RogerBW's Blog

NHS App? 26 September 2020

There is at long last an "official NHS contact-tracing app". Should one use it?

Not, presumably, "NHS App" but rather "NHS COVID-19". (Not of course written by the NHS; Serco and Deloitte are the responsible parties, but those names are associated with (absolutely not criminal in any way) fraud and incompetence so they're pretending not to be involved.) For me there are some strong reasons not to.

The merely technical. I'm running LineageOS and I'm reasonably sure that this thing will want enough of Google Play Services (aka the privacy invasion layer on top of base Android, whatever it's being called this month) that it simply won't work.

The higher-order technical. While the app itself is now open-source, we don't know anything about the internals of the data processing except that Hays Travel is involved and they aren't allowed to talk about it. But we can speculate: we know the original system didn't use the facilities that Google and Apple offered for low-impact tracking, and that there are two significant differences between those and what it did do: they would have lower impact on battery life, and the data would be kept decentralised. (So you could send a command from central to "alert every phone that was near this other phone at this time", but not "tell me who was there".) But this system wouldn't do that; in other words it was an even finer-grained location tracker than IMEI pings, since even if this thing weren't doing it chances are that one of the phones you're "near" would be leaking GPS data. Now it's claimed that this has all been fixed; but nobody involved in the process has any incentive to preserve the privacy of the users, only to make them think that that's the case, and lying is not only much cheaper but something that this government and its contractors have repeatedly proved themselves willing to do.

There's a perfectly good privacy-preserving protocol in use in Germany, Belgium, Italy, Poland, the Netherlands, Spain… but no. They want to know where you are and whom you're associating with.

(In terms of visible levels of competence as opposed to proud boasts, they know less about QR codes than I do, or the chap who runs my ISP. They also admit, in between the boasts, that they haven't yet used secure key storage or proper validation because they had to get it out NOW NOW NOW. And similarly gosh-aren't-we-wonderful things were said about the previous version).

The ethical. Given the number of free systems that were already available, the government refused to implement one until it could find an excuse to hand over lots of money to one of its friends. I don't want to support that.

The practical. If you are to get an alert when you've been near a person who turns out to have been infected (which is a fairly small number of people), before you get symptoms yourself, they need to have been running this thing and so do you. The uptake numbers needed to make this at all reliable are probably over 50% of the population. This is not going to happen, so the chance of a false negative (you don't get an alert when you should) is very high – and therefore you should still take all the other precautions you'd be taking anyway. (Given that you'll get an alert if you've been "near" an infected person if they were also running the thing, the chance of a false positive also seems quite high. For example, if a car or bus with an infected person goes past while you're standing on the pavement…)

The social. The socialising I'm doing at the moment involves going to the pub (who are, as required, keeping a record of my presence), sometimes having friends over (who would tell me if they came down with it), and very occasionally going to a restaurant (see pub). This system is aimed much more at people who go from group to group that they don't particularly know. Whether that applies to you will depend on your work/school/etc. pattern.

I think this is the key point: having my associations tracked would generally not be of benefit either to me or to the people I meet. The only exception to this pattern is my fortnightly shopping trips, and that's where there's room for argument. But adding on the other stuff I still think the balance of privacy risk (when the data are inevitably abused or leaked because all personal data are eventually abused or leaked) outweighs the rather small potential benefit to myself and to others.


  1. Posted by John Dallman at 11:27am on 26 September 2020

    I'm with you on this. PLus it presumably wants Bluetooth turned on.

  2. Posted by Zen D at 11:29am on 26 September 2020

    For extra facepalming, there's also the fact that only the Serco test results will be linked to the app, not NHS test results past or present.

    "If your test took place in a Public Health England lab or NHS hospital, or as part of national surveillance testing conducted by the Office for National Statistics, test results cannot currently be linked with the app whether they’re positive or negative."

    https://twitter.com/NHSCOVID19app/status/1309446092057202689?s=20

  3. Posted by Chris Suslowicz at 12:05pm on 26 September 2020

    Plus it won't apparently run on my ancient (but perfectly functional for my needs) iPhone 6.

    It's just another way of diverting money (and personal data) into the pockets of their donors and backers.

  4. Posted by Chris at 06:29pm on 26 September 2020

    There is also this:

    "I checked in to a local museum yesterday at 2pm scanning the QR code on my app. Found it’s not possible to check out on exit, therefore app thinks I was there till closing time. I could potentially receive an alert and have to isolate even though I was there for just 20 minutes."

    Or as someone else put it: "Seems the app should be renamed Hotel California. Many locations have a check in qr code but not a check out. So there you will remain until you check in elsewhere. Hence it seems possible possible that people with the virus can check in after you have left, and you will subsequently be requested to self isolate, or get tested or fly to the moon. Back to the drawing board with this for your mates Cummings."

