NHS Coronavirus App Could Give Government Power to 'De-Anonymise' Users

A draft government memo outlining how the recently-announced NHS coronavirus contact-tracing app would function in practice said authorities would have the ability to identify specific users from their smartphones, The Guardian has revealed.

Health Secretary Matt Hancock announced 12th April the UK intended to introduce the app, which enables people who’ve developed coronavirus symptoms to sign up so other users can see if they’ve been in proximity with sufferers. Hancock stressed all data would “be handled according to the highest ethical and security standards”, and “only be used for NHS care and research”.

However, the document seen by the Guardian, produced in March, suggests the NHS privately considered using the technology to identify individual users.

The app will work using Bluetooth LE, a constantly running feature, which lodges “soundings” from other nearby phones in the vicinity throughout the day. People who’ve been in sustained proximity with someone who may have coronavirus will then be warned to self–isolate, without revealing the identity of the infected individual.

​The memo stated “controversially” the app could use device IDs, unique to all smartphones, “to enable de-anonymisation if ministers judge that to be proportionate at some stage”. The obvious questions of why ministers would want to identify app users, or under what circumstances doing so would be proportionate, are unasked and unanswered in the memo. Moreover, this function seemingly contradicts advice given by the Information Commissioner’s Office that identifying individuals from their location data could breach UK privacy laws.

Contact-tracing apps have been much-advocated in recent weeks, on the basis they could prove a vital to governments wanting to emerge from lockdown conditions which currently restricting the activities and movements of millions.

​Oxford University researchers, who have been advising the UK health service on the app, published a paper in March which concluded traditional contact tracing methods were of limited use in battling the spread of coronavirus, in part because it can be spread by those who are both asymptomatic and pre-symptomatic.

Instead, they argued a contact-tracing app could speed up the process by automatically notifying contacts of people diagnosed with Covid-19.

Privacy International has suggested Bluetooth LE system-based contact tracing would be considerably less intrusive than other tracking mediums, such as GPS or WiFi data, as it merely keeps a record of which devices have been near one another rather than their actual locations.

“Bluetooth is arguably one of the more accurate technologies in terms of proximity identification…Arguably, it is also the least intrusive form of tracking given that it is based on proximity to other phones using the app. In this context, it can be understood more so as an interaction tracking tool. Data can be 'localised' and shared in accordance with a policy e.g. the Bluetooth devices you connect to are not shared unless for example you come into contact with someone who believes they have Covid-19 (as testing is still relatively rare). It is unclear whether anonymisation may in reality be possible; Bluetooth technology still has the potential to deanonymise vast swaths of the population and if implemented like Singapore's Trace Together, share sensitive personal data,” the NGO writes.

​However, others are less convinced of contact-tracing apps’ efficacy, due to a variety of reasons not limited to the necessity for vast numbers of people to download the app for it to be a truly trenchant safeguard, an enduring unavailability of reliable testing, and the risk such an open system could be abused. Ross Anderson, professor of security engineering at Cambridge University, is consulting with UK health officials on the app and had grave concerns about its rollout.

For one, he said his 25 years’ experience of the NHS “being incompetent at developing systems and repeatedly breaking their privacy promises when they do manage to collect some data of value to somebody else” made him “uneasy about collecting lots of lightly-anonymised data in a system that becomes integrated into a whole-of-government response to the pandemic”, especially as “we might never get rid of it”.

“The real killer is likely to be the interaction between privacy and economics. If the app’s voluntary, nobody has an incentive to use it, except tinkerers and people who religiously comply with whatever the government asks. If uptake remains at 10-15 percent, as in Singapore, it won’t be much use and we’ll need to hire more contact tracers instead. Apps that involve compulsion, such as those for quarantine geofencing, will face a more adversarial threat model, and the same will be true in spades for any electronic immunity certificate. There the incentive to cheat will be extreme, and we might be better off with paper serology test certificates, like the yellow fever vaccination certificates you needed for the tropics, back in the good old days when you could actually go there,” he cautioned.

Moreover, he speculated the dash for tracing apps was “really just do-something-it is”, as “most” countries were now seemingly past the point where contact tracing was a high priority, especially as “we cannot field an app that will cause more worried well people to phone 999”