London - Paris

NHSX Contact Tracing App

NHSX Contact Tracing App

In UK, like in many countries, the contact tracing app is presented as the solution to get out of lockdown. Is technology really the right solution?

Much has been written and the debate is still ongoing. We have published an article on the French government project of STOPCOVID.

The UK NHSX project is another centralised contact tracing App. A first tryout has started on the Isle of Wight since Tuesday May 2nd.

I – Analysing the data protection compliance aspects of the project, from Chris Pounder of Amber-walk has published his views

COVID-19: how the GDPR applies to trace and track.

1- Emphasis is put in the voluntary adoption of the measure as requested by most EU Data Protection Authorties.

As Chris Pounder develops, ‘NHSX claim that every operation related to the APP is voluntary (e.g. to download, to communicate to a central database if need be). Users can choose to delete the APP at any time; this would also delete the data on the phone but not any data previously uploaded to NHSX’s central database.’

The data is pseudonymised more than anonymised as it can be re-identifiable, therefore it will be the GDPR and not the ePrivacy Directive that will apply

In the absence of a published DPIA, Chris reminds the government promise that ‘The APP does not use any identifier already on the phone (e.g. phone number, SIM card identifier) or location details.’ The APP generates a random ID number exchanged with other phones that have also downloaded the APP. This record will remain on both phones for 14 days. When someone is COVID+ this record will trace back the contacts with a warning message for the user .

2- The APP should not keep any personal information and no location data. Only the first half of the postcode is collected from APP users to alert local hospitals.

However, for Laurie Clarke reporter, remains :

Uncertainty over who could access NHSX contact tracing app data as Isle of White pilot goes live’. ‘The NHSX coronavirus contact tracing app is being rolled out on the Isle of Wight this week, but major question marks still hang over the app. Matthew Gould, CEO of NHSX, told parliament today that the data collected by the app would be accessible to unspecified organisations as long as it was used for public health purposes. ‘

3- For Chris Pounder, ‘there are three definitional issues:

  • (a) is personal data processed?
  • b) if so, who is the controller processing personal data? and
  • (c) if there is a controller, does the voluntary nature of the APP equate to “data subject consent”?

The data subject is identifiable and the data related to medical health. He is therefore ‘pretty sure the APP is processing personal data and special category of personal data’, subject to the Article 6 lawful basis and a condition that overcomes the prohibition in Article 9(1) from processing health personal data.

As for the Controller, there would be joint controllers as he points to the NHSX website stating that “NHS England and NHS Improvement and the Department of Health and Social Care are delivering NHSX together” This bring to the Article 26 that requires any processing of personal data “shall in a transparent manner determine their respective responsibilities”.

As the emphasis is on the voluntary adoption of the App, the next question is on ”data subject consent”. Chris points out that ‘the NHS text on the website is very careful to avoid the use of the “C word” and it is easy to see why’.

Recital 43 states that with respect to consent: “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller” This will be the case where the controller is a public authority or an employer. It will be unlikely for that consent to be considered as ‘freely given’. Therefore voluntary adoption does not refer the character of legitimate basis on consent.

The limit of the ‘voluntary’ adoption he sees is that it could lead to a denial of a service as previously for the ‘ID Card holders refused to “volunteer” making it a requirement to interact with any public service.

The first comment is that any interference by a public authority (NHSX) is unlikely to infringe Article 8(1) [_GDPR08_] of the European Convention on Human Rights; This is because Article 8(2) permits legislation to be enacted by a Parliament process (e.g. in the Coronavirus 2 which sets aside the A.8(1) right in limited circumstances (e.g. any interference deemed necessary  “for the protection of health”).  It all hangs on the word “necessary”; it is either necessary or it isn’t. If there is reliance on data subject consent (which we think is unreliable), then there is also no A.8 breach (so long consent is properly formed).

Based on the GDPR/DPA2018, ‘if the processing is “necessary” it will have Article 6 lawful basis (e.g. candidates are A.6(1)(c) or A.6(1)(e); A.6(1)(d) could be used in a case-by-case emergency). If there is need for an A.9 condition that lifts the prohibition on processing of health personal data the candidates are A.9(2)(c), A.9(2)(g), A.9(1)(i), Schedule 1, paragraphs2, 3 or 6 of the DPA2018.’

If there is reliance on consent or necessary or public task (or even necessary legitimate interests of controller/Third Party), the controller has to specify publicly (A.13; A.14) what happens to the personal data if there withdrawal of consent or exercise of the exercise of the right to object to the processing.’

