Today the long-awaited NHS Covid-19 contact tracing app has been launched in England and Wales.
The app, which was originally scheduled to be launched earlier this year, is designed to inform users if they have been near other app users who have tested positive for Covid-19. It also shows if they have visited a venue where they may have come into contact with the virus, and offers a way to order a coronavirus test and check symptoms.
The NHS Covid-19 app, which uses a framework developed by Apple and Google following the decision to abandon NHSX’s centralised contact tracing model, has already been downloaded by over one million people.
Although many with previous privacy fears have been reassured by the decentralised nature of the app, with the app’s developers stating that it is designed so “nobody will know who or where you are” with users able to delete data at any time, this has not stopped some from voicing concerns.
Today, privacy organisations the Open Rights Group and Big Brother Watch called for the UK government to “clarify how people’s private data will be kept safe and secure under the new Test and Trace regulations”.
Apple and Google’s app means that data is stored on an individual’s device rather than in a centralised database, with the two companies ensuring that GPS location data cannot be connected and that “privacy, transparency, and consent are of utmost importance in this effort”.
The UK’s Information Commissioners Elizabeth Denham has voiced support for the app:
“I am pleased that the app being launched this month is supported by the necessary consideration of people’s data protection rights.
“The Department for Health and Social Care has engaged with my office from the start of this project, answering our questions on transparency, legality and fairness, making changes in response to our feedback, and appreciating the value of data protection in encouraging public trust and support.”
Expect NHS Covid-19 app to be around for “long term”
Attila Tomaschek, digital privacy expert at ProPrivacy, said the use of QR codes to check into locations could prove problematic.
“Not only can QR code check-ins paint an intricately detailed picture of a user’s location history (precisely what proximity tracking via Bluetooth is designed to prevent), but it can also be an extremely attractive attack vector for scammers to exploit,” he said.
“Fake QR codes can easily be posted by scammers that can be designed to compromise user data in various ways. Among other things, a fake, malicious QR code can lead a user to a malicious website designed to infect the user’s device with malware, create a new contact listing on the user’s device that is capable of executing exploits on the device or even steal money from the user by facilitating a payment.
“What’s more, employing QR codes as a ‘feature’ of the app is effectively following in the footsteps of the Chinese government, whose contact tracing app uses QR code technology to track residents.”
Data privacy lawyer Whitney Lee said that lack of trust in government could prove a challenge.
“The fact that the app was created by the government heightens some of those concerns because the government’s collection of such a large quantity of personal health information raises the spectre of government surveillance and overreach into the private spheres of individuals’ private lives,” she said.
“The government has attempted to allay those concerns by moving to a decentralised contact tracing framework and using Apple and Google’s API. Now whether this transition is enough to convince people that the app is safe and okay to use remains to be seen.”
Phil Bridge, president of data recovery company Ontrack, said:
“Whilst there is little doubt that the intention is honourable, this new app will be a real test of trust in the UK government. Will they be able to keep our personal data safe from those that wish to cause us harm in the future and can we really trust that our personal data won’t be used without our permission further down the line?”