Britons will not be able to ask NHS admins to delete their COVID-19 contact-tracking data from government servers, digital arm NHSX's chief exec Matthew Gould admitted to MPs this afternoon.
Gould also told Parliament's Human Rights Committee that data harvested from Britons through NHSX's COVID-19 contact tracing app would be "pseudonymised" - and appeared to leave the door open for that data to be sold on for "research".
The government's contact-tracing app will be rolled out in Britain this week. A demo seen by The Register showed its basic consumer-facing functions. Key to those is a big green button that the user presses to send 28 days' worth of contact data to the NHS.
Written by tech arm NHSX, Britain's contact-tracing app breaks with international convention by opting for a centralised model of data collection: all the contact-tracing data is kept under one roof in one central government database.
In response to questions from Scottish Nationalist MP Joanna Cherry this afternoon, Gould told MPs: "The data can be deleted for as long as it's on your own device. Once uploaded all the data will be deleted or fully anonymised with the law, so it can be used for research purposes."
De-anonymising such data was successfully demonstrated in 2015, as we reported at the time.
Although Gould said the NHSX app would auto-delete contact data that isn't uploaded to government servers, he went on to explain:
If data has been shared by choice with the NHS, then it can be retained for research in the public interest or by the NHS for planning and delivering services, obviously in line with the law and on the basis of the necessary approvals by law.
The Register understands the app has been completed and function tested, with the previously announced Isle of Wight trial to begin in the latter part of this week.
Addressing the same committee, Information Commissioner Elizabeth Denham repeated to MPs that her office "was not signing off on an app." Despite being closely questioned on her reverse-ferret from earlier declarations that "the starting point for contact tracing should be decentralised systems", she said this afternoon that she wanted the ICO to be a "critical friend" to NHSX.
Denham added that if enough people complained about the app, NHSX had given the Information Commissioner's Office its permission to "perform a voluntary audit on the app and systems – when appropriate to do so." She shrugged: "The functionality of the app is up to government to decide… it's not for me to decide, it's for me to advise on how to mitigate some of these potential risks."
It looks all right to us, says GCHQ offshoot
The National Cyber Security Centre was also wheeled out to defend NHSX, with top techie Ian Levy telling the world in a blog post late this afternoon that there's nothing to worry about because smart folk have put the hours in to ensure it's reasonably secure.
He went into a full description of how the pseudonymisation in the app works, starting with the 128-bit unique user ID generated after installation:
Every day, your device generates a random elliptic curve key pair and encrypts your installation ID (and some other administrative stuff like time periods) with it in a way that only the NHS server can recover, giving you a daily, random-looking, encrypted 'blob'. Now, your phone advertises a contact service over Bluetooth Low Energy (BLE) – the same mechanism that your phone uses to talk to your step tracker or smart watch. When another app user comes close enough to be seen over BLE, the devices connect to each other's contact service and exchange a package containing their current encrypted blobs, the time and the transmission power used for the BLE connection, all signed using the device authentication key.
Whenever your phone comes near another app user's phone, "date and time, package received over BLE, sampled signal strength, total duration of encounter" are "securely stored" on your own mobile device. You then donk the big green button to send all that data to the NHS for research.
Should you fall victim to COVID-19, and tell the app you're ill, "the app will upload the anonymous record of your proximity events to the NHS server. From each of the encrypted blobs recorded, the server can recover the fixed but anonymous installation ID for each device you were near."
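The blob scheme Levy describes above, and the server-side recovery of the installation ID described in the previous paragraph, as an added example that is not NCSC's or NHSX's code: the phone mints a blob by encrypting its installation ID (plus a day number) to the server's long-term public key using a fresh ephemeral key, ECIES-style, and only the holder of the server's private key can open it. The choice of X25519, plain SHA-256 as the key derivation, the blob layout and the day number are assumptions of this example; the signature with the device authentication key over the exchanged package is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const pubLen, nonceLen = 32, 12 // X25519 public key and AES-GCM nonce sizes

// aeadFor runs ECDH and turns the shared secret into an AES-256-GCM AEAD. Plain SHA-256
// stands in for a real KDF; that shortcut is this example's assumption, not the app's design.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail here
	return cipher.NewGCM(block)
}

// MakeBlob is the phone side: a fresh X25519 key pair for the day, ECDH against the server's
// long-term public key, AES-GCM over installID||day. Output layout: ephPub || nonce || ciphertext.
// Without the server's private key the result is just random-looking bytes.
func MakeBlob(serverPub *ecdh.PublicKey, installID []byte, day uint32) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	gcm, err := aeadFor(eph, serverPub)
	if err != nil { return nil, err }
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	pt := binary.BigEndian.AppendUint32(append([]byte{}, installID...), day)
	ct := gcm.Seal(nil, nonce, pt, eph.PublicKey().Bytes()) // ephemeral key bound in as AAD
	return append(append(eph.PublicKey().Bytes(), nonce...), ct...), nil
}

// OpenBlob is the NHS server side: only serverPriv can recover the fixed installation ID.
func OpenBlob(serverPriv *ecdh.PrivateKey, blob []byte) ([]byte, uint32, error) {
	if len(blob) < pubLen+nonceLen+4 { return nil, 0, errors.New("blob too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil { return nil, 0, err }
	gcm, err := aeadFor(serverPriv, ephPub)
	if err != nil { return nil, 0, err }
	pt, err := gcm.Open(nil, blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:], blob[:pubLen])
	if err != nil { return nil, 0, err } // tampered, or not encrypted to this server
	return pt[:len(pt)-4], binary.BigEndian.Uint32(pt[len(pt)-4:]), nil
}
```

Two blobs minted for the same installation ID share no visible bytes, which is the "random-looking" property Levy relies on; a phone that collects such blobs from its neighbours learns nothing about who they are.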
Because Bluetooth Low Energy chipsets in different handsets vary widely in their output, the sampled signal strength is used – along with the phone model identifier collected by the app – to work out a rough proxy for distance.
Levy ended his very readable blog post (available on the NCSC website) by exhorting Britons to "please install the app, and use it". El Reg suspects, quite aside from the public health questions, that its go-live date will be a key moment for seeing just how much trust the public has in the government and civil service of the day. ®