Therefore, in he concludes ‘the ICO should take up Article 8 ECHR cases on the grounds that necessary as used in the GDPR has the same meaning as in Article 8.

II – The UK like France has opted for the centralised model

1- The App is encountering technical issues

The UK ICO like the French CNIL have expressed their preference for the decentralised model for a decentralised model. Chris Pounder sees further vulnerability of the centralised approach with a ‘future legislative mood of Government’. He believes ‘It could be tempting (e.g. to reduce the pressures on the public purse) for Government to enact legislation that makes certain processing of personal data compulsory. For instance, to prove entitlement to a COVID related benefit.

‘Considering to revert to a decentralised model to resolve their Bluetooth issues. ‘Covidsafe app is not working properly on iPhones, authorities admit’ ‘Australians running the Covidsafe contact tracing app on iPhones may not be recording all the data required if they don’t have the app running in the foreground or they are using an older model phone, the government has admitted.’

France is struggling to find an agreement with Apple and Google.

Australia who has already deployed the App has been struggling technically

The Register wrote: ‘UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal’. ‘On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution to the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.’

Running the Bluetooth connection in the back has several inconvenience such as draining the battery and opening security vulnerabilities.

Furthermore, the Bluetooth distance measurement is unreliable according to its own inventor. Bluetooth signals can pierce obstacles the virus hopefully cannot such as a wall or vehicle bodies.

The margin of error has caused a return to lock down in Singapore, one of the first nations after China to deploy TraceTogether App. Less than 20% of the population actually downloaded the App It is suspected that Bluetooth works through glass and even some walls and may even be triggered by reflection in windows in buildings. Jason Bay Senior Director (Government Digital Services) at the Government Technology Agency, Singapore wrote :

If you ask me whether any Bluetooth contact tracing system deployed or under development, anywhere in the world, is ready to replace manual contact tracing, I will say without qualification that the answer is, No. Not now and, even with the benefit of AI/ML and — God forbid — blockchain ? (throw whatever buzzword you want), not for the foreseeable future.

The amount of false alerts will cause major distress and reduce trust on the App. When someone receives the warning SMS that they have been in contact with someone COVID+, that doesn’t mean the NHS can test them immediately. They might be asked to self isolate themselves which is not always technically possibly. It has been suggested in France that they would be hotels dedicated to quarantine. That means 14 days of accommodation, food and entertainment. During which time the person and his family or network will be under distress, maybe unnecessarily isolated causing loss of revenues. Should the government be liable for all that ?

2- These Apps are source of security issues

The well known and security expert Bruce Schneier has expressed his concerns about the issues of using Bluetooth Technology here.

“My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet & Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

SecurityWeek reporter Kevin Townsend wroteThese apps could easily become subject to a high number of false positives – and false positives always lead to a rejection by users. ‘ que faire du stresse, isolation et perte de revenus consécutives au faux positives alertes? Le BT transverse les murs et un automobiliste à proximité pourrait être décelé conne en ‘contact’ .

As contact tracing gains attention, a researcher pokes a hole in Bluetooth technology

  • If someone is reluctant to self quarantine, will they ignore the warning messages ?
  • The most at risk populations are the over 60x, will they be willing to download the app ?
  • What are going the security issues of opening the Bluetooth connection be?

Any data base creates security issues. New NHS contact-tracing app vulnerable to ‘malicious false alerts’, warn experts.

Additionaly, ‘The new NHS contact-tracing app could be used to send malicious alerts causing people to isolate unnecessarily, it has been warned.

The app, which is being trialled in the Isle of Wight, tells users if someone they have been in proximity with may be suffering from coronavirus, meaning they could be exposed.

But because users can set off the warnings themselves by reporting symptoms – rather than positive Covid-19 test results – it could be used to send out false alerts.’

‘Dr Michael Veale, a lecturer in digital rights and regulation at University College London who this week gave evidence to MPs on the technology, told The Independent that Britain’s tracing app had nothing to stop individuals “maliciously triggering notifications” using its normal functionality.

“People can deliberately put others into quarantine or report large areas,” he said. “A child could try to get a day off school by reporting symptoms from a parent’s phone to trigger a quarantine.’

Constant Bluetooth signals in the back will drain the phone battery eventually causing over heating. Will be see a new epidemic of ‘pockets in fire’ ?

