NHS Covid-19 app ‘more privacy-centric than original model’

  • 30 September 2020
A privacy expert who spoke out against the initial operating model of the NHS Covid-19 App has praised the privacy-centric design of the newly launched app – and even downloaded it himself.

Professor Eerke Boiten, professor in cyber security at De Montfort University in Leicester, was among hundreds of UK academics to sign a letter warning against NHSX’s original centralised approach.

“It is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance. Thus, solutions which allow reconstructing invasive information about individuals must be fully justified,” the letter said.

It followed an open letter signed by hundreds of academics globally warning contact-tracing apps could “catastrophically hamper trust” if they become a tool for “large scale data collection on the population”.

But, five months on and after a government U-turn to a decentralised operating model, Boiten said he is reassured the app is more privacy friendly.

“Five months ago I was working with colleagues to draw up a letter from privacy and security experts from academia in the UK to say this is not on, we don’t know what the risks are,” he said.

“200 of us signed that letter, a couple of us spoke to a minister about it, but now we’re five months on and I’ve actually installed the app on my phone as well.”

Boiten’s initial concern with the app revolved around the government’s decision to build a centralised operating model, meaning data collected from the app would be sent back to a central NHS database.

Hundreds of academics and privacy experts warned against this model, with many saying it posed too much risk of reidentification and mission creep – meaning the original purpose of data collection can change.

Boiten also flagged concerns with the data protection impact assessment (DPIA) on the original version of the app. In June he told Digital Health News he was concerned the DPIA wasn’t clear on how the data collected by the app and data store would be used.

A DPIA on the NHS Covid-19 Data Store, run by controversial firm Palantir, also revealed data from the app would be fed into the store, raising questions about transparency around the app’s purpose.

After months of stark warnings against a centralised system, the government abandoned its original app to work with Apple and Google on a decentralised version, which was launched across England and Wales on 24 September.

Speaking to Digital Health News following the launch of the revamped app, Boiten said: “We’ve got an app that’s much more privacy sensible than what was on the table in May.

“The previous DPIA had some careless language around calling things anonymous or talking about not personally identifiable data. This one is much more precise and talks about pseudonymous data where it matters.”

He said the Data Store is not “explicitly” mentioned in the DPIA but that any data being fed back is “truly anonymous data, or mostly anonymous”.

“Some of the data is just data that indicates whether the app is operating properly. We can’t go very far on just the knowledge of how many people have downloaded the app, that doesn’t tell us how the app is being used, if people are actually running it,” he added.

“It shows the number of encounters and gives a responsible level of mostly or completely anonymous data about the use per postcode area.

“It’s a two-way street because the app also tells you what the risk level in your area is and potentially it will work quite well with the idea of people checking into locations.”

The ability for users to check in to venues using a QR code to aid NHS Test and Trace is an improvement on the “fraught scenario” of pubs and restaurants having to note down visitors’ names and contact details, Boiten added.

He said data protection obligations for venues having to collect information for NHS Test and Trace were “vague” and often confusing for business owners.

“Having a record of which places they’ve [users] checked into on their phones, and that they can release if they want to, is a much more secure and responsible way of dealing with that sort of information.”

Testing

But Boiten warned the idea of the app is not a silver bullet solution, adding that its effectiveness depends on public take-up.

Official figures suggest the app had been downloaded more than 10 million times in the first three days since its launch.

Boiten said testing capacity is essential for the app to be successful, as it only sends an exposure notification alert if a user has tested positive.

“For the previous app, having lots of testing about was essential because that stopped the risk of false positives, of too many people being locked down because of what the app said. This app can only alert people on the basis of confirmed test results,” he said.

“The gap between what the app knows and what is the reality on the ground is potentially massive if we can’t do much testing.”

Upon its launch, the app was unable to log test results booked through a service other than NHS Test and Trace. The Department of Health and Social Care has since confirmed the glitch has been fixed.