Ep. 9: Where research transforms Covid and privacy
Host and Producer
- Dr Rosie Anderson, Research Fellow, Public Health Policy team, UCL
Dr Michael Veale, Associate Professor in Digital Rights and Regulation, UCL Faculty of Laws
Lord Tim Clement-Jones, Liberal Democrat spokesperson for Digital in the House of Lords
Natasha Lomas, Senior Reporter at Techcrunch
Hello, and welcome or welcome back to the podcast where research transforms lives. I'm Dr. Rosie Anderson. And every Thursday the summer, I'm inviting you to take a deep dive with me into the UCL research that has changed the world around you. In this episode, we're talking about one of the less obvious threats posed by the COVID pandemic, this time, not from the virus itself. This threat came from our human responses to it. And since we aren't just animals, but highly social animals, we're going to be talking about how our culture and our political institutions struggle to make sense of COVID, unbalanced democracy, privacy and individual dignity was protecting everyone's physical health. And if you're feeling a bit glum about public debate and politics right now, and who can blame you, and stay tuned. This is an example of Parliament working for the better, and that how crucial robust knowledge is to making good decisions in the public interest.
I've got a personal interest in this as my own PhD was in politics, and specifically looked at how appeals or emotional or more technical selves shaped the decisions we make as a society. In social research, moments of great change and moments of great potential for good Oriole. Think of it as standing on an underground station platform, watching trains go by for ages, and then one of them slows to a halt. Its doors perfectly aligned with where you happen to be standing by open and lots of possible futures step out, and you have to pick one quickly and shake it by the hand. While we were living through it, it was actually quite hard to think of the staff of COVID pandemic is more than just a threat to our physical well being. We were all quite rightly focused on surviving and staying well. But Dr. Michael Veale in UCL is Faculty of Laws, and his colleagues in universities across Europe could also see have a need to track how the virus has been passed from person to person had opened one of those dangerous doors, they could see how the government's interest in monitoring COVID spreading and technology companies interest and making bigger profits, could forever damage our individual right to privacy. That said, I put it to Michael, that the law lecturer is maybe not the first expert people would expect to be on that team.
Yeah, interesting question. So my research is around a mix of computer science, law and policy. So a lot of it's around privacy enhancing technologies, privacy platforms and power. What smartphones do don't do should do shouldn't do, for example, and how that intersects in the space between law policy and technology. And I'd be working for quite a while with different collaborators on privacy enhancing technologies, which are really just smart ways, in a way to have your cake and eat it to ensure that that data isn't unnecessarily shared or analysed beyond what you need to analyse it for. Yet, you can still make interesting uses of it. In the beginning of the pandemic, there was this really big fever for technological solutions, because we live in the 21st century, and people are attracted to technical solutions, particularly for intractable social and technical problems. And in the in that context, we saw different governments sort of looking, eyeing up different solutions, they were often doing it behind the scenes. So it wasn't always visible to the public at that time, and sort of March 2020, we were getting a bit concerned because the technology didn't really exist. And if they were going to make them in a really hasty way, they were going to have a really big impact upon upon privacy and power and do a lot more in the world than just contact tracing and Pandemic support, they could really, they could really do some harm. And so really through a series of, of your messaging groups, and so on, just on people's phones, we were all at home, myself and colleagues, banded together in very informal ways, just picking up a few people along the way to make a team that could develop a technology very, very fast that if it failed, wouldn't leave the kind of harmful residue behind. So it's an uncertain technology, we thought, let's make something that can use smartphones for contact tracing. But if this unproven technology doesn't function very well, and doesn't actually help the pandemic very well, then we're not going to leave behind a network of who saw who and who knows who in every single country that can be abused, particularly by regimes have poor human rights records. And so that's kind of how it came about. I was working with a mix of existing and new collaborators, which is important. If you're gonna deliver something at speed, you have to really know the people you're working with. That's quite important. And it sort of went from there. We developed this very, very rapidly as an idea and deployed it in a white paper and then in code and yeah, we'll talk about what happened after that.
As researchers, we are always thinking about how to balance our public mission to understand and acts law without participants right to privacy and dignity. But taking that debate to the court of public opinion right at a moment of crisis and danger, requires some bravery and great rigour plus a willingness to work politically and academically at the same time. Because of course, it wasn't just Michael and the DP three at universities vying for policymakers attention. Private software developers were already lobbying hard for their technology to be adopted by governments around the world. And as Natasha Lomas, a senior reporter with tech business website, TechCrunch explained to me, their interest in personal privacy is secondary to their mission to make money.
