Ned Stratton: 12th June 2020
(Note from the author: The blog post is a 10-minute read. To skip straight to the survey – click here.)
The next phase of COVID-19 recovery centres around Track and Trace. It is a strategy to re-open the economy and social life in the UK - while also controlling the infection rate - by pinpointing individuals who have the virus and people who they have come into contact with.
Critical to this strategy is the NHS COVID-19 mobile phone app, currently in testing on the Isle of Wight and due to launch later this month.
Cue the usual derision and mistrust from the media, perhaps rightly so because of its lateness and self-proclaimed “world-beating” status, but also – and this is much more contentious - because of data privacy concerns.
Is this just the visceral unease about scary computers and big data that frustrates many a data scientist and lies behind those infuriating "WE VALUE YOUR PRIVACY" pop ups on websites? Or should we be legitimately concerned that the government is using a crisis as a smokescreen to stealthily grab more information about us than they should? .
First, some detail on how the NHS app works.
It uses Bluetooth to generate anonymous "keys" that are exchanged between mobile devices when in close proximity with each other. If one person uses the app to report that they have Coronavirus, they upload the latest 14-days worth of these said keys to the app's cloud database, so that it can match the keys to the other devices associated with them, then notify their owners to self-isolate.
The keys are only held on the phone for 28 days before deletion. The only other information the app requires from a user is "postcode stem" (SW9 – South London, M1 - Central Manchester etc), for the purpose of aggregating the data to detect flare-ups of COVID transmission in local areas. The NHS hasn't ruled out using geo-data from devices in future for the response to the pandemic, but this would be voluntary and beyond the scope of this app.
So for now, the app doesn't use location data or PII such as name or email address; collecting anonymous, minimal data purely for the purpose in hand. It's been transparent about the technology and code behind the app, even publishing it on a GitHub repository.
Yet even for minimal data collection for an urgent public health crisis, you'd sense palpable unease among the general public and civil liberties groups. Open Rights Group is taking legal action taken against it. An article and poll in Digital Health last month shows that "Data, privacy and security" was people's biggest concern about the app with 30% of the vote versus "Other" – 27%, "Low uptake" 9%, and "Private company involvement" – 5%, with the other 29% saying they weren't concerned.*
I find this very revealing about our attitudes to the trade off between data privacy and innovation using data. Here we are, in the middle of a deadly and livelihood-destroying global health pandemic, and three times as many people were more concerned about ePrivacy than they were about people not using it and thereby prolonging the pandemic!
Perhaps this reflects distrust of the government. But could it be that the British public are by tendency risk averse when it comes to sharing their data? Perhaps most of us genuinely see our data as an inviolable part of our property and human rights that we have every right not to surrender, rather than as a necessary by product of the modern world that we should see as a duty to share to make our lives better, safer and healthier?
It’s like the left-right political spectrum, but instead of Left and Right it's Protector (my data is my property) and Liberator (data is the new oil – an abundant resource for innovation that is undermined if people are allowed to opt out from sharing it).
In 2017, the Science Museum in London ran an exhibition called Our Lives in Data which tackled this issue. One of its exhibits was a digital polling booth called "The Big Data Debate", which asked visitors for their opinions on real and theoretical uses of mass-collected personal data. It used a person's answers to categorise them into one of four groups - Data Liberator, Savvy Sharer, Data Regulator, and Privacy Protector - representing a sliding scale of attitudes to big data sharing from liberal and very open to sharing on one end to very protective and pro-regulation on the other.
The Science Museum very kindly agreed to share with UCOVI some of the questions that were asked so that we can re-incarnate the survey and allow people to find out if they are Liberators or Protectors.
To take the quiz, follow this link.
You might find some of the data collection scenarios in the questions – some real, and all at least inspired by what is currently real and possible – to be far more controversial than what the NHS is proposing with the COVID-19 app...
*Poll stats accurate as of yesterday. For the stats nerds among us, this also shows why you should never include "Other" as a multiple-choice option in a poll.