Why did the UK get their Covid-19 tracing app so wrong and Finland get it so right?

Koronavilkku.fi — The Finnish Covid-19 tracing app

England and Wales are launching their “NHS Covid-19” app today. The UK government has so far been utterly incompetent at creating a reliable national contact tracing app and getting people to support it. The contrast is especially galling after I witnessed how Finland launched theirs in August with a million downloads in one day. I wanted to get to the bottom of why this is, so I did a quick layman’s comparison in terms of technological execution, political process, budget, and communication strategy.

🇬🇧 United Kingdom:

The UK government has been working on an app since February 2020. From the beginning, the process was politicised. There were major doubts as to whether the app would be done by the book and there were serious privacy concerns.

THE PROCESS WAS SET UP AS A SHORTCUT TO POLITICAL VICTORY

• The app turned into a political pissing contest: The NHS Test and Trace project was seen as a test for the Conservative government and criticism towards the project seemed to be split entirely along party lines. The existing political rift led to the app being talked about either as a massive success by the Tories or a dismal failure by everyone else.
• Experts and facts were ignored: In April, the information commissioner revealed she had not received a data protection impact assessment from the government, a legally required step for any “high risk” data processing. 177 UK computer security and privacy experts signed an open letter raising transparency and mission creep concerns about the app.
• The pilot was a failure but offered no learnings: A goal was set at 60% of the nation’s population downloading the app for it to be an effective tracing tool. In May, Matt Hancock, the Health Secretary, started a 3-week pilot on the Isle of Wight in May (43% downloaded the app), promising very optimistically that the UK would have an app by the end of May. The Isle of Wight version of the app did not have the feature to allow people to enter Covid-19 test results, positive or negative, so their contacts couldn’t know whether they had been in contact or not. The results were ignored.
• Contracts were murky and not put up for competition: Contracts were awarded to technology companies without being put out to competitive tender. Two untendered companies were linked to Cambridge Analytica and the Vote Leave campaign — Faculty and Palantir, who were tasked with building the government’s centralised ‘COVID-19 datastore’.

THE WHOLE THING LOOKED LIKE A SPYING APPARATUS

• They were going to collect everyone’s data in a centralised database: In April, Matthew Gould, the head of NHSX, confirmed that the UK’s app will collect information centrally — and without necessarily anonymising users’ data. This was because they wanted to possibly use the information for public health research in the future. It was evident at this point that this wouldn’t work on Apple’s and Google’s devices. Simply put, they do not give apps permission to broadcast Bluetooth signals in the background if that data is going to be shared with others.
• There were serious concerns the personal data would leak: Some of the UK’s most prominent security and privacy experts warn the app could be used for surveillance once users logged symptoms and became traceable. It would expand government access to the ‘social graph’ — data about you, your relationships, and your links with others. In the eyes of the public, a massive data leak or the government spying on citizens is not so outlandish after recent scandals.
• Communication strategy — obfuscating and scaring the users: The app was talked about in the media, in several shows and newspapers. The conversation mostly revolved around the government not revealing enough information, security concerns, and whether professionals have been consulted enough. The government could not justify why they needed to collect people’s location data and what they would do with it, which raised suspicions. PM Boris Johnson announces the NHS Test and Trace program on 27 May without a functioning app and says that if the app requires that you quarantine yourself, you could get fined £1,000. If you were on the fence on what to think of this app, you were definitely not going to voluntarily download something that could get you fined.

IMMENSE COSTS WITH LITTLE IN RETURN

• The app was badly designed technologically: According to the UK Health Service Journal, the app was not fit for inclusion in the NHS’s own app library, had not passed basic cybersecurity tests, and was still “wobbly”. The app also used much more battery because it needed to be woken up every time another app user comes close. Every user’s device would have constantly sent data back to NHS servers.
• An expensive army of human tracers required: If you are identified as having been in contact with someone who’s tested positive, you would get a call every couple of days from the NHS Test and Trace service: 18K contact tracers recruited by Serco and Sitel (15K callers + 3K public health staff) costing around £200M. Immediately in April, the government missed the opportunity to hire 5K experienced tracers employed by the UK councils (municipalities).

This poll was conducted between Aug 4–24, 2020, and received 850 votes by The Engineer.

