Luke Potter, Senior Director of Cybersecurity at SureCloud, looks at the UK Government’s Track and Trace app from a cyber and privacy perspective to understand the concerns raised. 

Please note, this blog was written prior to the British Government announcing the switch from the NHS app to using Apple and Google’s model on the 19th of June 2020. 

As governments around the world work to respond to the challenges of the COVID-19 outbreak, technology firms globally have been developing new track and trace technology solutions, including digital contact tracing via mobile apps to help in the fight against the pandemic.

More than 30 countries are building tracing apps, and the UK is no different. Its tracing software – the NHS Covid-19 app – has been trialled on the Isle of Wight since May 7th and is expected to be rolled out to the rest of the UK later this month.

Countries such as South Korea have successfully employed digital contact tracing technology taking it from one of the worst hit countries outside of China, to having the outbreak effectively under control by using its three guiding principles: test, trace and contain. Yet the UK NHS app has already raised some security and privacy concerns and doubts over its effectiveness.

Why the support of the general public is vital

Back in May, Senior NHS sources revealed that the app had actually failed all of the tests required for inclusion in the NHS app library, including cyber security, performance and clinical safety. This was attributed to the fact that the app was in the early development stages. The source described the app as “a bit wobbly” but added that it was not a “big disaster.”

Even NHSX themselves aren’t exactly convinced. Giving evidence to parliament’s Joint Committee on Human Rights last week, the head of the unit developing the app warned of “unintended consequences.” Matthew Gould, chief executive of NHSX, said officials do not know “exactly how it will work.”

This rhetoric doesn’t seem to have gained the support of the general public. In fact, a recent survey of 1,000 U.K. citizens revealed that nearly half of the public surveyed about the NHSX COVID-19 tracing app do not trust the UK government to keep their information safe from hackers. And over a third of respondents are concerned that the app might allow the government to collect their data.

The problem is that for the app to be effective in containing the spread of COVID-19 after lockdown is eased, at least 60% of the UK public need to download it. Since downloading the app isn’t compulsory, the government needs to urgently address some of the main security and privacy concerns surrounding the app to convince the population to part with their personal data.

A centralised database raises concerns about data misuse

 The NHSX COVID-19 Track and Trace app uses a centralised database, rather than a decentralised app like in other countries. This central database will contain anonymised records of those reporting symptoms, as well as who their phone has come into contact with. Other countries, including Ireland, are using a decentralised model, where personal data is stored on devices rather than government databases.

Privacy campaign groups have raised concerns that this centralised database model could be extended to monitor individuals’ movements and contacts. It’s also impossible to ignore the fact that a large database containing the general public’s personal information will be a prime target for hackers with malicious intents.

In May, a security flaw in Qatar’s coronavirus contact-tracing app put the sensitive personal details of more than a million people at risk, according to an investigation by Amnesty International. Hackers gained access to highly sensitive personal information, including names, national ID, health status and location data of users.

In order to gain the trust and support of the public, the government needs to issue concrete assurances about the security of the data stored and how it will be used, for example by issuing a “sunset clause” agreeing to delete all data collected once the country returns to normal.

Another option would be to adopt a model similar to Switzerland. The Swiss government’s Covid contact-tracing app, SwissCovid, is the first in the world to be built around privacy-first technology developed by Apple and Google. SwissCovid operates in a decentralised manner, with Swiss health authorities receiving no personal information.

In fact, the government revealed this week that they are pausing trials of the second version of the UK Track and Trace App – which were due to begin on the Isle of Wight on Tuesday 16^th June – as they reconsider their initial decision to deploy a go-it-alone UK app and consider switching over to tech developed by Apple and Google.

Please note: On the 19th June the UK Government announced they will be switching to the Google and Apple model.

Self-reported symptoms open the door for app misuse

 The UK is thought to be the only country in the world, allowing people to self-report symptoms, rather than using COVID-19 test results. In other nations, such as Australia, positive tests are confirmed by officials before those who have come into contact with sufferers are alerted.

Self-diagnosis of symptoms opens up a wealth of security challenges since app users reporting symptoms maliciously are indistinguishable from legitimate users. Dr Michael Veale, a lecturer in digital rights and regulation at University College London, has said that the tracing app has nothing to stop individuals maliciously triggering notifications using its normal functionality.

A malicious user could, for example, deliberately put others into quarantine or report large areas by creating fake but realistic-looking proximity events for everyone in the area and then report themselves as sick, or a child could try to get a day off school by reporting symptoms from a parent’s phone to trigger a quarantine.

The only way to prevent malicious misuse of symptom reporting would be to introduce verification measures before an alert is triggered.

A field day for COVID related fraud

At the moment, there is no clear guidance from the NHS on where to download the app or what a legitimate alert looks like. The public is therefore likely to be faced with floods of emails with bogus links to convincing looking domains offering a fake app download.

This is more than just speculation. In India, cybersecurity experts found fake versions of the government’s contact tracing app, Aarogya Setu, carrying spyware capable of making phone calls, recording audio, sending texts, taking pictures and recording videos from the camera.

Several public health directors have called for all forms of communication from contact tracers to involve two-step verification to eradicate the risk of scammers gaining confidential information. Awareness campaigns which educate the general public about where to download the app and what a legitimate alert looks like would also greatly reduce the chances of scam apps and alerts being successful.

Is Bluetooth technology secure enough for this kind of track and trace operation?

Finally, digital contact tracing apps operate using Bluetooth technology. Bluetooth has had several vulnerabilities in the past, including as recently as February, when a critical vulnerability named BlueFrag affected multiple Android and Apple iOS devices.

Bluetooth is less widely used in app technology, and developers might have less experience with Bluetooth compared to online platforms, potentially leading them to overlook certain elements that might result in a bug or vulnerability. To gain public trust, there is a need for government assurance that the app will be regularly tested for vulnerabilities and that patches will be swiftly released to plug potential holes.

Is there a place for the NHS COVID-19 app? 

Contact tracing technology is not new – it’s been around and has served as an effective way to contain public health pandemics, such as HIV, for decades. The COVID-19 pandemic is no exception, and other countries around the world have already proven the effectiveness of track and trace apps in the fight against the outbreak.

For the app to be successful in the UK, it needs to gain the support of the public. Before this can happen, government cybersecurity experts need to issue solid assurances that public data is safe, Bluetooth technology is secure, and clearly educate users about the app to prevent people from accidentally downloading fake apps or being scammed by fake alerts.