Design a site like this with
Get started

COVID contact-tracing app in England and Wales: functionalities, incentives, risks

Unitelma Sapienza invited me and Dr Shaira Thobani to talk about COVID-19 contact tracing apps in Italy, England, and Wales. This was part of the YouKey Talks organised by Dr Roberto Sciarrone and Mr Stefano Oporti’ to better understand the relationship between our countries in the time of Brexit.

How does the app work

The app used in England and Wales has four main functions. Firstly, it uses the Apple Google exposure notification API To notify you if you’ve been near a risky contact. This is the same API that the Italian app Immuni uses. The idea here is that no central database of individuals and their connections to other people is maintained.

The Exposure Notification system is a ‘decentralised’ contact tracing system, based on the DP-3T protocol developed by a consortium of universities including Turin. 

The second function that the app has is a QR code system for checking in to locations. This is also partially centralised, and is based on code from New Zealand.

When you check-in to a location, which had printed a QR code from the government website, Your phone will store that location in memory. Every few hours it will download a list of compromised places, and your phone compares against them.

While over 1 million QR codes have been generated by UK companies and venues, this system is actually not been used in practice, meaning the government has not triggered many venues in the system at all (after a month of operation, only two signals had been sent out, which may not even have corresponded to real places.)

The third service is a way to order a coronavirus test, and receive the results, along with a countdown timer.

The fourth service is a indicator of the risk area that your postcode is currently in.

How is the uptake incentivised?

Uptake is incentivised by the legal requirements around the QR code system. Scanning a code is an alternative to writing details down. As many companies had a very cumbersome login process, the QR code system is ostensibly much easier.

Furthermore, companies offering certain services are obliged to put up QR codes and two have them present as an alternative to written contact tracing details (which must also be possible to do).

There is also an advertising campaign.

In earlier iterations of the app it was hard to claim self isolation compensation when notified by the app as opposed to by manual contact tracers over the phone. This has been fixed. 

Is the app effective?

We are still awaiting full assessment of the effectiveness of an app.

Initially, people thought that you need 80% of smart phone users, but that number has been revised downwards with further modelling. It is a difficult thing to model because you also need people who know each other to have the app, so if it has a high prevalence among young people then that’s okay. The idea of the app is to stop less vulnerable people ever visiting those older vulnerable people, not to Notify those older people when it’s too late. 

The main challenge the app is faced is that the testing system has not been well integrated with the authentication needed to trigger a positive situation in the app for somebody who has tested positive. That is the most difficult part and it hasn’t received the focus it should’ve done from governments.

Privacy risks

•The earliest version of the app used a different protocol which was centralised. This meant that your phone would constantly emit an identifier which would not rotate, meaning anybody could track you across space once they saw you once, and which could be decrypted into your phone’s ID by the central authority with the master key, which was managed by a combination of GCHQ (Government Communications Headquarters) and NHS England/DHSC (Department of Health and Social Care). 

This would also mean that users of the app would find themselves located in a centralised social network of who saw who. This could be used to deduce political groups, affairs, family, or more. Other people would be uploading data about whether or not they were near you, and that would allow very sensitive country level data to be constructed. There is no good reason to believe, given the epidemiological features of the virus, that this data would be useful for tracking the disease. 

Lastly, the government could install small Bluetooth sensors at places like supermarkets or train stations to enforce quarantine for those who had a phone committing such an identifier, as they would know who it was that was walking past. 

However, in June, the government switched to a decentralised model which does not suffer from these problems, as the numbers emitted are random and rotate, and no one ever uploads information about each other. 

The main risk that remains with a decentralised system, which is also present with a centralised system (as it is an inherent feature of any mobile phone powered contact tracing system) is that if you go around and sniff peoples identifiers and work out to who may correspond (e.g. get them alone and know how to identify them in person while also carrying a Bluetooth sensor) you will be able to find out if they have a test positive during that period. This is because the identifiers that you collected will be sent to your phone for checking later on once they test positive. However, this is a difficult attack to do because they’re phones everywhere and they confuse the signal, and it requires specialist hardware. Furthermore, you only learn something which you may have found out anyway given any social interaction with that person.

Risks beyond privacy

While most of the discussion around contact tracing systems has focused on privacy and data protection, their use also has wider implications for individuals and communities, particularly in the case of mobile apps. These concern legality, moral responsibility and community, autonomy, and democracy, which even expansive conceptions of privacy and data protection may not fully accommodate. (Pila 2020)

Datafication (Brown and Duguid 2000) threatens democracy: when people become the object of technology, and everyday life and experience become grist for capitalist and political mills, important questions arise about what is humanly desirable, what it means to be human, and who gets to decide (Jonas 1979).

It is the very nature of advanced technologies to generate new centres of formal and actual power that elude democratic control and remain largely inaccessible to citizens (Somsen 2009). The result is precisely the types of power asymmetries that breed corporate and political authoritarianism and indifference to individuals’ lives.

Covid-19 provides new opportunities for governments and organisations to consolidate their power at the expense of citizens (Pila 2020).

The importance of civic engagement

Winner (1992) argued that, for a mix of intellectual and social reasons, the design and development of new technologies is an insufficiently democratic activity

The proposal for greater civic involvement in each is compelling given the interests and values at stake.

The second version of the Covid-19 app was developed with input from ‘diverse stakeholders’, including public health and data protection authorities, civil society organisations, and ‘volunteers who provided a patient and public point of view.’

By contrast, the development of version 1 was attributed to ‘a team of world-leading scientists and doctors’, drawing ‘on expertise from across the UK government and industry’, and involving ‘experts from the National Cyber Security Centre

Questions that require a different kind of expertise, and wider opportunities for public involvement in social choices regarding technologies


Brexit precluded the app from becoming internationally interoperable As the European commission decided to copy all the data across borders rather than interoperate in a more minimalist way (like we suggested).

Because they are paranoid this might be personal data, or health data, (even though there is a strong argument that it isn’t based on its technical characteristics and inability to identify people) then they did not establish the interoperability agreement through their “gateway” with the United Kingdom. They also did not with Switzerland for the same reason. 

Published by guidonld

I am Associate Professor of Intellectual Property Law and Privacy Law at the University of Stirling, Faculty of Arts and Humanities, where I lead the Media Law and Information Technology Law courses. I am an expert in the legal issues of Internet of Things, Artificial Intelligence, cloud computing, robotics, and blockchain. Holder of a PhD (Unipa), a postdoc (QMUL), and an HEA Fellowship, I have a strong publication and bidding record and my works on Intellectual Property, Data Protection, Information Technology Law, Consumer Protection, and Human Rights have been cited by the EU Court of Justice’s Advocate General, the House of Lords, the European Commission, and the Council of Europe. Outside of the University of Stirling, I am Director of ‘Ital-IoT’ Centre of Multidisciplinary Research on the Internet of Things, Visiting Professor at the University of Macerata, Fellow of the Nexa Center for Internet and Society, Fellow of NINSO Northumbria Internet & Society Research Group, and I serve on the Executive Committee of the Society of Legal Scholars, the oldest and largest society of law academics in the UK and the Republic of Ireland. Most of my publications can be downloaded for free on SSRN, ResearchGate,, and LawArXiv.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: