OLI SCARFF/AFP via Getty Images
show image

Laurie Clarke

Reporter

UK infosec experts flag concern over NHSX contact tracing app

A group of UK privacy and security experts have signed an open letter setting out a number of concerns over the NHSX coronavirus contact-tracing app that is due to be released in the UK within the next few weeks.

The concerns centre on the risk that data collected by the app might be put to less health-conscious surveillance purposes at a later date. “We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved,” the letter reads.

“It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance.”

The letter goes on to say “…we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance.”

Particular concern is expressed over the creation of a social graph tracking people’s interactions with others. This is something that the CEO of NHSX, Matthew Gould, has indicated would be of interest to the body.

The letter welcomes Gould’s commitment to publish the data protection impact assessment (DPIA) for the contact-tracing app, but warn against delays in doing so. “We are calling on NHSX to publish the DPIA immediately, rather than just before deployment, to enable (a) public debate about its implications and (b) public scrutiny of the security and privacy safeguards put in place,” it says.

It asks for the NHSX to publicly commit to not creating a “database of databases”, where users other than those who report themselves as infected are mapped on social graphs. The letter finally calls for an exit strategy – a plan for how to phase out the app to prevent mission creep once the pandemic is under control.

Speaking to parliament’s science and technology committee on Tuesday, Gould said that future iterations of the app will likely ask people to offer up additional information to contact data. For example, he said that “it would be very useful, epidemiologically, if people were willing to offer us not just the anonymous proximity contacts but also the location of where those contacts took place — because that would allow us to know that certain places or certain sectors or whatever were a particular source of proximity contacts that subsequently became problematic.”

Privacy concerns have been raised over the app’s centralised design, that will allow the NHS to de-anonymise users that report themselves as infected. In Europe, there has been a heated debate over whether countries should adopt decentralised or centralised architecture. More than 300 academics signed a letter arguing against centralised contact-tracing apps, and earlier this week, Germany back-pedalled on its commitment to a centralised app, and instead opted for a decentralised infrastructure.

There are also some concerns over the role of GCHQ subsidiary, the National Cyber Security Centre (NCSC), in the development of the NHSX app. The BBC reported that the NCSC was involved with the development of the NHSX app in an advisory role and had “aided the effort” to find a workaround for the the functioning of the centralised app.

Separately, the Health Service Journal reported today that health secretary Matt Hancock authorised the handing over of information about NHS IT systems to NCSC, apparently in an attempt to strengthen the health service’s cyber defences. A spokesperson told the publication that the directions “do not seek to authorise” NCSC to receive patient data, adding: “We have no desire to receive any patient data.”

A statement for medical privacy campaign group Medconfidential reads: “Given NHSX has chosen to build an unnecessary massive pool of sensitive data, it must ensure that the data is well protected. With combined effort, GCHQ and NHS Digital will likely be good at defending the big pool of sensitive data. But there is no need to have that data. The best way to make sure data doesn’t leak, is to have chosen the method that never collected it.”

While it’s apparently the cyber security expertise of these bodies that the NHS has sought, for an app that is the focus of surveillance concerns, association with one of the most powerful spying organisations on the globe is undoubtedly bad optics.