Users of the NHS contact-tracing app could be re-identified due to the code including Google Analytics tracking, a coder has said.

The app’s code was made available on GitHub on 7 May, four days after its trial on the Isle of Wight was announced.

NHSX has always maintained the code would be made publicly available, but currently only the front-end code has been published.

The team behind the app have done a “really good job” within a short space of time “particularly given some of the technology constraints”, but there were some issues with the code, open source advocate Rob Dyke told Digital Health News.

Namely, the developer’s decision to use Google Analytics tracking to trace users.

“For all of the ‘this is supposed to be anonymous’, the cut of the code that was released did include Google Analytics tracking, and a few other trackers that were in there,” Dyke said.

“Some of them you couldn’t really get around because you need to have a degree of tracking otherwise it’s not a track and trace app. But the sort of tracking I would expect would be wholly within the architecture of the application.”

Using Google Analytics tracking could enable a user to be reidentified, Dyke said, although it’s not a “huge risk” but more of an “annoyance and a disappointment”.

The tracker could be used by people within the NHS who had access to the system to reidentify the device and possibly the user, but was unlikely to be used by malicious attackers.

“In particular, if a user clicked on the privacy policy, ironically, it would use tracking identifiers including some status notifications, such as if the individual had had a notification from the back end,” he told Digital Health News.

“So it seemed to me that it would pass the tracking ID, plus some status information, to Google Analytics which would have included the exact device, type, the IP address the user was calling from – the usual stuff that Google Analytics gives you.

“And it would have allowed you to be linked from your app to the privacy policy and if you went anywhere else on the NHS estate, that tracking cookie would have followed you all the way through.”

Not-so-open source

Dykes biggest concern with the app’s code was that it was not developed in the open, despite NHSX committing to being open and transparent in its development of the contact-tracer.

The organisation has been an advocate for, and previously committed to, open sourcing its work.

“This is an organisation that says they’re going to develop in the open and this was not developed in the open,” Dyke said.

“We had an army of volunteers for the NHS to do things like shopping and delivering, but you could have had an army of people contributing to this code as well.

“It shows, for me, that they missed an opportunity to actually live their behaviours and values around open source.”

Instead, NHSX “dumped” 950 files on GitHub rather than showing it’s incremental development.

By 11 May more than 700 people were actively watching the iOS and Android code respectively and eight developers had contributed new code to fix bugs in the original system.

“Because it’s a dump of code it doesn’t have the things that would make it easier for developers to engage with, like automated testing. We don’t even have a back-end yet to test against,” Dyke added.

“There are a lot of expertise and a lot of really good willed people who would love to be getting involved, but because it wasn’t open from the beginning it’s going to be harder for them.”

Apple and Google or NHSX

NHSX has faced fierce criticism on its decision to differ from Apple and Google’s approach to contact tracing.

Choosing a ‘centralised’ approach poses a greater risk to privacy through mission creep, potential reidentification and malicious use, experts have warned.

Reports have surfaced that NHSX is working on a second app based on Apple and Google’s technology, with privacy concerns being sourced as a reason the organisation changed its stance.

Dyke predicts NHSX would have to switch to Apple and Google’s approach to reduce privacy concerns and encourage uptake.

“At the moment the app is not available in the app stores, the only way to install it is manually which requires you to change a setting on your phone to say ‘allow installs from non-trusted sources’,” he told Digital Health News.

“A leaflet comes through your door and you scan a QR code or you visit a URL and that has a webpage where you can download the app.”

It will only be available on the app store if Apple and Google accept it, he added.