    It does seem as though this app were a trifle rushed and un-thought-through, really. Which since they've had several months to do it in seems a bit, well, careless of them.

  5. Posted by John P at 12:42am on 28 September 2020

    Whether you use it or not is obviously up to you. However, just to comment on some of the points you raise.

    As far as I can see, it was developed by Pivotal Software, which is part of VMware (https://en.wikipedia.org/wiki/NHS_COVID-19 and https://www.bbc.co.uk/news/technology-54296410) and the data is being handled by AWS. According to Wired, no info is passed from the app to the human side of test & trace (https://www.wired.co.uk/article/nhs-covid-19-tracking-app-contact-tracing) although there may be the option for a user to do that in the future. That is confirmed by the privacy notice (https://www.gov.uk/government/publications/nhs-covid-19-app-privacy-information/nhs-test-and-trace-app-early-adopter-trial-august-2020-privacy-notice) which has a link to details about how the data is kept anonymous (https://www.gov.uk/government/publications/nhs-covid-19-app-privacy-information/anonymisation-definitions-and-user-data-journeys). So Serco & Deloitte shouldn't get anything from you.

    The countries you list are all using the Apple-Google EN API (https://www.xda-developers.com/google-apple-covid-19-contact-tracing-exposure-notifications-api-app-list-countries/) and now so are we. Confirmed by the data protection impact assessment (https://www.gov.uk/government/publications/nhs-covid-19-app-privacy-information/the-nhs-test-and-trace-app-early-adopter-trial-august-2020-data-protection-impact-assessment#rationale-for-adopting-the-apple-google-exposure-notification-api). There's also the ICO opinion on the technology (https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf)

    Regarding the key storage, the NCSC article you quote is six weeks old and the latest one (https://www.ncsc.gov.uk/blog-post/nhs-test-and-trace-securing-the-nhs-covid-19-app) says that there have been security fixes since then so it may have been addressed by now. Apparently there will be another blog on the subject this week. There's also a link to another NCSC article confirming the use of the Apple-Google API (https://www.ncsc.gov.uk/information/nhs-covid-19-app-explainer).

    As I understand it, the app scores encounters based on both proximity & duration. It disregards encounters that are not close or of short duration. So even if a entire bus load of coronavirus sufferers drove past you, although they might be near, the duration would be fleeting and therefore be disregarded.

    I haven't installed the app myself yet - although I may do. Not that I have any friends to go out and socialise with anyway! And any shopping trip encounters are not long enough to trigger.

  6. Posted by RogerBW at 04:19am on 28 September 2020

    Thanks for the details, particularly the information about duration - that will certainly help. (Of course when the power of a test is low you're mostly playing with the balance between Type I and Type II errors.)

    Yes, this app (as opposed to the original one) does use ENAPI, but still as a matter of policy it uses the centralised PEPP-PT approach for processing it, rather than the privacy-preserving DP-3T that's being used across Europe.

    There remains the basic problem that we've already had statements full of lies about the previous thing from the same sources that we're now asked to believe again. I do try not to be paranoid but I also try not to be blindly trusting.

Comments on this post are now closed. If you have particular grounds for adding a late comment, comment on a more recent post quoting the URL of this one.

Search
Archive
Tags 1920s 1930s 1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s 3d printing action aeronautics aikakirja anecdote animation anime army astronomy audio audio tech base commerce battletech beer boardgaming book of the week bookmonth chain of command children chris chronicle church of no redeeming virtues cold war comedy computing contemporary cornish smuggler cosmic encounter coup covid-19 cycling dead of winter doctor who documentary drama driving drone ecchi economics espionage essen 2015 essen 2016 essen 2017 essen 2018 essen 2019 existential risk falklands war fandom fanfic fantasy feminism film firefly first world war flash point flight simulation food garmin drive gazebo genesys geodata gin gkp gurps gurps 101 harpoon historical history horror hugo 2014 hugo 2015 hugo 2016 hugo 2017 hugo 2018 hugo 2019 hugo 2020 hugo-nebula reread in brief avoid instrumented life kickstarter learn to play leaving earth linux liquor lovecraftiana mecha men with beards museum mystery naval non-fiction one for the brow opera parody perl perl weekly challenge photography podcast politics powers prediction privacy project woolsack pyracantha python quantum rail raku ranting raspberry pi reading reading boardgames social real life restaurant reviews romance rpg a day rpgs ruby rust science fiction scythe second world war security shipwreck simutrans smartphone south atlantic war squaddies stationery steampunk stuarts suburbia superheroes suspense television the resistance thirsty meeples thriller tin soldier torg toys trailers travel type 26 type 31 type 45 vietnam war war wargaming weather wives and sweethearts writing about writing x-wing young adult
Special All book reviews, All film reviews
Produced by aikakirja v0.1