Contact Tracing in the UK — what went wrong?

17 min readJun 11, 2020

The government is in the first few weeks of easing its three month lockdown on Covid-19. The easing of restrictions is being undertaken essentially blind, with no digital contact tracing app in place at all and a manual contact tracing solution that is widely considered to be unfit for purpose. Given these shortcomings and our government’s record with the Covid crisis to date, it’s hard to muster confidence in the government’s latest idea — to contain local flare-ups with regional lockdowns.

Students of ancient and modern history, as the proponents of this idea mostly seem to be, may not have noticed but, since the Spanish flu outbreak of 1918, the effectiveness of regional separation has been somewhat hobbled by the invention of the motor car. These days, of course, we mostly use motor cars for testing our eyesight, though even then, they do have the downside of moving us from region to region, thereby reducing the effectiveness of this otherwise brilliant plan.

Dominic Cummings reading excerpts from his new book about his battle with blindness

So how exactly did we get here? An article outlining how a contact tracing app could be built for the UK was sent to a number of government representatives and advisors in late February. The idea was picked up in the private sector and a working contact tracing system with Android and iOS apps and a scalable server-side component was designed and built in a hectic couple of weeks in March.

How, then, did the UK get from being one of the first countries to have access to digital contact tracing technology to where we are now, more than three months later, where we are coming out of lockdown with no effective contact tracing system at all?

This article sets out the series of government blunders that stopped digital contact tracing from getting off the ground in the UK.

Feb 28: The above article on contact tracing is sent to a handful of government representatives and advisors, including the office of Dominic Cummings. Most don’t reply at all but local MP, Bim Afolami, at least takes the trouble to reply:

“I’ll take a look and ask the Health Secretary to consider your advice if prudent”.

If any of the people we contacted had tried to advance the idea at this stage we can be fairly confident that it would have been rejected. As we now know, this was the time when Dominic Cummings was advising the PM to pursue a strategy of ‘herd immunity’, for which you do not need contact tracing — or any other technique that might reduce transmission rates.

Backing up this assessment, a subsequent presentation made to a Commons Select Committee on contact tracing apps by Prof Christophe Fraser of the Oxford Big Data Institute, was rejected by the government’s Chief Scientific Officer, Patrick Vallance, on the grounds that such apps would only be useful at the start of a pandemic or at the end. This really just isn’t true; if one aims to contain an epidemic, preventing transmission is worthwhile whenever you do it.

The real reason for rejecting contact tracing apps throughout early March was that the government was simply not planning to try to contain Covid-19 at all.

mid-March: The Domascene conversion. Until now, Dominic Cummings had been working with the assumption that around 100K people in the UK would die from Covid-19, but the simulations made public on March 16 by Prof Neil Ferguson of Imperial College now put the figure at around 500K. This makes Dominic Cummings change his mind — and the search is now on for methods to reduce transmission. Digital contact tracing suddenly seems like a really good idea.

Dominic Cummings is, at this point, actually sitting on SAGE, the government’s Scientific Advisory Group for Emergencies, which is supposed to provide scientific advice that is free of political influence. As Dominic Cummings has no scientific training or qualifications at all and a great deal of political influence, it is hard to imagine a less appropriate appointment. Had group chair Patrick Vallance restricted his inclusion to ‘observer’ status, less damage might well have been done, but instead Dominic Cummings is permitted to fully participate in meetings and even to recommend new members. Dominic Cummings then arranges for Ben Warner, a Data Science PhD who worked with Mr Cummings on Vote leave, to join him on SAGE.

Ben Warner, flanked by two of Dominic Cummings’s aides

Ben’s brother is Marc Warner, CEO of the AI Company and government contractor Faculty. It is unclear why Dr Warner’s inclusion in SAGE is not blocked by the clear conflict of interest that arises as a result of his association with Faculty. Whatever the reason, with neither of these appointments restricted to observer status, SAGE is moving away from scientific independence at an alarming clip. As the government’s often repeated phrase “we’re following the science” is a metaphor for following the advice of SAGE, these procedural oversights are critical and will prove fatal to the deployment of a viable containment strategy in the UK.

Faculty’s droid, the Marc 1, attempting to strike up a conversation with a human

It is decided that the production of a contact tracing app will be put in the hands of NHSX, the ‘research and technology’ arm of the NHS. This NHSX group were already working with Faculty, after Faculty had been awarded a series of government contracts which were signed shortly after Mr Cummings arrived in Downing Street.

Centralised or de-centralised?

The designs of digital contract tracing apps fall into two basic categories: centralised and de-centralised. Briefly, the de-centralised approach keeps the sensitive data about whom you have bumped in to on your phone, where the centralised approach sends the data to a central server.

