investor).
Thank you for participating. If you have questions you can email email@example.com
(Please note: Filling out the survey is not a guarantee of inclusion in the final published piece).
Buoyed by Britain’s vaccination procurement and rollout success, Prime Minister Boris Johnson is threatening to reverse a deal signed with the bloc over the territory’s trading arrangements.
A human rights group says the government’s inaction has left a health care void in a country where the procedure was legalized in 2019, but remains largely unavailable.
As Britain adjusts to life outside of the European Union, businesses are contending with delays, service cancellations and piles of paperwork.
After weeks of hardball, the British prime minister has dropped a threat to break international law. The move could help Britain’s talks on a trade deal with the European Union.
With negotiators at impasse, the prime minister hopes he and European leaders can hammer out a trade deal to replace the one that expires on Dec. 31.
Advancements in the tech and the cyber threat landscape are creating vast job opportunities. The global cyber security market is projected to reach £210 billion by 2026. But in the UK, out of 952,000 working aged (16-64) UK military veterans and 15,000 service leavers a year, only 4% of them are working in tech and cyber. This is 20% lower than the non-veteran population. The cost to the UK economy of underemployed or unemployed veterans has been estimated at £1.5 billion over 5 years. This means all this talent – talent which has literally been trained to adapt to fast-moving situations like the one the world finds itself in now – is going to waste, just when the era of massive digitization of business and society is upon us.
So it’s significant that the UK’s RFEA, the Forces Employment charity, is launching a new partnership with TechVets, the non-profit set up to build a bridge for veterans into cyber security and the technology sector.
With the RFEA’s support, TechVets will create extensive new free upskilling and job opportunities for ‘tech-curious’ service leavers and veterans, through its offering of networking, mentoring, signposting and training services, via its new TechVets Academy.
The initiative is timely. It’s estimated that over 173,000 UK military veterans are at risk due to the economic impact of COVID and the ending of the government’s furlough scheme in March 2021.
Since its launch in 2018, TechVets has grown to a community of over 6,000 members and several ‘chapters’ around the UK.
TechVets uses a blend of open-source resources, partner training, and community support, to empower those new to cyber/tech to choose the pathway that is best for them. And it’s all free to veterans and service leavers.
TechVets Programme Director, James Murphy (pictured), is an Army Veteran of 19 years. He joined the 1st Battalion Royal Anglian Regiment in 2000, before transferring to the Intelligence Corps in 2013 after sustaining life-long injuries in Helmand Province, Afghanistan.
In a statement, he said: “Anyone who has held a role in the Forces comes armed with an understanding of the sensitivities of working in security. Ex-Services also possess an innate ability to learn new skills and are natural problem solvers, who can work quickly and fit into a team with ease. Ex-military personnel are also the kind of people who thrive in pressurized, or time-sensitive, situations. These soft skills are incredible assets in the security and technology industries, which can be used to fill the current skills shortage in this area.”
RFEA’s Chief Executive Officer, Alistair Halliday, added: “The TechVets Programme is a fantastic new addition to RFEA’s services that will, no doubt, encourage talented veterans to consider tech and security-based roles that may have otherwise overlooked. It will also help veterans to upskill digitally to help them get into wider roles too.”
TechVets member Gareth Paterson joined the Army in 1994. He started out as a Tank crewman and then transferred to the Royal Electrical and Mechanical Engineers as an instructor in 2001. He left in 2018, having completed operational tours of Northern Ireland, Former Yugoslavia and Afghanistan. He says his life has been changed by TechVets: “I left the Army as I was at the end of my 24-year career… I did not have a clue what career to move into, then I was introduced to offensive cybersecurity and penetration testing. I joined TechVets and it gave me my first insight into the tools and techniques of penetration testing. After that, I was hooked! The support of everyone at TechVets, and its community, has helped me to gain confidence and push harder. I was able to gain qualifications in penetration testing which improved my job prospects in the sector. By November 2018 I started working as a cybersecurity consultant.”
The 1974 bombings of two pubs, killing 21 people, have become a case of justice long delayed and an enduring symbol of The Troubles.
A Downing Street feud could indicate the prime minister is ready to make the compromises needed to strike a deal with the European Union.
The British prime minister made the A team, with Emmanuel Macron and Angela Merkel, though pesky Ireland also sneaked in.
Lord Kilclooney, a member of the House of Lords, claimed not to know the vice president-elect’s name when he wrote the offending Twitter post.
He wove together history, personal demons and quiet contemplation in works that could be dark but also spoke of renewal.
When you start to think of clothes as things that can be altered, the way you see them changes.
As Britain endures a second wave of coronavirus, experts fear much worse is yet to come. But critics argue that restrictions damage the economy and threaten liberties.
Dominic Raab is arriving just as his government is taking steps in Brexit talks that could jeopardize a free-trade deal with the United States.
The British prime minister’s move to rewrite a treaty that settled Northern Ireland’s post-Brexit status raised fears that trade negotiations with the European Union could be impaired.
Even by the British prime minister’s lofty standards, his reversals this week on the two dominant issues facing his country were breathtaking.
The government’s top lawyer has quit, and even a government minister admits the prime minister’s effort to rewrite the treaty violates international law.
Scottish polling shows a majority favor independence. The prime minister is concerned.
What’s going on with the UK’s coronavirus contacts tracing app? Reports in the national press today suggest a launch of the much delayed software will happen this month but also that the app will no longer be able to automatically carry out contacts tracing.
The Times reports that a repackaged version of the app will only provide users with information about infection levels in their local area. The newspaper also suggests the app will let users provide personal data in order to calculate a personal risk score.
The Mail also reports that the scaled back software will not be able to carry out automated contacts tracing.
We’ve reached out to the Department for Health and Social Care (DHSC) with questions and will update this report with any response. DHSC is the government department leading development of the software, after the NHS’s digital division handed the app off.
As the coronavirus pandemic spread around the world this year, digital contacts tracing has been looked to as a modern tool to fight COVID-19 by leveraging the near ubiquity of smartphones to try to understand individual infection risk based on device proximity.
In the UK, an earlier attempt to launch an NHS COVID-19 app to support efforts to contain the virus by automating exposure notifications using Bluetooth signals faltered after the government opted for a model that centralized exposure data. This triggered privacy concerns and meant it could not plug into an API offered by Apple and Google — whose tech supports decentralized coronavirus contacts tracing apps.
At the same time, multiple countries and regions in Europe have launched decentralized contacts tracing apps this year. These apps use Bluetooth signals as a proxy for calculating exposure risk — crunching data on device for privacy reasons — including, most recently, Northern Ireland, which is part of the UK.
However in the UK’s case, after initially heavily publicizing the forthcoming app — and urging the public to download it in its daily coronavirus briefings (despite the app not being available nationwide) — the government appears to have stepped almost entirely away from digital contacts tracing, claiming the Apple-Google API does not provide enough data to accurately calculate exposure risk via Bluetooth.
Decentralized Bluetooth coronavirus contacts tracing apps that are up and running elsewhere in Europe have reported total downloads and sometimes other bits of data. But there’s been no comprehensive assessment of how well they’re functioning as a COVID-fighting tool.
There have been some reports of bugs impacting operation in some cases, too. So it’s tricky to measure efficacy. Although the bald fact remains that having an app means there’s at least a chance it could identify contacts otherwise unknown to users, vs having no app and so no chance of that.
The Republic of Ireland is one of the European countries with a decentralized coronavirus contacts tracing app (which means it can interoperate with Northern Ireland’s app) — and it has defended how well the software is functioning, telling the BBC last month that 91 people had received a “close contact exposure alert” since launch. Although it’s not clear how many of them wouldn’t have been picked up via manual contacts tracing methods.
A government policy paper published at the end of last month which discussed the forthcoming DHSC app said it would allow citizens to: identify symptoms; order a test; and “feel supported” if they needed to self isolate. It would also let people scan QR codes at venues they’ve visited “to aid contact tracing and help understand the spread of the virus”.
The government paper also claimed the app would let users “quickly identify when they have been exposed to people who have COVID-19 or locations that may have been the source of multiple infections” — but without providing details of how that would be achieved.
“Any services that require more information from a citizen will be provided only on the basis of explicit consent,” it added.
Ahead of the launch of this repackaged app it’s notable that DHSC disbanded an ethics committee which had been put in place to advise the NHS on the app. Once development was handed over to the government, the committee was thanked for its time and sent on its way.
Speaking to BBC Radio 4’s World at One program today, professor Lilian Edwards — who was a member of the ethics committee — expressed concern at the reports of the government’s latest plans for the app.
“Although the data collection is being presented as voluntary it’s completely non-privacy preserving,” she told the program, discussing The Times’ report which suggests users will be nudged to provide personal data with the carrot of a ‘personal risk score’. “It’s going to involve the collection of a lot of personal, sensitive data — perhaps your health status, your retirement status, your occupation etc.
“This seems, again, an odd approach given that we know one of the reasons why the previous app didn’t really take off was because there was rather a loss of public trust and confidence in it, because of the worries partly about privacy and about data collection — it not being this privacy-preserving decentralized approach.”
“To mix the two up seems a strange way to go forward to me in terms of restoring and embedding that trust and confidence that your data won’t be shared with people you don’t want it to be,” Edwards added. “Like maybe insurers. Or repurposed in ways that you don’t know about. So it seems rather contrary to the mission of restoring trust and confidence in the whole test and trace endeavour.”
Concerns have also been raised about another element of the government’s digital response to the coronavirus — after it rushed to ink contracts with a number of tech giants, including Palantir and Google, granting them access to NHS data.
It was far less keen to publish details of these contracts — requiring a legal challenge by Open Democracy, which is warning over the impact of “Silicon Valley thinking” applied to public health services.
In another concerning development, privacy experts warned recently that the UK’s test and trace program as a whole breaches national data protection laws, after it emerged last month that the government failed to carry out a legally required privacy impact assessment ahead of launch.
The politician’s campaign for peace was seen as a driving force behind an end to 25 years of sectarian conflict in the territory.
The UK has given up building a centralized coronavirus contacts tracing app and will instead switch to a decentralized app architecture, the BBC has reported. This means its future app will be capable of plugging into the joint ‘exposure notification’ API which has been developed in recent weeks by Apple and Google.
The UK’s decision to abandon a bespoke app architecture comes more than a month after ministers had been reported to be eyeing such a switch. They went on to award a contract to an IT supplier to develop a decentralized tracing app in parallel as a backup but continued to test the centralized app, called NHS COVID-19.
A number of European countries have now successfully launched contacts tracing apps with a decentralized app architecture that’s able to plug into the ‘Gapple’ API — including Denmark, Germany, Italy, Latvia and Switzerland. Several more such apps remain in testing. While EU Member States just agreed on a technical framework to enable cross-border interoperability of apps based on the same architecture.
Germany — which launched its ‘Corona Warning App’ this week — announced the software had been downloaded 6.5M times in the first 24 hours.
The UK’s NHS COVID-19 app, meanwhile, has faced a plethora of technical barriers and privacy challenges as a direct consequence of the government’s decision to opt for a proprietary system which uploads proximity data to a central server, rather than processing exposure notifications locally on device.
Apple and Google’s API, which is being used by all Europe’s decentralized apps, does not support centralized app architectures — meaning the UK app faced challenges related to accessing Bluetooth in the background.
The centralized choice also raised big questions around cross-border interoperability, as we’ve explained before. So the UK’s move to abandon the approach and adopt a decentralized model is hardly surprising — although the time it’s taken the government to arrive at the obvious conclusion does raise some major questions over its competence at handling technology projects.
Perhaps unsurprisingly, ministers are now heavily de-emphasizing the importance of having an app in the fight against the coronavirus at all. The Department for Health and Social Care’s Lord Bethell told the Science and Technology Committee yesterday the app will not now be ready until the winter. “We’re seeking to get something going for the winter, but it isn’t a priority for us,” he said.
Yet the centralized version of the NHS COVID-19 app has been in testing in a limited geographical pilot on the Isle of Wight since early May — and up until the middle of last month health minister, Matt Hancock, had said it would be rolled out nationally in mid May.
Of course that timeframe came and went without launch. And now the launch is being booted right into the back end of the year. Compare and contrast that with government messaging at its daily coronavirus briefings back in May — when Hancock made “download the app” one of the key slogans.
Michael Veale, a lecturer in digital rights and regulation at UCL — who has been involved in the development of the DP3T decentralized contacts tracing standard, which influenced Apple and Google’s choice of API — welcomed the UK’s decision to ditch a centralized app architecture but questioned why the government has wasted so much time.
“This is a welcome, if a heavily and unnecessarily delayed, move by NHSX,” Veale told TechCrunch. “The Google-Apple system in a way is home-grown: Originating with research at a large consortium of universities led by Switzerland and including UCL in the UK. NHSX has no end of options and no reasonable excuse to not get the app out quickly now. Germany and Switzerland both have high quality open source code that can be easily adapted. The NHS England app will now be compatible with Northern Ireland, the Republic of Ireland, and also the many destinations for holidaymakers in and out of the UK.”
NHSX relayed our request for comment on the switch to a decentralized system and the new timeframe for an app launch to the Department of Health and Social Care — but the department had not responded to us at the time of publication.
Earlier this week the BBC reported that a former Apple executive, Simon Thompson, was taking charge of the delayed app project — while the two lead managers, the NHSX’s Matthew Gould and Geraint Lewis — were reported to be stepping back.
Government briefings to the press today have included suggestions that app testers on the Isle of Wight told it they were not comfortable receiving COVID-19 notifications via text message — and that the human touch of a phone call is preferred.
However none of the European countries that have already deployed contacts tracing apps has promoted the software as a one-stop panacea for tackling COVID-19. Rather tracing apps are intended to supplement manual contacts tracing methods — the latter involving the use of trained humans making phone calls to people who have been diagnosed with COVID-19 to ask who they might have been in contact with over the infectious period.
Even with major resource put into manual contacts tracing, apps — which use Bluetooth signals to estimate proximity between smartphone users in order to calculate virus exposure risk — could still play an important role by, for example, being able to trace strangers who are sat near an infected person on public transport.
Those who want to remake a police model that has set off unrest and despair would do well to look at the experiences of Asia, Africa and Europe.
A major question mark attached to national coronavirus contacts tracing apps is whether they will function when citizens of one country travel to another. Or will people be asked to download and use multiple apps if they’re traveling across borders?
Having to use multiple apps when travelling would further complicate an unproven technology which seeks to repurpose standard smartphone components for estimating viral exposure — a task for which our mobile devices were never intended.
In Europe, where a number of countries are working on smartphone apps that use Bluetooth radios to try to automate some contacts tracing by detecting device proximity, the interoperability challenge is particularly pressing, given the region is criss-crossed with borders. Although, in normal times, European Union citizens can all but forget they exist thanks to agreements intended to facilitate the free movement of EU people in the Schengen Area.
Currently, with many EU countries still in degrees of lockdown, there’s relatively little cross border travel going on. But the European Commission has been focusing attention on supporting the tourism sector during the coronavirus crisis — proposing a tourism & transport package this week which sets out recommendations for a gradual and phased lifting of restrictions.
Once Europeans start traveling again, the effectiveness of any national contacts tracing apps could be undermined if systems aren’t able to talk to each other. In the EU, this could mean, for example, a French citizen who travels to Germany for a business trip — where they spend time with a person who subsequently tests positive for COVID — may not be warned of the exposure risk. Or indeed, vice versa.
In the UK, which remains an EU member until the end of this year (during the Brexit transition period), the issue is even more pressing — given Ireland’s decision to opt for a decentralized app architecture for its national app. Over the land border in Northern Ireland, which is part of the UK, the national app would presumably be the centralized system that’s being devised by the UK’s NHSX. And the NHSX’s CEO has admitted this technical division presents a specific challenge for the NHS COVID-19 app.
There are much broader questions over how useful (or useless) digital contacts tracing will prove to be in the fight against the coronavirus. But it’s clear that if such apps don’t interoperate smoothly in a multi-country region such as Europe there will be additional, unhelpful gaps opening up in the data.
Any lack of cross-border interoperability will, inexorably, undermine functionality — unless people give up travelling outside their own countries for good.
EU interoperability as agreed goal
EU Member States recognize this, and this week agreed to a set of interoperability guidelines for national apps — writing that: “Users should be able to rely on a single app independently of the region or Member State they are in at a certain moment.”
The full technical detail of interoperability is yet to be figured out — “to ensure the operationalisation of interoperability as soon as possible”, as they put it.
But the intent is to work together so that different apps can share a minimum of data to enable exposure notifications to keep flowing as Europeans travel around the region, as (or once) restrictions are lifted.
“Whatever the approach taken with approved apps, all Member States and the Commission consider that interoperability between these apps and between backend systems is essential for these tools to enable the tracing of cross-border infection chains,” they write. “This is particularly important for cross-border workers and neighbouring countries. Ultimately, this effort will support the gradual lifting of border controls within the EU and the restoration of freedom of movement. These tools should be integrated with other tools contemplated in the COVID-19 contact tracing strategy of each Member State.”
European users should be able to expect interoperability. But whether smooth cross-border working will happen in practice remains a major question mark. Getting multiple different health systems and apps that might be calculating risk exposure in slightly different ways to interface and share the relevant bits of data in a secure way is itself a major operational and technical challenge.
However this is made even more of a headache given ongoing differences between countries over the core choice of app architecture for their national coronavirus contacts tracing.
This boils down to a choice of either a decentralized or centralized approach — with decentralized protocols storing and processing data locally on smartphones (i.e. the matching is done on device); and centralized protocols that upload exposure data and perform matching on a central server which is controlled by a national authority, such as a health service.
While there look to be clear paths for interoperability between different decentralized protocols — here, for example, is a detailed discussion document written by backers of different decentralized protocols on how proximity tracing systems might interoperate across regions — interoperability between decentralized and centralized protocols, which are really polar opposite approaches, looks difficult and messy to say the least.
And that’s a big problem if we want digital contacts tracing to smoothly take place across borders.
(Additionally, some might say that if Europe can’t agree on a common way forward vis-a-vis a threat that affects all the region’s citizens it does not reflect well on the wider ‘European project’; aka the Union to which many of the region’s countries belong. But health is a Member State competence, meaning the Commission has limited powers in this area.)
In the eHealth Network ‘Interoperability guidelines’ document Member States agree that interoperability should happen regardless of which app architecture a European country has chosen.
But a section on cross-border transmission chains can’t see a way forward on how exactly to do that yet [emphasis ours] — i.e. beyond general talk of the need for “trusted and secure” mechanisms:
Solutions should allow Member States’ servers to communicate and receive relevant keys between themselves using a trusted and secure mechanism.
Roaming users should upload their relevant proximity encounter information to the home country backend. The other Member State(s) should be informed about possible infected or exposed users*.
*For roaming users, the question of to which servers the relevant proximity contacts details should be sent will be further explored during technical discussions. Interoperability questions will also be explored in relation to how a users’ app should behave after confirmed as COVID-19 positive and the possible need for a confirmation of infection free.
Conversely, the 19 academics behind the proposal for interoperability of different decentralized contacts tracing protocols, do include a section at the end of the document discussing how, in theory, such systems could plug into ‘alternatives’: aka centralized systems.
But it’s thick with privacy caveats.
Privacy risks of crossing system streams
The academics warn that while interoperability between decentralized and centralized systems “is possible in principle, it introduces substantial privacy concerns” — writing that, on the one hand, decentralized systems have been designed specifically to avoid the ability of a central authority being able to recover the identity of users; and “consequently, centralized risk calculation cannot be used without severely weakening the privacy of users of the decentralized system”.
While, on the other, if decentralized risk calculation is used as the ‘bridge’ to achieve interoperability between the two philosophically opposed approaches — by having centralized systems “publish a list of all decentralized ephemeral identifiers it believes to be at risk of infection due to close proximity with positive-tested users of the centralized system” — then it would make it easier for attackers to target centralized systems with reidentification attacks of any positive-tested users. So, again, you get additional privacy risks.
“In particular, each user of the decentralized system would be able to recover the exact time and place they were exposed to the positive-tested individual by comparing their list of recorded ephemeral identifiers which they emitted with the list of ephemeral identifiers published by the server,” they write, specifying that the attack would reveal in which “15 minute” an app user was exposed to a COVID-positive person.
And while they concede there’s a similar risk of reidentification attacks against all forms of decentralized systems, they contend this is more limited — given that decentralized protocol design is being used to mitigate this risk “by only recording coarse timing information”, such as six-hour intervals.
So, basically, the argument is there’s a greater chance that you might only encounter one other person in a 15 minute interval (and therefore could easily guess who might have given you COVID) vs a six-hour window. Albeit, with populations likely to continue to be encouraged to stay at home as much as possible for the foreseeable future, there is still a chance a user of a decentralized system might only pass one other person over a larger time interval too.
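The granularity argument above can be made concrete with a small model, added here as an illustration and not taken from the academics' document or any app's code. It assumes a constructed one-day encounter diary with made-up labels, and reporting windows aligned to midnight, and returns the set of people a user could suspect once a notice reveals which window the exposure fell in.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed diary of one app user's day: (time of encounter, person met).
# All times and labels are invented for this illustration.
ENCOUNTERS = [
    ("2020-05-14 08:05", "neighbour"),
    ("2020-05-14 09:40", "bus passenger"),
    ("2020-05-14 09:50", "colleague A"),
    ("2020-05-14 11:20", "colleague B"),
    ("2020-05-14 13:10", "cafe server"),
    ("2020-05-14 18:30", "shop cashier"),
]


def window_start(ts, minutes):
    """Floor a timestamp to the start of its reporting window.

    Windows are assumed to be aligned to midnight (an assumption of this
    example, not a detail given in the article).
    """
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = int((ts - midnight).total_seconds() // 60)
    return midnight + timedelta(minutes=(elapsed // minutes) * minutes)


def candidates(encounters, exposure_time, window_minutes):
    """Return everyone the user met in the window an exposure notice reveals.

    The smaller this set, the easier it is to guess who tested positive;
    a set of size one means the positive person is effectively identified.
    """
    target = window_start(datetime.strptime(exposure_time, FMT), window_minutes)
    return sorted({
        who
        for when, who in encounters
        if window_start(datetime.strptime(when, FMT), window_minutes) == target
    })


if __name__ == "__main__":
    for label, minutes in (("15-minute", 15), ("six-hour", 360)):
        for exposure in ("2020-05-14 11:20", "2020-05-14 18:30"):
            found = candidates(ENCOUNTERS, exposure, minutes)
            print(f"{label} window, exposure at {exposure}: {found}")
```

The evening encounter shows the caveat in the paragraph above: even a six-hour window leaves a single candidate when the user met only one person in it.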
As trade offs go, the argument made by backers of decentralized systems is they’re inherently focused on the risks of reidentification — and actively working on ways to mitigate and limit those risks by system design — whereas centralized systems gloss over that risk entirely by assuming trust in a central authority to properly handle and process device-linked personal data. Which is of course a very big assumption.
While such fine-grained details may seem incredibly technical for the average user to need to digest, the core associated concern for coronavirus apps generally — and interoperability specifically — is that users need to be able to trust apps to use them.
So even if a person trusts their own government to handle their sensitive health data, they may be less inclined to trust another country’s government. Which means there could be some risk that centralized systems operating within a multi-country region such as Europe might end up polluting the ‘trust well’ for these apps more generally — depending on exactly how they’re made to interoperate with decentralized systems.
The latter are designed so users don’t have to trust an authority to oversee their personal data. The former are absolutely not. So it’s really chalk and cheese.
Ce n’est pas un problème?
At this point, momentum among EU nations has largely shifted behind decentralized protocols for coronavirus contacts tracing apps. As previously reported, there has been a major battle between different EU groups supporting opposing approaches. And — in a key shift — privacy concerns over centralized systems being associated with governmental ‘mission creep’ and/or a lack of citizen trust appear to have encouraged Germany to flip to a decentralized model.
Apple and Google’s decision to support decentralized systems for the contacts tracing API they’re jointly developing, and due to release later this month (sample code is out already), has also undoubtedly weighted the debate in favor of decentralized protocols.
Not all EU countries are aligned at this stage, though. Most notably France remains determined to pursue a centralized system for coronavirus contacts tracing.
As noted above, the UK has also been building an app that’s designed to upload data to a central server. Although it’s reportedly investigating switching to a decentralized model in order to be able to plug into the Apple and Google API — given technical challenges on iOS associated with background Bluetooth access.
Another outlier is Norway — which has already launched a centralized app (which also collects GPS data — against Commission and Member States’ own recommendations that tracing apps should not harvest location data).
High level pressure is clearly being applied, behind the scenes and in public, for EU Member States to agree on a common approach for coronavirus contacts tracing apps. The Commission has been urging this for weeks. Even as French government ministers have preferred to talk in public about the issue as a matter of technological sovereignty — arguing national governments should not have their health policy decisions dictated to them by U.S. tech giants.
“It is for States to choose their architecture and requests were made to Apple to enable both [centralized and decentralized systems],” a French government spokesperson told us late last month.
While there may well be considerable sympathy with that point of view in Europe, there’s also plenty of pragmatism on display. And, sure, some irony — given the region markets itself regionally and globally as a champion of privacy standards. (No shortage of op-eds have been penned in recent weeks on the strange sight of tech giants seemingly schooling EU governments over privacy; while veteran EU privacy advocates have laughed nervously to find themselves fighting in the same camp as data-mining giant Google.)
Commission EVP Margrethe Vestager could also be heard on BBC radio this week suggesting she wouldn’t personally use a coronavirus contacts tracing app that wasn’t built atop a decentralized app architecture. Though the Brexit-focused UK government is unlikely to have an open ear for the views of Commission officials, even piped through establishment radio news channels.
The UK may be forced to listen to technological reality though, if its workaround for iOS Bluetooth background access proves as flakey as analysis suggests. And it’s telling that the NHSX is funding parallel work on an app that could plug into the Apple-Google API, per reports in the FT, which would mean abandoning the centralized architecture.
Which leaves France as the highest profile hold-out.
In recent weeks a team at Inria, the government research agency that’s been working on its centralized ROBERT coronavirus contacts tracing protocol, proposed a third way for exposure notifications — called DESIRE — which was billed as an evolution of the approach “leveraging the best of centralized and decentralized systems”.
The new idea is to add a new secret cryptographically generated key to the protocol, called Private Encounter Tokens (PETs), which would encode encounters between users — as a way to provide users with more control over which identifiers they disclose to a central server, and thereby avoid the system harvesting social graph data.
“The role of the server is merely to match PETs generated by diagnosed users with the PETs provided by requesting users. It stores minimal pseudonymous data. Finally, all data that are stored on the server are encrypted using keys that are stored on the mobile devices, protecting against data breach on the server. All these modifications improve the privacy of the scheme against malicious users and authority. However, as in the first version of ROBERT, risk scores and notifications are still managed and controlled by the server of the health authority, which provides high robustness, flexibility, and efficacy,” the Inria team wrote in the proposal.
The DP-3T consortium, backers of an eponymous decentralized protocol that’s gained widespread backing from governments in Europe — including Germany’s, followed up with a “practical assessment” of Inria’s proposal — in which they suggest the concept makes for “a very interesting academic proposal, but not a practical solution”; given limitations in current mobile phone Bluetooth radios and, more generally, questions around scalability and feasibility. (tl;dr this sort of idea could take years to properly implement and the coronavirus crisis hardly involves the luxury of time.)
The DP-3T analysis is also heavily skeptical that DESIRE could be made to interoperate with either existing centralized or decentralized proposals — suggesting a sort of ‘worst of both worlds’ scenario on the cross-border functionality front. So, er…
One person familiar with EU Member States’ discussions about coronavirus tracing apps and interoperability, who briefed TechCrunch on condition of anonymity, also suggested the DESIRE proposal would not fly given its relative complexity (vs the pressing need to get apps launched soon if they are to be of any use in the current pandemic). This person also pointed to question marks over required bandwidth and impact on device battery life. For DESIRE to work they suggested it would need universal uptake by all Europe’s governments — and every EU nation agreeing to adopt a French proposal would hardly carry the torch for nation state sovereignty.
What France does with its tracing app remains a key unanswered question. (An earlier planned debate on the issue in its parliament was shelved.) It is a major EU economy and, where interoperability is concerned, simple geography makes it a vital piece of the Western European digital puzzle, given it has land borders (and train links into) a large number of other countries.
We reached out to the French government with questions about how it proposes to make its national coronavirus contacts tracing app interoperable with decentralized apps that are being developed elsewhere across the EU — but at the time of writing it had not responded to our email.
This week in a video interview with BFM Business, the president of Inria, Bruno Sportisse, was reported to have expressed hope that the app will be able to interoperate by June — but also said in an interview that if the project is unsuccessful “we will stop it”.
“We’re working on making those protocols interoperable. So it’s not something that is going to be done in a week or two,” Sportisse also told BFM (translated from French by TechCrunch’s Romain Dillet). “First, every country has to develop its own application. That’s what every country is doing with its own set of challenges to solve. But at the same time we’re working on it, and in particular as part of an initiative coordinated by the European Commission to make those protocols interoperable or to define new ones.”
One thing looks clear: Adding more complexity further raises the bar for interoperability. And development timeframes are necessarily tight.
The pressing imperatives of a pandemic crisis also make talk of technological sovereignty sound a bit of, well, a bourgeois indulgence. So France’s ambition to single-handedly define a whole new protocol for every nation in Europe comes across as simultaneously tone-deaf and flat-footed — perhaps especially in light of Germany’s swift U-turn the other way.
In a pinch and a poke, European governments agreeing to coalesce around a common approach — and accepting a quick, universal API fix which is being made available at the smartphone platform level — would also offer a far clearer message to citizens. Which would likely help engender citizen trust in and adoption of national apps — that would, in turn, give the apps a greater chance of utility. A pan-EU common approach might also feed tracing apps’ utility by yielding fewer gaps in the data. The benefits could be big.
However, for now, Europe’s digital response to the coronavirus crisis looks messier than that — with ongoing wrinkles and questions over how smoothly different national apps will be able to work together as countries opt to go their own way.
A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.
The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users to try to automate some contacts tracing based on an algorithmic assessment of users’ infection risk.
The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.
“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.
“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.
“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”
The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.
The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.
Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.
Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.
The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.
“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.
In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”
The committee’s view is Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.
“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says must include a number of “provisions and protections”.
Among the protections the committee is calling for are limits on who has access to data and for what purpose.
“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.
It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.
The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.
“Without clear efficacy and benefits of the app, the level of data being collected will not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.
The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.
It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.
A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.
The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.
Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.
We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.
There’s another element to this fast moving story: Yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contacts tracing. Although NHSX has not confirmed any such switch at this point.
Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.
The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”
The UK has this week started testing a coronavirus contacts-tracing app which NHSX, a digital arm of the country’s National Health Service, has been planning and developing since early March. The test is taking place in the Isle of Wight, a 380 km² island off the south coast of England, with a population of around 140,000.
The NHS COVID-19 app uses Bluetooth Low Energy handshakes to register proximity events (aka ‘contacts’) between smartphone users, with factors such as the duration of the ‘contact event’ and the distance between the devices feeding an NHS clinical algorithm that’s being designed to estimate infection risk and trigger notifications if a user subsequently experiences COVID-19 symptoms.
The government is promoting the app as an essential component of its response to fighting the coronavirus — the health minister’s new mantra being: ‘Protect the NHS, stay home, download the app’ — and the NHSX has said it expects the app to be “technically” ready to deploy two to three weeks after this week’s trial.
However there are major questions over how effective the tool will prove to be, especially given the government’s decision to ‘go it alone’ on the design of its digital contacts-tracing system — which raises some specific technical challenges linked to how modern smartphone platforms operate, as well as around international interoperability with other national apps targeting the same purpose.
In addition, the UK app allows users to self report symptoms of COVID-19 — which could lead to many false alerts being generated. That in turn might trigger notification fatigue and/or encourage users to ignore alerts if the ratio of false alarms exceeds genuine alerts.
Keep calm and download the app?
How users will generally respond to this technology is a major unknown. Yet mainstream adoption will be needed to maximize utility; not just one-time downloads. Dealing with the coronavirus will be a marathon not a sprint — which means sustaining usage will be vital to the app functioning as intended. And that will require users to trust that the app is both useful for the claimed public health purpose, by being effective at shrinking infection risk, and also that using it will not create any kind of disadvantages for them personally or for their friends and family.
The NHSX has said it will publish the code for the app, the DPIA (data protection impact assessment) and the privacy and security models — all of which sounds great, though we’re still waiting to see those key details. Publishing all that before the app launches would clearly be a boon to user trust.
A separate consideration is whether there should be a dedicated legislation wrapper put around the app to ensure clear and firm legal bounds on its use (and to prevent abuse and data misuse).
As it stands the NHS COVID-19 app is being accelerated towards release without this — relying on existing legislative frameworks (with some potential conflicts); and with no specific oversight body to handle any complaints. That too could impact user trust.
The overarching idea behind digital contacts tracing is to leverage uptake of smartphone technology to automate some contacts tracing, with the advantage that such a tool might be able to register fleeting contacts, such as between strangers on the street or public transport, that may be more difficult for manual contacts-tracing methods to identify. Though whether these sorts of fleeting contacts create a significant risk of infection with the SARS-CoV-2 virus has not yet been quantified.
All experts are crystal clear on one thing: Digital contacts tracing is only going to be — at very best — a supplement to manual contact tracing. People who do not own or carry smartphones or who do not or cannot use the app obviously won’t register in any captured data. Technical issues may also create barriers and data gaps. It’s certainly not a magic bullet — and may, in the end, turn out to be ill-suited for this use case (we’ve written a general primer on digital contacts tracing here).
One major component of the UK approach is that it’s opted to create a so-called ‘centralized’ system for coronavirus contacts tracing — which leads to a number of specific challenges.
While the NHS COVID-19 app stores contacts events on the user’s device initially, at the point when (or if) a user chooses to report themselves having coronavirus symptoms then all their contacts events data is uploaded to a central server. This means it’s not just a user’s own identifier but a list of any identifiers they have encountered over the past 28 days — so, essentially, a graph of their recent social interactions.
This data cannot be deleted after the fact, according to the NHSX, which has also said it may be used for “research” purposes related to public health — raising further questions around privacy and trust.
Questions around the legal bases for this centralized approach also remain to be answered in detail by the government. UK and EU data protection law emphasize data minimization as a key principle; and while there’s flexibility built into these frameworks for a public health emergency there is still a requirement on the government to detail and justify key data processing decisions.
The UK’s decision to centralize contacts data has another obvious and immediate consequence: It means the NHS COVID-19 app will not be able to plug into an API that’s being jointly developed by Apple and Google to provide technical support for Bluetooth-based national contacts-tracing apps — and due to be released this month.
The tech giants have elected to support decentralized app architectures for these apps — which, conversely, do not centralize social graph data. Instead, infection risk calculations are performed locally on the device.
By design, these approaches avoid providing a central authority with information on who infected whom.
In the decentralized scenario, an infected user consents to their ephemeral identifier being shared with other users so apps can do matching locally, on the end-user device — meaning exposure notifications are generated without a central authority needing to be in the loop. (It’s also worth noting there are ways for decentralized protocols to feed aggregated contact data back to a central authority for epidemiological research, though the design is intended to prevent users’ social graph being exposed. A system of ‘exposure notification’, as Apple and Google are now branding it, has no need for such data, is their key argument. The NHSX counters that by suggesting social graph data could provide useful epidemiological insights — such as around how the virus is being spread.)
At the point a user of the NHS COVID-19 app experiences symptoms or gets a formal coronavirus diagnosis — and chooses to inform the authorities — the app will upload their recent contacts to a central server where infection risk calculations are performed.
The system will then send exposure notifications to other devices — in instances where the software deems there may be a risk of infection. Users might, for example, be asked to self isolate to see if they develop symptoms after coming into contact with an infected person, or told to seek a test to determine if they have COVID-19 or not.
A key detail here is that users of the NHS COVID-19 app are assigned a fixed identifier — basically a large, random number — which the government calls an “installation ID”. It claims this identifier is ‘anonymous’. However this is where political spin in service of encouraging public uptake of the app is being allowed to obscure a very different legal reality: A fixed identifier linked to a device is in fact pseudonymous data, which remains personal data under UK and EU law. Because, while the user’s identity has been ‘obscured’, there’s still a clear risk of re-identification.
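The contrast drawn above, between matching rotating identifiers locally and uploading a proximity log keyed to a fixed installation ID, as an added Python sketch that is not code from NHSX, Apple, Google or DP-3T. The HMAC-based ID derivation, the 96 intervals per day, the class names and the Alice/Bob/Carol scenario are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumption: one rotating ID per 15-minute interval


def ephemeral_id(day_key: bytes, interval: int) -> bytes:
    """Rotating broadcast ID derived from a per-day secret (illustrative KDF)."""
    msg = b"ephid" + interval.to_bytes(2, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class DecentralizedPhone:
    def __init__(self):
        self.day_keys = {}  # day -> secret; stays on the phone unless reported
        self.heard = set()  # (day, ephemeral ID) pairs logged locally

    def broadcast(self, day, interval):
        key = self.day_keys.setdefault(day, secrets.token_bytes(32))
        return ephemeral_id(key, interval)

    def hear(self, day, eph):
        self.heard.add((day, eph))

    def report(self):
        # A diagnosed user publishes only their own keys, not who they met.
        return sorted(self.day_keys.items())

    def exposure_intervals(self, published):
        # Matching runs on the handset: re-derive IDs and compare with the log.
        return sum(
            (day, ephemeral_id(key, i)) in self.heard
            for day, key in published
            for i in range(INTERVALS_PER_DAY)
        )


class CentralizedPhone:
    def __init__(self):
        self.installation_id = secrets.token_hex(16)  # fixed for the install
        self.contacts = []  # (day, interval, other phone's installation ID)

    def hear(self, day, interval, other_id):
        self.contacts.append((day, interval, other_id))

    def report(self):
        # The whole proximity log is uploaded together with the reporter's ID.
        return {"reporter": self.installation_id, "contacts": list(self.contacts)}


class CentralServer:
    def __init__(self):
        self.edges = set()  # (reporter, contact) pairs: a centrally held graph

    def receive(self, upload):
        for _day, _interval, other in upload["contacts"]:
            self.edges.add((upload["reporter"], other))

    def to_notify(self):
        return {other for _reporter, other in self.edges}


def run_scenario():
    """Constructed scenario: Alice meets Bob for two intervals, Carol meets nobody."""
    alice, bob, carol = (DecentralizedPhone() for _ in range(3))
    for interval in (40, 41):
        bob.hear(0, alice.broadcast(0, interval))
        alice.hear(0, bob.broadcast(0, interval))
    published = alice.report()  # everything the decentralized server stores

    c_alice, c_bob, c_carol = (CentralizedPhone() for _ in range(3))
    server = CentralServer()
    for interval in (40, 41):
        c_alice.hear(0, interval, c_bob.installation_id)
        c_bob.hear(0, interval, c_alice.installation_id)
    server.receive(c_alice.report())

    return {
        "dec_server_records": published,
        "dec_bob_hits": bob.exposure_intervals(published),
        "dec_carol_hits": carol.exposure_intervals(published),
        "cen_server_edges": server.edges,
        "cen_notified": server.to_notify(),
        "cen_ids": tuple(p.installation_id for p in (c_alice, c_bob, c_carol)),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("decentralized server holds", len(result["dec_server_records"]), "day key(s)")
    print("centralized server holds edges:", result["cen_server_edges"])
```

In the decentralized run the server ends up with Alice's day key and nothing about Bob, while in the centralized run it holds the pair of installation IDs linking them.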
Truly ‘anonymous’ data is a very high bar to achieve when you’re dealing with large data-sets. In the NHS COVID-19 app case there’s no reason beyond spin for the government to claim the data is “anonymous”; given the system design involves a device-linked fixed identifier that’s uploaded to a central authority alongside at least some geographical data (a partial postcode: which the app also asks users to input — so “the NHS can plan your local NHS response”, per the official explainer).
The NHSX has also said future versions of the app may ask users to share even more personal data, including their location. (And location data-sets are notoriously difficult to defend against re-identification.)
Nonetheless the government has maintained that individual users of the app will not be identified. But under such a system architecture this assertion sums to ‘trust us with your data’; the technology itself has not been designed to remove the need for individual users to trust a central authority, as is the case with bona fide decentralized protocols.
This is why Apple and Google are opting to support the latter approach — it cuts the internationally thorny issue of ‘government trust’ out of their equation.
However it also means governments that do want to centralize data face a technical headache to get their apps to function smoothly on the only two smartphone platforms that matter.
Technical and geopolitical headaches
The specific technical issue here relates to how these mainstream platforms manage background access to Bluetooth.
Using Bluetooth as a proxy for measuring coronavirus infection risk is of course a very new and novel technology. Singapore was reported to be the first country to attempt this. Its TraceTogether app, which launched in March, reportedly gained only limited (<20%) uptake — with technical issues on iOS being at least partly blamed for the low uptake.
The problem that the TraceTogether app faced initially is the software needed to be actively running and the iPhone open (not locked) for the tracing function to work. That obviously interferes with the normal multitasking of the average iPhone user — discouraging usage of the app.
It’s worth emphasizing that the UK is doing things a bit differently vs Singapore, though, in that it’s using Bluetooth handshakes rather than a Bluetooth advertising channel to power the contacts logging.
The NHS COVID-19 app has been designed to listen passively for other Bluetooth devices and then wake up in order to perform the handshake. This is intended as a workaround for these platform limits on background Bluetooth access. However it is still a workaround — and there are ongoing questions over how robustly it will perform in practice.
An analysis by The Register suggests the app will face a fresh set of issues in that iPhones specifically will fail to wake each other up to perform the handshakes — unless there’s also an Android device in the vicinity. If correct, it could result in big gaps in the tracing data (around 40% of UK smartphones run iOS vs 60% running Android).
Battery drain may also resurface as an issue with the UK system, though the NHSX has claimed its workaround solves this. (Though it’s not clear if they’ve tested what happens if an iPhone user switches on a battery saving mode which limits background app activity, for example.)
Other Bluetooth-based contact-tracing apps that have tried to work around platform limits have also faced issues with interference related to other Bluetooth devices — such as Australia’s recently launched app. So there are a number of potential issues that could trouble performance.
Being outside the Apple-Google API also certainly means the UK app is at the mercy of future platform updates which could derail the specific workaround. Best laid plans that don’t involve using an official interface as your plug are inevitably operating on shaky ground.
Finally, there’s a huge and complex issue that’s essentially being glossed over by government right now: Interoperability with other national apps.
How will the UK app work across borders? What happens when Brits start travelling again? With no obvious route for centralized vs decentralized systems to interface and play nice with each other there’s a major question mark over what happens when UK citizens want to travel to countries with decentralized systems (or indeed vice versa). Mandatory quarantines because the government picked a less interoperable app architecture? Let’s hope not.
Notably, the Republic of Ireland has opted for a decentralized approach for its national app, whereas Northern Ireland, which is part of the UK but shares a land border with the Republic, will — barring any NHSX flip — be saddled with a centralized and thus opposing choice. It’s the Brexit schism all over again in app form.
Earlier this week the NHSX was asked about this cross-border issue by a UK parliamentary committee — and admitted it creates a challenge “we’ll have to work through”, though it did not suggest how it proposes to do that.
And while that’s a very pressing backyard challenge, the same interoperability gremlins arise across the English Channel — where a number of European countries are opting for decentralized apps, including Estonia, Germany and Switzerland. While Apple and Google’s choice at the platform level means future US apps may also be encouraged down a decentralized route. (The two US tech giants are demonstrably flexing their market power to press on and influence governments’ app design choices internationally.)
So countries that fix on a ‘DIY’ approach for the digital component of their domestic pandemic response may find it leads to some unwelcome isolation for their citizens at the international level.