There has been much debate about the centralised versus decentralised approach.
The NHSX App is using BLE to build a list of contacts which a user has encountered, by way of the Transmitted IDs mentioned above (the “Transmitted ID List”). This will therefore constitute ‘pseudonymised’ personal data in data protection legislation terms: the personal data cannot be attributed to a particular individual, without the use of additional information which is kept separate, and which is subject to technical and organisational measures to keep it separate. This information is automatically deleted from the user’s phone after 28 days.
With the decentralised approach, the Transmitted ID List remains locally on a user’s device. Any matches of close proximity between an infected individual on the Transmitted ID List and the user of the device are detected locally on the user’s device. With the centralised approach, the Transmitted ID List, as well as the other details which the NHSX App is collecting, are securely transmitted to NHSX’s systems for matching and detection purposes after a user uploads them; this will be after the user self-diagnoses that he or she is suffering from virus symptoms.
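The two data flows described above, as an added illustration that is not NHSX code: a toy model of who learns what when a user self-reports, with the 28-day deletion from the previous paragraph applied to the contact log. All IDs, devices, dates and the server-side registry are constructed sample values.

```python
from datetime import date, timedelta

RETENTION_DAYS = 28  # Transmitted ID List is deleted from the phone after 28 days


def prune_contact_log(contact_log, today):
    """Drop (transmitted_id, date_seen) entries older than the retention window."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [(tid, seen) for tid, seen in contact_log if seen >= cutoff]


def decentralised_report(reporter_own_ids, other_device_log, today):
    """Decentralised: the reporter uploads only the IDs it *broadcast*.
    The server publishes them and every other device matches locally,
    so the server never sees anyone's contact list."""
    published = set(reporter_own_ids)
    recent = prune_contact_log(other_device_log, today)
    exposed = [tid for tid, _ in recent if tid in published]
    return {"server_learns": published, "device_alert": bool(exposed)}


def centralised_report(reporter_contact_log, registry, today):
    """Centralised: the reporter uploads the IDs it *observed* (its Transmitted
    ID List). The server matches them against a separately held registry
    (the 'additional information' that makes the data pseudonymised) and
    decides whom to alert."""
    observed = {tid for tid, _ in prune_contact_log(reporter_contact_log, today)}
    alerted_devices = {registry[tid] for tid in observed if tid in registry}
    return {"server_learns": observed, "alerted_devices": alerted_devices}


# Constructed scenario: Alice self-reports. Bob's phone saw Alice's ID "a1"
# 3 days ago; both phones also saw "c9" 40 days ago, which is outside retention.
TODAY = date(2020, 5, 15)
ALICE_OWN_IDS = ["a1", "a2"]
BOB_LOG = [("a1", TODAY - timedelta(days=3)), ("c9", TODAY - timedelta(days=40))]
ALICE_LOG = [("b1", TODAY - timedelta(days=3)), ("c9", TODAY - timedelta(days=40))]
REGISTRY = {"b1": "bob-device", "c9": "carol-device"}  # hypothetical server mapping


def run_scenario():
    return (decentralised_report(ALICE_OWN_IDS, BOB_LOG, TODAY),
            centralised_report(ALICE_LOG, REGISTRY, TODAY))


if __name__ == "__main__":
    for model, result in zip(("decentralised", "centralised"), run_scenario()):
        print(model, result)
```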
Although, from a privacy perspective, storing data locally on a device is more privacy-preserving, it does not mean that a centralised approach cannot have appropriate privacy safeguards applied to it. To understand why NHSX has advocated a centralised approach, one has to understand its benefits.
Centralising the data allows a number of advantages, which NHSX believes are unavailable with the decentralised approach, including the following:
- Trend analysis: This is key in order to understand whether social distancing is working or not. It can also provide more up-to-date information in relation to the R-Number (namely, the effective reproduction number, which shows the average number of people that one individual will pass the virus on to). There are different models used to calculate the R-Number, with Public Health England’s model being based on the number of reported deaths. However, this is based on information which has been provided on the number of deaths within recent weeks, and therefore does not make available infection information in the more dynamic and up-to-date manner that the NHSX App can offer.
- Local hospital support: This allows the ability for proactive resourcing of regional hospitals, in response to the above trend analysis, by using the partial postcode information which is voluntarily provided by users.
- Guarding against false positives and malicious actors: At the moment, the NHSX App is reliant upon self-diagnosis and self-reporting of virus symptoms for initial alerting purposes. This is due to the lack of large-scale and timely virus testing being available. Consequently, there is a real risk of incorrect information being provided by users, which would generate ‘false positive’ alerts to other users. NHSX’s centralised approach allows risk modelling to mitigate the associated risks. In a decentralised model, this can only really be achieved by removing self-diagnosis altogether, through the use of definitive test results provided in a timely manner. Unfortunately, this is not currently possible.
It is also important to understand that there are numerous safeguards implemented within the NHSX centralised approach. The device identifier cryptographic information is stored on iPhones within the Secure Enclave Processor. This secure co-processor, isolated from the main processor, provides an extra layer of security, as the cryptographic integrity of its operations is maintained even if other aspects of the phone are compromised. Android devices are not standardised, so this information is stored in hardware-backed secure storage on the handset, or using software measures where the handset model does not allow this. Data is also transmitted from the user’s device to NHSX systems in a batch encrypted process using Transport Layer Security (“TLS”), the protocol which provides secure data transmission.
There is, of course, always the risk of security breaches. However, this is no different from any other system in the world. It does not mean that systems should not be deployed; it just means that security measures need to be implemented and continually monitored and updated.
However, there are certain issues associated with a centralised approach, such as interoperability issues with the apps of other countries which have taken a decentralised approach (particularly Ireland). Therefore, it remains to be seen whether the final NHSX App rollout will adopt a centralised or decentralised approach. Matthew Gould, the CEO of NHSX, has acknowledged that it would be technically possible to move to developing a decentralised system in place of the existing centralised approach, if required, albeit this will then suffer from the deficiencies associated with that approach, as outlined above.