The key advantage of the decentralised approach is that it provides users with the comfort of knowing that their contact data never leaves their phones.

When engineers and technologists design something new, they are typically driven by one recurring theme “what’s the most likely thing that will stop this from working?”. For contact tracing apps, that obstacle is very well understood: it’s insufficient adoption.

Adoption

If 50% of the population have a smartphone with the UK’s contact tracing app on it, and everything works as it’s supposed to, what is the chance of the app detecting an actual transmission of Covid-19? 50%? Sadly not — it’s actually 25%. That’s because, to detect a transmission from someone else to you, you need to have the app — and so do they. The chance of both of the people involved in this transmission having the app is like flipping two coins and getting two heads — on average it happens one time in four, or 25%.

The government of Singapore was the first to release a proximity based contact tracer, which reached an adoption level of around 20% after a month or so. That meant that the chances of the Singapore app detecting an actual infection was 20% times 20% — which is 4%. The Singapore team have rightly garnered widespread praise for their technology, yet it is probably still fair to say that their app offered little meaningful protection— simply because not enough of the people of Singapore downloaded it.

So how many people could we expect to download such an app in the UK? Well, the most downloaded app in the UK is WhatsApp and that has a penetration of 60–80% (depending on exactly what you measure). That’s really good — but it took over 10 years to get to that point. A contact tracing app is considerably less compelling and would need to be downloaded around as much in a few months. Generally, the effectiveness of a contact tracing app is said to go with the square of its level of adoption. So it is only by getting both the design and messaging right that you stand any chance at all of making it effective.

There are other factors that affect the success of a contact tracing system but none have the double-whammy effect that adoption has, and a sensible policy must therefore prioritise adoption above everything else.

For this reason, the question of whether to go with a de-centralised or centralised approach is actually pretty simple to answer:

Insufficient adoption is by far the biggest barrier to success.
Greater privacy improves adoption.
De-centralised solutions improve privacy.

A de-centralised solution is therefore the only sensible choice.

Q.E.D.

This argument is entirely independent of whether or not the reader cares about privacy. What is important is that some people care about privacy, and all those who care about privacy want more privacy, not less.

So which system did the UK go for?

The UK government made the only choice that makes no sense at all — it went for a centralised solution.

Why?

The stated advantage of the centralised approach is that it brings all the data about our society’s movements into the hands of a central ‘health authority’. From there, so the story goes, epidemiologists can use the data to better control and manage of the spread of the disease. As any engineer knows full-well, however, you do not need to centralise data to bring processing and data together, and it is normally much more secure to move processing to data than the other way around. Added to which, mobile platforms offer the perfect infrastructure for moving processing to data, in the form of apps that can be distributed to phones via their app stores.

But more critically, what does ‘health authority’ mean in the above? If epidemiologists have access to the data, what stops others gaining access to it? If nothing, where does this stop — can intelligence services, law enforcement, other parts of government and their contractors gain access to the data about whom we are meeting?

Funny you should ask.

Faculty, like every AI company, makes its money by processing data. The more data it is given and the more value it can extract from it, the more money it can make. The opportunity to be able to deploy an app that can spy on the interactions of a significant proportion of the UK population is dreamy stuff for an AI company — whilst being the stuff of nightmares for almost everyone else.

But the data gathered by the NHSX system was for the NHS — right? Surely procedures could be put in place to stop it being shared?

It could have been — but it wasn’t just Faculty that had other plans...

Secrecy

We had offered to provide pro bono assistance, code and know-how on the fiddly Bluetooth code to the developers on the NHSX project throughout late March. But the NHSX project was secret and, like most journalists trying to report on this at this time, our attempts to contact them were mostly rebuffed or ignored.

March 31st. The NHSX team are given the go-ahead to lift the veil of secrecy on the project and we arrange to ‘meet’ in a series of video calls over the coming days. It soon becomes clear, not only that NHSX are already set on a centralised approach, but that their design has very serious flaws in its use of Bluetooth that leave it open to far worse abuse than could be attributed to the centralised approach itself. The way they had used Bluetooth would leave users open to surveillance — not just by the UK government but by anyone with a Bluetooth device.

When questioned on their design, their response was memorable:

“GCHQ said it was OK”.

We are very lucky indeed in the UK to have some extraordinarily talented people working in our intelligence services and are all generally much the safer for the work they do on our behalf. But on the question of whether to use a design for a contact tracing app that could easily be ‘repurposed’ for mass surveillance, GCHQ is clearly the wrong institution from which to seek independent advice.

