Impact case study database
Enabling privacy-preserving COVID-19 proximity tracing globally and protecting citizens from surveillance overreach during the COVID-19 pandemic
1. Summary of the impact
As the advent of COVID-19 forced rapid development of contact tracing technology, and created major new questions around digital privacy and rights, UCL Laws research on this technology had two broad impacts:
(i) Globally, analysis of privacy and data protection law underpinned the rapid design of a protocol (DP-3T) for proximity tracing through smartphones which:
- inspired Apple and Google’s approach to building decentralised proximity tracing capability into their operating systems, enabling privacy-preserving ‘contact tracing’ apps developed by national public health authorities around the world to be accessed on over 90% of smartphones;
- has been adopted by at least 65 official national or regional COVID-19 contact tracing apps globally (December 2020); and
- facilitates contact tracing across borders within the EU, covering 372m people.
(ii) Within the UK, analysis of legal and regulatory gaps surrounding contact tracing influenced Parliamentary scrutiny of the UK government’s approach, the outputs of campaigning organisations, and public debates, all of which pressured the UK government to abandon a centralised app for NHS England, and raised the profile of novel issues surrounding contact tracing not addressed by existing law.
2. Underpinning research
Dr Michael Veale joined UCL in September 2019 as Lecturer in Digital Rights and Regulation (following a PhD in UCL Department of Science, Technology, Engineering and Public Policy and Department of Computer Science). In February–May 2020, he was the main legal researcher, contributing expertise on privacy and rights, in a collaborative project that designed, analysed, created, published and iterated a protocol for Bluetooth-based proximity tracing to tackle COVID-19: the Decentralised Privacy Preserving Proximity Tracing Protocol ( DP-3T).
In early 2020, many governments were interested in using mobile phones for tracing people who may have been exposed to a COVID-positive individual. This digital contact tracing would be based simply on individuals’ proximity to each other for a period of time—referred to as ‘contact tracing’ even though the individuals may not be known to each other or traceable through a manual process. Some governments, including the UK government, had started work on designs for digital contact tracing involving communication between smart phones and centralised databases. These were open to abuse and function/mission creep (i.e., subsequent use of data for purposes remote from the original public health purpose). Led by Dr Carmela Troncoso, the Ecole polytechnique de Lausanne (EPFL) and Swiss Federal Institute of Technology (ETH Zürich) had been in discussions with academic and industry experts working on contact tracing. However, differences about the importance of human rights led to a schism as this group explored design directions. At that point, Dr Troncoso approached Veale due to the latter’s expertise in privacy-enhancing technologies, law and power, on which Veale and Troncoso were in the early stages of collaborating when COVID-19 appeared, and Veale joined what became the DP-3T project (involving EPFL, ETH Zürich, KU Leuven, TU Delft, CISPA (Germany), ISI Foundation (Italy), University of Porto, Oxford and UCL).
As the main legal researcher on the interdisciplinary DP-3T project, Dr Veale advocated and implemented the EU General Data Protection Regulation ( GDPR) requirement of ‘data protection by design’ and ‘purpose limitation’. It was clear that all digital contact tracing approaches were vulnerable to privacy threats, but that centralised systems would involve greater risks, coupled with the potential for abuse of power through function and mission creep in their use of data. Dr Veale developed the key insight that, for notification of exposure to a COVID-positive individual, individuals need not be identifiable to any other actor within the legal definition of identifiability; and a technical solution of rotating codes processed on-device achieves this whilst also functioning elegantly within data protection law. These insights shaped the architecture of the DP-3T protocol, as reflected in outputs co-authored by Dr Veale, including:
a detailed ‘White Paper’ (in computer science, a description and analysis of a proposed technology, with updated versions incorporating comments and technological developments) covering three different versions of the DP-3T protocol, published in early April 2020 and updated following iterative development until late May 2020 (R1);
privacy and security framework for understanding contract tracing systems (R2); and
a supplementary law and security paper of the protocol (R3).
Further outputs of the project included detailed analysis of two alternative protocols, illustrating key flaws; and full, open source code for the systems running on Android and iOS.
