Campaign groups warn GCHQ can re-identify UK's phones from COVID-19 contact-tracing app data
Yes, the app that's not quite working yet
Updated Campaign groups have written to the UK Prime Minister warning GCHQ and its digital arm, the National Cyber Security Centre (NCSC), will have the capacity to re-identify the phones of people who have installed the nation's coronavirus contact-tracing app.
In an open letter to Prime Minister Boris Johnson [PDF], the groups say the proposed phone app risks a drift toward a surveillance state. Groups who signed the missive include tech justice nonprofit Foxglove and digital rights campaigners Access Now.
NHS contact tracing app isn't really anonymous, is riddled with bugs, and is open to abuse. Good thing we're not in the middle of a pandemic, eh?READ MORE
The legal framework for the software, currently being trialled on the Isle of Wight, is inadequate to protect people from misuse of their data, as noted by the Joint Committee on Human Rights.
“Parliament has to quickly issue an adequate legal framework that guarantees users’ human rights protection,” argued the letter, also signed by Paul Bernal, associate professor of IT, IP and media Law at UEA Law School and Andy Phippen, Professor of Digital Rights at Bournemouth University.
The groups echo warnings about the use of a centralised model for the collection, processing and storage of users’ data. “The centralised recording of data could facilitate mission creep; there is no guarantee that the Government will not add additional tracking features or later use the data for purposes other than COVID-19 tracking. Of particular concern is the fact that the National Cyber Security Centre and GCHQ will have the capacity to (re)identify the phones of people who have installed the app. Based on the UK Government’s track record on surveillance, we consider these risks to be real,” the letter said.
Meanwhile, the campaigners warn of over-reach in another government plan: to combat COVID-19 fake-news. In March, Department for Digital, Culture, Media and Sport launched a "Counter Disinformation Cell" aimed at combating "false and misleading narratives."
The campaigners' letter claims the Rapid Response Unit, which operated from within the Cabinet Office and No10 since April 2018, is currently supporting the work of the Counter Disinformation Cell. That includes work with social media platforms to remove "harmful content."
It might not be a good idea for tinfoil hat wearing conspiracy theorists spouting nonsense about links between 5G and COVID-19 to gain access to a huge audience. But there is a balance to strike, the campaigners said.
We need to ensure that freedom of expression is not disproportionately restricted during this time. The sharing of information, analysis and ideas is vital for public engagement and trust. The Government must be transparent about any initiatives in this respect and ensure that any restrictions on freedom of expression are narrowly drawn and strictly necessary and proportionate to [the] legitimate aim of protecting public health.
The problem is, it seems, that opportunities to scrutinise government use of contact-tracing app data and the behaviour of the anti-fake-news team are being limited.
In April, the Information Commissioner's Office (ICO) said it would be "flexible around enforcing Freedom of Information obligations and has told requesters that they might experience delays when making information requests during the pandemic," according to the letter.
The impact on transparency is already clear, it goes on to claim. The groups mentioned an FoI request made on April 3 for more information about patient data-sharing deals between the UK Government and tech companies that had not yet received a substantive reply.
Concerns in the campaigners' letter are supported by news that a unit of the MoD, called jHub, would be "facilitating the secure transfer of relevant symptom and epidemiology data from the third party COVID-19 apps to the NHSx datastore."
Meanwhile, evidence mounts that the contact tracing app is riddled with bugs and fails to anonymise data.
Updated to add at 10:08 on 26 May
A government spokesperson has been in touch to tell The Reg: “It is simply wrong to suggest that the app has been designed for any purpose other than helping people to stay safe, protect others and protect the NHS. We have been clear from the outset that this app will be used solely for coronavirus tracing purposes, and that it has been developed with privacy and security at its heart.
“Neither NCSC nor GCHQ have access to user data and no GCHQ data, infrastructure or capabilities have been used in the app’s development.”
Also, an ICO spokesperson responded to us, saying: "Organisations should recognise the public interest in transparency and seek as far as possible to continue to comply with their obligations for particularly high-risk or high profile matters. However, should they wish to apply an exemption, public authorities should give due consideration to the relevant factors and may wish to refer to the ICO's guidance.
“We also recognise that the reduction in organisations’ resources could impact their ability to respond to access requests or address backlogs, where they need to prioritise other work due to the current crisis.”