And so it was that the simple idea of a contact tracing app suffered ‘mission creep’ on the grandest of scales. The government would not just be getting a solution to the problem of curtailing the spread of Covid-19, they would also be able to ‘harvest’ some excellent data for epidemiologists, AI companies and intelligence agencies — all with one app and a back-end that had been jointly subcontracted to Faculty, Palantir, Google and Microsoft. What could possibly go wrong?

Early April. Google and Apple both reject the NHSX app from their stores on the grounds that the security model is so badly broken that the app could put their customers in danger. Google, who had by now accepted our app on to the Google Play store, offer to assist the NHSX to fix the errors in the NHSX design by recycling the Bluetooth keys — as we had done in our app and advised the NHSX team to do in our meetings with them. But a plan to fix the worst of the problems was put into place, to the relief of us and many others.

Excellent, one fatal problem down for the NHSX app — two to go.

Consipracy Theories

I like the idea of conspiracy theories but have just never found one that was right for me. When several well-meaning relatives advanced theories that the Covid-19 outbreak was the result of the 5G network, or escaped from a Chinese Laboratory experiment, they have always been met with short shrift.

But choosing to go with the centralised design for a contact tracer is such a spectacularly stupid idea that the only alternative to believing in a conspiracy theory would be to believe that the UK government was completely unable to make rational decisions. That scenario has the rare distinction of providing even less comfort than a conspiracy theory.

The main argument against this particular conspiracy theory is that, once Google had helped fix the key recycling problem in the NHSX app, the data generated by the NHSX app could have been held by the NHS in such a way that GCHQ, Faculty, the UK government and its contractors, could not gain access to it. And if the data could have been kept safely by the NHS then it was true that in there somewhere was a plausible route to success. That ray of hope was extinguished as soon as the following document came to light in late April:

April 3rd. Health Secretary, Matt Hancock, approves this granting GCHQ powers to access all NHS IT systems.

April 3. We contact Google and outline the compatibility problem that will arise when contact tracing apps from different countries use different systems, after having put our decentralised contact tracing protocol in the public domain.

April 10th. Apple and Google join forces to produce a standard contact tracing API. It’s actually based on the decentralised DP-3T protocol which was developed independently to ours but is almost identical — in our view the tech firms have made a good choice

April 10th. So with both GCHQ and private firms, like Faculty, who would have favoured centralised solutions influencing the decision on what kind of contact tracing solution the UK would adopt, all the likely routes by which the government could choose a decentralised solution seem blocked.

The decisions that are taken are the only ones that could have been taken given the influence of the parties involved:

The UK’s contact tracing solution will be centralised
It will not use the APIs being developed by Apple and Google

Every other country in Europe eventually decides to go with a decentralised solution, except France. Enough said.

The public furore over privacy starts

As expected, academics and security experts start to voice their concerns.

April 12th. This post, from Professor Ross Anderson, a security specialist at the University of Cambridge, is widely circulated and makes the point that contact tracing is of little epidemiological value and will simply allow the government to avoid the “hard decisions” that it needs make to combat the disease. And what might those hard decisions be? The decision as to whether or not to use the PM’s secret stash of Covid-19 fairy dust to rid the UK of the disease? In the absence of a vaccine, what exactly are the alternatives to contact tracing — continuing with lockdown indefinitely?

April 26th. Meanwhile, Professor Christophe Fraser, an epidemiologist at the University of Oxford, takes the opposite view: that the security of the centralised approach is just fine. In various comments in this interview we hear him explain why:

47:07: “the NHS records patient data already, and we trust the NHS to look after our private data”. Many of us do, but patient data is very different from the proximal contact data that is collected by the phones of people who aren’t sick. In any event, the government had already prevented the NHS from keeping any of this data private, see above.
47:15: “this has been developed [transparently]”. The app was designed and developed in secret. The source code was made public on May 7th after the app had been launched on May 4th. This is precisely why the app had so many flaws when it was released.
47:20: “the NHS has engaged experts in privacy”. True, but Professor Anderson was one of them and he condemned the approach outright, see above.
47:30: “this has been designed with a relatively minimal amount of data, as much as needed to make it work”. This is technically incorrect and is the critical difference between the centralised and decentralised approaches.

Both of these academics are widely respected in their chosen fields, for good reason. The quality of this debate would nevertheless have been much improved if our eminent security expert had focussed on security while our eminent epidemiologist had focussed on epidemiology — rather than the other way around.

April 12th. Matt Hancock unveils the digital contact tracing plan.

Few other politicians have Mr Hancock’s ability to change the minds of so many, in so few words.

Back in March, many of us had worried that panic buying would set in and supermarkets would struggle to cope with demand. Let us not forget that it was Mr Hancock’s reassuring speech, explaining that the government had close ties with supermarket supply chains, that brought this uncertainty to a swift end. Mr Hancock had spoken, people had listened and within a few days supermarket shelves across the country were stripped bare.