And governments seem to be very quick to sort of iron up the the technology companies as the great saviours and potentially the way to fix it. And they perhaps weren't necessarily front of mind on the privacy side. So it also that can also be true from the technology companies side, they're very keen to kind of show off what they they say they can do with these, you know, powerful technologies that they have. So I don't think it was necessarily that clear cut, release, especially that early on, because as I remember this, this sort of sequence unfolding, everything seemed to happen very quickly.
Well, it's not so surprising that private software and mobile tech companies would be offering COVID, tracing products to customers, which also handily harvest lots of valuable personal data is maybe less obvious why governments would be attracted to that. Their reasons are a bit more nuanced, and shine a light on the prevailing culture of governance and policy innovation in political life. According to Lord Tim Clement Jones, or Lib Dem, Pierre in the House of Lords, there was an implicit faith in big data as a technical solution to the profoundly social problem of disease transmission,
Lord Tim Clement Jones
they would have had no choice but to send our personal NHS. All that, you know, any details accumulated to a central point, and then, you know, this would have meant that they were on a single central database, which would have been been populated by the NHS, you know, for their own purposes. I mean, you know, I'm a great believer in using health data, but you've got to use it in a way that people have consented to and understand, you know, whereas this would have been completely it would have been just automatic.
If all of this talk of privacy and individual rights and governance harnessing health data from centralised apps to control people's behaviour sounds a bit abstract and paranoid. If it all seems a bit decadent when faced with a deadly infectious disease, then frankly, that's probably a sign you've had the privilege of not worrying about this before. And that privilege can be taken away. Anyone who's been trying to permanently delete their centralised menstruation tracking data in the wake of Roe versus Wade being overturned in the states will tell you, these abstract things can become very real once it's your body, your behaviour being policed. Fortunately, there were plenty of people in Parliament who shared those concerns with Michael and his colleagues, and Lord Clement Jones was one of them. In the early days of the pandemic, he and his fellow peers were watching NHS X. The UK's National Centre for digital and Data Innovation and health at the time, and the government's attempt to develop a tracing app with growing concern.
I'm not part of the health team in the Lord's, but I am a digital spokesperson. And so Michael contacted me about a bill that he wanted to promote, which is about safeguarding data and rights under from sort of undue action by government, as regards the new announced COVID app, the tracker app. And so it was really rather important that, you know, he clearly thought it's important that government should be, you know, conforming to this. And I said, Well, why? Why is that? And so then he got into, you know, briefing me really entirely about what I had no idea about, which was the difference between a centralised and a decentralised Tracker app. And the work that he had been doing with continental colleagues on what was called DP three t. And so I then agreed to ask a parliamentary oral question. And in the meantime, because written questions come, the answers to written questions come back rather quicker. I also asked quite a range of written questions about the whole thing. And then really, that led to government being extremely defensive, but I think they felt that there was you know, there was quite a lot of press Share on them. I mean, I got the answers back to my written questions sometime around the 20th. of May. So a bit of time was taken. And we had the, the oral question through, I think it's sort of early ish. In. Yes, we had the contact tracing app question on the sixth of May. So I think what must have happened was the oral or written questions, were follow up questions to the oral question, because we didn't think we'd had a particularly good answer. I mean, Bethel said in reply, in response to my question about what action they are taking to protect the privacy of users, and provide oversight of the NHS COVID-19 contact tracing app, and whether it met the web, the application met Apple's privacy standards for Bluetooth? Because I knew the answer to that, which was it, it didn't, and that they would ultimately fail with a centralised app if they continued down that road. But of course, the way the government answered the question, and it was to totally obfuscate VSU and say that they would been in contact with the Information Commissioner's Office, they're holding discussions with Apple and Google, etc, etc. But actually, I mean, he, this this, this was pretty misleading, because he said, the app uses this is Lord Bethel, the app uses only software development tools, and mechanisms that are supported by Apple and Google. Well, of course, at that time, we knew that wasn't the case.
How important was the research that Michael and his colleagues had been doing? I know, they've been working really intensively and rapidly on developing these protocols and, and building this case, but from a, from a political point of view, how important is that? Was that research to building the political case?