ICAR, the Association of experts in Cryptologic research has issued a statement against mass surveillance ‘The Copenhagen Resolution’ :

  • The membership of the IACR repudiates mass surveillance and the undermining of cryptographic solutions and standards. Population-wide surveillance threatens democracy and human dignity. We call for expediting research and deployment of effective techniques to protect personal privacy against governmental and corporate overreach.

A technical deep-dive into the NHS COVID-19 contact tracing app : Since ‘the contact tracing beta is now open source for both iOS and Android, along with some documentation. As a follow-up to our “Staying alive” post, we’ve taken a deep-dive into the source code. It’s pleasantly surprising to find it licensed under MIT, indicating an NHSX commitment to transparency and quality… There have been claims that the Android app accesses location data, as the prompt for Bluetooth API access on Android devices appears to ask for location permissions. However, we debunked this yesterday: this is a consequence of how Android manages requests for Bluetooth permissions.

Reincubate’s CEO, Aidan Fitzpatrick, says:

Yes, it is the case that the coming Apple ExposureNotification framework in iOS 13.5 obviates the need for these keepalives. However, it’s worth noting that:

  • iOS 13.5 has not been released, and may not be for some weeks
  • Prior to yesterday, the last iOS 13.5 beta had a major security flaw, suggesting heavy lifting is going on in Apple’s engineering teams
  • Once it is released, it will likely take months for a majority of iOS users to install it (unusually, the equivalent Android adoption may be more rapid)
  • Older iOS devices — such as the iPhone 6 — cannot run iOS 13, and will not be able to use the Apple technique
  • There’s no reason why the NHS COVID-19 app won’t be able to automatically transition in future to using Apple’s framework — or even dual-running both mechanisms

The app will become increasingly effective as more people use it, and the benefit of mass adoption will create a flywheel effect in this sense. The Australian COVIDSafe app struggled as it didn’t support detecting backgrounded iOS devices from an Android device, and it didn’t have this clever iOS-to-iOS keepalive mechanism.

It’s important to reflect on which circumstances make use of technology like this appropriate. If contact tracing is successful in saving lives, which criteria should be assessed as to whether it’s applied for future diseases? Once the precedent is set, is there an argument that this technology might be used to combat pre-existing infectious diseases? It’s foreseeable that different societies will evaluate the trade-offs differently.

III – The balance of Proportionality requires a three party test :

Fundamental rights, enshrined in the Charter of Fundamental Rights of the European Union constitute the core values of the European Union . These rights must be respected whenever the EU institutions and bodies design and implement new policies or adopt any new legislative measure and in the ECHR.

EU law which requires that “the content and form of Union action shall not exceed what is necessary to achieve the objectives of the treaties”.

the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives” . It therefore “restricts the authorities in the exercise of their powers by requiring a balance to be struck between the means used and the intended aim (or Under Article 52(1) of the Charter, “subject to the principle of proportionality, limitations onresult reached)” the exercise of fundamental rights may be made only if they are necessary (…)”.

1- The necessity, Something needs to be done to end this national confinement killing the country’s economy.

See the Data Protection Impact Assessment published by the Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung (FIfF) e. V. . They recommend that :

  • An appropriate legal basis must be established and in this respect responsibilities have to be defined.
  • Reinforcing the measures of pseudonymisation ‘when creating the TempIDs in the app, it must be ensured that there is no connection between TempIDs and it must never be possible to make one. …The server(s)’ operator must employ an effective separation method…’
  • Accompanying the publication of the app it must be ensured in law and in fact that users have to disclose neither the status of the app nor the mere existence on a device to third parties.
  • Before the app gets published, a comprehensive investigation of the software and the overall system must be conducted and published by an independent body.

2- Could the same result be achieved in a less intrusive way?

I would argue providing tests,, masks, ventilators and resources to over loaded NHS staff will bring a serious improvement with any inconvenient.

The cost of the deployment of the NHSX App is unknown. The Australian Government would have allegedly spend 700.000 AUD just to host the data in Amazon AWS clouds. This is how much less resource the NHS will receive.h

A letter, signed by 177 scientists and researchers working in the UK in the fields of information security and privacy, reads:

Echoing the letter signed by 300 international leading researchers, we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified.1 Such invasive information can include the ‘social graph’ of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens’ real-world activities.

