NHS COVID-19 App Extends Trial as It Reveals It Can Keep Your Data Once the Pandemic is Over

By Shabana Arif on at

The NHS is trialling its shady little app in the Isle of Wight this week, with Matt 'now's not the time to talk about NHS salaries' Hancock telling everyone they should use it, or they're not protecting the NHS. If only he actually cared about the NHS as much as he's telling everyone else to.

The app, developed by the tech arm of the NHS, NHSX, trialled an alpha version at an RAF base a couple of weeks ago, and it's now being rolled out in the Isle of Wight for a test. At this time, the app is voluntary, and is available on iOS and Android, but residents will be directed on how to go about downloading it, as it's hidden for the purposes of a controlled test.

The NHSX app uses a centralised approach, making it a security risk already - something echoed by Google and Apple, who are making their own decentralised COVID-19 app. Privacy concerns have been raised all around, and what's even more alarming is that user data could be kept after the pandemic when there's no need for the app (arguably, there's not a need now). If you hand over your info in the app, it's no longer yours and you can't ask for the NHS not to use it.

NHSX chief Matthew Gould shared this titbit with MPs (via The Register):

"The data can be deleted for as long as it's on your own device. Once uploaded all the data will be deleted or fully anonymised with the law, so it can be used for research purposes...

"If data has been shared by choice with the NHS, then it can be retained for research in the public interest or by the NHS for planning and delivering services, obviously in line with the law and on the basis of the necessary approvals by law."

Information Commissioner Elizabeth Denham said she won't be signing off on the app, saying "the starting point for contact tracing should be decentralised systems," and that if enough of a fuss is kicked up, the Information Commissioner's Office (ICO) will be able to "perform a voluntary audit on the app and systems – when appropriate to do so." She added, "the functionality of the app is up to government to decide… it's not for me to decide, it's for me to advise on how to mitigate some of these potential risks."

Further concerns have been raised that hackers or whoever else has access to the data i.e. the government, can actually re-identify anonymised users, so this bullshit claim about everything being safe and anonymous is just that. But for the government, your privacy isn't the end game, so why would that be a priority in an app its developing. The fact the app relies on people self-diagnosing is just asking for trouble as well. Hypochondriacs and people playing silly buggers can fudge that with ease, as no further verification is required. Gould claims that wouldn't happen because NHSX would identify "anomalous patterns of activity" but Professor Michael Veale of the DP3T group says:

"I have not seen any evidence that this would do anything but spot very large-scale and quite clumsy attacks. The only way to make sure that people can be held to account for submitting false reports is to identify them [which takes you down] a slippery slope."

So to conclude, it's a shitty app that makes your data vulnerable - data which NHSX intends to keep long after it's needed - and it's entirely possible you can be identified from the data. And there's nothing to say the app is that effective, it can be easily manipulated, and it would need to be mandatory in order to be of any good. Which it probably will be, or we'll see some kind of incentive to download it that will have people clamouring to give up their privacy because we're all sick of lockdown. Alternatively, you can look into the app and its multitude if problems and kick up a stink, as advised by ICO's Elizabeth Denham. [BBC News]

Feature image credit: Unsplash