Here, we set out the big questions about the new NHSX contact tracing app and explain what we know so far.
We think the Health Secretary’s choice of a state-controlled, centralised app is wrong and leaves lots of unanswered questions. Our director explains some of the reasons here.
In 2-3 weeks time, we’ll all be faced with the choice of whether to download and use the app or not. It’s a personal choice and there is no right or wrong answer. Here we try to give you the information you need, in as simple terms as possible, to help you make an informed choice.
If you have any further questions or want to share your thoughts or contributions on this set of questions, email us at email@example.com
Contact tracing helps prevent the spread of a virus by proactively finding people at higher risk of infection than others due to potential exposure. It’s a method by which public health professionals aim to identify infected people and those who exposed to a risk of infection through close contact with them, so they can be advised on appropriate action.Collapse
The NHSX contact tracing app aims to let you know if you’ve been near to the phone of someone who may have coronavirus for long enough that you could be at risk of infection.
As the NHS states, “Its goal is to reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves.”1
The app works by Bluetooth “proximity tracing”, picking up on Bluetooth signals from phones running the app that come near you, and recording how long and how far away you are from those phones. This is so that, should an app user develop coronavirus symptoms and report this via their app to the central system, other app users who may be at risk of infection can be alerted.
If you receive such an alert, you’ll be advised on what to do (e.g. self isolate). If you've been alerted, you may also be provided with a 'token' to apply for a test if these are available.Collapse
Whether app users can be re-identified relies on trust in the organisations — NHSX and the National Cyber Security Centre (NCSC) — who operate the system.
The data held by the centralised system is “personal data” under data protection law, not “anonymous data”.
When you register with the app, your phone is assigned an 'installation ID' based in part on a 'master key' provided by NCSC. Your installation ID doesn’t change. This allows the NHS to make contact with your phone and to send an app alert if the data reported by others to the central system suggests you’re at risk of infection.
From this installation ID, the app will generate a ‘daily ID’ that changes each day – this is the ID that you’ll exchange with other app users. Only NHSX and NCSC can see how your daily IDs connect back to your installation ID.
Effectively, the app gives you an identification tag and this tag is pseudonymised (i.e. its visible number changes) every day. However, NHSX has the ability to see that each of these daily pseudonyms belong to your tag (installation ID)
At the moment, you won’t be asked for your phone number, name or information other than the first part of your postcode. But ministers and senior NHSX officials have suggested that the app will change over time and updated versions will likely request, or take, more data.Collapse
At the moment, the data collected includes:
When you register your phone with the app, you’ll be asked for the first half of your postcode.
Each time you open the app, you’ll be asked if you have developed a new persistent cough or a temperature.
If you report these symptoms, the app will ask you if you wish to send the last 28 days of your Bluetooth “contact events” - that is, data showing how close and for how long you have been to other app users – from your phone to a central store.
Privacy International’s analysis also shows there are two third-party trackers included in the app (Google Firebase Analytics and Microsoft Appcenter Analytics). Until the code is published, we can't yet know what the purpose of them is and what data, if any, they are collecting or sharing.
(Android only): In order to use your Bluetooth, the app will ask for your permission to use “location data”. Privacy International has warned that, although the app isn’t believed to use location data at this time, this broad permission could allow the Android app to subsequently change the data collection to include location data (GPS).2Collapse
In short, NHSX can access the data.
NHSX can share data for health and research purposes, including with universities, pharmaceutical and tech companies for research.
When you register the app, your installation ID and phone make and model will be held in a central store. The central store belongs to NHSX and is secured by the National Cyber Security Centre, an arm of the UK’s signals intelligence agency GCHQ.
The NHSX app data generated after installation – that is, data showing your encounters with other app users — stays on your phone. Only if you report symptoms will the last 28 days of that data be sent to the central store.
Intelligence agencies can obtain health data if there is a lawful purpose.Collapse
Yes. In the design of the NHSX app, users upload data about each other. As a result, even if you never declare symptoms in the app, anybody who came into contact with you who has declared symptoms will have uploaded your identifier to the central store.
Because of this, a social network involving your relations can be assembled in the central server even though you never opted to upload any data.Collapse
The NHSX app asks for the first part of your postcode to “plan your local NHS response”3. This is likely to do with ensuring healthcare capacity to deal with the rate of infections, but this is unclear. What it means is the app is not only doing contact tracing, but some amount of tracking as well - as the Secretary of State confirmed in his press conference on 4 May. MPs have asked the Health Secretary for more clarity.4Collapse
The NHSX app monitors your contact with other app users, but not (at this point) your phone's location data.
The centralised model means there is the risk that the amount of monitoring could expand over time (see “What are the privacy problems with the NHSX app? What is mission creep?”).
(Android only): In order to use your Bluetooth, the Android app will ask for your permission to use “location data”. Privacy International has warned that, although the app isn’t believed to use location data at this time, this broad permission could allow the Android app to subsequently change the data collection to include location data (GPS).5Collapse
No. At the moment, use of the app is entirely voluntary.
