If you’ve read our recent news article on the use of smartphone apps and coronavirus map trackers in South Korea, you’ll already be aware of potential privacy, human rights, and mental health discussions surrounding this type of surveillance activity (https://www.1stcalldetectives.com/blog/2020-04-16-ways-smartphone-apps-and-travel-history-trackers-helped-south-korea-handle-its-initial-outbreak-of-covid-19).

In all fairness, it comes as no surprise that the UK government is planning to launch a coronavirus tracking app to help combat the spread of the virus, and many people will consider this a wise move. However, media sources are already flagging some of the privacy abuses UK citizens will experience once this app is in place, and questioning what will happen with the data collected and how long surveillance of this nature will go on.

Is it legal to track UK mobiles due to worries about coronavirus?

The Information Commissioner’s Office (ICO), which is the privacy watchdog for the entire UK, says it is legal for the government to use the personal data on individual mobile phones for tracking and monitoring if this is deemed helpful to fighting the spread of Covid-19. There is a lot of information about this and other coronavirus issues on the ICO website (https://ico.org.uk/). This mobile tracking will be combined with contact tracing in attempts to pinpoint locations in which the virus is more prevalent. The government halted their contact tracing initiative on 12 March, due to the accelerating numbers of people reporting coronavirus symptoms (https://www.theguardian.com/world/2020/apr/17/uk-to-start-coronavirus-contact-tracing-again).

So, yes, it is legal for the government to start tracking UK mobiles, and it was announced this will shortly be active at the daily coronavirus briefing on 12 April. The app was produced by NHSX, which is the digital innovations arm of the NHS. It is currently in beta mode, and being trialled out with selected user groups. The app should provide registered individuals with an alert if they have been in contact with anyone reporting coronavirus symptoms or in any nearby localities.

How does the app work?

Once the app is up a running, anyone with coronavirus-like symptoms can declare this via the app. This triggers an anonymised “yellow alert” to all other app users that the individual has been close to for a lengthy period of time in the days leading up to displaying symptoms. If the individual then tests positive for Covid-19 an additional “red alert” is set out to all appropriate smart device users, with a message telling them to go into self-quarantine.

The NHSX app will be based on a new API (application program interface) platform which is being created by a team of Apple and Google designers. This combined API uses Bluetooth signal trackers to calculate the exact length of time device users were in close proximity (https://www.theguardian.com/world/2020/apr/10/apple-google-coronavirus-us-app-privacy). The Google and Apple partnership was triggered by worries about privacy issues for iOS and Android users, and both companies say it will cut out any need for official notifications when alerts are triggered (https://www.bbc.co.uk/news/technology-52263244).

This sounds great! What’s the catch?

There are bound to be a few security issues or problems with any new tech, and just some of the tricky factors already identified about the new app include:

- The NHS has already stated at least 50% of the UK population will need to be registered with the app for it to provide efficient contact tracing. This 50% estimate is based on evidence of apps used in Singapore and South Korea, in Germany a similar type of app to NHSX is under development and it’s estimated that around 60% of the population will need to register to provide an effective service (https://www.ft.com/content/32b6a360-3e22-47a3-ace5-60f42cc6b42d)

- Professor Ross Anderson from the University of Cambridge doubts whether the app will be effective without regular coronavirus tests for all UK citizens. He adds that trolling the system could cause overloads and system abuse, as individuals can report symptoms and cause “yellow alerts” without any requirement for official test confirmations

- Bluetooth is not renowned for 100% accuracy, so it’s possible that false alerts will be sent to individuals on a regular basis

- Researchers based at Oxford University also raised concerns that the app would be of limited use, as it would not identify contacts of people who are either asymptomatic or pre-symptomatic.

Professor Anderson is a cybersecurity expert based at the University of Cambridge, and he also pointed out that the NHS is not renowned for maintaining the privacy of individual user data. He said: “I recognise the overwhelming force of the public-health arguments for a centralised system, but I also have 25 years’ experience of the NHS being incompetent at developing systems and repeatedly breaking their privacy promises when they do manage to collect some data of value to somebody else,” added the professor of security engineering.I’m really uneasy about collecting lots of lightly-anonymised data in a system that becomes integrated into a whole-of-government response to the pandemic. We might never get rid of it.” This issue of data privacy is causing even greater concern in Germany, due to its history of mass surveillance under previous regimes. The German people have an inherent distrust of mass surveillance, so any potential tracker app will need to tick lots of boxes before being adopted on a widespread basis (https://www.ft.com/content/32b6a360-3e22-47a3-ace5-60f42cc6b42d)

Other concerning data security and surveillance issues in the UK

And just in case you missed some of the other news on smartphone location and usage tracking, here’s our round-up of the most concerning issues:

The Guardian announced at the end of March that the UK government was in talks with all the national mobile phone companies to discuss anonymised use and location data in order to build movement maps and discover more about compliance with the national lockdown initiative (https://www.theguardian.com/world/2020/mar/27/watchdog-approves-use-uk-phone-data-if-helps-fight-coronavirus). The ICO confirmed that this would not be in breach of GDPR.

A more chilling investigation from The Guardian published on 13 April highlighted that the UK government and NHS did consider de-anonymisation of the NHSX app for official use. If this goes ahead, what it means is that all the anonymous alerts to contacts of potential coronavirus sufferers could be de-anonymised at a later date using the unique IDs of all smartphones (https://www.theguardian.com/world/2020/apr/13/nhs-coronavirus-app-memo-discussed-giving-ministers-power-to-de-anonymise-users). This is particularly concerning, and actually seems to fly against ICO recommendations, meaning it could potentially break privacy laws.

Check the 1st Call Detectives blog for more posts on the privacy, surveillance, and tracking issues that could impact you!