In alignment with Open Science principles, and given the urgent need for robust design to meet public policy needs, all papers were made available under a Creative Commons licence on GitHub, a commonly used collaborative coding platform. This facilitated iterative development of the design solution, building on community feedback (over 300 ‘issues’ raised since inception). Having co-developed a technical approach for privacy-protecting apps, Veale hypothesised that the traditional focus in privacy-enhancing technologies on keeping data confidential is insufficient to protect rights in future development of these technologies, by either tech firms or governments (R4). Veale turned his attention to rights issues associated with app use for which there was no technical solution, concluding that existing regimes, such as the GDPR and EU ePrivacy Directive, did not sufficiently respond to questions of power and coercion. It was unclear that data protection law would prevent venues, employers or law enforcement requiring adoption of the app, nor how associated technologies such as ‘immunity certificates’ would be regulated to avoid discrimination. A suggested model Coronavirus (Safeguards) Bill (R5), co-authored with Professor Lilian Edwards (University of Newcastle) and others, proposed changes to the existing legal framework to meet the gaps identified, emphasizing the need for primary legislation and a new independent Coronavirus Safeguarding Commissioner to monitor these issues.
3. References to the research
R1. Carmela Troncoso and others, ‘Decentralized Privacy-Preserving Proximity Tracing’ (2020) 43 IEEE Data Eng Bull 36.
All other papers (2020) available on https://github.com/DP-3T/documents, authored collectively under ‘The DP-3T Project’, including:
R2. Privacy and Security Attacks on Digital Proximity Tracing Systems (2020).
R3. Decentralised Privacy-Preserving Proximity Tracing: Overview of Data Protection and Security (2020).
R4. Michael Veale, ‘Sovereignty, privacy and contact tracing protocols’ in Linnet Taylor, Gargi Sharma, Aaron Martin and Shazade Jameson (eds.), Data Justice and COVID-19: Global Perspectives (Meatspace Press 2020).
This work is fully open access. Meatspace Press receives support from (inter alia) the Alan Turing Institute, the Global Data Justice Project at the Tilburg Institute for Law, Technology and Society, and the Oxford Internet Institute.
R5. Lilian Edwards, Michael Veale et al, ‘The Coronavirus (Safeguards) Bill 2020’ (2020). https://osf.io/preprints/lawarxiv/yc6xu/.
Following development of the protocol, the DP-3T project was awarded a CHF5,000,000 (GBP4,150,000) grant from the Botnar Foundation, with approximately CHF350,000 (GBP290,000) to Veale for further analysis and development of digital safeguards for future pandemics.
4. Details of the impact
.
(i) Global impact: Design of protocol for privacy-protecting contact tracing
While manual contact tracing relies on COVID-positive individuals being able to name contacts and places they have been, contact tracing through smartphones potentially reaches a larger universe of individuals, anonymous to the infected person but nevertheless near them for long enough to be exposed to the virus (e.g. in public transport and some workplaces). As knowledge about all aspects of COVID-19 has continued to develop, the precise impact of digital contact tracing been subject to ongoing analysis. Early studies have suggested that digital contact tracing has the potential to ‘ meaningfully reduce the number of coronavirus cases, hospitalisations and deaths across the population’ at any level of uptake (S1), and statistical analysis of the NHS COVID-19 app has indicated that for every 1% increase in app users, the number of infections can be reduced by 2.3% (S2). Significantly, the DP-3T protocol allowed the deployment of apps which could achieve such effects in a privacy-protective way.
*Adoption of DP-3T by Apple and Google
On 10 April 2020, days after the DP-3T consortium published the first iteration of its White Paper and legal analysis (R1), Apple and Google announced a partnership to bring contact tracing to smartphones. The influence of DP-3T—and specifically the privacy-protective design advocated by Dr Veale—was publicly recognized:
‘Google’s Burke has acknowledged that his team was specifically inspired by the work of DP-3T, noting that he thought it “gives the best privacy preserving aspects of the contacts tracing service”. *One specific example inspired by DP-3T is the idea of using rotating codes … [which] allows the app to notify people who may have been exposed, without having to know their identities—or allowing those identities to be stored and tracked by any central authority.*’ (S3).
Facilitating deployment of decentralised apps around the world
Apple and Google’s dominance in the global smartphone operating system market meant that, with their adoption, the DP-3T protocol was embedded in the operating systems of approximately 94% of iPhones and 92% of Android devices. This facilitated rapid deployment by national authorities of decentralised apps. As of December 2020, official apps had been released by at least 65 national and regional public health authorities around the world, with many achieving significant uptake: e.g. Germany reporting 24.2m downloads by December 2020 (~45% of adult population); Italy reporting 10.13m downloads in December 2020 (~27% of adult population); Ireland reporting active user base of 1.31m in October 2020 (~34% of adult population) (S4) (generally only adults are permitted/recommended to download the apps).
