Privacy and Security Provisions Must Improve If the COVID-19 Contact Tracing App Is to Succeed
As the UK's lockdown measures ease, the government is looking to restart its contact tracing efforts – but the app they're built on seems far from ready for release.
The government has had to react at speed to combat the coronavirus pandemic. With the Prime Minister slightly easing restrictions after eight weeks of lockdown, the government is turning to technology to help return the country to normality. Aman Johal, lawyer and director of Your Lawyers, discusses the concerns surrounding the UK government’s new contact tracing app.
Contact tracing was initially used to try and stem the rise in coronavirus cases within the UK, but after the rate of infection continued to rise, its focus moved to keeping the NHS afloat. Now that the initial peak of the virus appears to have passed, the government has looked to re-introduce contact tracing for the whole country.
The Health Secretary, Matt Hancock, announced at the start of May that a new contact tracing app would be used to help monitor and control coronavirus cases around the country. This app would initially be tested in the Isle of Wight and, if successful, later rolled out across the UK.
This has brought about concerns around how the app is storing data, to what extent users with the app will have their privacy curtailed, and how secure the software is. Each of these concerns has its own unique challenges to overcome and, if not successfully managed, the government could find itself with huge legal issues.
What do people consent to and how does the app work?
Presently, the government is not forcing anyone to download the contact tracing app; it is hoping that, through advertising and collective effort, the British public will be persuaded to download and use it. The app works by using a phone’s Bluetooth signal to send alerts and trace the steps of an individual who may have come into contact with someone with coronavirus symptoms or who has tested positive. The government will ask all users to input the first three characters of their postcode on the app so that it can understand roughly where people live and how the virus is spreading.
There are concerns around how the data will be stored and for how long it will be used. Apple and Google have been pushing for decentralised systems, while the government has decided to go with a central database system. The NHS can use this centralised system to learn about people’s behaviour, including who they have been close to and the time certain events have occurred. The argument from the government is that this system will help in making more straightforward and quick decisions, with an anonymised data set used and AI and machine learning implemented to obtain valuable insights.
One of the main concerns comes around how long the NHS keeps the data as there is currently no time limit. The NHS could, in principle, keep it forever and use it on future research projects years after the coronavirus pandemic has receded. Even though consent is requested, some people may not consider or fully understand their rights and the extent to which their data may be stored and used in the future.
The primary issue around consent comes down to whether a user downloads the app and signs up or not. Even if the government did move to compulsory download measures, it would likely need to rely on a Public Health/Public Interest justification. As long as data gathering is kept to a minimum and is secure, the public health crisis could be used as justification to try to force the population to have this app on their phone.
Protecting the data from cybercriminals
Unfortunately, with all data being digitally obtained, there will be malicious threat actors who want to abuse the system and gain access to sensitive data. The government needs to be clear and transparent around how it will maintain a secure network that will not be compromised by an outside source. Ian Levy, technical director of the National Cyber Security Centre, has said there are a number of ways the app’s system could be undermined. The clear indication is that the app will store data that is incredibly personal and sensitive – a gold mine for cybercriminals.
The government has responded to data protection concerns by announcing plans to appoint an ethics board to ‘improve oversight’. It has also yet to rule out a clause agreeing to delete all collected data once normality resumes. The vital task is to prevent the centralised database from being compromised as the government could find itself having to pay a monumental data breach fine as well as the cost of litigation. Taking a recent example that shows how easy it is for information to be exposed, Virgin Media experienced a data breach involving the personal details of 900,000 people due to an incorrectly configured database. With customers potentially eligible for up to an estimated £5,000 in compensation each, this entirely avoidable incident could cost Virgin Media a total pay-out of £4.5bn. The government is expecting and hoping that well over 900,000 users will download the contact tracing app, which may open the door to a considerably larger financial cost if it were to experience a similarly catastrophic data breach.
Hopefully, important lessons have been learned in the wake of serious government and public sector breaches, such as the NHS Digital configuration breach; the Conservative Party app breach that arose from a lack of security protocols; and the 2017 WannaCry incident where weak systems were targeted and compromised.
The successful rollout of the NHS contact tracing app could be key to ending the UK lockdown and ushering in a return to normal life. There are legitimate concerns around the app’s usage and how the data it collects is stored. Even though the government has created this at remarkable speed, it must be wary that much of the public needs and deserves assurance in terms of the app’s security first and foremost. Questions must be answered before the app is rolled out across the UK. The concern remains that we could have a large uptake of the app and see information stolen from the centralised database, which could leave the government with a substantial bill at a time of economic uncertainty, whilst also stemming progress in combatting coronavirus and worsening the anxieties of the public whose data could be exposed.