As countries across the world grapple with tracking the virus while protecting data and privacy, Ireland’s contact tracing app has had a better reception than most. PrivSec Report looks at the Irish app’s development and privacy journey.

“We got a call back in March from HSE [Ireland’s Health Service Executive] asking if we could help. I think we got the call on a Saturday, we kicked off some design work on the Sunday, we put a development team in place by the Monday, and the project ran from there.”

So begins the story of the development of Ireland’s contact tracing app, designed and executed by Irish software solutions company Nearform. Colm Harte is its Technical Director, and he shared with PrivSec the history of the app’s creation.

“It was an accelerated process – it’s not the standard tender process, and they [HSE] have processes in place for these type of accelerated things in the case of a pandemic, to allow them to make decisions faster, because a typical tender process with a government contract would be a lot slower. We’d probably still be still be in the tender process at this stage,” he says.

Centralised versus decentralised

The potential for privacy violations has featured prominently in the debate over Covid-19 contact tracing systems across the globe, particularly with app-based solutions.

Governments and their partners have wrestled over the appropriate balance between privacy and epidemiological usefulness, and the relative benefits of a “centralised” model, where infected users supply anonymised information about their contacts – including, perhaps, the length of time they were in contact and the proximity – to a public health authority, and a “decentralised” model, where users report sickness on the app, which then periodically collects a list of other infected users for individual devices to cross-reference with their own contacts and then notify the user. In the decentralised version, information is not shared with the public authority, and is therefore often viewed as a better privacy safeguard.

Early on in the process, as with many national approaches, Nearform worked to a centralised model, using Bluetooth as a means of detecting proximity between users. The team had originally planned to use code from the Singaporean (originally centralised) national app but, as the wait time for Singapore to opensource the code grew, the team decided to build their own.

All Covid-19 tracing apps, centralised or decentralised, rely on Bluetooth signals to log when smartphones become near each other. It was this technology that posed early issues, Harte explains.

“The challenge was around the Bluetooth, particularly on IOS. Apple had a certain set of restrictions in place, so typically the app worked fine if it was in the foreground and your phone was unlocked. As soon as the app went to the background or you locked your phone, effectively it stopped working. It wouldn’t transmit and receive at the same time,” Harte recalls.

The Bluetooth issue wasn’t unique to Ireland – every country was encountering the same issue, but not even cross-border collaboration or a direct line to Apple managed to solve it. Development had reached an impasse: launch an imperfect system – or nothing at all?

It was at that very point that Apple and Google launched their joint Exposure Notification Service (ENS), a tool that mitigated the Bluetooth on smartphone operating systems, but it required a “privacy-preserving”, decentralised infrastructure.

“The HSE had to go live with what they had or delay the project and switch across to the Exposure Notification Service. So they made the choice to go with the Exposure Notification Service, because it fixed the Bluetooth issue, and really you did want something that worked on people’s phones. You didn’t want to have to do a load of marketing message around: don’t lock your phone, keep the app open. It wouldn’t work, no matter what message you put out there,” says Harte.

“So that, effectively, was not far off a restart of the project – to reorganise everything into a decentralised model, integrate the app with Google APIs. And that’s the version that went live in the end.”

Many other countries also opted to make that switch in their tracing app development.

Effectiveness

Of course, a contact tracing app is not a panacea for tracking a pandemic, and there are factors other than technical wizardry that deem any technology a success or failure. The app’s accuracy is difficult to assess, given the limitations of Bluetooth as a tool for measuring distance – something for which the technology was not designed. But testing conducted by the Irish team suggested an accuracy rate of 72%.

In June 2020, Chief Information Officer (CIO) of the HSE, Fran Thompson said:

“The design of Covid Tracker App has been informed by a robust development and testing programme. The app development process here in Ireland has been led by the HSE and the Department of Health, in collaboration with the Government Chief Information Officer and An Garda Síochána, together with technical partners from the Irish private sector (Expleo, Nearform, Information Security Assurance Services Ltd. (ISAS), and EdgeScan) and scientific partners from Science Foundation Ireland. Results from our testing programme have shown that the app was able to accurately detect 72% of close contacts using the Google Apple API.”

Says Harte: “What you can balance is your preference for false negatives versus false positives. Our view would be that it’s better to err on the side of false positives – so you get a notification but you aren’t really within the right distance to somebody, but worst-case scenario, you get a test and you’re told you’re negative. As opposed to false negatives where you potentially are a positive, and we don’t tell you.”

