5th October 2020
NHS Test and Trace: The development behind the COVID-19 app
The day after the release of the NHS England and Wales COVID-19 contact tracing app, Ian Bolland spoke to Wolfgang Emmerich, CEO, Zühlke Engineering, the developer behind the app.
After its release, Emmerich was quoted in The Times saying the app was “arguably the best in the world,” something which he says he does not say lightly. He outlined the app has the largest number of features compared those used in countries, and points towards the app’s ‘Me features’ that are targeted to individuals, allowing them to provide feedback about their situation surrounding the virus.
Emmerich says: “The risk score the app exhibits that not many other apps have where we daily update the postcode district based location with the infection rates in that particular postcode districts and then we calculate a risk score and convey that to people in the front screen of the app.”
Zühlke worked closely with a company called Rush in New Zealand who built the app there, and have re-used some of its code to build the venue check-in feature for the UK app – which allows people to check into a particular venue, recording their attendance at that particular date and time.
“That effectively collects a diary of visits that you collect yourself,” Emmerich explains, “if you go to ‘About this app’ and ‘manage my data’ you’ll see the check-ins that you’ve done. The IDs and the names and places of these locations are only stored in the app, but we’ve also given the Test and Trace teams both in Public Health England and Public Health Wales, and also at council level, user interfaces so that they can then notify people once they have traced an infection to a particular venue.”
As an example, Emmerich alluded to the possibility of an outbreak occurring in a local pub and what users would experience if they had visited that particular establishment.
“If a particular pub has been caught several times in these traces then they can notify everyone who was in that pub at, or after, that time on that particular day by pushing that ID out to all the apps in the country and then the apps compare ‘have I been?’ or ‘has my user been at any of those venues at any of those given times?’
“That’s, in fact, an integration of the manual contact tracing we do in this country very well with the digital contact tracing that an app can do. To the best of my knowledge not many apps in Europe have that feature.
“We’ve built a feature so you can go through a dialogue so you can see whether you might have been infected. After giving your symptoms it might direct you to ordering a test which is effectively a leap to the Test and Trace booking system. What we do is we pass the personalised key along in that request which allows us to match a positive test result and convey it to the app user. We are then also able, in the app, to suggest the user should self-isolate for if they’ve had a positive test.”
An app roll-out has been a long time coming. The first app was trialled on the Isle of Wight but didn’t get national roll-out. Zühlke Engineering was first approached in March when NHSX asked the company to provide independent assurance and technical oversight of the first app project, but concluded that it was not possible to develop a reliable app using the approach pursued the first time around, and recommended a change in tack.
From the third week in June, the company began working on the current app and finished development in the first week of September. It is classed a medical device having received the CE mark and ISO 13485 certification.
Emmerich explained the first app was similar to those designed in Singapore and France, and without the involvement of Apple and Google, which he said worked well as long as the operating system permitted Bluetooth communication.
“For very good reason Apple has decided that Bluetooth communication would not be possible for apps that run in the background or when the phone is in a sleep mode. The operating system of iOS shuts down Bluetooth communication of any apps that are in that status which effectively meant that the app would work fine if it’s in the foreground, if you’re looking at the user interface. But the moment the phone goes to sleep, or you choose a different app, then the Bluetooth communication would stop.
“We found on the first trial on the Isle of Wight that the iPhone app only detected a very small percentage of users and it was decided that wasn’t good enough.”
Fundamentally the app just needs low-powered Bluetooth switched on and does not require either a mobile phone signal or a GPS log. There have been some issues with people unable to download using older versions of the iOS, with iOS 13.5 required on Apple handsets. Android devices require at least version 6.0.
However, Emmerich explained what is being explored for those who own older mobile devices in order to participate.
“We are looking at making some parts of the app available for older handsets so that they can at least use some of the features if they can’t use the Bluetooth contact tracing that requires this exposure API. They might still be able to use QR check-in features and check the risk level in their postcode and order a test. We are working on making that available, but this has not made it into the first release.”
A concern among those who may be reluctant to download the app is data privacy and security.
Emmerich explains the app doesn’t know the identity of the user as they are not requested to register an account – meaning email address and phone numbers are not shared, and the work that has gone into it has been praised by researchers at the University of Oxford.
“The amount of personal information that is being connected is actually very, very small. It’s just the first half of the postcode, that is such a large population. It is therefore not possible to reverse engineer identity.
“All of the communication that does occur between the server, which is controlled by the government fundamentally, and the phone is only about encryption keys, which identify the user. The Apple Google API changes those keys every day. Again, it is not possible to conclude as to who anybody is because the keys are changed so frequently.
“No contact information or no location information leaves the user’s phone. All the contact traces are stored on the phone only and the phone decides when it gets keys of infected users. It then decides ‘is that key amongst the users that I have seen and have been close to for sufficiently long enough?’
“Likewise, the identity of locations and venues is only stored on the phone and when Public Health England send out details of an infection that occurred in a venue, the app looks up the venues where the user has been and checks whether or not they were in any of these venues where outbreaks occurred at the time when these outbreaks occurred. That really sensitive information never leaves the users phone.”
Another factor that was considered was whether QR codes could be cloned – also known as atagging, but Emmerich dismisses this as “not possible.”
“The work that we’ve done has been supervised by the National Cybersecurity Centre. We encrypt the data that is encoded in the QR code, so we effectively digitally sign the data that is included in the QR code when it is generated, and we check in the app that the digital signature is valid.
With England and Wales using different apps to Northern Ireland and Scotland, Zühlke is now in the process of building a repository so information can be exchanged between the three apps and the four nations.