Enabling of seamless contact tracing across borders
Decentralised contact tracing systems are, unlike centralised systems, able to interoperate across borders: they can be linked in such a way that individuals using one national app can be alerted if they have been in proximity to an infectious individual, even if the contact which exposed them is using a different national app. This advantage is particularly important for Northern Ireland and Ireland, and in continental Europe. T he decentralised design provided by DP-3T, supported by European Commission Implementing Decision 2020/1023 (establishing digital infrastructure for interoperability), has provided up to 372m people (excluding France and Hungary, which continued with centralised designs) with interoperable privacy-protecting contact tracing, supporting safer trade and personal mobility.
(ii) UK impact: Influencing scrutiny of UK government’s approach to contact tracing
As the DP-3T solution was being developed, Dr Veale, through the press, public events and Parliamentary evidence, stimulated and informed policy debate about legal concerns associated with contact tracing that could not be addressed by technical solutions; and about the desirability of decentralised (versus centralised) app design.
Informing policy debate about rights concerns raised by contact tracing apps
Although the protocol provided a means of privacy-protective digital contact tracing, it did not address other rights concerns associated with use of contact tracing apps and related technologies which might develop in future, particularly ‘immunity certificates’: could individuals be required to use an app or an immunity certificate as a condition of entry to venues, of eligibility for services or benefits? Could even anonymous data about individual movements be used for population-wide surveillance for reasons unconnected to management of COVID-19? The model Coronavirus (Safeguards) Bill 2020 (R5) co-authored by Dr Veale articulated and sketched means of addressing these concerns, adaptable for a centralised or decentralised app. The model Bill became a point of reference in policy discussion, helping raise awareness of the need for a more robust legal framework for digital contact tracing. The Biometrics Commissioner stressed that ‘ it is important that public trust in such [surveillance of COVID-19] is encouraged by regulation approved by Parliament as to the limitations of that surveillance’, and referred to the model Bill as evidence of what a group of lawyers believed would be necessary (S5). The Open Rights Group ( ORG), an NGO working on free expression and privacy issues in the digital age (to which Dr Veale contributes as an advisory council member), publicised the Bill on its blog, with the Executive Director of ORG testifying that the Bill ‘became an important part of our advocacy strategy’ for greater rights protections surrounding use of technology (S6).
In May 2020, Dr Veale was invited to give evidence to the Joint Committee on Human Rights, with Dr Veale and another co-author of the model Bill, Orla Lynskey (LSE), the only witnesses (other than the Information Commissioner) providing oral parliamentary evidence on the need for a legislative framework for the app. The Committee’s report, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing (S7) referred to the model Bill; and points raised in the model Bill, including the need for an independent commissioner to oversee use of the app, featured in the Committee’s own draft Bill, sent to the Secretary of Health on 7 May 2020. The Committee’s report embraced the point that use of the app ‘ raises issues that go beyond data protection and privacy’ (S7, p. 13). On 22 May 2020, the Secretary of State for Health rejected the immediate need for new legislation, but R5, and evidence drawing from it, shaped the first real policy discussion of questions that remain pressing for the future of contact tracing technology.
Influencing reversal of NHS England’s commitment to centralised contact tracing app
The UK government had initially invested in a centralised app for England and Wales, and continued on this course for months despite many European states opting for decentralised apps. Development of DP-3T provided a foundation for pressure to switch to a decentralised design. In May 2020, the UK Information Commissioner’s Office issued an opinion that the DP-3T model was ‘aligned with the principles of data protection by design and by default’ (S8); and Matrix Chambers published a legal opinion concluding that:
‘*A de-centralised smartphone contact tracing system – the type contemplated by “DP-3T” and being considered by governments across Europe and also Apple and Google – would be likely to comply with both human rights and data protection laws. In contrast, a centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful.*’ ( S9)
Dr Veale helped maintain pressure on the government to switch to the DP-3T model, giving oral evidence to the Joint Committee of Human Rights on differences between centralised and decentralised approaches (cited in the Committee’s report **(S7, pp. 7, 8)**); addressing groups like Labour Digital and the Society of Conservative Lawyers; and engaging actively with the media to improve understanding of the technology and privacy issues surrounding contact tracing (including BBC Radio 4 Today and PM programmes; Sky News; British Medical Journal; Mail Online; Guardian; New Statesman; Telegraph) (S10). Lord Clement-Jones CBE (Digital Spokesman for the Liberal Democrats in the House of Lords, and former Chair of the Lords Select Committee on Artificial Intelligence) has testified that the existence of the DP-3T protocol was ‘important and influential’ in enhancing understanding of the app possibilities in Parliament and ‘made visible the shortfalls of a centralised system’; it being ‘difficult to criticise fast-moving technological developments where alternatives do not exist’. Dr Veale’s research ‘supported [Lord Clement-Jones’] understanding of the stakes and the options, and directly informed questions asked in Parliament’ by Lord Clement-Jones, Baroness Ludford, Lord Scriven and Daisy Cooper MP (S11).
