The NHS contact tracing app just keeps on running into problems, with the majority of people involved with the project highlighting serious flaws and security concerns, but they just keep on keeping on for some unknown reason. And it’s just getting silly now.
Security analysis of the current iteration of the app – which is still being trialled on the Isle of Wight and is already proving itself to be riddled with problems around functionality – points to a number of issues that have already been flagged and generally demonstrates what an absolute joke it is in terms of privacy and data protection. The report also expresses concern over the government’s insistence on keeping the data once the pandemic is over and the app is no longer needed. Deleting the data that is only being submitted because of the pandemic should make perfect sense, if there’s no nefarious purpose behind collecting it, so refusing to do so should immediately be setting off alarm bells.
So far, the app has been criticised for potentially being in breach of human rights and data protection laws, and has failed basic tests around security and safety. It was leaked internal documents from NHSX that revealed further privacy violations and the intention to keep the data, which can be used to identify individuals, post-pandemic. Harriet Harman, chair of the Joint Committee on Human Rights (JCHR), is currently looking to introduce a private member’s bill calling for safeguards and limits on what the government can do with the data, saying:
“We cannot rely on the current failed mishmash of protections that were never envisaged for this situation. We need new legislation.
“Government collection of our movements and physical contacts would have been unconscionable before, but now it is happening. Big powers demand big safeguards. The government should not resist their assurances being put into law. Parliament completed emergency legislation for new powers. It can do it now for new protections.”
The report also calls for new legislation that ensures the data is only used for COVID-19 protection, and stipulates that:
“There should be a legal requirement that at the end of the crisis all data collected by the app is securely deleted, and not just ‘anonymised’ or repurposed.”
“Furthermore, requiring the public to enable Bluetooth on their devices will have an impact on their privacy overall, enabling commercial profiling and tracking as a side-effect. It is understandable that compromises must be made at this time, but suitable legislative protection should have been provided to ensure the public do not suffer a loss of privacy as a side-effect of installing the Contact Tracing app.
“In particular, there should be an absolute ban on use of any application data for purposes other than contact tracing. Australia has drafted some legislation towards some of these goals, although a number of gaps remain [in the] Australia COVIDSafe Exposure Draft. So far the UK has not asserted that similar protections will be forthcoming. Any such legislation should prevent the usage of Bluetooth for profiling or tracking throughout the crisis period to best protect the privacy of users and encourage sign up and utilisation of any Bluetooth Contact Tracing app.”
Another fail then. As you’d expect, the report is also not a fan of the centralised approach NHSX has taken, saying it’s “not convinced that the perceived benefits of centralised tracing outweigh its risks”. Thinking Cybersecurity chief executive and one of the authors of the report, Dr Vanessa Teague, said:
“There can still be bugs and security vulnerabilities in either the decentralised or the centralised models. But the big difference is that a decentralised solution wouldn’t have a central server with the recent face-to-face contacts of every infected person. So there’s a much lower risk of that database being leaked or abused.”
Other issues flagged in the report include the registration process that doesn’t “properly guarantee either the integrity” of encryption keys, which “completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation.” Another privacy issue is that location data can be used to track people, revealing “lifestyle attribute about the uploader” – which is a polite way to say that if you’re fucking about having an affair or sneaking around in the middle of the night for some other reason, it can tell whoever is looking at the data where and with whom you’re meeting. Dr Chris Culnane, the second author of the report, added:
“The risks overall are varied. In terms of the registration issues, it’s fairly low risk because it would require an attack against a well protected server, which we don’t think is particularly likely.
“But the risk about the unencrypted data is higher, because if someone was to get access to your phone, then they might be able to learn some additional information because of what is stored on that.”
Culnane said he has confidence that NHSX will fix the technical issues, but shares the opinion of Harriet Harman in that new legislation is needed in this unprecedented scenario:
“I have confidence that they will fix the technical issues. But there are broader issues around the lack of legislation protecting use of this data [including the fact] there’s no strict limit on when the data has to be deleted.
“That’s in contrast to Australia, which has very strict limits about deleting its app data at the end of the crisis.”
It seems Harman might not be as concerned as previously indicated, with the admission that she’d download the app even though she has no idea what the data would be used for, and knowing that there’s no legislation in place to protect it, as well as the myriad of security and privacy problems, so thank fuck for the people in the committee that have half a brain between them:
“I personally would download the app myself, even if I’m apprehensive about what the data would be used for. But the view of my committee was that this app should not go ahead unless [the government] is willing to put in place the privacy protections.”
If an MP is so ready to toss their privacy out of the window with gay abandon, I’d question their place on a committee on human rights, but it’s somewhat reassuring that there is enough pushback against the app that new legislation is being proposed.
Matt Hancock, whom you may recognise from his comments on a pandemic not being the time to talk about nurses’ salaries, or his spewing inaccuracies on the topic of this very app, doesn’t think there’s an issue, which is no surprise. Earlier this week, Hancock said that actually, we don’t need any new legislation at all “because the Data Protection Act will do the job”. Clearly it fucking won’t, you pillock, if it allows the government to keep all of this data and do whatever the hell it likes with it. We advise that you read the news coverage of the app to date, because it paints a pretty grim picture, and if you still want to download it, perhaps you could also furnish me with a picture of the front and back of your bank card – for research purposes. [BBC News]
Photo by Tim Mossholder on Unsplash