Academics demand answers from NHS over potential data timebomb ticking inside new UK contact-tracing app
Slurp everyone's details and you create a hugely valuable hacker target
A group of nearly 175 UK academics has criticised the NHS's planned COVID-19 contact-tracing app for a design choice they say could endanger users by creating a centralised store of sensitive health and travel data about them.
In the open letter published this afternoon, the 173 scholars called on NHSX, the state-run health service's app-developing and digital policy quango, to "publicly commit that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system."
Due for release in the coming weeks, NHSX's contact-tracing app will be the official way that everyone's contacts with COVID-19-positive people will be tracked. The app will emit an electronic ID from your phone and receive the IDs of other phones with the app installed. If someone develops the coronavirus, everyone who came into contact with that person (i.e. their app came close enough for their ID to be logged by others) will receive an alert.
Controversially, the NHSX app will beam that contact data back to government-controlled servers. The academics who signed today's open letter fear that this data stockpile will become "a tool that enables data collection on the population, or on targeted sections of society, for surveillance."
As we reported yesterday, Britain has abandoned the international consensus on how much data should be collected to fight the COVID-19 pandemic.
The letter said:
We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application. We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a "nice to have", given the dangers involved and invasive nature of the technology.
So far little is publicly known about the all-important details of the NHSX contact-tracing app. Once its creators publish more information about its architecture and implementation, the public will be able to scrutinise it.
Apple and Google previously published specifications for the creation of decentralised contact-tracking apps.
Critically, adopting a centralised model may risk losing public trust. In turn, people may simply not install the app for fear that their identities and sensitive health data, as well as details of exactly who they met, where and when, might be stolen by thieves or otherwise sold or misused for new purposes by government agencies.
The NHS has been asked for comment.
Separately, the Privacy International campaign group, along with most of Britain's leading privacy campaigners, sent 10 questions to shadowy US data analytics company Palantir about what it would be doing with data gathered from the NHS during the pandemic. ®