Just how anonymous is the NHS Covid-19 contact tracing app?

On the Isle of Wight, the NHS contact tracing app is making a difference. Around 25 people per day are being tested for coronavirus after reporting it through their phones and more than 50,000 people have downloaded the software, England’s chief data officer has said.

But cracks are emerging. Facebook groups for the island are filled with people questioning whether the app is working correctly and if it’ll ever work on their ageing smartphone. People are paranoid about data privacy. There are also questions around the algorithm that automatically assigns everyone a risk score and the wider purpose of the app.

As a result, the UK government has not ruled out moving away from its centralised app to the decentralised model proposed by Apple and Google. “If we need to change our app we will do so,” communities secretary Robert Jenrick has said. Work has already begun on a second contact tracing app.

Initial technical questions about the app have, mostly, been answered. NHSX, the health service’s new technology arm, published the source code for both the iOS and Android versions of the app on May 7. So far this only includes the frontend; the backend code describing what happens on NHS servers has yet to be published. Even so, the release has largely cleared up concerns that the app would not work properly on iPhones.

Analysis from software company Reincubate has shown developers at the NHS have employed some clever engineering to make sure the app works. Before the source code was published Apple said the technique employed by the NHS was new and unproven but crucially didn’t break any of the firm’s terms of service. (Australia, which also shunned Apple and Google, has struggled to get iOS devices functioning correctly).

For people to use the app, there needs to be trust. One of the biggest risks of the UK’s centralised contact tracing app – where Bluetooth data about how close users were is combined with some postcode information in one database – is the risk of people, and who they have been around, being identified. But how realistic are such concerns?

The app itself doesn’t collect information that would obviously reveal someone’s identity: there’s no need to provide your email address or name, GPS data isn’t collected, nor does the app ask for access to much data on your phone. Health secretary Matt Hancock has said the app will “anonymously” alert people when they’ve been near those who report coronavirus symptoms. And the legal document, the data protection impact assessment (DPIA), outlining how the app handles people’s data also refers to the system as anonymous.

But under data protection laws the app isn’t anonymous. GDPR and the UK’s data protection rules define ‘personal data’ as something that can identify an individual. Under GDPR, an identifier assigned to a phone can be considered personal data. (In the past a person’s IP address has been ruled to be personal data). While the Bluetooth logging system in the NHS app doesn’t collect location information, or other types of data, it does create an identifier (known as InstallationID) for every phone that uses the app. This counts as something that could lead to the identification of an individual.

“The NHSX app does not preserve the anonymity of users, as it primarily processes pseudonymous, not anonymous, personal data,” Michael Veale, a lecturer in digital rights and regulation at University College London, wrote in an analysis of the NHS app. “Anonymous information is only that which is not personal data”.

The analysis has not been peer reviewed but a number of data protection experts who have read the document agree that the use of anonymous is incorrect. The app’s DPIA admits the data isn’t anonymous – at least in a legal sense. Under a section asking whether pseudonymised personal data will be used, its creators write that a process of “individuation” is used and that the IDs given to phones would require extra data to reveal the identity of people. The DPIA asks whether fully identifiable personal data will be used. “No,” the NHS writes. “The data will not be processed in a way that will allow users to be directly identified.”

“The significance is really in the function creep,” Veale says. He is involved in the DP-3T contact tracing project, which is creating an alternative decentralised system. “A centralised system is always a tiny step away from identification – even without an app update, by putting a sensor at a point where you identify yourself such as a passport booth, Oyster card reader or CCTV camera. A decentralised app isn’t.”

Within Veale’s analysis he highlights three potential ways someone could be identified through the InstallationID the NHS app creates. The first involves using additional sensors, such as Oyster card readers, that can match a person’s identity to the app that’s being used on their phone. The second involves a person travelling and encountering lots of individuals who use the app with different postcodes attached to their accounts. A person can be found in the NHS database based on their interactions with people in those areas. Third, Veale writes, the installation ID given by the NHS could be extracted by police using forensic tools to remove information from a phone.
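The second of these routes, a contact pattern that is distinctive because it spans several postcode districts, can be measured rather than argued about. The following is an added example, not NHSX code: a toy model of the centralised store the article describes (pseudonymous InstallationIDs, the partial postcode each user supplied, and which pairs of IDs were within Bluetooth range), scored with a k-anonymity style check of how many installations share the same set of contacted districts. The IDs, postcodes and contact pairs are constructed.

```python
"""k-anonymity style check of InstallationID contact fingerprints (added example)."""
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: InstallationID -> partial postcode (outward code) the user entered.
POSTCODES: Dict[str, str] = {
    "id-01": "PO30", "id-02": "PO30", "id-03": "PO30",
    "id-04": "PO31", "id-05": "PO31", "id-06": "PO33",
    "id-07": "SO14",  # a visitor who travelled around the island
}

# Constructed sample: Bluetooth proximity events between two installations.
CONTACTS: List[Tuple[str, str]] = [
    ("id-01", "id-02"), ("id-02", "id-03"), ("id-01", "id-03"),
    ("id-04", "id-05"), ("id-04", "id-06"),
    ("id-07", "id-01"), ("id-07", "id-04"), ("id-07", "id-06"),
]


def contact_fingerprint(install_id: str, contacts: List[Tuple[str, str]],
                        postcodes: Dict[str, str]) -> FrozenSet[str]:
    """Postcode districts of every installation this one has been near."""
    districts = set()
    for a, b in contacts:
        if a == install_id:
            districts.add(postcodes[b])
        elif b == install_id:
            districts.add(postcodes[a])
    return frozenset(districts)


def anonymity_set_sizes(contacts: List[Tuple[str, str]],
                        postcodes: Dict[str, str]) -> Dict[str, int]:
    """k per installation: how many installations (itself included) share its
    fingerprint. k == 1 means the pattern alone singles the device out."""
    fps = {i: contact_fingerprint(i, contacts, postcodes) for i in postcodes}
    counts = Counter(fps.values())
    return {i: counts[fp] for i, fp in fps.items()}


def unique_installations(contacts: List[Tuple[str, str]],
                         postcodes: Dict[str, str]) -> List[str]:
    """Installations whose contact pattern is unique in the whole store."""
    return sorted(i for i, k in anonymity_set_sizes(contacts, postcodes).items() if k == 1)


if __name__ == "__main__":
    for install_id, k in anonymity_set_sizes(CONTACTS, POSTCODES).items():
        print(install_id, sorted(contact_fingerprint(install_id, CONTACTS, POSTCODES)), "k =", k)
```

Only the two users who stayed within a single district share a fingerprint; the traveller’s pattern is unique even in this tiny store, and every additional field joined to the database (Levy’s point below) can only make k smaller.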

“Yes, some of the reidentification risks posed by Dr Veale appear plausible,” says Jon Baines, data protection advisor at law firm Mishcon de Reya. “In particular, Dr Veale’s analysis raises some specific concerns, some of which, particularly around the imprecise and potentially misleading use of the term ‘anonymous’, I feel it is incumbent on the secretary of state to address.” One cybersecurity expert, who says the NHS legal document should be using pseudonymous rather than anonymous throughout, adds that some of the identification issues mentioned would require significant developments and investment in infrastructure and would raise separate legal issues. They add that the NHS has largely delivered on what it said it would do, despite taking longer than is ideal to publish some of the documentation and source code of the app.

“The data in the NHSX app is ‘capable’ of revealing an individual’s identity,” Veale writes. “Whether NHSX intend to do this is not a relevant question from a legal standpoint, the question is whether it reasonably could.” The analysis also says there is not a “valid lawful basis” for how the system sends notifications to individuals who have been around those self-reporting coronavirus symptoms. The status of individuals who receive notifications within the app changes to amber or red, based on how likely it is they have the virus. This is determined automatically through “automated processing” – a machine making decisions about people. The NHS DPIA includes a reference to its NHS risk scoring algorithm, details of which have not yet been published.

The Department for Health did not respond to a request for comment asking whether it would clarify the language used around the app ahead of a nationwide rollout. In his analysis of the app, Ian Levy, the technical director of the UK’s National Cyber Security Centre, claimed the word “anonymous” can be used from a security perspective but not under GDPR. However, Levy has also dismissed the risk of being identified from the information the system currently collects.

“There is insufficient data here to attract any reidentification risk,” Levy wrote. “The risk comes as more data is added to the graph, or commingled with it.” At present the UK’s app doesn’t link data to any other systems. However, this could change in the future. Those developing the app have said they plan to incorporate more features over time. This could include location data, Matthew Gould, the head of NHSX, has said, although people would have to opt in to allow this to happen.

There are plans to use the app in its current form for identifying where coronavirus outbreaks may occur. This is only possible using the centralised system the UK government has picked, rather than the model chosen by Apple and Google. Gould has said that postcode data provided by people using the app will help officials identify Covid-19 “hotspots” and then use this data to adapt their response. A detailed plan on how this will work or the potential benefits of looking at regional trends has not been published by the government or NHS.

Gus Hosein, the executive director at civil liberties group Privacy International and who also sits on the NHS app’s ethics board, has tweeted that debates about the app are not “privacy vs pandemic”. He says: “It’s that tech is hard. And hard choices were made in the design and deployment. Were they the right ones and if not can we change course? Or will we just herald our brilliance and benevolence?”

“The DPIA clearly states that the data is valuable for research, and may be linked to other datasets at some point in future,” says Rowenna Fielding, a privacy and data protection expert at Protecture, a consultancy. “Although there are assurances in the DPIA that any such linkage or secondary uses of the data will be carried out with appropriate governance and controls, this claim cannot be taken at face value and must be backed up with clear lines of accountability, processes for evaluating linkage or export requests, and strong assurance monitoring.”

Fielding adds that one of the biggest risks to people being reidentified from the app is a “human one” rather than a purely technical one. “Pressure from this, or future governments to extend the purpose and functionality of the app, employers making use of the app mandatory as a condition of ongoing employment, inadequate control over the various third parties involved in the app’s functioning,” Fielding says. “The use of a centralised architecture – despite the privacy problems with this approach – would seem to indicate that there is intent (if not actual plans) to leverage the app for wider purposes than Covid-19 contact tracing.”

Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1