We believe it should stay this way – and that possession of the app should never be used as a gateway to grant more work and travel rights than those who do not or cannot use the app.Collapse
The National Cyber Security Centre (NCSC) is part of GCHQ, the UK’s signals intelligence agency. NCSC has been involved in the design of the NHSX app and provides cybersecurity expertise. It's also tasked with protecting the security of critical national infrastructure, including parts of the NHS, which will include the app's central data store.
A directive issued in early April gave GCHQ the power to access any and all NHS information systems.6Collapse
The centralised store of NHSX app data will be protected by NCSC.
The fact that there is a centralised data store at all creates a risk that it could be attacked, hacked or compromised. A recently issued security directive requires NHS bodies to give GCHQ "any information relating to the security of any network and information system held by or on behalf of the NHS or a public health body" in order to protect their security. This is reportedly in light of a growing threat of “state actors” hacking large stores of sensitive data about the pandemic in the UK, but would also be necessary for GCHQ to identify "bad actors" attempting to disrupt the system from within the UK.Collapse
All of the contact tracing app designs give app users an anonymous installation ID (a random number) upon registration and then regular pseudonymised IDs (a different number each day that connects back to the installation ID), so that encounters with other app users do not directly identify anyone personally. We'll call these daily IDs, as they are in the NHS app, although in many systems they change more regularly (e.g. every 15 minutes) to stop persistent tracking.
Here’s a (pretty crude) analogy – imagine you’re an actor. The ‘installation ID’ is like your permanent stage name, and the daily IDs are the different characters you play each day. One main difference between centralised and decentralised apps is how these IDs are given out.
In the centralised model, it's effectively the state who issues and stores the installation IDs. It’s also the state who issues the daily IDs, and they can (if they want to) connect them to the installation ID. And if you report symptoms, the last 28 days of your data including your installation ID, daily IDs and encounters with other app users, goes to the state’s central store.
In the decentralised model, the software issues installation IDs and daily IDs without a central authority, so no authority can connect the two. The data stays on your phone and if you report symptoms, the software automatically tells the other app users you came into close contact with, without needing to go through a central authority.Collapse
“DP3T” stands for Decentralised Privacy-Preserving Proximity Tracing. It refers to a model for a decentralised contact tracing app that minimises privacy and security risks. It was developed by technologists, epidemiologists, engineers and legal experts who wanted to design an approach that minimises the risk of governments using contact tracing apps for surveillance.
Apple and Google provided system support for a form of decentralised contact tracing model based in part on DP3T, meaning it can work well on iPhones and Android phones (which usually limit Bluetooth use of this type to stop commercial tracking).
However, the UK government and NHSX rejected this model and have, for now, opted for a centralised app. (NHSX is "exploring" the possibility of using Apple and Google's systems support, but no details are yet available.)Collapse
This remains to be seen as the app is still being trialled (currently on the Isle of Wight). There are reports that the NHSX app will likely drain the battery on some smart phones.
The app uses a range of workarounds on iPhones to attempt to keep the Bluetooth functionality working when the phone is locked. These workarounds rely on other nearby phones, particularly Android phones, to regularly 'nudge' iPhones to stop their apps 'falling asleep' when they're not on the screen or when the phone is locked.
If the app is allowed to 'fall asleep' whilst not on the screen, iPhones will not recognise each other, and will not register each other as having generated a contact event - meaning that users may not be alerted of a risky encounter. This appears to be more likely for people who are isolated, or in rural areas.
It was initially reported that Apple was providing a particular UK fix for this issue, but Apple have since denied providing any special treatment or arrangement.7
Privacy International reports that the app did not install successfully on some older Android devices.8 This could exclude more users – disproportionately those on low incomes, which may include key workers and the elderly who are also at the greatest risk.Collapse
The main privacy issues with the NHSX app stem from the fact it is state-managed and has a central authority. With the government in control of the app, the app’s functions could expand beyond the initial purpose. This is known as “mission creep”.
The centralised data collection and use of a 'master key' to generate the installation IDs increases the risk that app users could be re-identified to the device or person.
This could happen through expanding the data collection. Further updates and more data collection could be added to the app. NHSX has already expressed a clear interest in doing this. The data is not currently stored next to a name or phone number, but this would be much easier to do with the centralised system than the decentralised one. For example, app users could be asked for more data in an update of an app; even if this were stored in a separate database, this data could later be linked. Alternatively, if a Bluetooth sensor installed by the state was covertly placed next to a point of identification, such as a passport booth or an Oyster card reader, those databases could also be easily combined to identify you and track you from there onwards.
But even without re-identification, there’s a considerable risk of privacy intrusion arising from the state management of installation IDs alone. The state could build lists of infectious IDs, recovered IDs, non-infected IDs, and IDs that have been instructed to isolate. Bluetooth sensors could pick up on where these IDs go and what they do. Many sensors already exist that could be repurposed. In this way, lockdown or isolation instructions could be closely policed.
