 Pretty much everyone now seems to be agreed that the best way to exit lockdown is mass testing and contact tracing so that cases of COVID-19 can be isolated. It's also a given that the only way to do this on a large enough scale will be some kind of automated phone app. There is however controversy about what kind of app that should be and over the past couple of days this seems to have really kicked off on tech Twitter as I'm a bit out of my depth with anything more technical than doing a PowerPoint presentation or finding a hookup on Grindr. I'm delighted to have on the show someone who understands the back end of phone apps not just how to download them and why the government's choice of test and trace application has proven controversial. Alex Hearn is technology editor at The Guardian. Welcome to the show. Hello. Thank you for having me on. A real pleasure to have you on. I want to start with first principles for the basic among us like myself. How does a contact tracing app work? The way we're going with most apps these days, the current state of the art uses Bluetooth. It uses the same signal that my headphones are connected to the computer with. It uses the same signal that we use for most wireless accessories. Your phone under any of these contact tracing apps begins constantly transmitting a random identifier basically yelling into the for hi, I'm me, I'm here, remember me. Hi, I'm me, I'm here, remember me. Every other phone is listening out for those same random identifiers. This part so far is in common with every contact tracing app. Where things start to differ is what happens if you get COVID-19 and if you say I'm infected under one model, you tell the NHS, hey, I have COVID-19. Here's all of the signals I heard. Here's all of the other phones going, hey, I'm me. Here are their random identifiers. The NHS gets that list of numbers and then pings each of them going, oh, hey, we were told you might have been exposed to COVID-19. That model is called the centralized model because it involves the NHS having a centralized data, a centralized repository of the data of who's been exposed to COVID. The decentralized model is slightly different. Rather than my phone telling the NHS, hey, here's everyone I've heard, my phone tells the NHS, hey, here's all the random identifiers I've sent out. Here's all the names I've shouted into the void. The NHS gets that and then sends that to every phone saying if you've heard any of these names, you've probably been exposed. Go seek a test. The difference is that in the latter version, the NHS has no way of knowing whether anyone has actually been exposed to me. It doesn't have any information other than me sending them the list of what I've been yelling into the void for the last two weeks. That difference is the nudge of what the controversy today is about. If I've got this right, the NHS, they're saying we want to use a centralized system and the reason we want to use a centralized system is because all of this information, all of this data is incredibly useful. One of the reasons why the response to COVID-19 has been somewhat lacking is because the government have felt under informed. They don't know how many people have the app or how many people are even in contact with each other. If they get an app which passes them all the data, that's an absolute treasure trove which could be used to do amazing things with public health. The other argument is that that's giving the government way too much information and it's better to have a decentralized system which does nothing other than tell people if they've been in contact with someone who's had COVID-19 and it's very difficult for the government to infer anything else from that. Absolutely. That's like the principles-based disagreement here. The question of how much information about the pandemic do we want the government to have and to really see this, you can go for sort of the stark extremes. At one end, the extreme of an untrustworthy government having this data, you could well imagine a situation in which the government goes okay, well, this contact trace we can see resulted in 170 exposures over the last two weeks. That means this person has almost certainly been breaking the social distancing guidelines and so we should not only send out the contact alert, we should also refer this to the police because this is evidence of a crime under the lockdown legislation. That would obviously be a wild breach of the social contract under which these contact tracing apps would be done but it's the sort of thing that privacy activists are concerned about. At the other end, the decentralized model, you could end up with a situation where the NHS knows that there have been 700 exposures through this contact tracing app but doesn't know if that's resulted in 700 other people being potentially exposed to COVID-19 or 70,000 and it has no idea at what stage in the infection curve we're at, it gains no extra information and we are at the situation we're at now except we're trying to operate a fully open or at least reduced levels of social distancing without any extra data. It's easy to buy both of those arguments which is why actually the argument in the press hasn't really been about that complex principles-based difference. It's been much more down to brass tax will these apps work because there is a quirk to all of this which is that the decentralized model is backed by Apple and Google, the makers of the two main smartphone operating systems. They've built extra tools into their operating systems which will be launched in mid-May which will support the decentralized model which will make any app, any healthcare service around the world who builds a decentralized model work better, work smoother, fail less often and have effectively more and more accurate exposure notifications. By picking a centralized model the NHS has decided to go it alone. It's foregone the help of Apple and Google in building this app and it's opened itself up to potential problems, the worst-case scenario being what Singapore had when it built its equivalent app last month which was an app that simply didn't work if it wasn't unlocked on your phone and open on the screen. In other words, if you were playing Candy Crush no contact tracing, if your screen was locked no contact tracing, if you ran a battery no contact tracing but that's true for everyone but because your screen had to be on all the time your battery ran down faster. That's not a very good app even if you managed to get people to install it, if it doesn't do contact tracing it doesn't help. So there's the principle space layer but then way below that it's just does this stuff work? Can we build an app which actually gets these contacts and notifies people of potential exposure? And the issue there, so there's these sort of grand issues about