Everything you need to know about the new NHS contact tracing app

The app behind the NHS Test and Trace project failed. A second NHS Covid-19 app was released on September 24. Here's how it works

Test, track and trace. That’s been England’s mantra for fighting coronavirus since the first peak. But things haven’t exactly gone to plan.

As coronavirus cases have surged in the autumn the country’s testing regime has been thrown into disarray. This all happened after the first attempt at an NHS Covid-19 contact tracing app was scrapped.

Now, after months of delay, England is finally getting a Bluetooth-based contact tracing app. It aims to alert people when they have been near someone who has tested positive for coronavirus, allow people to check their symptoms, try to book a test and ‘check-in’ to places they visit using a QR code system.

The contact tracing app is due to launch in England and Wales on September 24 after being trialled in Newham, London and on the Isle of Wight. Scotland and Northern Ireland previously launched their own contact tracing apps.

How to download the NHS contact tracing app

The NHS Covid-19 contact tracing app for England and Wales is available to download now for Android and iPhone. It's free to download from Google Play and the App Store. But how does the app work and what data does it collect? Our in-depth guide has everything you need to know.

So what is contact tracing and how does it work?

Contact tracing is a well-established method for controlling the transmission of diseases – for instance, it's used with sexually transmitted infections, including HIV. The process involves a person who is infected recounting their movements and activities to build up a picture of who else might have been exposed.

This is crucial with Covid-19. The virus is highly infectious, symptoms can take several days to appear and people may also be asymptomatic, passing the virus on without knowing they are carrying it.

Contact tracing done by humans involves an interviewer asking a person who is infected with Covid-19 where they have been and who they have been in contact with. From here it’s possible to get in touch with those people who potentially have the virus and ask them to self-isolate and take a test.

In England, if you test positive for coronavirus you will be contacted by the NHS Test and Trace service – this will be done via text message, email or phone. When contacted by text or email, people are sent a link to the NHS Test and Trace website to enter details of recent contacts. These details can also be shared over the phone. As well as names, contact tracers will also ask for the email addresses, home address and phone numbers of those who may have been exposed to Covid-19.

The contact tracing system will then get in touch with people who may be at risk of contracting the virus to tell them they are required to isolate for 14 days. People should isolate whether they are ill or not. From September 28 it will be illegal for people not to self-isolate once they have been contacted by Test and Trace and the government can issue £10,000 fines to people who break the rules.

How does the NHS contact tracing app work?

Contact tracing apps aim to automate the human process by using your smartphone. If successful, an app can alert people about their exposure to people infected with Covid-19 faster than human contact tracers. In theory apps could be a useful tool to quickly get people to self-isolate and limit the spread of the virus. The main issue? Contact tracing apps are new and their effectiveness is largely unproven.

The NHS contact tracing app – like other similar apps around the world – uses a form of low energy Bluetooth to identify phones nearby (these are referred to as encounters). The app uses Bluetooth signal strength between different devices to estimate the distance between people. When someone tests positive for Covid-19 the system can send out alerts to people they have had encounters with. These alerts tell people that they should self-isolate.

Not everyone will be alerted to self-isolate. Only people who have been assessed as being involved in “high-risk” encounters will be notified. High-risk contacts are determined by a few pieces of data that are fed into the app’s risk algorithm – however, generally someone is likely to be at increased risk of contracting the virus if they’ve been within two metres of someone who has tested positive for more than 15 minutes.

For calculating people’s risk scores the app uses distance (via Bluetooth strength), time around a person and details about when their symptoms started. The last of these is based on information that can be inputted into the NHS app. The distances used for calculating risk scores fall into three categories: close (within 0-2 metres), medium (2-4m) or far (further than 4m). These distances are not precise as the actual measurements may vary depending on where you are and where your phone is placed.

The NHS has detailed how its algorithm works and says the distance is measured between people every five minutes. The risk levels are calculated by how long you spend near a person across an entire day. The team behind the app is also able to change the threshold of the risk score – this threshold is based on the R number, the desire to reduce false positives, testing, and “the importance of building public trust in the value of the app”.

Very little personal information is collected by the NHS contact tracing app – it’s free to download from both Apple and Google’s app stores and people don’t need to create an account to use it. There’s no way, or need, for people to provide their name, email address, or telephone number when using the app. The app does not collect people’s location data through GPS.

When the app is opened for the first time it will ask people for a small amount of data and for permission to use a couple of a phone’s features. It asks for the first part of your postcode (SW16, for example) so NHS officials can analyse where the app is being downloaded and provide risk updates for where people live. “This data will be used to understand where the virus is spreading, and how fast it is spreading in different locations,” the NHS says.

The app will also ask for permission to use Bluetooth, so the contact tracing tech can work, and for permission to access a phone’s camera, so people can scan QR codes.

So how does the app work if it doesn’t collect personal data? The system works by using two different codes. Each day it creates a new code for your device which is stored on your phone. Then every 15 minutes it produces another random code that is shared and stored on the devices it communicates with via Bluetooth. All of these codes are deleted after 14 days.

When someone tests positive they can allow their phone to share the daily codes with other app users. The app does this by sharing the codes related to your phone with a central Department of Health and Social Care (DHSC) server that pushes the codes to every other phone with the app installed. Any codes sent to the DHSC server are deleted after 14 days. If there are matches and the risk score is high enough, people will get an alert saying they’ve been in touch with someone who tested positive.
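How the on-phone matching and the risk threshold described above fit together, as an added sketch that is not the NHS app's or Apple and Google's code. The HMAC derivation of the 15-minute codes, the band weights and the 15-minute cut-off are assumptions for illustration, and the encounters are constructed.

```python
import hashlib, hmac, os
from collections import defaultdict

ROTATION_MIN = 15     # page: a new broadcast code every 15 minutes
RETENTION_DAYS = 14   # page: codes are deleted after 14 days
SAMPLE_MIN = 5        # page: distance is measured every five minutes
# ASSUMED weights; the page names the three distance bands, not their weights.
WEIGHTS = {"close": 1.0, "medium": 0.5, "far": 0.0}
THRESHOLD_MIN = 15    # ASSUMED cut-off, after "within two metres ... more than 15 minutes"

def band(metres):
    """Map an estimated distance to the page's close / medium / far bands."""
    return "close" if metres <= 2 else "medium" if metres <= 4 else "far"

def broadcast_code(daily_code, slot):
    """ASSUMED derivation (HMAC-SHA256), standing in for the real scheme."""
    return hmac.new(daily_code, b"slot-%d" % slot, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily = {}   # day -> daily code, kept on the phone
        self.heard = []   # (day, code, metres): one entry per 5-minute sample

    def advertise(self, day, minute):
        """Code broadcast over Bluetooth at a given minute of the day."""
        key = self.daily.setdefault(day, os.urandom(16))
        return broadcast_code(key, minute // ROTATION_MIN)

    def hear(self, day, code, metres):
        self.heard.append((day, code, metres))

    def purge(self, today):
        """Drop every code that is 14 or more days old."""
        cutoff = today - RETENTION_DAYS
        self.daily = {d: k for d, k in self.daily.items() if d > cutoff}
        self.heard = [h for h in self.heard if h[0] > cutoff]

    def check(self, published):
        """Match server-published daily codes locally; return days over threshold."""
        score = defaultdict(float)
        for day, key in published:
            codes = {broadcast_code(key, s) for s in range(24 * 60 // ROTATION_MIN)}
            for d, code, metres in self.heard:
                if d == day and code in codes:
                    score[day] += SAMPLE_MIN * WEIGHTS[band(metres)]
        return {day: s for day, s in score.items() if s > THRESHOLD_MIN}

def demo():
    """Constructed encounters: Bob 1.5 m away for 20 min, Carol 5 m away for an hour."""
    alice, bob, carol = Phone(), Phone(), Phone()
    day = 100
    for minute in range(600, 620, SAMPLE_MIN):
        bob.hear(day, alice.advertise(day, minute), 1.5)
    for minute in range(600, 660, SAMPLE_MIN):
        carol.hear(day, alice.advertise(day, minute), 5.0)
    published = list(alice.daily.items())   # Alice tests positive and shares her daily codes
    return bob.check(published), carol.check(published)

if __name__ == "__main__":
    print(demo())
```

The server in this sketch only ever sees the daily codes of someone who tested positive; who was near whom is worked out on each phone.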

If you book a test via the app it will generate a code that lets people link their test results with the app automatically. These test codes are deleted 24 to 48 hours after they’re created.

The app isn’t just about Bluetooth contact tracing though – this is where it differs from other apps around the world. It also allows people to check their symptoms against a list of current Covid-19 indicators provided by England’s chief medical officer. These include high temperatures, a new continuous cough, changes to sense of smell and taste, and more. Entering symptoms will result in an indication of whether someone will need to self-isolate.

The app also allows people to order a test through the NHS Test and Trace website, offers a countdown of how long people need to self-isolate for if they are doing so, and can provide risk levels in people’s local area (based on the first part of their postcode).

The way the app deviates most from others around the world is through its use of QR codes. Through an in-app camera function, which you will need to give permission to use, it is able to scan QR codes at venues and log where you have been. The government has made it possible for pubs, restaurants and other venues to create their own QR codes through a generator on its site.

Like the rest of the app, QR codes don’t send any information to a central server and they don’t store people’s personal information. They exist as a way for people to remember where they have been, in case they need to tell contact tracers their activities. The QR code function can be turned on and off in the app and it’s possible to delete the records they create.

QR code check-ins are stored on a phone for 21 days – this allows for 14 days for the virus to appear and seven days when people are most likely to be infectious.

Why does the app send multiple notifications?

The app should only send notifications to people when someone they have been in contact with, for more than 15 minutes and at a distance of under two metres, tests positive. This is the threshold the app has set for alerting people about possible Covid-19 exposure. In these cases people will be asked to self-isolate.

However, there is also an issue with the NHS app that sends notifications to people when they do not need to self-isolate. The Apple and Google-led system can send exposure logging or exposure notifications that say people may have been exposed. The NHS says these are default messages from the Apple and Google technology. Nothing happens when they are clicked.

These phantom notifications have caused some confusion about people’s exposure to people with Covid-19. However, the NHS app has introduced a second notification that is sent at the same time. This says: “Don't worry, we have assessed your risk and there is no need to take action at this time”. The Department of Health says that people only need to self-isolate if they are told to do so within the app.

What happened to the original NHS contact tracing app?

The NHS contact tracing app released in September is the second version of the app. After months of development and trials in the Isle of Wight the first iteration of the app was scrapped because it didn’t work properly. England decided to go its own way with developing its contact tracing app and initially shunned technology from Apple and Google in favour of its own method.

NHS officials decided to build a centralised system whereby data from phone interactions where symptoms were reported was sent to a central database. But by trying to create its own implementation of Bluetooth contact tracing, the NHS could not get the same accuracy as if it was using Apple and Google’s software.

Through testing, it was found the original app struggled to detect iPhones. Apple’s iOS pushed the app to the phone’s background and as a result it could only detect four per cent of iPhones it came into contact with, compared with 75 per cent of Android devices. In tests conducted in the UK, the Apple and Google system spotted 99 per cent of handsets.

The second version of England’s app uses Apple and Google’s technology and favours a decentralised approach, where data isn’t stored in a central server. All data about people’s interactions is stored on individual phones instead.

How are Apple and Google involved?

The ecosystems of Apple and Google are fundamental to the NHS app. The app uses the Apple and Google exposure notification system to conduct Bluetooth contact tracing. This is done through an API and requires some of the latest versions of the Android and iOS operating systems to run.

Apple and Google created the API in the early months of the pandemic and did so to ensure that as little data was collected as possible. The companies have favoured a method that puts people’s privacy at the forefront of the system. This is, in part, to stop Bluetooth contact tracing technology from being used maliciously.

The exposure notification system is built into Android and iOS and can only be turned on when it has an app from a government or health service installed. It’s this system that generates the codes linked to phones and interactions with other devices.

“The functionality of the Google/Apple API was assessed alongside rigorous testing of the original app,” the NHS says. “The government decided that the Google/Apple approach had the highest likelihood of achieving the stated goals, while collecting the minimum data necessary.”

Will the app be compulsory?

Downloading the NHS contact tracing app is not compulsory. Within the app there is an option to turn off the contact tracing setting, which is advised for people working in healthcare scenarios.

You can also delete the app if you decide you do not want to use it any more. Once the app is deleted from a phone no notifications will be received from it and the data stored on the app will be deleted.

Who built it and what happens to my data?

No, not Dominic Cummings. The app has been developed by the NHS and NHSX, the innovation arm of the health service, under the direction of the DHSC. There have been a number of other groups involved in the development of the app.

The NHS has published a list of all the organisations involved in the app: Accenture, the Alan Turing Institute, NHS Digital, NHSX, Oxford University, VMware Pivotal Labs and Zuhlke Engineering. The UK's National Cyber Security Centre (NCSC) has also provided technical advice to those working on the app. The app’s development is being led by Gaby Appleton, a former director at academic publisher Elsevier. Appleton took over the management of the app in October and replaced former Apple executive Simon Thompson.

As fact-checking organisation Full Fact has pointed out, Serco is not involved in the app. The outsourcing firm has been involved in other parts of the test and trace programme but not in the creation of the app.

All the source code behind the app has been made open source and is available on GitHub. There’s also a privacy notice and data protection impact assessment on the government’s website. These detail how the app handles information and the methods used to create it. For the first version of the app, these documents were not published until the app had already been tested.

Four types of information provided to the app can be considered personal data – something that can lead to the identification of an individual – under data protection laws. These are: the postcode district entered when installing the app, symptom information, QR code data and the two codes generated for the contact tracing system to work. “The App has been designed to use as little personal data and information as possible,” the NHS says in its privacy documentation. “All the data that could directly identify you is held on your phone and not shared anywhere else.”

The NHS says that its central system is being hosted by Amazon Web Services and The Health Informatics Service (THIS), which is based at the Calderdale and Huddersfield NHS Foundation Trust to provide test results to the app. It also adds that no third-party trackers that can gather people’s personal information have been added to the app.

In addition, no information is being passed from app users to any of the human-led contact tracing efforts around England. The app’s privacy policy, however, says: “An option being considered is to allow app users the choice to send data held on their phone to contact tracers”.

Will the NHS contact tracing app work?

Whether the contact tracing app will work or not is the big unanswered question. Contact tracing conducted via Bluetooth has only been introduced during the pandemic and is largely unproven.

There are a number of risks with the app. The rate of false positives is important – these are cases when the app believes people should self-isolate but the prediction is incorrect. The first version of the app planned to use self-diagnosis for people who were “positive” with coronavirus, but the second version relies on test results. This reduces the chance of malicious activity, although the risk of false positives is still real. Self-reporting is still used for symptom checking features in the app.

As Bluetooth wasn’t built for contact tracing there’s a chance that measurements may be incorrect. No evidence has been published on how the system works when objects are in the way of Bluetooth signals – meaning that people could be asked to self-isolate due to close contact despite the fact that they were standing on the other side of a wall from someone with Covid-19. There is also no consideration of whether risk scores should be calculated differently when people are outside, where the risk of virus transmission is lower.

But for the app to stand a chance of being effective it needs to be downloaded and used by as many people as possible. Trust in the government will play a big part in this. At the start of the pandemic modelling from the University of Oxford found that if 60 per cent of smartphone users downloaded and used a contact tracing app then it would be possible to “stop the epidemic”.

The latest modelling from the Oxford researchers, alongside those from Google and Stanford University, says that downloads may not need to be that high for an app to be useful. “In a model in which 15 per cent of the population participated, we found that digital exposure notification systems could reduce infections and deaths by approximately eight per cent and six per cent,” the researchers write. The study was based on contact tracing technology used in Washington state in the US. When combined with human-led contact tracing the overall system could be even more effective, the researchers said.

“Our results suggest that both interventions are helpful in counterbalancing the effect of reopening, but are not totally sufficient to offset new cases except at very high levels of adoption and manual tracing staffing,” the research paper concludes. “As a result we believe that continued social distancing and limiting person-to-person interactions is essential.”

Contact tracing apps may be one small way of reducing Covid-19 spread. Equally important are robust testing and human-led contact tracing systems. All of these elements need to be functioning correctly to control the spread of the virus.

AFP has crunched some of the data on the success of other contact tracing apps. At the start of September, the German app had been downloaded 17.8 million times from a population of around 83 million and sent several hundred alerts in July.

France’s app was downloaded just over two million times by mid-August and sent out 72 possible contact alerts; Switzerland’s app is being used by 1.6 million people (out of a population of 8.5 million) and is said to be “signalling” 56 infections every day; Italy has also had some success with 5.4 million downloads and 155 positive declarations from June to August; 20 per cent of people in Finland downloaded its app in one day.

The country with the highest download rate is Singapore, which was the first nation to introduce a contact tracing app. The TraceTogether system has been downloaded 2.4 million times as of September 9. This accounts for around 40 per cent of Singapore's population. The country has also moved beyond the contact tracing apps by trialling a Bluetooth ‘token’, a wearable device, that people can use for contact tracing purposes.

Updated October 22, 2020 11:45 BST: This article is regularly being updated with the latest information about contact tracing in the UK. It was originally published at 10:30 GMT on May 5, 2020

Matt Burgess is WIRED's deputy digital editor. He tweets from @mattburgess1

This article was originally published by WIRED UK