And if app updates ask for location data, users could be tracked without their permission too. NHSX has already indicated that in future it might invite people to send their location data about where they had contact with other individuals. A major privacy problem with this would be that while NHSX might have the consent of the person donating the data, it wouldn't necessarily have the consent of everyone whose location data would be revealed.Collapse
It is important to consider the social impact of contact tracing apps too. This is somewhat of a social experiment. Nothing like this has been done before. Will the app give people a false sense of security? Will those who don’t use the app be socially shamed? Will the app lead to contact tracing for other contagious illnesses or influenza – a new norm? There are lots of questions to consider, and little evidence to suggest the social impact has been accounted for.Collapse
It's possible that contact tracing apps could help to control the spread of the virus by alerting people who have been exposed to a risk of infection and advising them to self-isolate. That’s certainly the aim.
Success relies on several factors, including mass uptake, reliability of alerts, usability of the app, and overall, trust.
The Government needs roughly the same number of people to use the NHSX app as those who use WhatsApp for it to have an impact; around 60% of the population. This is a truly huge number of people to recruit to an app in a short timeframe. But mass uptake will only happen if the public trusts the app and has evidence that it will work.
That’s why the questions about why the Government has opted for centralised system that’s prone to mission creep, and could even break data laws, must be answered. The app has no chance of success if the public can’t trust it.
Reliability is key for continued use of the app too. At the moment, alerts to self-isolate can be sent on the basis of someone’s self-diagnosis. If you’re repeatedly told to self-isolate on the basis of false alarms – which will cause disruption to your family and social life, work and ability to earn, ability to seek healthcare, and more – you may decide to stop using the app.
And if the app does drain battery life as expected, this is likely to make some people stop using it.Collapse
It’s highly unlikely. But there are two possible ways this could happen – and this can happen with either a centralised or decentralised app.
First, if someone has very limited social contact and then receives an alert to isolate, they may be able to infer who the symptomatic person is that they’ve been in contact with.
Another way this could happen is if someone registered afresh with the app every time they are in a social situation. Then any subsequent alert to self-isolate could be linked back to the app registration associated with that social encounter.Collapse
Because the NHS app uses a different model to many other countries – like Germany, Italy, Austria, Estonia, Switzerland, Canada, Latvia and Ireland which have all opted for a decentralised model – it’s unclear whether the apps will be ‘interoperable’ (i.e. be able to communicate with one another). So, we don’t yet know whether people will be able to benefit from using the app when they travel outside of England. And of course this will also affect visitors or others coming to England who may be using other apps.Collapse
This remains an unanswered question. However, NHSX has been clear that it envisages adding more features and collecting more data in future versions.Collapse
No. Any data that is sent to the central store cannot be deleted. You can only delete the data that is stored locally on your phone.Collapse
It has been suggested that employers could ask or even require staff to use the contact tracing app in order to come back to work, or that the app could be a travel requirement.
Fundamental rights should never, and can never, be contingent on the possession of an app. There should be no digital divide for our freedom. We would campaign against any such moves.Collapse
This question remains unanswered. MPs have written to the Health Secretary to ask this question.Collapse
Our phones, and state agencies, already collect a huge amount of information about us. Some of it is more intrusive than the data collected via the NHSX app, including location data.
However, a number of of the data and privacy concerns associated with the NHSX app are unique. In particular, the ability of the state to create lists of infectious, possibly infectious and non-infectious IDs which can then be flagged by Bluetooth sensors in public places is a risk. The social impact of such apps is also completely new.Collapse
The Health Secretary has told us that it’s our “duty” to use the NHSX app and that it will help get “our liberties back”. This is at best jingoism and, at worst, could be actively dangerous if this experimental app turns out to provide false hope or sense of security.
Uptake of an app is not a suitable or lawful test for the public to be afforded basic rights. The test for lifting restrictions on our fundamental rights must be a test of the strict necessity and proportionality of the restrictions in place and must be based on evidence, not assertion.Collapse
An expert legal opinion has already been issued which casts doubt on the lawfulness of the NHS app’s centralised model.10 In order for the level of data collected by the app to be justified, it must be proven that such data collection is necessary for the app to be effective and that it provides real benefits to public health.
The app must comply with data protection laws, and clearly engages our right to privacy, protected by Article 8 ECHR, as well as our right not to be discriminated against, protected by Article 14.
The Joint Committee on Human Rights has warned:11
“It is not clear that the current legal and regulatory arrangements provide satisfactory, indeed the necessary, legal oversight required. State-controlled apps that enable the mass surveillance of personal data, and that could then enable the (proportionate or otherwise) violation of fundamental rights are novel.”
and urged the Government to bring plans to parliament, which can decide democratically whether to implement a centralised or decentralised app and provide oversight. The Committee said:
“The Government’s assurances about intended privacy protections do not carry any weight unless the Government is prepared to enshrine these protections in law.”
We agree that the app's plans should be put to Parliament, and that primary legislation - as well as the proper enforcement of existing legislation - is needed to ensure vital safeguards and protect our rights.Collapse
Many thanks to Dr Michael Veale (University College London, DP3T) and Phil Booth (medConfidential) for contributing their expertise to this FAQ.