decentralized versus centralized app but then there's this it's almost banal but probably the most important one which is about battery life right? So the Apple, the Apple and Google system they're going to allow it to work in the background so you're not using the app but it's still pinging out this Bluetooth information all the time but they're quite reluctant to let any app on a different centralized system have that same privilege. So if the NHS make their own centralized app, Google and Apple won't give them permission to constantly ping out Bluetooth information in the background so it will only really work if people are constantly on this app having it open which seems quite unrealistic. Exactly, to the NHS's credit based on what we've seen from the app that they're trialing in the Isle of Wight right now they've done a much much better job than a lot of other countries have in overcoming this burden. It looks likely that the NHS has built an app which does successfully run in the background for quite some time after it loses focus and manages through some nice you know coding basically to avoid being shut down to preserve battery life but there is still this fundamental problem that it doesn't have that get out of jail free card that Apple and Google are giving around. Now if we want to bring a principles led thing to that level there is the real question of who the hell are Apple and Google to tell the NHS what the best way to run a COVID tracing app is. Apple and Google are not epidemiologists, Apple and Google do not really have the authority to overrule a national health service on the best way to tackle an outbreak. Apple and Google have made a policy decision which is the decision that they do not feel comfortable supporting centralized apps and they're enforcing that through an engineering control which is that they get to build the APIs and they don't want to build this API. It's not some people have compared this to the question of whether they sort of break encryption for governments but it's not that simple because this isn't about asking them to build something that they haven't built this is about asking them to hand over a key that they've already got to the NHS and they're saying no but it's a questionable decision whether that is the right thing to do. And so in principle the government could say unless you let our centralized app run in the background on your phones we'll stop you operating in the UK. I mean obviously that'd be a really enormous game of chicken there because the government wouldn't be particularly popular if everyone's iOS or Android device suddenly stopped working. You can imagine a strange standoff going on. Yeah and to the UK government isn't the only government which is in this position. The UK government is reluctantly accepting its position as best I understand it. They have talked about potentially switching if it becomes clear that the Apple and Google approach is better but they accept that if they don't build with the Apple and Google approach they don't get help from Apple and Google. France's government is being much more fighty. France's digital minister has taken to the press multiple times to shout at Apple and Google basically and to go it is outrageous that you are not helping us with this. We need this who are you to say no which is a legitimate question who are they to say no. This is a healthcare decision at its heart and it's a decision of healthcare policy and it's not entirely clear why Apple and Google should have a veto over it. I suppose my final question of what are the sort of ideological dividing lines here because on one level this is a very technical question but at the same time I suppose if you ask most of our audience who do you side with in a fight you'd say let's go for the centralized NHS system versus the completely unaccountable Apple and Google system but at the same time this idea of a decentralized system with no central control is often quite attractive to our audience as well. I mean I've seen Guido forks coming out very strongly in favor of this decentralized Apple Android system. Is there an ideological question here or do you think the government are being overwhelmingly pragmatic? The government are being like Lord help me I don't like giving this government credit but they're being pragmatic. There's a few ideological schisms. There's the sort of privacy activist wedge which is where you get that unlikely alliance between Guido forks and a lot of the sort of libertarian left. The idea that generally speaking government collecting huge batches of data about every citizen might be a bad thing that can be abused. You don't have to look very far to see why that's the case. We're still going through the after effects of the hostile environment policy which has never formally been repealed or abused. But then there's another more interesting schism which is basically around how much you see this as an NHS policy versus a government policy versus very specifically a Dominic Cummings policy. People who view it as an NHS app and an NHS policy by and large bring positive attitudes to the NHS with them on that and view it in the narrative that the government wants it to be viewed at as a stay at home, install the app, protect the NHS, save lives. And that's a really compelling frame. Less trust comes if you view this as a government app. If you look at this as a very Matt Hancock sort of thing, the man who moved from the Department for Digital, Culture, Media and Sport over to the Department for Health and Social Care who loves building apps so much he built an app called Matt Hancock MP who set up NHSX originally as a sort of Matt Hancock skunkworks project and then gave it the app to build. If you view it as that, there's a little bit more doubt. And then if you hang out on FODP Twitter too much, the really hardcore Romaine Twitter, there's a view that actually all of this is linked very strongly to Dominic Cummings. That Dominic Cummings is the man who weaseled his way under sage that Dominic Cummings has weird links with the data community through his Brexit fiddling and that Dominic Cummings is now going to get his hands on the NHS COVID app data and what he'll do with that doesn't bear thinking about. Perhaps being unfair, but I don't think that's a particularly reasonable view. The evidence that I've seen doesn't suggest that Dominic Cummings actually is particularly linked to this but he's a fearsome bogeyman and people who hate him really hate him. And I think it does speak at the very least to a failure of government comms that they've not managed to push this app as a politically neutral NHS led thing that will be used exclusively and only for fighting this pandemic and saving lives because that's the message they need to be putting out because that's what they need to be doing.