Oh, absolutely vital, because, you know, I'm having a, an alternative is the crucial thing. I mean, a, it made us understand that it was possible to have a decentralised app. And be. It demonstrated that, you know, that, of course, secondly, it demonstrated that Apple and Google were not going to go down the centralised route. Because it was clear that that was, you know, the case from the protocols. The expert opinion from people like Michael was that it wouldn't meet the protocols, and it turns out to be entirely correct. And, you know, that having the alternative and having if you'd like the, I suppose, the the sort of points in the bill to make, that we needed to make sure that citizens we're not, we're, in a sense, protected from the misuse of this app, I think was really important. And it you know, the government may not have listened at the time, but I think they came to realise that this was the only game in town, quite honestly. And it enabled the opposition by myself, Lord Scriven and a number of others, to raise the issue. If Michael hadn't raised it, we wouldn't have had a clue about DEP treaty, we wouldn't have had a clue about the incompatibility with Google and Apple, we wouldn't have had any understanding of the sort of real flaws in the centralised system. And the very practical application of the of the app that Michael had already developed. I mean, you know, that was the thing.
As Lord Clement Jones says there, it's not unusual for academics to raise concern about government policy. It often isn't enough though. Government is about finding solutions, and it's always hungry for them and needs them yesterday. So what was that alternative that Michael and his colleagues were building in parallel with NHS X's ill fated app? Michael spoke with Vivian Perry for an episode of UCL Coronavirus, the whole story about the process of designing the DP 3d protocol. And about finding a solution that only stored contact information locally on the user's phones.
Could we build a kind of system that would would help contact traces but which would would put privacy and Human Rights First, and we did this quite early on with with researchers, we effectively built something that public health authorities could use in apps for for Bluetooth connections between phones to see your phone and be near each other. But it would have the quality that no data would about you would be leaving your phone. So it can be done without creating a large central database of Who saw who the worry with that central database, I think was exacerbated during COVID. Because because of the great uncertainty, nobody really knew if technical interventions will work, or many of the qualities of this disease, and you could anticipate that if governments had access to really large sort of social graphs and networks of who saw who in society, that could, in many in the wrong hands become quite a coercive tool to allow a government to send certain people home, or allow certain people out of their houses in a very orchestrated way that could really have effects on on, on many groups, persecution and the like. So we were very concerned about that. It was very specifically aimed at times when individuals may have have spent time with somebody they don't remember or they might not know the name of. And, and it was designed to do so to alert these people rapidly. So we were still at that time, we still are learning about the exact dynamics of the disease, how quickly it spreads for how long it's contagious, how long it can be incubated the effects of asymptomatic individuals on the entire modelling of the system. So going back to the question of can AI save us one of the things that AI has done is it's really blinded a lot of people in computing to any alternative that isn't collecting a huge amount of data, and putting it all in one place. And seeing later on what you want to do with it. AI has not is not necessarily very good at predicting dynamics we haven't seen before. It's a pattern recognition system, it can't go beyond what it's seen in training data. And what we'd found really, as an alternative is to say, do you need to collect all this data? Or can you focus on a particular purpose, if you can make contact tracing happen effectively, and you want to do that technologically, you might not need to have data all centralised in one place, it can be kept on everybody's individual phones, there doesn't have to be a privacy or human rights trade off. We don't have to set aside human rights for the risk of COVID. We can actually have both. But that requires us to think about the problem we're facing really carefully. Say what are we trying to achieve with this technological intervention for contact tracing? And and how would we get there in a proportionate way, and that's where, where law, human rights data protection law can really be a pretty guiding force.
So to recap, DB three t, like other tracing protocols uses bluetooth to perform a handshake with other nearby mobile phones to track when we come into contact with COVID positive people. Unlike those competing protocols, the data about who we've been close to was never transferred to a third party. So it can never be tracked back to an individual. The DP three T universities had shown that it could be done and that it could be done better than the alternatives. But as we'll hear from law, Clement Jones in a moment, there were two other big elements that allowed him to use the DP 3d consortium of universities work to get a decentralised tracking app on Parliament's agenda. The first was that it was done with a commitment to transparency that no one else was showing at the time, whether for commercial or other reasons, the precise nature of the protocols and the data processing used and other contact tracing apps was not available for discussion and public scrutiny. By contrast, the emerging DP 3d protocol and all its code was up on GitHub for discussion and revision in real time. And in the light of day, this completely changed the policy landscape in those early weeks, as everyone scrambled for a contract tracing solution. The world could see that DP 3d worked, and most importantly, how it worked. The other thing that Michael did pretty much immediately was draft a parliamentary bill and begin showing it to his contacts. And that is how we approached him, Clement Jones, and if that sounds like an unusual initial step and research projects, it is, but time was of the essence.
