NHS contact tracing app isn't really anonymous, is riddled with bugs, and is open to abuse. Good thing we're not in the middle of a pandemic, eh?

Plus: There are some worrying data protection implications

Got Tips? 188 Reg comments

Analysis The current wisdom states that the sole path from COVID-19 lockdown involves vigorous testing of the population to identify new cases, paired with contact-tracing to limit the spread of infections. Smartphones make that easier, and the UK's National Health Service, like many other national governments, is working on an app to make it simpler.

But the implementation and design of this app (created by the NHS's digital arm, NHSX, in conjunction with VMWare Inc and Zuhlke Engineering) has raised concerns about privacy and efficacy, culminating with allegations that users are not actually anonymous.

Anonymity has a very precise definition under the prevailing legislation, including the European General Data Protection Regulations, and it’s unclear whether the current implementation meets that standard. This is due to the app’s practice of pinpointing phones with specific identifiers.

Recital 30 of Europe's GDPR states that: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols."

It provides a few examples, including IP addresses, cookie identifiers, and RFID tags. The concern is that these identifiers — which are linked to actual people in a one-to-one relationship — can be used to create profiles of the individuals they belong to.

By contrast, the approach taken by Google and Apple, sees phones generate completely distinct and random identifiers for each interaction. The random nature of these identifiers makes it more difficult to profile an individual from a key. Moreover, since only 14 days’ worth of keys are retained, it’s harder to trace the movements of an individual beyond the limits of what would be considered necessary for effective containment of COVID-19.

It's worth mentioning the head of NHSX has previously suggested user data could be kept indefinitely for further research.

Another concern, raised by data protection expert Chris Pounder weeks ago, is that "because the UK has Brexit, powers in the European Withdrawal Act 2018 could be used to modify any UK_GDPR provision without recourse to Parliamentary scrutiny."

He added, in a fascinating look at the implications last week, that it "could be tempting (e.g. to reduce the pressures on the public purse) for government to enact legislation that makes certain processing of personal data compulsory. For instance, to prove entitlement to a COVID related benefit, there is a requirement to show that you have downloaded the APP and have received the COVID warning message."

Self-reporting

Another curiosity in the NHS's contact-tracing app is the decision to allow users to self-report their symptoms without a formal diagnosis. While this could potentially shorten the amount of time it takes to warn those who may have had contact with a sufferer, it also presents the very real possibility of abuse. False reports could see individuals self-isolate when they don’t need to, thereby placing an extra burden on the already-strained NHS capacity for testing.

Just yesterday, as revealed by Wired, secret NHS plans to that effect were left hanging in the open via public Google Drive links. The leaked slides also referred to a COVID-19 "status feature" potentially to be pulled into a later version of the app, listing five options: "quarantine, self-isolating, social distancing, shielding and none" – which would also be selected by the user themselves.

Map of UK with Coronavirus pin stuck in London

Fancy some post-weekend reading? How's this for a potboiler: The source code for UK, Australia's coronavirus contact-tracing apps

READ MORE

This is in stark contrast to Germany’s application, called Corona Warn App, which relies on confirmed medical tests to send warnings. The implementation here will see users scan a QR code provided by their physician, or otherwise manually type in a verification code, which links their account to their test results.

It doesn’t help that the NHS app, which was tested in the Isle of Wight earlier this month, suffers from endemic operational woes. The Github issue tracker for the NHS iOS and Android contact tracing app is particularly damning.

In some cases, iPhones are unable to exchange handshakes with other iPhones when the app is running in the background. Meanwhile, on some Android phones, the Bluetooth functionality required for the app to work fails when it has been exposed to too many connections. The NHSX has also identified problems with iPhones connecting to Android devices.

With a formal release expected in the coming weeks, NHSX is under pressure to resolve these issues quickly, and ensure the final product works properly. Lives could depend on it.

But the question remains: can it be fixed? Or is the app so grotesquely riddled with design flaws, it's simply not fixable in a way that guarantees user privacy while performing its critical task? ®

Sponsored: How to simplify data protection on Amazon Web Services

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020