Actually, early testing can give far better results as epidemiologists are saying it is during the first 24 hours that the COVID+ are most contagious. ‘Coronavirus: Send virus alerts within 24 hours or risk second wave, scientist warns

IV – Coronavirus contact tracing apps were meant to save us. They won’t. ‘With little evidence to show how effective such apps are and growing privacy concerns, there’s a risk they could do more harm than good‘

From Iceland to Israel, more than 30 systems are being developed by governments and health authorities. They promise to automate the laborious process of tracking down the contacts of infected individuals, helping to slow the spread of coronavirus through the population and save lives.

False alerts might loose users trust. An Oxford research said that the probability of seeing any result from the tracing Apps requires that at least 60% of the population use the App. Will the most vulnerable population of over 60% be willing to download and use it ? Will the government be liable for the false alters causing distress, unnecessary isolation and loss of revenues? France is talking of self isolating in hotels, where and how feed and entertain these people?

Elsewhere projects using personal data to combat SARS-CoV-2

Singapour’s TraceTogether App moved to the The Apple and Google collaboration on digital contact tracing solutions, is a game-changer, as we said previously. It will significantly improve the contact tracing capability available to governments and public health authorities over what is available through public APIs on either Android or iOS platforms. We are glad that Apple and Google are engaging governments and public health authorities around the world, including us, to incorporate feedback as the specifications for their contract tracing protocol and private APIs.

In Poland, Although initially voluntary in nature, it has become mandatory for all those under obligatory quarantine or epidemiological surveillance, as a tool to confirm compliance with quarantine obligations (e.g. whether the ban on leaving the quarantine location is observed).

Contact tracing apps in Austria: a Red Cross initiative |Has been launched In March 2020 in co-operation with Accenture.

The first published version of the Stopp Corona app required users to log their contacts via a ‘manual’ handshake. In the current version, however, the app already allows contacts to be traced automatically, depending on the device and its configuration. 

The automatic handshake functionality is based on the discovery and messaging functionality of the p2pkit developed by the Swiss company Uepaa, which uses Bluetooth and Wifi-direct techniques to determine the distance between the users. 


Switzerland: “WeTrace” app (Private)

This project is ready to be deployed. It is open source. All data remains locally on the devices. Packaged information encrypted asymmetrically. The sole information a potential malfeasor on the central server would see is the fact _that_ an infected person has actually pushed a status update, but on the core server it is not visible “what” the person has broadcasted. The broadcasting user can determine the details of what should be broadcasted aside from status (location of contact, time of contact, etc.). Packages will be sent not to everyone but only to those that need to know.

Spain: “Open Coronavirus” app (Private)

The Spanish medical investigator Aurelia Bustos has released Open Coronavirus, an open-source app with the aim to copy the advantages of the South-Korean app: in the end, serving as an individual-validation-method in order to allow free movement of the citizens. This tool can be used by any public institution as a basis for its own apps on tracking citizens due to the coronavirus emergency, and it offers a modular design: three levels of management (mobile phone, central management of data by the competent authority and checking of the control points by the competent authority too) with different options of geolocation (GPS, bluetooth, positioning by mobile operators cells) that could be implemented or not by the corresponding institution. Its use would be voluntary for the citizen (although, in words of the medical investigator, “it would be probably very advantageous for the user, as it would allow him/her to have the possibility to finish an eventually longer quarantine”), and it would necessarily depend on the realization of any kind of coronavirus detection tests.

As this is an open-source app, that it will not be officially published in its current status, and any use of the same by any institutons must be always in line with GDPR.

Sadly, it can be said of the NHSX Tracing App, similar to the French STOPCOVID, that « StopCovid est un projet désastreux piloté par des apprentis sorciers »

UPDATE 8th May, The Financial Times reveals ‘UK starts to build second contact tracing app‘ going for a decentralised model in collaboration with Apple and Google.

The different existing systems :

Liste of Projects using personal data to combat SARS-CoV-2

MIT – A flood of coronavirus apps are tracking us. Now it’s time to keep track of them. MIT have documented 25 individual, significant automated contact tracing efforts globally, including details on what they are, how they work, and what policies and processes have been put in place around them.

EDRI COVID-19 & Digital Rights: Document Pool

Techdispatch ‘Contact Tracing with Mobile Applications’

Privacy International : A technical deep-dive into the NHS COVID-19 contact tracing app

UK government Covid tracking app: what you need to know!

Guide to Coronavirus Offences. Help for the public, police and lawyers by the Doughty Street Chambers.

Computer model that locked down the world turns out to be sh*tcode.

A SPECIAL THANK YOU TO GRAEME McGOWAN for allowing me to use his beautiful photography.

This work is licensed under a  Creative Commons Attribution 4.0 International License .