Leaked NHS Docs Reveal Roadmap, Concerns Around Contact-Tracing App

Future features include plenty of self-reporting options, and officials’ fears the data could be misused.

A COVID-19 contact-tracing app to be rolled out by the UK’s National Health Service (NHS) has been thrust into the spotlight thanks to sensitive documents being leaked via a public Google Drive link.

Contact tracing has emerged as a top idea for dealing with the coronavirus pandemic and is considered by many to be an important step towards reopening economies worldwide. However, with several initiatives underway to use mobile phone apps to carry it out, privacy concerns have come to the forefront.

The NHS app is no exception, with detractors concerned about how the information it collects could be used. The leaked NHS documents, reported by Wired, show that the officials behind the initiative are also concerned — specifically about how unverified information could be used.

The docs show that roadmap features for the app include the ability for people to upload their health “status” on a self-reporting basis, with options that could include: quarantine, self-isolating, social distancing, shielding and none. Future plans also indicate the integration of granular location data; and, future versions of the app could also “collect self-reported data from the public like post code, demographic information and co-location status to enable more effective resource planning for NHS,” the documents reveal.

Because the information would be self-reported, the data collected by the app could include unverified diagnoses – and could be open to abuse or lead to unjustified “public panic,” according to the documents reviewed by Wired.

“The fundamental issues for me that need to be addressed are transparency and building in privacy to any technology solution or approach from the outset. In other words, privacy by design,” Steve Durbin, managing director of the Information Security Forum, told Threatpost. “The notion of only storing data for as long as you need it and protecting it at all stages of the information life-cycle will strike a chord with information security professionals around the world who for many years have been adopting this mantra to safeguard private data.”

The documents were laid bare thanks to a public link to a Google Drive. The NHS moved to rectify the misconfiguration after being alerted by Wired.

Contact-tracing apps continue to spur controversy. Thomas Hatch, CTO and co-founder at SaltStack, said that he feels that governments can easily take advantage of the pandemic as an excuse to implement surveillance.

“We have spent a considerable amount of effort in recent years to fight privacy issues, however, traction has been difficult,” he said. “Recent events have created new reasoning to increase surveillance, an excuse that governments and businesses are taking advantage of. When all is said and done, this damages privacy and I don’t see a rollback without an aggressive push after COVID-19.”

Chris Hauk, consumer privacy champion with Pixel Privacy, said that any privacy assessment comes down to individual implementations. For instance, the conversation around privacy has been fomented by Apple and Google’s announcement that they would work on a tracking app that would work across Android and iOS platforms.

“While the ongoing COVID-19 pandemic has much of the world’s population willing to possibly give up some information as to their movements about their own region, users should still keep in mind the privacy risks involved in governments gleaning such information,” he told Threatpost. “Unless the apps are based on privacy-respecting APIs, such as the API being offered by Apple and Google, users run the risk of unknowingly exposing more of their personal movements and other information than they might like to.”

Paul Bischoff, privacy advocate with Comparitech, told Threatpost that the devil is, as always, in the technical details.

“Contact-tracing apps can be categorized by two broad criteria: Whether they are centralized or decentralized, and whether they use GPS or Bluetooth,” he said. “The most private method combines a decentralized model that keeps users’ identities anonymous with Bluetooth for proximity checking. This is the model used by Google and Apple. Bluetooth offers more accurate real-time proximity tracking than GPS and the data is easier to anonymize, though…it’s more prone to trolling, and a well-resourced adversary could track users with linkage attacks.”

He added, “The decentralized model uses anonymous, rotating identifiers in lieu of identifying information, and users only upload confirm diagnoses. Although this is more private and less prone to developer abuse and data breaches, it’s more difficult to verify diagnoses without users’ identities.”

Suggested articles