The NHS’ original contact tracing app fell foul of privacy concerns, and could not be made to work without Apple and Google’s support. But, Lucie White (Leibniz University Hannover) argues, based on a forthcoming paper with Philippe van Basshuysen (LUH and LSE), the NHS’ strategy could have allowed for faster tracing and thus more effective epidemic mitigation.

Digital contact tracing was initially sold as a crucial means of reopening society safely after the first lockdown. Scalable, able to instantly record contacts, and to provide immediate notifications, it had many advantages over cumbersome and complicated manual contact tracing. Most contact tracing apps use Bluetooth signals to gauge the duration and proximity of contact with others in real time. If you report on the app that you have COVID-19, your close contacts during the period of infection can be instantaneously alerted, replacing “a week’s worth of manual contact tracing” and perhaps even achieving “epidemic control”.

These hopes, however, were not realised. The problems plaguing the rollout of the NHS’s app have been well documented, but apps across Europe — even where development and release ran smoothly — have been similarly disappointing. They certainly did not prevent the need for further lockdowns, as the current situation in Europe shows. Does this serve to reveal the limits of technology in solving complicated societal problems? Or would it have been possible for contact tracing apps to live up to their initial promise?

There is consensus that two factors are essential for the success of a COVID-19 contact-tracing app: uptake and speed. Various suggestions have been proposed to increase uptake: incentives, an opt-out system, to making use of the app mandatory. But could it have been made faster? Individuals become infectious shortly after they are themselves infected with COVID-19, and a substantial amount of virus transmission occurs before symptom onset. This means that any delays in notifying potentially infected individuals puts them well into the period of infectiousness, often with no indication that anything is amiss. Delays of even half a day between symptom onset and notification of contacts can render a COVID-19 app unable to provide an effective means of containing an epidemic.

One obvious way to reduce this delay would be to allow users to report COVID-19 symptoms on the app immediately upon experiencing them, without a confirmed test result. Even if tests had been readily accessible in the early days of the pandemic, it would not have been possible to seek a test and receive the results within this small window. Unfortunately, the problems with allowing self-reporting are just as clear — chief among them, how could we prevent the system from being overrun with false positive reports? If contacts could be directed into isolation on the strength of a self-report, this could lead to conditions approaching a general lockdown.

We could mitigate this by requiring a follow-up test within a few days of reporting — allowing erroneously isolated contacts to be released without a full two week wait — but any shortages or delays in testing would undermine this strategy, as would the failure of users to submit a subsequent report. Another option would be to keep track of “clusters” of infection. Did a positive report result in (a sufficient number of) subsequent infections? If not, it could be identified as a probable false positive, allowing the notification to be rescinded. This strategy would both ease the burden on testing capabilities and deal with the problem of non-reporting users. It would, however, require keeping track of who has been in contact with whom over time — which would require collecting this information (in a pseudonymised form) on a central server.

This is exactly what the NHS had in mind when developing its initial contact tracing app. But this approach was effectively ruled out by Apple and Google in their insistence on only providing support for “decentralised” contact tracing apps. Without it, the NHS’s app could not be made to function effectively, and they were forced to pivot to a decentralised configuration. Apple and Google’s approach was lauded by privacy advocates, as their concerns rapidly began to dominate the debate on digital contact tracing. Developers of decentralised contact tracing apps argued that minimising the amount of information stored on a central server resulted in an app that was both “privacy-preserving” and “abuse-resistant”, and, furthermore, that the central storage of any further information was simply not necessary for the app to achieve its goals. As these arguments captured the public imagination, other countries, such as Germany, quickly switched to a decentralised app configuration. However, both of these contentions are open to challenge. Decentralised contact-tracing apps face their own potential problems with breaches, and the significant advantages that centralised systems can offer in terms of speed — and thus efficacy — did not feature in this debate.

This is not to say that the NHS’s original plans were by any means perfect, or even that they could necessarily have been made to work at all. They would have still led to (albeit short) periods of erroneous isolation, which could have ended up being too numerous and disruptive. Even countries such as France, which managed to develop a functioning centralised app, did not allow for reporting without a positive test. The concerns raised by privacy advocates about possible breaches and misuse of information in centralised systems are legitimate, and thought needs to be given to how they can be mitigated. But in hindsight, following months of disruptive and economically devastating general lockdowns, or confusing and ineffective local measures, it is worth asking whether we should have been more willing to consider radical and experimental pandemic containment strategies rather than half-measures. Certainly, this should serve as a warning against a myopic focus on privacy at the expense of other factors.

This post represents the views of the author and not those of the COVID-19 blog, nor LSE.