Protect Scotland is the name given to our nation’s new COVID-19 contact tracing application. I’ve researched this pretty thoroughly and as far as I can tell, from a data security, technical and privacy perspective the app gets a clean bill of health. I’ve downloaded the app myself and encourage everyone who can to do so.
You can download the app from the Protect Scotland website which has links for both iPhones and Androids.
How does it work?
The contact tracing app being recommended by our First Minister is based on a collaboration by Apple and Google. This collaboration was necessary to ensure a reliable notification service is tied to the Bluetooth hardware on your phone in a way that allows it to consistently poll for the people around you. This lets it build a picture of who you’ve come into contact with. It uses BLE (Bluetooth Low Energy) to ensure minimum impact on battery.
Now, assuming for simplicity that everyone has downloaded the app on a compatible device, the idea is that as you walk along the road and pass people, your phones are broadcasting an anonymous key, and collecting the keys of everyone else. This is all done locally, and nothing is sent over the internet.
If the app sees any given key for more than 15 consecutive minutes, it tallies that up as a “contact”, and stores the key on your phone for two weeks. After two weeks, it ages out and is deleted. If a key disappears before hitting that 15 minute mark, it’s never stored in the first place.
Assuming you later test positive for C19, the NHS give you a code to enter into your phone. When you do this, your phone notifies the NHS server and uploads its “contacts” – the list of keys it has stored as a result of the above process. The NHS will then send a notification to those devices. Those people should then self-isolate, or book a test themselves if they show symptoms.
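To make the three rules above concrete (a key only becomes a “contact” after 15 consecutive minutes, a key that drops out earlier is never stored, and stored keys age out after two weeks), here is a small Python model of that local contact log. This is an added illustration written for this post; it is not code from the Protect Scotland app or from the Apple/Google framework. The one-minute scan cadence, the three labelled keys and the timestamps are constructed for the simulation, and real keys are opaque random values rather than letters.

```python
from datetime import datetime, timedelta

# Thresholds exactly as the post describes them.
CONTACT_THRESHOLD = timedelta(minutes=15)   # a key must be seen this long, uninterrupted
RETENTION = timedelta(days=14)              # stored contacts are deleted after two weeks


class ContactLog:
    """Local, on-device record of nearby keys. Nothing here touches the network."""

    def __init__(self):
        self.streaks = {}    # key -> time the current uninterrupted run of sightings began
        self.contacts = {}   # key -> time it crossed the 15-minute mark and was stored

    def scan(self, now, keys_seen):
        """Process one Bluetooth scan: `keys_seen` is the set of keys heard at time `now`."""
        for key in keys_seen:
            # Continue an existing run, or start a new one at this scan.
            start = self.streaks.setdefault(key, now)
            if now - start >= CONTACT_THRESHOLD and key not in self.contacts:
                self.contacts[key] = now          # 15 consecutive minutes: store as a contact
        # A key that was not heard this scan loses its run; if it never reached
        # 15 minutes, nothing about it is kept at all.
        for key in list(self.streaks):
            if key not in keys_seen:
                del self.streaks[key]
        self.purge(now)

    def purge(self, now):
        """Age out contacts older than the retention window."""
        for key, stored_at in list(self.contacts.items()):
            if now - stored_at >= RETENTION:
                del self.contacts[key]

    def stored_keys(self):
        """The list that would be uploaded if the owner later enters a positive-test code."""
        return set(self.contacts)


def simulate():
    """Constructed 30-minute walk with three nearby phones, scanned once a minute."""
    log = ContactLog()
    t0 = datetime(2020, 9, 10, 8, 0)          # constructed start time
    for minute in range(30):
        now = t0 + timedelta(minutes=minute)
        seen = set()
        if minute < 20:
            seen.add("A")                     # present for 20 uninterrupted minutes
        if minute < 10:
            seen.add("B")                     # leaves after 10 minutes: never stored
        if minute < 8 or minute >= 12:
            seen.add("C")                     # drops out at minute 8, returns at 12 for 18 minutes
        log.scan(now, seen)
    after_walk = log.stored_keys()            # {"A", "C"}
    # Two weeks and an hour later, everything has aged out.
    log.purge(t0 + timedelta(days=14, hours=1))
    return after_walk, log.stored_keys()


if __name__ == "__main__":
    print(simulate())
```

Key “C” is the instructive case: its first eight minutes are discarded when it goes out of range, and only the later uninterrupted run of 18 minutes makes it a stored contact. Everything in the log is evaluated and discarded on the phone; the only thing that ever leaves the device, in the flow the post describes, is the stored-key list after a positive-test code is entered.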
Issues
Like all complex subjects, there are some nuances worth highlighting.
- While Protect Scotland’s app is currently free from security and privacy issues (as far as I can tell), this is of course only true of the actual Protect Scotland app. I can’t vouch for how the Welsh or English apps will pan out.
- Similarly, other countries might use the Google/Apple framework in vastly different ways that do introduce security or privacy issues. Please bear that in mind when thinking of other apps already out there. This isn’t a blanket recommendation.
- The Apple/Google framework allows for more than just the bare minimum contact tracing and there’s already been some discussion around whether future iterations of the app might include new functionality, such as location tracking for verifying self isolation or symptom tracking. Of course, features like those might well break the privacy-first model I’m discussing here.
- I cover this in greater detail in the FAQ (see below), but the Bluetooth signals that contact tracing relies on are certainly not 100% reliable, so there’s a realistic chance of false positives, or worse, false negatives.
- With point #4 in mind, please remember that contact tracing is just one extra element of our defence against COVID-19. Don’t over-rely on this technical solution – continue to practise social distancing, wear a mask, wash your hands, adhere to the official advice on groups and so on.
Frequently Asked Questions
Is it private?
Yes. Nothing the NHS stores is identifiable. Also, there’s no location data sent or associated with a key. So when the NHS notifies your “contacts” after you test positive, it doesn’t know who it’s notifying, or where they are. So yes, it’s written with privacy front and centre.
Why would I trust a government-built app on my phone!?
There are a number of really positive factors which will help you overcome your inherent seditionist, insurrectional impulses here, never fear!
- The app is open source. This means that you can read and review the source code that underpins the app, to see what it does and doesn’t do. Here’s the link: https://github.com/NES-Digital-Service/protect-scotland. If, like me, you can’t read or understand React Native and Typescript (which is how the app is written), then at least we can put some trust in the fact that others can and they will no doubt call out any bad behaviour they see.
- The app is decentralised. This means that nothing is stored by NHS servers by default. In fact, only if you enter an NHS-provided “tested positive” code to your app is anything sent at all. Even then, only the encrypted keys of your “tracked contacts” are sent.
- This is almost the same app that Northern Ireland deployed back in August. In fact, it’s written by the same company (Nearform), who have deployed variations of this decentralised app for Ireland, Northern Ireland and Gibraltar. So it’s had plenty of time to address criticism and incorporate improvements before the NHS brought them in for Protect Scotland.
So you can retire the tinfoil hat! There’s no evidence here of shenanigans.
Does it actually work?
There are mixed reports on this. An Oxford study showed that, assuming that the contact tracing mechanism is reasonably accurate (more on that below), we need around 60% of the population to use a contact tracing app before we stop the pandemic completely. However, that same report notes that even if only as few as 15% use it, it still has a positive effect on reducing cases.
A few days after its launch, during the First Minister’s COVID-19 briefing, Nicola Sturgeon reported that the app has been downloaded 900,000 times. With Scotland’s population estimated around 5.5M, that puts us at nearly 17%, which is pretty encouraging for an app which at that point had only been available for just over 4 days. That’s already over the threshold that the Oxford researchers suggest will make a difference.
However, critics of contact tracing include the ICCL (Irish Council for Civil Liberties), who created a fairly damning report card of the Irish government’s version of Protect.scot. They challenge some of Ireland’s assertions around the use of the app, but at least give it a (mostly) thumbs up from a technical and privacy perspective.
The app that Protect Scotland delivered appears to be a fork of Ireland’s app, which is good, but even better, without the problematic symptom-tracking features which the ICCL so heavily criticised. Additionally, the Scottish government haven’t made unsubstantiated claims about the efficacy of this app, which was another criticism levelled at Ireland’s HSE.
My phone is too old!
Possibly: you have to be running iOS 13.7, or at least Android 6 (Marshmallow), to use the app. In practical terms, that’s an iPhone 6s or above, or pretty much any Android phone that isn’t more than five years old. Google are (for once!) ahead of the game here, since that Android 6 release was the first version to incorporate the Google Play Services framework that the new notification system is using. So it’s just an app update, rather than needing a whole new feature baked into the OS, which was the case for iOS.
Note: Some articles suggest that iOS 13.5 is enough to support the app, but I suspect that this was before the Apple/Google API was updated to its current version (1.5). Your mileage may vary, but recent reports do suggest that 13.7 will be required.
Will my use of Bluetooth earbuds/headphones/speakers interfere with the app?
Definitely not. Even classic Bluetooth could support up to 7 simultaneous connections, but BLE supports up to 20. You can read more about how BLE beacons work here.
But it’s otherwise a perfect system?
Ha, good god no. If only that were true. Or even possible.
The First Minister is coming under fire because the NHS chose to use Amazon Web Services to host the servers which perform the notifications for Protect Scotland. Since Amazon are commonly criticised for not paying taxes in the UK, this has caused some outcry. It’s a ten year deal too, which might give you an indication of how long the Scottish government expects to need contact tracing!
Also, while the app is open source, the notification API that Google and Apple created is still closed-source, so there’s some secret sauce going into the mix there. That might affect, for example, how the notifications are encrypted, or how the random keys which denote your phone are generated. We can still observe the end results of that encryption or key generation, but if the API were open source, the entire process could be audited for mathematical integrity. Apple and Google have so far announced no plans to open source their joint API.
Finally, there’s some doubt as to whether those Bluetooth Low Energy broadcasts are accurate enough to paint a consistent picture of who you are in proximity to. Technically BLE can work at up to 30 metres away, although most uses revolve around reducing the broadcast emission to just 15cm for things like pairing headphones or earbuds. In the worst case scenario here, you might be notified incorrectly that you’ve “been in contact” with someone who tested positive, when in fact you were just waiting for a bus and someone on the other side of the road (who later tests positive for COVID-19) was also waiting for a bus!
While that scenario is inconvenient, at least it’s not life threatening. Because of course, the other worst-case scenario is not being notified, which is. So while I agree that there are technical challenges to this solution, it’s still better than nothing and I believe it increases our chances of containing the threat.