Experts from the National Cyber Security Centre have been supporting the development of the NHS COVID-19 contact tracing app, which will be launched on the Isle of Wight this week.
The app forms part of the government’s wider test and trace programme to tackle the coronavirus pandemic and pave the way to safely reducing current social distancing measures.
The privacy and security of app users’ data is a priority and the NCSC has been advising on best practice throughout the app’s development.
The NCSC has today published three documents relating to its work on the app:
- A technical paper, ‘High level privacy and security design for NHSX Covid-19 Contact Tracing App,’ written by NCSC Technical Director Dr Ian Levy.
- A blog post, ‘The security behind the NHS contact tracing app,’ also written by Dr Levy.
- An explainer setting out how the app will help slow the spread of coronavirus whilst protecting your privacy.
Head to GOV.UK for the latest government advice on the coronavirus.
There’s been a few reports, the first one I saw being in the FT earlier this week, saying that the UK is now investigating using the Google/Apple APIs for its tracking app. Here’s an article from yesterday that isn’t behind a paywall.. https://techcrunch.com/2020/05/07/uk-eyeing-switch-to-apple-google-api-for-coronavirus-contacts-tracing-report/ which says… “Yesterday the FT reported that NHSX, the digital transformation branch of UK’s National Health Service, has awarded a £3.8M contract to the London office of Zuhlke Engineering, a Switzerland-based IT development firm which was involved in developing the initial version of the NHS COVID-19 app. The contract includes a requirement to “investigate the complexity, performance… Read more »
Thanks, Juilan. ” Zuhlke Engineering, a Switzerland-based IT development firm which was involved in developing the initial version of the NHS COVID-19 app”…”The contract includes a requirement to “investigate the complexity, performance and feasibility of…” etc. I’m no computer scientist so it’s all a bit complex for me but isn’t this a bit poacher turned gamekeeper? Also… a bit concerned, as you are, that HMG haven’t contracted a UK firm to do the work. Also… as this is basically a national security issue, shouldn’t GCHQ do the job? They would be more than competent and would be totally neutral. And… Read more »
I don’t understand how these apps will work. How does the app’s “positive” for Covid-19 get activated? Is that done at a doctor’s office, government testing facility, ect with a code or something?
Some of the other contact notification systems seem to have the owner of the phone themselves activate a positive Covid-19 response. If that is so then what stops prankersters, idiots, people with mental problems, ect from turning on their phone’s Covid-19 positive notification and going around people, crowds to mess with people?
The apps “positive for Covid-19” trigger gets activated by the user of the app who declares him or herself positive. For apps based on the Apple/Google API (which the currently in-testing NHS app isn’t) there is the option to not allow that to happen unless the user enters a valid one-time unique passcode. The idea is that a valid passcode is only issued by test centres when they report a positive test result to someone who has been tested. The idea is to stop idiots hitting the “I’m positive” button after one too many beers or whatever. I’ve heard rumours… Read more »
So with these passcodes the government would be aware of exactly who is infected and who’s not and store them in a database that can be accessed by other agencies, ect. Well there goes one’s privacy.
Complex programs like this can take a very long time to develop and even given proper testing time can still have many security holes. Rushing something like these apps out is a recipe for disaster. If they ever make these things mandatory I will put away my iPhone and go back to using my old BB or even older flip phone.
Well no, not “there goes one’s privacy” because of the app. If you go to a testing centre, get swabbed, and give a name and address for your results to be sent to then obviously you are known to the government. People being tested in hospital or at the drive-in centres have had no privacy ever since the crisis started. Complaining about that seems no different to me to saying “I went to my GP yesterday to have a cholesterol check – there goes my privacy”. There was never, and has never been, any privacy around the positive tests in… Read more »