NHS COVID-19 Contact Tracing App is Potentially Both Useless and Breaking the Law

By Shabana Arif

The NHSX contact tracing app has looked as shady as it does useless for some time now, but it appears that some of the claims made about it - from health secretary Matt Hancock himself - are false, and it could also be in breach of the law.

Just yesterday we learned that the app can keep user data once the pandemic is over and it's no longer needed, with Matt Hancock explaining how it functions and getting it completely wrong, as it turns out. The app is being trialled in the Isle of Wight this week, and Hancock stressed the importance of using it to 'save the NHS' because we can just stick that on the end of a sentence now to make people comply with what we want. This is the same man who decided that "now is not the time to discuss a pay rise for nurses," but uses the NHS to guilt people into using a shitty, possibly illegal app. Details of the contact tracing app were shared on the National Cyber Security Centre blog, which is trying very hard to make it sound like something it's not, listing the following:

  • [The NHSX app] uses only software development tools and mechanisms that are supported by Apple and Google (as part of iOS and Android development)
  • won’t drain your battery or stop other apps working properly
  • strongly protects your privacy and security
  • provides the insights the public health professionals need to better manage the virus in the UK

The first point suggests the app uses the Apple/Google API, which it doesn't. All that's saying is that it runs on iOS and Android. It also says it won't drain your battery, something Hancock echoed in one of his appearances this week, saying the Bluetooth it uses "conserves power". It seems that's a load of bollocks as well. Apple's iOS doesn't usually allow apps to broadcast Bluetooth signals in the background, so you'd have to leave such an app open all the time and make sure your phone doesn't go to sleep.

NHSX has a workaround for this with a special mode (via The Register) so that it can detect the Bluetooth signal coming from the app on iPhones and iPads, but Apple has stated that this workaround is only for iOS devices, not Android. If Bluetooth is being used for some other purpose, the app's functionality could be affected, as it reportedly only has 10 seconds to spring into action and respond to other devices in close proximity that are also running it, or it will be throttled or killed.

Over on Android, version 8 or later allows contact-tracing apps to work for a few minutes after they're no longer running in the foreground, but that's not exactly useful. The app could run in the foreground all the time with a little icon letting you know it's doing its thing while you run other apps, but it will suck the life out of your battery with such voracity that running it like this would go against Google's recommendations. So even with these workarounds, the efficacy of the app is questionable, and it's not mandatory, so it's not going to provide enough accurate information for these "insights".

And we already know it won't protect your privacy and security because NHSX has opted for a centralised approach, but the plot thickens with user location data. The blog post states:

"The app doesn’t have any personal information about you, it doesn't collect your location and the design works hard to ensure that you can’t work out who has become symptomatic."

If you're looking at that sentence and are just seeing a load of testicles rolling around, congrats on your fantastic powers of perception. As The Register points out, the first thing the app does is ask for the user's postcode and logs the "exact make of your phone" to generate a 128-bit ID. Any of this information being collected could be used to identify an individual and their cohorts. Apple and Google's decentralised system would generate a new ID every day and omits location tracking.
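The difference between a fixed 128-bit ID and one that changes every day can be shown with a short simulation. This is an added example, not code from NHSX, Apple or Google: the HMAC-SHA256 derivation, the function names and the sample devices and dates are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date, timedelta

ID_BYTES = 16  # 128-bit identifier, the size the article mentions


def static_id(device_secret: bytes, day: date) -> bytes:
    """Fixed identifier: the same value is broadcast every day."""
    return hashlib.sha256(device_secret).digest()[:ID_BYTES]


def daily_id(device_secret: bytes, day: date) -> bytes:
    """Rotating identifier keyed on the date (assumed construction): one day's
    value cannot be tied to another's without the device secret."""
    mac = hmac.new(device_secret, day.isoformat().encode(), hashlib.sha256)
    return mac.digest()[:ID_BYTES]


def observe(id_scheme, device_secrets, days):
    """Constructed sample data: what a receiver logs as (day, id) pairs."""
    return [(d, id_scheme(s, d)) for d in days for s in device_secrets]


def days_linked_per_id(sightings):
    """Group sightings by identifier; return the day count behind each ID."""
    seen = defaultdict(set)
    for day, ident in sightings:
        seen[ident].add(day)
    return sorted(len(v) for v in seen.values())


START = date(2020, 5, 4)  # constructed start date
DAYS = [START + timedelta(days=i) for i in range(28)]  # 28-day window
DEVICES = [secrets.token_bytes(32) for _ in range(3)]  # constructed devices

if __name__ == "__main__":
    print("static:", days_linked_per_id(observe(static_id, DEVICES, DAYS)))
    print("daily: ", days_linked_per_id(observe(daily_id, DEVICES, DAYS)))
```

With the fixed scheme every identifier in the log spans the whole 28-day window, so all of a device's sightings collapse into one profile; with daily rotation each identifier covers a single day.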

And if you decide you're symptomatic and report it - as the app encourages you to do with no verification necessary from a medical professional - 28 days' worth of data is sent to the central server and can't be undone because you agreed to that when you mashed the button, you silly goose! That data includes the ID numbers of everyone you came into contact with during that period, your proximity to them, etc. You cannot request to have those details removed because they no longer belong to you. The issue of using a centralised system is also being criticised by legal professionals, with one law firm weighing in to suggest it could be violating both human rights and data protection laws:

"A de-centralised smartphone contact tracing system – the type contemplated by 'DP-3T' and being considered by governments across Europe and also Apple and Google – would be likely to comply with both human rights and data protection laws. In contrast, a centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful. That justification has not yet been forthcoming."

The app is opt-in as well, so there's no way in hell it's going to provide the government with data of any real use at the scale it requires, and honestly, it's shady as fuck. I'm still betting on a promise of less stringent lockdown rules on the proviso that people use the app in order to increase adoption, as I don't think making it mandatory is feasible or would go down well here in the UK, but clearly, it should be avoided. There are even suggestions that an app is pointless anyway, especially when data privacy is at risk. In short, the app sucks, and if you care about your privacy at all, you should steer clear and simply continue to self-isolate as you've already been doing. [The Register via 9to5Mac]
