The much anticipated coronavirus contact tracing app has failed cyber security, performance and clinical safety tests.

The Health Service Journal (HSJ) has reported that the government’s coronavirus contact tracing app has failed crucial tests needed for it to gain approval for inclusion in the NHS app library.

It is understood that concerns regarding the app’s privacy and information governance have been discussed nationally.

“Senior NHS sources told HSJ it had thus far failed all of the tests required for inclusion in the app library, including cyber security, performance and clinical safety. There are also concerns at high levels about how users’ privacy will be protected once they log that they have coronavirus symptoms, and become ‘traceable’, and how this information will be used.”

A senior NHS source was quoted in the HSJ as saying:

“The real problem is the government initially started saying it was a ‘privacy preserving highly anonymous app’, but it quite clearly isn’t going to be. When you use the app and you’re not positive in the early stages, you’re just exchanging signals between two machines. But the second you say, ‘actually I’m positive’, that has to go back up to the government server where it starts to track you versus other people.”

The app will work by letting users report if they’re experiencing symptoms and the app will then notify other users if they’ve been in contact with an infected user. If a user tests positive then this will trigger an alert to others informing them that they were in close proximity to someone with COVID-19.

According to the NHS, the app will give the public a simple way to make a difference and to help keep themselves and their families safe. The technology is based on research evidence developed by epidemiologists, mathematical modellers and ethicists at Oxford University’s Nuffield Departments of Medicine and Population Health.

“Once you install the app, it will start logging the distance between your phone and other phones nearby that also have the app installed using Bluetooth Low Energy. This anonymous log of how close you are to others will be stored securely on your phone.”

In future releases of the app, people will be able to choose to provide the NHS with extra information about themselves to help identify hotspots and trends.

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

15 COMMENTS

  1. UKDJ – be really careful when you start quoting senior un-named sources.
    You have various factions with egos engaged in a bitter battle.
    Words like “government server” and “tracking” should give you an idea of what the real agenda is.
    We live in a world where people are happy to let Google and Apple track everything they do, put government into the sentence and suddenly your civil rights are being attacked and removed.

    Remember one thing as well, all the data that you do share with Apple, Google and any other provider of mainstream online services (Netflix, Amazon etc) all end up in one place – a place where they have laws that allow that government to see that data whenever they want.
    Have a great day guys, stay safe – more importantly download the app when it comes out.
    Saving lives and getting the country back to work is pretty important – sometimes it’s the bigger things in life that override the damaged egos of those not involved in saving them.

    • Anonymous sharing of data is feasible with tokenisation, much like your contactless card, you never share the card number but the issuer knows who you are and what you’ve spent. If you swap that around and turn your phone into the thing that knows the secret, then you could broadcast out “if you are xyz123 then it looks like you need to get tested” once you choose to upload your tracking data. Obviously then using the same token to say “hello my name is” would impact secrecy, but at the end of the day the NHS will know who you are at some point whether it’s 111 or 999.

      Also you are inaccurate, data needs to reside within the EU unless otherwise stated/agreed by the data subject, and if the US wants to gain access to EU data they have to go through the courts. It is possible that some data goes there, but to say it is being wholeheartedly shipped off to Utah is likely incorrect, due to cost. I presume metadata on linkage between users, e.g. X talks to Z is sent.

      Commercially it would be inadvisable to just ship data to the US for nefarious purposes, as you would soon lose market share as I doubt even the special relationship is welcoming of hostile industrial espionage or citizen monitoring.

    • I believe that the main issue is that the proposed Government app reports to a central node whereas the offerings from Google and Apple are localised to the user’s phone. It is more than reasonable to be sceptical about the motives of Google and Apple given their record with information use but the Government app is specifically designed to gather information centrally. A similar app that reports in this way was rejected by the Germans for this reason.

  2. Yes there does seem to be a common, I will let all the insecure cameras, mics and other devices into my home and happily give all my most personal thoughts and data to a load of shopping apps and commercial companies that have only the interest of profit as a driver….but never will I allow the nhs, public health etc share a bit of data around my health needs even if that may just save lives (including my own).

    I find it really funny because the NHS drives most other government or state organisations a bit potty as it’s the most obsessive organisation imaginable when it comes to protecting people’s data. Individual NHS organisations have stand-up ongoing battles about sharing personal data even with other NHS organisations.

