COVID-19 Crowdsourced data. Track & Trace apps. Alibaba & WeChat. Apple, Google & the NHS.

--

During the last few months everybody became familiar with the visualisation of the spread of COVID-19 around the world.

Although news channels around the world were producing their own infographics to visualise the spread, it was Johns Hopkins University (JHU) that became the first reliable source of public dissemination of such data.

From day one, JHU had been sourcing data on confirmed cases, deaths and recoveries from every country (where possible) and was constantly processing, analysing and visualising those data.

Then came the realisation that each country would need more detailed data sets; localised information that would allow them to constantly track the disease, its spread and growth, especially in the large crowded cities, with packed public transport and poorer hygiene.

Chinese QR code (health passport). Credit: Access Asia

China’s compulsory data sharing

In China, the government implemented a compulsory scheme where people’s Alipay or WeChat apps provide them with what is essentially a health passport. Each mobile user gets a colour-coded QR code to indicate the risk they pose to others. Green means all clear, yellow is possible risk, and red means you are an immediate risk. Not surprisingly, in China, with a totally different culture and government, most people found this reassuring, as it meant they felt safer going to work or shopping.

The QR code is assigned to you, and it includes several parameters, among them where you have been in the last 2 weeks. Once at the entrance of a building, you need to scan another QR code that registers your presence. So a permanent record is created of when one entered or exited a building.

Another interesting fact is that existing platforms (like Alibaba) are used to provide users with the health code, but the implementation schemes are up to the local authorities. So the cities that participate in the scheme are responsible for its implementation and enforcement.

The media had already dubbed the QR code as an “Alipay Health Code”.

Alibaba responded by stating: “It is marketing language used for promoting usage. In reality, these are not Alipay-issued health codes, but rather are issued by governments.”

Each time a user enters a building, a market, the subway or a bus, they must scan their code. The understanding is that the more you scan the code outside your home, the more of a risk you become. So the app had started changing the behaviour of people, who would avoid going very far for shopping when they could do it closer to home, by walking or biking, avoiding public transport.

Although people were not forbidden from doing so, they were changing their habits in a manner that meant that the coronavirus spread could be brought under control.

Collection of people’s movements is not something new, and today, for the most part, we have directly or indirectly consented to large corporates collecting and analysing our travel history, patterns and behaviours.

In the West, by using Google Maps you are (anonymously) tracked if you have the app installed on a mobile device. In China you will be using Baidu.

Chinese New Year (Largest Human Migration). Source: Baidu

Baidu is famously creating detailed heat maps and travel maps of the largest human migration that occurs every year: the Chinese New Year.

During the pandemic similar data are important to governments and health authorities. These data can be anonymised or not, and they can serve different purposes in studying the spread of a virus. The non-anonymised data can track and trace the movements of confirmed sick individuals, and can be used to alert others that are not reported sick, to instruct them to self-isolate. This is micro-management of the data, as it creates correlations amongst smaller subsets. The anonymised data can help create correlations between commuting and travel data and the increase or decrease of cases in a city or other locality. This is the macro management of track and trace.

Crowdsourcing data

Crowdsourcing medical and health data is not something new. Websites and apps pre-existed the COVID-19 pandemic. Some very good examples of crowdsourcing and aggregating data are those of Flu Near You (https://flunearyou.org/) and Health Map (https://www.healthmap.org/).

Source: FNY

Interestingly, the numbers collected over the last 8 years by FNY match to a significant degree those published by the CDC.

Meanwhile … at home …

On the 27th April 2020, the NHS declared that they rejected the Apple/Google plan for a Coronavirus app and decided to go for a centralised solution that included the support of GCHQ and the advisory role of the NCSC.

The app had been delayed, then deployed for a trial on the Isle of Wight, but without any success.

The process was problematic from the start.

Developers who checked the Beta version of the code on GitHub found that there were many privacy concerns, mainly that the NHSX could not properly secure personally identifying data, and could not guarantee their promise that the data collected would not be used by the police.

Yesterday the NHS announced that they were dropping the plan and going for the Apple/Google solution. The government said that there is no date set for launching the new app and that it will probably be this Fall (remember that Fall actually starts on 22nd September and lasts until 21st December!).

So what went wrong with the NHS tracking app and how did we end up here?

In my personal opinion it was a series of systematic failures by politicians in government and civil servants at the NHS. Amazing, selfless and heroic as the front-line staff are in the NHS, the organisation does not have a reputation for managing change and managing data well. Previous experience as an Expert Witness with the NHS, and information about a recent incident of unauthorised access to medical records that has been kept quiet for months, make me believe that although the NHS should be the recipient and user of collected track and trace data, they should not be involved in its implementation.

The appointment of Baroness Harding and the contracts for the development of the app do not do any good for the public’s trust in the app and its usage. In cybersecurity circles, most people I spoke to saw this appointment as a joke that can only compromise public trust in the government and the NHS.

Not as much as three weeks later, we are where we are; time lost and no outlook for a solution.

Privacy & Public Health. Are there any lessons learned?

As usually happens, lessons like that are learned but easily forgotten.

One of the major issues in the sourcing of data and tracking was privacy. And all opposing voices just confused our governing masters. It was like Sir Humphrey saying “very courageous Prime Minister” to Jim Hacker, every time he wants the PM to change his mind about something.

I am an advocate of privacy and safety of data (and people). But for me, if you are faced with the binary choice of Privacy -v- Public Health, the latter is the only choice. At least during a crisis.

The problem with all this is that we are trying to fix things during the crisis, instead of being prepared for it. There was not an Incident Response Plan, and let’s face it, we were acting instinctively instead of having planned ahead and acting on the right Playbook. Now, we are trying to address privacy issues when we should only focus on people dying.

The pandemic will be over one day, as all previous ones were. But what we should take out of this ordeal (with regards to data gathering) is that we need to build a robust system, and legislate for it. Legislate on how data will be used during a state of emergency, install failsafe processes, and define what happens when the emergency ends. That is the only way forward. We need to have these processes in place before the next pandemic. So when the next one comes along (and it will come along) we shall not waste time debating abstract privacy issues that the majority of the country does not even comprehend or cannot put into context.

And for those of you who are concerned about who knows your whereabouts… just go to Google Timeline, log in with your Gmail account and find out how much Google remembers about where you have been and when. And if you are wondering why they know about you … you consented to them knowing when you installed Google Maps on your mobile phone.

--

Basil Manoussos, BSc, MSc, MBCS, ACSFS

Manager of The Cyber Academy, Edinburgh Napier Uni. Expert Witness & Cybercrime Consultant @ Strathclyde Forensics Ltd. Lecturer at UCLy & West College Scotland