And with successes like these it could only be to Matt Hancock that the government would turn to extinguish the raging debate over privacy in the NHSX contact tracing app. Mr Hancock didn’t disappoint:

“All data will be handled according to the highest ethical and security standards”

“…and would only be used for NHS care and research”

“…and we won’t hold it any longer than is needed.”

If anything else had been needed to remove the remnants of confidence in digital contact tracing in the UK, this was it. All that remained was proof positive that it wouldn’t work in the wild...

The Isle of Wight Trial

Sparing no expense, a letter was sent to every resident on the Isle of Wight asking them to download the new NHSX app as a matter of “public duty”. Things started slowly but progress was actually far better than most of us expected, eventually surpassing the theoretical limit on the proportion of phones on which the app could actually be installed. This limit is rather low for the NHSX app as fatal flaw number 2 was that the NHSX app couldn’t be installed on old versions of the Android operating system — which were very common amongst the older population of the island.

Luckily this restriction didn’t matter much as the ability to download the app was not restricted to people on the island — you could download it from anywhere in the UK. And as there was no way to distinguish downloads on the island from downloads from anywhere else, there wasn’t actually any way to tell how many people on the island had downloaded it anyway.

All that was known for sure, was that there had been no noticeable change in the transmission rate on the island and that there were mounting reports of ‘glitches’ in the app and phones going flat.

May 20th. For a deep dive on the technical problems that beset the NHSX app, what better place to turn than the House of Lords, where technology expert turned hereditary peer, Lord Bethel, was instructed to break the news about the result of the trial:

“One of the criteria of success is to learn from the pilot, which takes an early version of the app and hopes to develop learnings from it; we now have two or three. One of them, which I have mentioned, is that it is probably a mistake to launch an app before you have got the public used to the idea of tracing.”

The tech-support staple: “it works for me, you must [all] be doing something wrong”. Except that contact tracing apps have a single button that needs to be pressed only when a user gets sick. With this kind of app it’s actually rather difficult to blame the problems on users, as they have almost nothing to do with it.

What Lord Bethel’s commentary was intended to cover up was the fact that the app hadn’t worked.

Many of the causes of the problems would have been avoided if the UK government had agreed to use the free APIs that Google and Apple provided as we and many others had tried to persuade them to do.

June 5th. openDemocracy forces the government to publish the contracts it signed with Faculty et al.

We built our contact tracing app with a team of half a dozen developers in a couple of weeks. Had we had the Apple-Google APIs when we started it would have taken half the time. The government has spent millions of pounds and precious months on a slew of absurd contracts all but one of which were completely unnecessary. Unfortunately, the contract that was necessary was mismanaged and produced something that didn’t work.

How to start getting things right

If changes are not made to the way this government makes decisions, it is not reasonable to expect any improvement in the outcomes of its actions. With no changes, the next three months will likely go as the last three months have gone and we will be in roughly the same position when we tackle the 2nd wave of Covid-19 that is expected to arrive in the Autumn.

An effort has been made to bring some levity to this article though, in reality, this situation is far from funny to the tens of thousands of people who have lost friends and relatives to the disease. While not all of these tragedies can be fairly levelled at the government, some of them certainly can. In the above accounts of the government representatives there are numerous examples of: incompetence, dishonesty, conceit and nepotism — each to a degree that has contributed to the failure of the government to deliver an important tool in the fight against this disease.

At the time of writing, over 40,000 people have died of Covid-19 in the UK, giving us the second highest Covid-19 mortality rate in the world — and that is despite the heroic efforts of our health care workers, who have shown stellar resolve in spite of everything this government has managed to get wrong. With better decision making, including an earlier response to the crisis, many of us believe that a substantial proportion of the these UK deaths could have been avoided. Failing that, greater transparency about the difficult decisions the government makes in these challenging times might allow us all to play a part in making the UK safer while reducing the damage to the economy caused by the lockdown.

Here’s my wish list of concrete practical steps that the government could take to make that next three months better than the last:

Stop breaking rules you ask others to follow
Stop saying you are following the science
Stop allowing unqualified or ineligible people to join SAGE
Stop running Covid meetings in secret — this enemy can’t read
Stop giving critical contracts to your mates
Stop saying you made the right decisions at the right time
Stop saying that it’s too early to make comparisons with other countries

To close on a high note, it is a truly wonderful thing to be able to write freely about the shortcomings of government. It is perhaps even more wonderful that it is in all of our hands to force our government to do better. To that end I hope this article and others like it will provide a record of recent events that can help ensure that the spring of 2020 is not forgotten.