Experts Say UK’s Pilot COVID-19 App Has Privacy, Security Flaws

By Robert Bateman

The U.K. is developing a contract-tracing app designed to help slow the spread of COVID-19.

But privacy experts have identified vulnerabilities that could leave users’ privacy at risk.

A pilot version of the app was released in April by the digital arm of the National Health Service (NHS), known as NHSX. The app originally was due for general release this month, but this has been delayed until June, according news reports Wednesday.

Announcing the pilot in a blog post on the NHSX website, Matthew Gould, the unit’s chief executive, explained how the app worked:

“(An) anonymous log of how close you are to others will be stored securely on your phone,” Gould wrote. “Just as the NHS strives at all times to keep your health records confidential, so it will keep the app data secure.”

But Glyn Moody, author and technology writer, disagreed with Gould’s account of how the app treats user data. 

“One of the flaws in this system is that it uses a fixed ID,” Moody told Digital Privacy News, referring to the unique identification number that the app assigns to each user’s device. “This data is not anonymous.”

Moody fears these unique IDs, combined with other data about a user’s interactions, could be used to build a “social graph,” which could ultimately disclose the identification of the user and members of their household and workplace.

But despite his concerns about the app, Moody commended NHSX for releasing the device on an “open source” license, allowing software developers to scrutinize the app’s source code.

“One of the flaws in this system is that it uses a fixed ID.”

Glyn Moody, author and technology writer.

Google Analytics Issue

One individual looking closely at the code is Rob Dyke, who previously worked as a software engineer for the NHS and is currently chief platform engineer at U.K. consultancy Capgemini. 

Dyke told Digital Privacy News about a security issue that occurred when a user followed a link provided in the app to the app’s privacy notice. The notice is hosted on the NHSX website, which uses Google Analytics to track visitors. 

Dyke noticed that when a user visited the privacy notice page via the link within the app, highly sensitive information is shared with Google, including the individual’s COVID-19 infection status and symptoms.

He said Google or other actors could possibly identify a user by collecting additional data, such as cookies, from their cellphone.

“Analytics tracking could allow individuals to be re-identified across NHS digital services,” Dyke told Digital Privacy News. 

“An individual using the app, then accessing NHS 111 (the NHS non-emergency service) or using the NHS app to book an appointment, could be re-identified by IP address.”

Upon raising this issue with the app’s development team, Dyke said he was directed to a May 8 blog post by Terence Eden, NHS’ head of open technology.

“Analytics tracking could allow individuals to be re-identified across NHS digital services.”

Rob Dyke, chief platform engineer, Capgemini.

“Our closed beta will collect some volunteers’ data for performance analytics and A/B testing,” Eden said. “The libraries required for these analytics may still be present — but deactivated — in the public version of the app.” 

However, Dyke noted that the sharing of data with Google Analytics was not disclosed in the app’s privacy notice. 

Dyke told Digital Privacy News that this sharing of health data had undermined confidence in the app’s design among tech and data-protection experts. 

He believes that, for practical reasons, the NHS likely will change course and create a new app based on the decentralized framework developed by Apple and Google.

“It’s strange to think that we’d trust Big Tech with a COVID-19 tracking app more than the NHS,” Dyke said.” Yet Apple and Google have a share price to protect.

“I’d trust them more.”

Robert Bateman is a writer in Brighton, U.K.

Sources (external links):