FT: NHS Exploring Shift to Native Exposure Notification API Built by Apple and Google ⇥ ft.com

Tim Bradshaw, Sarah Neville, and Helen Warrell, Financial Times:

Contract documents obtained by Tussell, a data provider on UK government contracts and expenditure, and shared with the Financial Times, show that the London office of Zuhlke Engineering, a Switzerland-based IT development firm, has been awarded a new multimillion pound contract by NHSX, the state-funded health service’s digital innovation arm. The six-month contract to develop and support the Covid-19 contact tracing app is worth £3.8m and was due to begin on Wednesday, the documents show. 

The contract includes a requirement to “investigate the complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs [application programming interfaces] within the existing proximity mobile application and platform”. The work is described as a “two week timeboxed technical spike”, suggesting it is still at a preliminary phase, but with a deadline of mid-May. An application programming interface is the means by which software developers access certain functions of a device’s operating system.

This comes just days after the NHS revealed how its contact tracing app will work and attempted to alleviate privacy concerns about its centralized design.

Given that Apple and Google’s API isn’t available yet, it is unsurprising that jurisdictions around the world have built their own contact tracing apps. Many, including Alberta’s, are forks of Singapore’s open source TraceTogether app. France and the U.K., meanwhile, opted to create their own from scratch, and that has tradeoffs. Apps that do not use the system exposure notification API have limited functionality — for example, the FAQ for Alberta’s app says:

The app has been developed to disable the automatic screen lock timer. This means your phone will not automatically lock while the app is open. If you need to use other apps, just remember to switch back to the ABTraceTogether app once you’re done.

Requiring that users remember to foreground an app which kills their battery is not an effective strategy. The NHS says that its own app must exchange a token with another user at least every thirty minutes for it to remain running in the background. Among the many questions facing Apple and Google about their API is how many regions will switch their apps to it when it becomes widely available later this month.

Joseph Cox, Vice:

“The app is ‘working’ for tens of thousands of people,” Tim Brookins, CEO of Proud Crowd, which designed the app called Care19 on behalf of North and South Dakota, told Motherboard in an email. “There are some cases, many in early versions of the app, where we missed more visited places,” he added. Brookins also works at Microsoft.

[…]

Brookins explained that the phone decides what sort of location data to gather, be that cell tower or otherwise, based on what is available. “It heavily favors cell tower and wifi sniffing as those are the lowest power options by far.”

“However, there is no way the phone will wake up every five minutes and spin up the GPS. It would drain your battery. So this is a good example of where we could miss a visit. If a farmer in the country drives to visit his neighbor farmer and neither has wifi, we will likely miss it. However, most commercial places you would visit would be in a place where there is some wifi spots, etc… so it isn’t very common,” he added.

[…] The North Dakota page announcing the app reads, “It will incorporate the joint Bluetooth proximity tracking technology that Apple/Google announced to be released mid-May.”

Beyond an app that may miss some data points, experts argue that an application by itself will not be enough for effective contact tracing. That will also require a large amount of human labor alongside a technological solution.

Contact tracing apps can be a useful tool, but only if they are accurate and consistent, and allow further action to be taken by human contact tracers. For privacy, performance, and efficacy, it is far preferable to use Apple and Google’s implementation — but even that can only be of assistance to a human being.