Privacy experts express serious concern at NHSX COVID-19 contact tracing app

Stuart Sumner

A letter signed by over a hundred privacy experts and academics, published following a meeting of the Parliamentary Science and Technology Committee to debate the app, now has almost 200 signatories.

Privacy experts and academics have expressed grave concerns about the proposed NHSX COVID-19 contact tracing app, signing a public letter to the government.

The letter was signed by 117 experts and organised in part by Eerke Boiten, professor of cyber security at De Montfort University. It is reproduced in full below.

Parliament's Science and Technology Committee held an evidence session on the NHSX Covid contact tracing app today. The academics present at the session pointed out that they were not experts in privacy and security.

The NHS decided to create its own app rather than rely on the APIs from Google and Apple, the strategy employed by other European countries.

Here is the letter in full:

We, the undersigned, are scientists and researchers working in the UK in the fields of information security and privacy. We are concerned about plans by NHSX to deploy a contact tracing application. We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved.

A contact tracing application is a mobile phone application which records, using Bluetooth, the contacts between individuals, in order to detect a possible risk of infection. Such applications, by design, come with risks for privacy and medical confidentiality which can be mitigated more or less well, but not completely, depending on the approach taken in their design. We believe that any such application will only be used in the necessary numbers if it gives reason to be trusted by those being asked to install it.

It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance. Echoing the letter signed by 300 international leading researchers, we note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified. Such invasive information can include the "social graph" of who someone has physically met over a period of time. With access to the social graph, a bad actor (state, private sector, or hacker) could spy on citizens' real-world activities. We are particularly unnerved by a declaration that such a social graph is indeed aimed for by NHSX.

We understand that the current proposed design is intended to meet the requirements set out by the public health teams, but we have seen conflicting advice from different groups about how much data the public health teams need. We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application. We hold it is vital that, if you are to build the necessary trust in the application, the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a "nice to have", given the dangers involved and invasive nature of the technology.

We welcome the NHSX commitment to transparency, and in particular Matthew Gould's commitment made to the Science & Technology committee on 28 April that the data protection impact assessment (DPIA) for the contact tracing application will be published. We are calling on NHSX to publish the DPIA immediately, rather than just before deployment, to enable (a) public debate about its implications and (b) public scrutiny of the security and privacy safeguards put in place.

We are also asking NHSX to, at a minimum, publicly commit that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system, other than those self-reporting as infected, to enable the data to be used for building, for example, social graphs.

Finally, we are asking NHSX how it plans to phase out the application after the pandemic has passed to prevent mission creep.
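As an added illustration, not taken from the article or the letter and not NHSX or Apple/Google code, the constructed Python simulation below contrasts the two designs the letter discusses: a centralised server that stores an infected user's identity together with the identifiers of everyone they met, and a decentralised design where only the infected user's daily key is published and matching happens on each phone. The rolling-identifier scheme, the phone names and the assumption that the centralised server issued every daily key (and so can map identifiers back to people) are all constructed for the example.

```python
"""Constructed simulation: centralised vs decentralised contact tracing.
The key scheme and names are illustrative assumptions, not any real app's code."""
import hashlib
import secrets

SLOTS_PER_DAY = 48  # assumed: one rolling identifier per half-hour slot


def rolling_id(daily_key: bytes, slot: int) -> bytes:
    # Ephemeral Bluetooth identifier derived from a per-day key; unlinkable without the key.
    return hashlib.sha256(daily_key + slot.to_bytes(2, "big")).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = secrets.token_bytes(16)
        self.seen = []  # (slot, rolling_id) values broadcast by nearby phones


def encounter(a: Phone, b: Phone, slot: int) -> None:
    a.seen.append((slot, rolling_id(b.daily_key, slot)))
    b.seen.append((slot, rolling_id(a.daily_key, slot)))


# Centralised design: the infected user's identity and whole contact log go to the server.
def centralised_report(server: dict, phone: Phone) -> None:
    server.setdefault(phone.name, []).extend(phone.seen)


def centralised_social_graph(server: dict, key_registry: dict) -> set:
    # If the server issued the daily keys (assumed here), it can turn every stored
    # identifier back into a named edge: the "social graph" the letter warns about.
    lookup = {rolling_id(k, s): n for n, k in key_registry.items() for s in range(SLOTS_PER_DAY)}
    return {(who, lookup[rid]) for who, log in server.items() for _, rid in log}


# Decentralised design: only the infected user's daily key is published; no contact log leaves the phone.
def decentralised_report(published: list, phone: Phone) -> None:
    published.append(phone.daily_key)


def local_match(phone: Phone, published: list) -> bool:
    exposed = {rolling_id(k, s) for k in published for s in range(SLOTS_PER_DAY)}
    return any(rid in exposed for _, rid in phone.seen)


def demo() -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, bob, slot=3)   # constructed encounters
    encounter(bob, carol, slot=7)
    central_db, registry = {}, {p.name: p.daily_key for p in (alice, bob, carol)}
    centralised_report(central_db, alice)             # alice reports infection
    published = []
    decentralised_report(published, alice)
    return {"central_graph": centralised_social_graph(central_db, registry),
            "bob_exposed": local_match(bob, published),
            "carol_exposed": local_match(carol, published),
            "decentralised_server_records": len(published)}
```

In the decentralised case the server ends up holding a single key and no record of who met whom, whereas the centralised store yields the named edge directly.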