• £12 million in sunk costs: On 18 June, Matt Hancock announces that they are ditching the app they had been building for months. and starting with a new one that would use the Exposure Notification system supported by Apple and Google, where personal data is decentralised i.e. saved on your phone. His official reason was that “the app doesn’t work well with Apple”. The unofficial reason, as someone online put it, was: “Apple and Google refused to give us your location data, and we made a bollocks of gathering it ourselves. So reluctantly we’ve had to make do with a system which doesn’t tell us who you are or where you’ve been.” £12 million was spent on the scrapped app made by VMWare Pivotal Labs. Faculty’s centralised ‘COVID-19 datastore’ was never put to use. Meanwhile, as a temporary solution, there’s a QR-code system, where you have to log in to every place you visit.
• The second app launches today: The new app, which doesn’t collect personal data, is to be launched today, September 24th, in England and Wales. The Google/Apple exposure notification system is better for privacy, better for battery life, and better for sitting in the background and not having to keep the app open. Scotland and Northern Ireland have their own apps. The technology should be fine in the new app, but there is still the issue of public trust. Using the app, signalling your location, sharing your test results — it’s all voluntary. Getting sufficient numbers of people to use the new app will be a challenge. After this hot mess, it’s hard to see people volunteering their information.

🇫🇮 Finland

Generally, Finnish people trust their institutions much more than almost anywhere else. They trust the media to be (mostly) impartial and tech literacy is high. That said, if the Finnish government had handled the publishing of their tracing app as poorly as the UK, the result would have been a failure. Instead, the app, which was catchily branded as Koronavilkku (‘Corona blinker’) was a massive success even by pedantic Nordic standards.

THE APP WAS TREATED AS A TECHNOLOGY PROJECT

• The process was transparent and not politicised: It was announced by the social and health ministry of Finland in June that a tracing app is going to be made. There was no political disagreement on the main issues. Regarding details, politicians and legislators had been consulted on the legal issues surrounding a tracking app in April.
• An honest tender: The tender ended in July; won by Solita. The favourite to win, an app by Reaktor and Futurice, which had a successful pilot, and had been in development since the start of the year, was deemed as less financially viable. A date was set for the app to be launched in August.

SOMEONE ASKED WHAT THE USERS WERE WORRIED ABOUT

• Individual privacy was prioritised: Rather than government data centers, Finland chose a decentralised approach. The app was created using the internationally validated Google/Apple exposure notification system. It was made clear in the media at the start of June that the app will not collect personal data, location dates or social graph information.
• An open-source app: The app’s source code was published before the launch to facilitate the independent evaluation of the application. The app was assessed by the National Cyber Security Centre and independent cybersecurity companies like F-Secure and Nixu.
• Communication strategy — alleviating fears: Getting a critical amount of the population to download the app (50%) was crucial. The main messaging around the app was around dissipating any fears that people might have. The Finnish Institute for Health and Welfare (THL), Solita, and the National Cyber Security Centre went into detail publicly to explain how the app works and how it’s built. If the app alerts you of contact with an infected person, you would not be put in quarantine automatically. It would be your choice to inform healthcare via a completely different reporting site (omaolo.fi) that you are experiencing symptoms, which would lead you to book an appointment with a doctor. It would be up to a doctor to tell you to self-isolate. By the end of August, the whole country was talking about the app with the silly name and looking forward to downloading it.

BANG FOR YOUR EURO

• €147,000 — astounding value for money: The trial use of the Koronavilkku app began on the 4th of August. The app officially launched on the 31st of August. 20% of the population (1M) downloaded the app in a day. Officials had hoped to reach that level in a month. The app has now surpassed 2 million users, which would be about 50% of smartphone-using adults. In the first half of September, 35% of people diagnosed with Covid had reported it via the app. The estimated budget for the app was €3.2M, Solita built it for €147,000.

Downloads of the Finnish COVID-19 tracing app and as a percentage of the population.

• Europe-wide contact tracing in the future: Kirsi Varhila of the Finnish Ministry of Social Affairs and Health said a second phase of the app may include integration with similar tracing apps running in other EU states. This would make it possible to see if you have been in contact with people using the other European tracing apps. Czechia, Denmark, Germany, Ireland, Italy and Latvia are testing the integration. Hopefully managing travel between countries in the EU will be made easier soon.

–Erik Mashkilleyson