Adoption

Another factor in determining the success of any contact tracing process is public cooperation and, in the case of a voluntary app, widespread adoption is key.

“There’s no magic number [of downloads] that you have to get. I know there’s been a lot of stuff in the media about the 60% [adoption] figure. A lot of that was taken out of context, so it was 60% if you were doing nothing else. If you had nothing else in terms of trying to stop the pandemic you would need an app that gets 60% or over to be effective,” Harte explains.

The HSE reported a million downloads within 48 hours of the app’s launch – but Harte cautions against any attempt to rely solely on the app for contact tracing.

“It is very much something that augments the manual contact tracing – it was never intended it was something that was going to replace it. It’s the manual contact tracing that actually drives the whole process, because it’s the manual contact tracing that kicks off asking someone to upload their keys when they have tested positive, which then will kick off the close contact notifications for people that are putting down those keys.”

The HSE’s contact tracing process involves a call notifying the person of their results, assessing their health, advising them to restrict their movements and collecting details of anyone they have been in contact with since 48 hours before the onset of symptoms. Each identified contact is called to inform them they have been in contact with a confirmed case, and both they and their household are advised to restrict movements for 14 days after that contact took place.

Privacy

HSE contact tracing is provided for under the Infectious Diseases Regulations, and therefore permitted under the GDPR. The Covid-19 contact tracing process was based on an existing system for the management of notifiable disease.

An HSE spokesperson insists that privacy is therefore no different during the pandemic as it was before.

He says: “Our handling of privacy issues is covered by SOPs [standard operating procedures] developed prior to the introduction of GDPR that have been updated to cover the additional requirements of GDPR. These cover data sharing with other government departments for the purposes of reporting, modelling and planning Covid-19 response and Covid-19-related research. They also cover Data Privacy Impact Assessments for new processing internally and processing joint data controllers (other government departments and other HSE units).”

The spokesperson adds that the app was developed using privacy by design approach.

He says: “This process included working with privacy experts throughout, carrying out a Data Protection Impact Assessment that was submitted to the Data Protection Commissioner for review and feedback, publishing the source code, and designing an app that required users to share the minimum amount of anonymous data with the HSE. The cross-governmental group overseeing the development ensured that the contact tracing functionality of the app could be used without the need for users to share any PII with the HSE.”

Harte describes the importance of building in privacy to the app’s design:

“At the time, there were definitely media articles around the whole privacy aspect: could you trust it, what sort of data are the government going to have, are they going to be able to identify where everybody has been and who they have been in contact with – that would be not good from a privacy perspective,” he says.

Yet for Harte, there was nothing fundamentally troubling from a privacy perspective with the team’s original plan to roll out a centralised system as opposed to a decentralised one:

“It’s not that centralised is inherently wrong or flawed; it’s not. There’s lots of systems out there collecting quite a lot of data. They manage it in a careful manner. But I guess it’s got more potential for data leakage compared to a decentralised system.”

However, he concedes, a decentralised system has been an easier sell.

“The decentralised model was being pushed as: no, this is much better from a privacy perspective, everything stays on the user’s phone, the government doesn’t have any visibility as to who’s in contact with who. So that was a significant factor. We kind of went with the mantra of: collect as little amount of data for as short a time as possible.”

For example, the team avoided third party analytics, “Which is unusual when you’re building an app, because normally you want all those things in your app to actually understand how it’s working, and how it’s behaving, and how people are using it,” he explains.

The app utilises consent to allow users to opt into features – there are multiple points where this can be withheld – and links to the data protection notice are included. No personally identifiable data is stored in the back-end system, and the user’s phone number is optional for onboarding but, if supplied, it’s stored on the device and not a server. There are efforts in place to prevent the user’s IP address from making it all the way through the back-end system, so if the servers were accessed, they would contain nothing to identify individuals.

“It’s not that centralised is inherently wrong or flawed; it’s not”

“Right now, if you had access to the database and could see everything, there’s nothing in the database that would allow you to identify where data came from,” says Harte.

In early July, however, the Irish Council for Civil Liberties (ICCL) and Digital Rights Ireland (DRI) issued a “Pre-Release Report Card” on the app, revealing misgivings about both its clear and limited purpose and statutory oversight. For the former, the app was awarded a “D”, on the grounds that:

“European data protection guidance says Covid-19 apps must pursue a single purpose of contact tracing to alert people potentially exposed to Covid-19. Unfortunately, location data and symptom tracking extend beyond this single purpose,” according to ICCL’s Information Rights Director, Elizabeth Farries.

