Trials have begun this week on the Isle of Wight for a Coronavirus tracing app, ahead of country-wide roll-out, and while participation is voluntary, it needs significant take-up to be effective: the target is 60 percent of the adult population, which means 80 percent of smartphone owners.
Both the NHS and NCSC have made strenuous efforts to demonstrate that the policies surrounding implementation, subsequent use of the data, and the technical approach adopted will ensure maximum privacy - as explained below.
No doubt the strength of the privacy lobby is ensuring privacy concerns are being taken into account by western governments. And while the utility of getting the public on board for a functioning, secure technological solution is clear, and concerns are often over-stated, they are not entirely without foundation, particularly given how China now uses health status to restrict movement, and the news of a security breach in the symptom checker developed by Indian telco Jio which exposed test results.
According to TechCrunch, security researcher Anurag Sen found one of its databases exposed online without a password, with Jio pulling the system offline as soon as it was reported. Each profile’s data included answers to questions asked by the symptom checker plus the precise geolocation data where users gave permission: TechCrunch says it was able to use this to identify people’s homes.
The government’s launch statement recognises these concerns, and in his blog, Dr Ian Levy, Technical Director, NCSC, says: “To some, a ‘government-provided contact tracing app’ may sound scary, but the advantage of using technology for this is that it can be done at scale while preserving privacy and security.”
Levy adds that the NHSX app development team have ensured that the app strongly protects user privacy and security. It has opted for the centralised model for its version because the health authority can then use risk modelling to decide which contacts are most at risk, and then notify them to take some action. It also provides the public health authority with anonymous data to help it understand how the disease appears to be spreading, and it has the anonymous contact graphs to carry out some analysis. So it could identify a highly contagious user, while not knowing who they were, but warn that encounters with them could be more risky, and adjust the risk of someone being infected by a particular encounter accordingly.
For Samuel Woodhams, digital rights lead at Top10VPN, both the Jio leak and the NHS' centralised approach are cause for concern. He told SC Media UK: "The exposure of sensitive data by Jio's coronavirus self-test symptom checker aptly demonstrates why the security of these apps is so significant. The leak may have allowed third-parties to access users' precise geolocation, which could have dramatic repercussions for users' privacy and safety."
To reassure the public about the privacy and security measures taken, Levy explains that the NHS app:
Doesn't hold any personal information about users, doesn't collect their location, and is designed to ensure that others can't work out who has become symptomatic.
NHSX systems don’t build a social graph in the traditional sense, although they do have pairwise proximity events for anonymous identities.
The design makes sure that it’s hard to use the app to track users by being physically close - although it adds there are balances to be struck.
The back end is built to be as secure as is practical, holds only anonymous data, and communicates out to other NHS systems through privacy-preserving gateways, so data in the app can't be linked to other data the NHS holds.
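To make the centralised model Levy describes concrete (the back end holding only pairwise proximity events between anonymous identities, scoring risk centrally, and weighting encounters with an anonymous user it has inferred to be highly contagious), here is an added illustrative toy model. It is example code written for this article, not NHSX's or NCSC's code; the ID format, the 15-minute risk unit, the notification threshold and the contagiousness weighting are constructed assumptions, since the page gives no parameters.

```python
import secrets
from collections import defaultdict

RISK_THRESHOLD = 1.0   # constructed value, not the real model's parameter


def new_anonymous_id() -> str:
    # A device registers with a random token; the back end never sees
    # a name, phone number or location (constructed ID format).
    return secrets.token_hex(8)


class CentralBackend:
    """Holds only pairwise proximity events between anonymous IDs."""

    def __init__(self):
        self.events = []          # (symptomatic_id, contact_id, minutes)
        self.symptomatic = set()  # anonymous IDs that reported symptoms

    def report_symptomatic(self, anon_id, contacts):
        # On a symptom report the app uploads its encounter log as
        # (other_anonymous_id, minutes_in_proximity) pairs.
        self.symptomatic.add(anon_id)
        for other, minutes in contacts:
            self.events.append((anon_id, other, minutes))

    def contagiousness(self, anon_id):
        # Central risk modelling: an anonymous ID whose contacts later reported
        # symptoms themselves is weighted as more contagious, without the back
        # end knowing who that person is (constructed weighting).
        onward = {b for a, b, _ in self.events
                  if a == anon_id and b in self.symptomatic}
        return 1.0 + 0.5 * len(onward)

    def risk_scores(self):
        scores = defaultdict(float)
        for a, b, minutes in self.events:
            if b in self.symptomatic:
                continue  # already reported; nothing to notify
            # Multiply before dividing so whole-unit scores stay exact.
            scores[b] += minutes * self.contagiousness(a) / 15
        return dict(scores)

    def contacts_to_notify(self):
        # Output is a list of anonymous IDs; only the matching device knows
        # whose phone that is.
        return sorted(i for i, s in self.risk_scores().items()
                      if s >= RISK_THRESHOLD)
```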
His blog acknowledges there are some problematic edge-case situations and gives the example of an elderly couple who are shielding and so don’t go out. They only see one other person who visits them a few times a week. If one of their apps notifies them they’ve been in contact with someone who’s symptomatic, it’s obviously their only visitor.
Ultimately, the whole point of the app is about protecting the public, and given the epidemiological model the NHS is using to manage the coronavirus spread in the UK, Levy says, “the fully decentralised model just doesn’t seem to work,” so the decision for the user is whether the right balance between utility and security/privacy has been struck. And unlike in some countries, such as India, it is not compulsory, but a decision the user must make.
Levy concludes: “The NCSC has had a small part to play in the development of the app and I hope this blog has explained some of the decisions that have been made. The most important thing we can all do is install and use the app when it’s released. I will be, and I’ll be asking my family, friends and colleagues to do the same. It’s only by working together that we can beat the virus.”