    As an example an NHS commissioner (the planning and purchasing bit) could know a provider (say an NHS foundation hospital) that it’s buying care from is not doing what it should. If it wants to get hold of the patient level information it has to go to the patient and get written consent to allow it to act on the patient’s behalf and get the information. Even then the provider will review all data shared and only share that which is proportional and relates to the case.

    It’s this obsession with patient confidentiality that often gets NHS organisations in hot water for opacity or hiding when often it simply refuses to discuss events that could be tracked to individuals (profiling is not that difficult for a good investigator even if you don’t give out patients’ names and dates of birth).

    It’s the main reason the single standardised national Health record failed, the government asked a load of computer software companies if you could have a shared national record, they said yes technically. The problem is no one asked the 1 million data protection obsessive clinical and managerial staff who work for the 1000s of individual legal organisations that make up the NHS, all of which have to assess and agree every bit of personal data they share with any other NHS organisation and all record the data in different ways to suit their patients’ needs.

  3. Decisions made when in a state of fear are often bad decisions. By the time this piece of software gets to the point where it can actually be fielded without massive cyber security issues, etc. the pandemic will be over. These things take years to develop and that’s in perfect conditions unlike the current conditions where many of the coders are probably working from home. Not to mention beta testing new software before the general public gets their hands on it.

    Programs like this cause more problems than they address.

    The world should be holding the Chicoms’ feet to the fire for this outbreak. Not only did they at the very least lie to the world about the severity of the outbreak they are now cashing in on it by supplying most of the medical gear like masks, etc.

    • What a load of old nonsense. Just get on with your lives people. This whole thing has been massively hyped up.

      The number of people dying from this is tiny compared to the population. The overall death rate in the UK is no bigger than it’s been the past 10 years.

      You’re all just feeding the media and the hyperbolic way it’s been reported. Sweden has managed just fine without a total over reaction.

      I for one will not download this on sheer principle.

    • Dan this is not rocket science. Most projects related to big organisations go wrong because people are overthinking it. The APP will be relatively straightforward. If you want things to work you keep it simple.

      I have to say this if they applied the “Keep it Simple” philosophy to NHS systems over the years they would not still have paper records lurking around.

      In a time of national crisis you apply some common sense and change the rules. If we had not done that in WW2 half our troops would still be on the Dunkirk beaches!

      • The functionality of the app sounds simple. Ensuring you can never be geotraced or accurately identified as an individual is likely harder. It depends if they want reporting or if it’s just a pager type system.

        If they then depended on the user contacting the NHS it may work but you sacrifice any remediation steps, such as sending around the cleanup crew.

        • People who are being really cautious about their privacy probably wouldn’t have a smart phone in the first place. Personally I doubt there would be any personally identifiable information coming off your phone just anonymous swapping of tokens which would be meaningless to anything other than the APP on the phone that generated it.

  4. The French have retested a pneumonia case from December 2019 and found Covid. Existing theories of the epidemic assume the virus was confined to China at that time.
    A mass test of an Italian town found 50% of its population either had Covid with no symptoms or had had Covid and recovered. There is a fair amount of herd immunity out there already. We won’t know how much without testing. The NHS App relies on self reporting of key symptoms. The German inspired App (I believe they will ensure data protection somehow) relies on test results to identify cases. You will need the European App if you want to enter travel in Europe. Another case of there is fog in the Channel the Continent is isolated perhaps?

    • There is no single European app. The French are currently taking the same approach as the U.K. in deciding to go their own way and build a centralised system, presumably with the same issues as the U.K. is having, rather than building their app on top of the Google-Apple “Exposure Notification” API which implements much of what is needed in the OS and is a distributed system with better privacy but less flexibility than a centralised system. Germany was originally in the U.K./French centralised-system camp but recently switched its policy over to building its app on top of the Google/Apple API.

      There’s very probably some devil in the detail but I wish the U.K could go with a compromise, an app that uses the Google/Apple API by default but has an option in the app for a user to enable the centralised data collection if they are willing to share their encounter trails with the government. That might well give more international compatibility and also get more people using it at least in the less invasive distributed mode.

      • Hi Julian, thanks for the info. For this App it just seemed an obvious no brainer to do with a European scope. Given French nationalism and suspicion of Google I suppose their decision is no surprise. No doubt our App will be ‘better’; gold plated probably. A BetaMax solution when VHS would have been fine. Or should I say a Type 26 when a Type 31 would be ok. As a responsible member of the community I will use it.