I thought it I think it stimulated discussion in trouble is with bills is it's incredibly difficult in the laws to get a slot, the only way to do it is a private member's bill. It's not like in the commons, where you have a 10 minute rule bill, for instance, process where you can just simply table something pretty short notice, we can't do that. All we have is House of Lords Private Member's bills. So for my purposes, in terms of highlighting it, it was helpful to know exactly, you know, what Michael intended? And I remember reading the bill with interest. But, you know, is a question of really asking whether the safeguards were going to be enshrined in regulations, basically. And I think we did that with our written questions subsequently. Because, you know, for instance, as Michael explained when he first wrote to me, you know, the whole idea of the bill was to make sure that no one is penalised for having a phone or another device that Even house without the phone, failing to charge phone or whatever, no one's compelled to instal a symptom and contact tracing app, etc, etc. So, you know, it was trying to make sure that that we weren't going to be living in our surveillance state, really, it was open source, it appeared on the description appeared on GitHub, I think, pretty early for the DP 3g app. In contrast, to NHS X's work, which, you know, although we asked many times, when they were going to put it up on GitHub, I think it only came out very late in the day, if at all, I mean, the September, details came out on GitHub. But I'm I'm not sure that the centralised that details, developed, at first by NHS X ever came out. Actually, I think this is all about pennies dropping basically, of course, Michael, has brilliant contacts in the scientific field, and the tech field, I think the penny was dropping in the NHS X, that this was not a goer quite early in May, they wouldn't have started looking for somebody to develop a new app. Actually, if this hadn't been possible. And around June, late May, early June, there must have been finding somebody to do that. But you know, our pennies have to drop in all directions. So I think the scientists and tax tech guys were a penny was dropping there. But it had to drop amongst the politicians. And I think, you know, if you're a sensible politician, you you may Stonewall when you answer, but unless you it takes a you know, take on board what people are saying you're going to fall on your face if you're not careful because there are people out there who know what they're talking about. And it may be that Lord Bethel, despite the fact that he denied it vehemently, actually was taking some notice.
While Michael and his colleagues work was a truly global effort with global impacts. Here in the UK, it demonstrably changed the way we learn to live with the virus. I began this episode by saying that times of great upheaval or windows that open briefly, where long standing beliefs or habits can be changed, and societies can rewrite their rules. I finished my conversation with law Clement Jones by asking what the legacy of Parliament's fight for a decentralised COVID tracing app would be longer term.
During the health bill, we've had a whole debate with Lord Kamal, who is the new tech Minister taking over from Bethel earlier this year, or maybe even last year, about the governance of NHS data, because, of course, what's happening is NHS x, which is meant to be the safe harbour for health data is being amalgamated within NHS England. Well, we were pretty aggressive during the passage. This is Lord Philip hunt. And myself, we were fairly aggressive about this and said, Look, you know, you've got to safeguard NHS data, it isn't good enough just to roll the safe harbour, which is meant to be a separate, independent legal entity into NHS England because NHS England can mark its own homework. And, you know, we don't believe that is the way forward? Well, Lord Kemal was very cognizant of that. But two reasons I think, first of all, the COVID, Tracker fiasco and B, the whole question of the GP opt out last year, I mean, you know, there are other reasons, you could go back further and talk about care dot data, which was another problem with GP data a couple of years ago, you know, where lessons weren't really learned. But I think the things that would stay in the civil servants minds and Lord commands mind. And he was extremely good at engaging, I may say, Were those two incidents. And so I do believe that the COVID Tracker fiasco was really, you know, something that persuaded the the people in the in, in the Department of Health in particular, that they needed to do something about data governance, where it was much, much clearer. I mean, it's an absolute thicket of permissions and bodies requiring to give permission and so on. And it's very, very confusing for researchers. It's very confusing. For patients, it's very consuming for doctors as to know when they can release data. So, you know, I'm hoping and it's imminent, Lord to come out and gave evidence only on Wednesday to the Science and Technology Committee about this. That the new governance framework proposals are coming out very shortly.
That's all for now. I hope to see you next time when I'll be talking to Professor Kate Jones about how her research is helping to predict when diseases jump from animals to humans, and about how protecting the health of the planet is the key to protecting human health as well. If you can't wait until then, and want to hear more about the impact of UCL for search on society in the world, then why not take a listen to me at UCL presented and produced by our students. Finally, I'd like to thank our guests Dr. Michael veal, Natasha Lomas and Lord Tim Clement Jones, and of course you our listeners
- end -