On 18 June 2020, the government abandoned the centralised app. An updated ‘NHS Covid-19’ app, using the decentralised design inspired by DP-3T, launched in September 2020. This allowed interoperability that would have been barred by a centralised design, with complete interoperability of apps in England and Wales, Scotland and Northern Ireland achieved by November 2020. It reduced risks of function and mission creep associated with the centralised approach, and assured users’ privacy was protected. In an indication that these features are valuable in inducing uptake, the NHS App Library description makes prominent reference to the fact that the app is ‘ designed so that nobody will know who or where you are’ ( S12). As of 31 December 2020, the app had been downloaded over 21m times (corresponding to ~44% of the adult population of England and Wales), and, on a statistical analysis, its use had averted approximately 594,000 cases of COVID-19 (S2).
5. Sources to corroborate the impact
S1. University of Oxford news, ‘ New research shows tracing apps can save lives at all levels of uptake’ (3 Sep 2020) (citing Abueg et al preprint, ‘Modeling the combined effect of digital exposure notification and non-pharmaceutical interventions on the COVID-19 epidemic in Washington state’, 2 Sep 2020).
S2. Chris Wymant, Luca Ferretti et al, ‘The epidemiological impact of the NHS COVID-19 app’, 9 Feb 2021, https://raw.githubusercontent.com/BDI-pathogens/covid-19_instant_tracing/master/Epidemiological_Impact_of_the_NHS_COVID_19_App_Public_Release_V1.pdf (analysis shared by Department of Health and Social Care press release, 9 Feb 2021, https://www.gov.uk/government/news/nhs-covid-19-app-alerts-17-million-contacts-to-stop-spread-of-covid-19).
S3. CNBC, Christina Farr, 29 Apr 2020, ‘ How a handful of Apple and Google employees came together to help health officials trace coronavirus’.
S4. Germany: statistics from Robert Koch Institute, 18 Dec 2020, at https://www.rki.de/DE/Content/InfAZ/N/Neuartiges_Coronavirus/WarnApp/Archiv_Kennzahlen/Kennzahlen_18122020.pdf?__blob=publicationFile; Italy: statistics from Immuni app, at https://www.immuni.italia.it/dashboard.html; Ireland: Department of Health, ‘ Ireland is one of the first countries to link contact tracing apps with other EU Member States’,19 Oct 2020.
S5. Biometrics Commissioner, statement on the use of symptom tracking applications, 21 Apr 2020, https://www.gov.uk/government/news/biometrics-commissioner-statement-on-the-use-of-symptom-tracking-applications.
S6. Testimonial of Executive Director, Open Rights Group, 3 Dec 2020.
S7. Joint Committee on Human Rights, Human Rights and the Government’s Response to Covid-19: Digital Contact Tracing (7 May 2020), pp. 7, 8, 12–13; citing oral evidence of 4 May 2020, HC (2019–21) 265.
S8. Information Commissioner’s Opinion 2020/01: Apple and Google Joint Initiative on COVID-19 Contact Tracing Technology (17 Apr 2020).
S9. Matthew Ryder QC et al (Matrix Chambers), ‘ COVID-19 & Tech responses: Legal opinion’ (3 May 2020).
S10. Sample of Dr Veale’s engagement with the media.
S11. Testimonial of Lord Clement-Jones, Digital Spokesman for the Liberal Democrats in the House of Lords (29 Nov 2020).
S12. Official NHS Covid-19 app: https://www.nhs.uk/apps-library/nhs-covid-19/.