The app fared slightly better for statutory oversight, receiving a “C”: For statutory oversight, experts have given the app a “C”:

“We would question the legal basis of consent the government appears to be relying on under the GDPR. Furthermore, long term, we are very concerned that Google/Apple will have ultimate control over most of the EU’s Covid-19 app ecosystem, and not our governments,” said Digital Rights Ireland Director Antóin Ó Lachtnáin.

Of fundamental importance, Harte explains, is transparency. Penetration tests, security audits and code reviews were initially conducted by an external security company, and several organisations across the world have since also looked at the code and system. All the code is open sourced.

“We’re happy to keep doing that as we engage in different places, because if somebody can find an issue we’re more than happy to fix it, and just it makes the system better,” he says.

All HSE documentation related to the app’s privacy – for example the Data Protection Impact Assessment and other compliance assessments – is open sourced on GitHub.

“European data protection guidance says Covid-19 apps must pursue a single purpose of contact tracing to alert people potentially exposed to Covid-19. Unfortunately, location data and symptom tracking extend beyond this single purpose”

“I think that openness around these type of projects does help reassure people that it is taking privacy into account, it’s not doing anything nefarious under the hood that you need to be alarmed about. The app doesn’t do things like track location, so there’s no access to GPS, any of that kind of stuff. It’s as privacy preserving as we can make it. And we’re constantly looking at it to see if there are other things we can do to improve it,” says Harte.

Here, the ICCL and DRI’s Report Card agrees, commending the HSE and Department of Health’s “good faith efforts” towards transparency.

Collaboration

Cross-border collaboration has been central to the app development process; conspicuously so at the pre-Apple/Google ENS stage, where governments were grappling with the Bluetooth issue early on, says Harte.

“Everybody had gone in with Bluetooth pretty much, but we were all hitting the exact same issues, so there was a lot of collaboration and cooperation in terms of: has anybody got this working, what ideas do people have? You get various messages going, oh, such a country thinks they have it figured out and then you realise they haven’t,” he recalls.

With the adoption of the Apple/Google ENS in many jurisdictions, consensus has increased, he says, as interoperability across jurisdictions hit the radar of governments and developers.

“I haven’t come across any countries that are taking a very sort of… oh no we’re not telling anybody what we’re doing or how we’re doing it. Any conversations we’ve been involved with have been very much about sharing information and here’s the approach we took, here’s the issues we have faced, here’s the configurations we’re using. It has been very open and transparent from that perspective.”

The technical side of designing interoperability into an app is not difficult, according to Harte. The challenges arise when agreeing the legal side of the data sharing piece, made simpler by the fact that only anonymous keys and identifiers are shared, and no user data is shared between regions.

“[A concern] potentially would be if you were identifying the fact that you’d had close contact from somebody in Northern Ireland versus the Republic, because that could narrow down the pool of people that potentially may have infected you. We don’t support that – so when you get a notification, the app doesn’t know whether it came from a Republic of Ireland key or a Northern Ireland key. But even from a server perspective, we don’t know. All we know is you got a notification, we don’t know who the source was in terms of which set of keys triggered it,” Harte explains.

“There’s always a balance here, because there’s a certain element of: actually wouldn’t it be useful to know how effective this is, since the fact that it’s interoperable cross-border, wouldn’t it be nice to know how many we were picking up? But you’re balancing that against that case of, but then does that allow you to identify individual people?”

Another challenge with interoperability is ensuring that data received from other countries meets the same criteria. In Ireland and Northern Ireland, for example, only people who test positive for Covid-19 are able to upload their data. But if a jurisdiction allows people to upload data based on self-assessment, then that could pollute the data set.

“There’s things that we can do there technically in terms of, yes you may bring on a country and then decide actually no I don’t want their keys for whatever reason, but other countries may want them. So you have those kind of capabilities,” says Harte.

The ecosystem of Covid-19 data gathering is one of balancing pragmatism with morality; ethics with efficacy. And contact tracing apps across the global display these issues in microcosm.

Says Harte: “The epidemiologists would love to have more information in general because it just helps them in understanding the spread. I think for them probably…. they would have preferred [an app that was] centralised. All the data you get out of knowing the index patient and the people that index patient has affected is all gone in a decentralised model; you don’t have an index patient. So it’s more difficult for them from that data analysis perspective. But again, what you’re balancing that against is the whole privacy piece.