A group of 177 cybersecurity experts has signed a joint open letter to the UK government voicing concerns about the NHS’ plan to roll out a contact tracing app designed to tell people when they’ve come into contact with suspected coronavirus patients.
NHSX, the NHS’ digital experimental arm, says the app will be rolled out in Britain in the next two to three weeks. When people sign up to the app, their phone sends out Bluetooth signals to determine which other phones are in its vicinity. If a user develops symptoms, they’ll be able to report themselves in the app, and their phone will then send out an alert to all the phones it’s been near over the previous two weeks.
The UK has taken the decision to eschew the contact tracing API being built by Apple and Google for use by governments. This decision is partly down to the fact that the UK has decided it wants to centralize users’ data on an external server, making it easier to analyze, rather than keeping processing limited to people’s devices. Apple and Google’s API stipulates that apps use the decentralized method, which is more privacy-conscious.
“It has been reported that NHSX is discussing an approach which records centrally the de-anonymized ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact,” the joint letter reads. The experts argue that this data hoard could facilitate “mission creep,” i.e. the government could later use the data for purposes other than tracking COVID-19.
“It is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance.”
They noted that “invasive information” about users could be exploited.
“Such invasive information can include the ‘social graph’ of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens’ real-world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX,” the experts write.
The experts ask in their letter that NHSX minimize the data it extracts from users to build trust in the app so it can be effectively deployed. Experts say 80% of smartphone users in the UK would need to install the app for it to be effective in combatting the spread of coronavirus, and privacy concerns could mean falling short of that percentage.
They also ask that NHSX not build databases that could de-anonymize users, and that it lay out how the app will be phased out after the coronavirus crisis subsides.