Cianan Brennan: Ireland gets it right for the wrong reason

The Government U-turn on its Covid-19 tracing app happened because the tech giants forced them to, rather than any nod towards best practice, writes Cianan Brennan.

Cianan Brennan: Ireland gets it right for the wrong reason

With the production and implementation of a coronavirus tracking application for the Irish public close to implosion, one has to ask why the State insists on making things so very difficult for itself.

The search for an app to bring Covid-19 to heel here is being frustrated at every turn by modern day privacy principles — not least because if there is a wrong decision to be made, you could bet the farm on us making it.

Covid-19 tracker apps were all the rage internationally during the first phases of the coronavirus pandemic.

The thinking is simple — with a virus for which there is no vaccine, a solution has to be found to get people back to work before the economy implodes entirely.

We weren’t long getting in on the act, with the HSE confirming at the end of March that a new app would be available “within 10 days”.

That was more than a month ago. The latest we’re hearing is that the app will now be available by the end of this month, but you should take that particular morsel with a full cellar’s worth of salt.

The reason for that is the goalposts with these apps are moving on an almost daily basis, and until we start paying attention to best practice we won’t be able to produce something that has even the slightest chance of working.

The initial format the app was expected to take — one in which all data would be stored in a centralised database, presumably with the HSE as data controller — has been labelled as a passport to “privacy hell”.

As is so often the case in such matters the data protection experts of Ireland cried foul, loudly and at length.

As is pretty much always the case, no one listened.

Then Google and Apple got involved, as well they might given that the two companies’’ entire business model for phones is predicated on users trusting their devices and appsto guard their personal lives effectively.

The two American giants took one look at the centralised model, and opted to instead endorse the alternative DP3T (Decentralized Privacy-Preserving Proximity Tracing) format — which likewise emerged in recent weeks and which sees any data gathered stored locally on a user’s device.

Straight away Ireland had plumped for the losing team. To be fair, the State (finally) reversed course last week courtesy of an 11-page memo on the subject delivered to Minister for Health Simon Harris.

Just two countries in Europe continue to persevere with the centralised system — Britain and France. You only have to look across the Irish Sea to see the utter hames that the British Government has made of its own application to see what we’ve managed to avoid.

The latest leak from Westminster on the subject concerned the idea that Her Majesty’s Government had convinced Apple to “relax” its own application rules in order that the NHS app could run in the background of people’s iPhones — something centralised apps have not been able to do. Apple quashed that story in double quick time, saying it was “wrong”.

But if you thought all this meant that Ireland was done making silly decisions, well, you haven’t been paying attention.

We are now developing the app on the back of a decentralised approach, with those using it exchanging contact data with other users via bluetooth handshakes. Unfortunately that’s not all we’re doing.

The new app, known in its initial guise as CovidTracker Ireland, has retained a suggestion first put forward by the HSE in early April that it would collect the symptom data of its users. To do so, it’ll be asking for access to the location settings of the devices it’s installed on — a privacy red flag of the first rank.

Again the various privacy experts around the country called foul.

The Government insists that it has no interest in that location data for anything to do with contact tracing. But this is irrelevant.

What happened on Monday was of more significance though — Apple and Google issued updated policies regarding their own tracking framework, which Ireland is set to follow.

One of those policies states that any app seeking to track a user’s location, or even to ask for permission to do so, will be banned from the companies’ app stores.

The Irish Examiner asked both the HSE and the Department of Health if this development would not surely kill the Irish app stone dead in its current guise. No direct answer was forthcoming.

So why has the State decided to create this ’’Swiss army knife app’’ when the direction of the European Data Protection Board (of which our own Data Protection Commission is a member) is that these apps should be used for contact tracing and nothing else?

To answer this you need to look at the situation from a different perspective — rather than apportioning credit, the decision to adapt a decentralised approach was forced upon the Government in no uncertain terms by the actions of Google and Apple. If we don’t follow their lead the resultant product simply won’t work. We had no choice.

Meanwhile, the decision to give the application features that it doesn’t need, and that will probably reduce its effectiveness if anything, is straight out of the Public Services Card playbook. The Office of the Government Chief Information Officer, a subsidiary of the Department of Public Expenditure and Reform which ran the ill-fated PSC expansion project, is heavily involved in the production of our tracker app.

Depending on who you talk to, this Office has for some time been calling the shots on this, not the HSE or Department of Health. It’s an entity addicted to secrecy, and not one that changes its mind easily. But as we have seen once already, with Apple and Google involved, it may have little choice but to abandon location tracking.

Minister for Health Simon Harris’ 11-page memo on the app stated that consultation with “GDPR experts” had led to the decision to adopt a decentralised approach. No one knows who they are. The DPC is not mentioned once in that document.

Despite incessant calls for same, the State has yet to commit to publishing the data protection impact assessment(s) concerning the app, or its source code so that we may all see what the application actually does.

The memo stated that just 25% of uptake may be necessary among smartphone users to make the app work, an estimate about 35 percentage points below what all the experts believe is the optimum level.

Little of the espoused rationale behind the app makes sense, and transparency is nil, despite the Government’s acknowledgement that public trust is key in order for the app to function in any way.

More on this topic

Coronavirus wrap: Premier League testing boost as Djokovic shares US Open doubtsCoronavirus wrap: Premier League testing boost as Djokovic shares US Open doubts

Places of worship set to reopen in the UK for private prayer from June 15Places of worship set to reopen in the UK for private prayer from June 15

Higgins pays tribute to 'remarkable' nurses' response to Covid-19 crisisHiggins pays tribute to 'remarkable' nurses' response to Covid-19 crisis

Nine further Covid-19 deaths and 24 new cases - NPHETNine further Covid-19 deaths and 24 new cases - NPHET