Last night the Health Department came back to Guido about our Ten Problems With the New NHS App story with a list of rebuttals, which Guido is happy to publish in full. To discuss them properly, Guido compiled his own team of expert geeks who went through the Government’s points and responded to them one by one overnight. You could say this rebuttal response is from our own very independent SAGE…
Read the ten responses in full below – Guido’s original points are in bold, followed by the Government’s rebuttal. The geeks’ responses are in italics…
This is a deliberate piece of scaremongering not based on how the app will work in practice. The minimal data collected will be anonymised and only for the purpose of helping the NHS protect public health.
Security and privacy has been the priority in all stages of the NHS COVID-19 App’s development. Experts in preventing online criminal activity from government and industry including the Information Commissioner’s Office, the National Data Guardian and the National Cyber Security Centre have been involved from day one.
This is simply a description of how the app will work. Supposedly ‘anonymised’ data can always be interlinked in a ‘social graph’: linking databases is why Facebook and Google are worth billions. Once the data exists in a central database it can be exploited. It is never ‘anonymous’. It is rich enough to be relinked to individuals trivially. Device-specific IDs are linked to individual accounts. There are no legal barriers to access by security services, police, or for further extension or use. It is a known risk that this data can be re-identified and used to map individual contacts. That risk is precisely why Google and Apple refuse to allow governments to collect this data through their contact matching system.
This is more than a bit far-fetched. Firstly, our current systems are based on self-reporting, including our online referral system and our online sick note system. The latest science suggests a proportion of infections are transmitted by people who are not yet showing any symptoms (pre-symptomatic), which is why the app uses self-reporting.
The app will spot patterns of unusual behaviour in order to stop malicious activity but people’s identity will be protected. Our risk-based model means not everyone that has been in contact with an individual with symptoms receives an alert. This model will be continually updated to handle potential misuse.
This response is nonsensical. Firstly, if people are pre-symptomatic they won’t be self-reporting because they won’t know. You likely mean that you want people to report symptoms. That makes sense for online referral and a sick note. An app that anonymously asks strangers to isolate without strict evidence is a recipe for disaster. Anonymous denunciations do not have a great history. Perhaps if you sorted out the testing infrastructure you wouldn’t feel a need to take this absurd approach?
It will be very difficult to isolate malicious behaviour from real reporting. If a student wants to get her Sixth Form College closed down for the week, or a worker falls out with their boss: what exactly is different about the data that looks suspicious? And if a “mistake” is made about my symptoms, who will ever know? The Independent picked up on this problem on their front page today. You might ask why other governments are not trying this approach. It could be that the UK is ahead of the game. Or maybe not. NHS worries about the lack of testing could have pushed the app in this novel direction.
It is misleading to say this. The UK’s approach is similar to that followed by Australia, France, Italy, Norway, Iceland and Singapore among others and we will continue to exchange ideas and learning with other countries.
Other countries are working rapidly on solutions that best support their local health and care systems in fighting the pandemic. We are working to understand how apps, both already in development or yet to be developed, will interoperate cross-border.
We have simply stated a fact here. The NHS has developed a proprietary app. It will not, as it stands, work with any app developed overseas. Even if some other countries have chosen a centralised approach, that doesn’t mean the apps will work together: they all operate differently. Notably, you missed that China also uses a centralised approach. Australia are migrating to decentralisation, and so is Singapore, so that’s how they’ll make sure they can work across borders. France is still deciding. Norway’s app is eating all the batteries so maybe it won’t be long…
Centralised systems are going to struggle to talk to each other, as they will all be different, and it is hard to know what data needs to be passed on. On the other hand, the decentralised models need only minimal data, belonging to the person who travels, to be pushed on. They’ve already worked out how to handle this.
It’s so much easier to just use the Apple-Google method that we can expect most countries will just go with it. A handful of others will end up struggling with their own systems. And will you be OK passing vast amounts of UK people’s contact data back to China’s government? We hope not.
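A simplified decentralised exchange of the kind the geeks contrast with a central contact database, added here as an illustration (it is not code from the post, from NHSX, or from the Apple-Google framework; the HMAC-based ID derivation, the 16-byte keys and the three intervals are assumptions for the example). It shows that the server only ever receives an infected user’s own key, while a centralised design would need the phone’s entire contact history:

```python
import hashlib
import hmac
import os

# Constructed illustration; the derivation is assumed, not the real Apple-Google spec or NHSX code.

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """ID a phone broadcasts during one time interval; unlinkable without the key."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_key = os.urandom(16)   # leaves the phone only if the user tests positive and opts in
        self.seen: set[bytes] = set()     # IDs heard over Bluetooth, stored only on this device

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, rid: bytes) -> None:
        self.seen.add(rid)

    def at_risk(self, published_keys: list[bytes], intervals: range) -> bool:
        # Matching happens on the device: rebuild the IDs the published keys would have produced.
        infected_ids = {rolling_id(k, i) for k in published_keys for i in intervals}
        return bool(self.seen & infected_ids)

def decentralised_upload(phone: Phone) -> list[bytes]:
    """An infected user uploads only their own key; no list of contacts leaves the phone."""
    return [phone.daily_key]

def centralised_upload(phone: Phone) -> list[bytes]:
    """What a centralised design would need instead: every ID the phone encountered."""
    return sorted(phone.seen)

def simulate(intervals: range = range(3)) -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for i in intervals:                      # alice and bob are near each other; carol is elsewhere
        bob.hear(alice.broadcast(i))
        alice.hear(bob.broadcast(i))
    published = decentralised_upload(alice)  # alice tests positive and chooses to upload
    return {
        "bob_at_risk": bob.at_risk(published, intervals),
        "carol_at_risk": carol.at_risk(published, intervals),
        "items_server_sees_decentralised": len(published),                    # one key, no contact graph
        "items_server_would_see_centralised": len(centralised_upload(alice)),  # alice's contact history
    }
```

Bob learns he was exposed without any server ever seeing a record that Alice and Bob met; the social graph the geeks warn about simply does not exist in this model.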
The UK, like other countries from across the world including Ireland, is working on a solution that best supports the public health of its citizens. We are working with other countries to understand how apps will interoperate cross-border.
You don’t even try to deny this point because you can’t. The truth is pretty simple: decentralised apps using the Apple-Google framework will interoperate across borders. The UK’s app will not. In Northern Ireland, that will have immediate consequences and risks turning the Northern Irish border into a hard border for the foreseeable future.
This is wrong – the NHS COVID-19 App will also run in the background, using Bluetooth Low Energy, so the battery used will be minimal.
Modern smartphones tightly control what apps can do with Bluetooth, blocking third-party apps from tracking users in the background. Apple and Google’s new API does let developers code apps with special access to Bluetooth, but strictly limits the information that can be gathered. It forbids asking a phone to gather a list of every other phone it has been in contact with while the app is not open, something the NHS app says it will do.
See more in the answer to Point 8. If this isn’t true, please show us how you’re planning to break Apple and Google’s rules.
This is nonsense. The app is not breaking privacy laws and the proposal is not stuck in the courts. The NHS will always comply with the law and the NHS COVID-19 App’s function and purpose have been developed under existing legal powers and are consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.
Operation of the App will be regulated in accordance with strong existing legislation regulating data protection, human rights and equalities and we have been consulting on our plans with the Information Commissioner, the National Data Guardian’s Panel and the Centre for Data Ethics and Innovation, as well as with representatives from Understanding Patient Data and volunteers who provided a patient and public perspective.
Independent lawyers have pointed out that the Government needs to choose the least intrusive scheme for its needs. The decentralised systems, because they collect little data, would have no trouble making a justification, but if you are building a database of millions of contact events, then profiling them for bad actors and health status … well, you really do have a job on your hands. This is a load of taxpayer-money-wasting court cases waiting to happen.
By the way, how come NHSX haven’t published their Data Protection Impact Assessment yet? And how come NHSX hadn’t talked to the ICO about their outstanding “high risk” processing risks as required by GDPR Article 36? You say you “consulted on plans” with the ICO but then not actually on the important stuff as required by law.
This is not true. Operation of the App will be regulated in accordance with strong existing legislation regulating data protection, human rights and equalities.
A Data Protection Impact Assessment (DPIA) for the NHS COVID-19 App, meeting the best practice guidance set out by the ICO, will be produced, where necessary, for every stage of the rollout. This sets out the legal basis for collecting data, what data is collected, how it is stored securely and how long it is intended to be retained. A Privacy Notice, to provide clear lines to the public, will also be iterated with any significant updates to the app.
This is not true. There are no specific safeguards. How do we know the data will not be used to back up Immunity Passports? How do you guarantee against mission creep? By using a decentralised system where you simply can’t, because you never have the data. We prefer to trust in physics rather than politicians’ promises, thanks.
Australia at least put a law in place which states how the data will be used and later destroyed. In contrast, Gould of NHSX says he wants to keep his hands on the data indefinitely. Australians are also able to request their data be deleted from the central database. Brits will have no such right.
Also by the way, the Data Protection Impact Assessment for the Isle of Wight stage of the rollout isn’t public.
This is not true. The NHS COVID-19 App will work alongside all other Bluetooth features in the background. It currently supports Apple iOS versions 11 and higher, and Android versions 8 and higher.
If this really isn’t true you should actually publish the source code as you’ve been promising for months. Modern smartphones are designed to stop this behaviour, because of the privacy risk of constantly broadcasting your presence. Australian authorities have also admitted overnight that their app is not working well with locked iPhones.
The Register have reported:
Despite what the NCSC has continued to imply, the app will not, as it stands, work as you may expect all the time on iOS, nor Android since version 8, because the operating systems won’t allow the tracing application to broadcast its ID via Bluetooth to surrounding devices when it’s running in the background and not in active use.
That means that unless people have the NHS app running in the foreground and their phones awake most of the time, the fundamental principle underpinning the entire system – that phones detect each other – won’t work.
It will work if people open the app and leave it open and the phone unlocked. But if you close it and forget to reopen it, or the phone falls asleep, the app will not broadcast its ID and no other phones around you will register that you’ve been close by.
The Government still hasn’t explained how the app gets around Google and Apple’s privacy protections without constantly running in the foreground. So far we just have your assertion.
The app is part of a very broad approach to tackle COVID-19. We are using other measures that can help protect vulnerable groups and those people who cannot or do not want to access digital tools.
People will always have a choice of whether to download or delete the NHS app and we firmly believe that our evidence-based approach is the best solution for protecting the NHS and saving lives.
This is again deflecting from the criticism not answering it. There is no evidence that the NHS’s app will work better. In fact, practically every expert in the field has damned your approach. If you really cared about the evidence, rather than some creepy fetish with gathering our data, you would change approach.
Fact: with the decentralised system users can change their minds when they get infected, and usefully notify others who may be at risk. Fact: the NHSX app will not be able to do this.
That is just unfounded and ill-informed speculation. We need the public to help beat COVID-19. The app can play a crucial part in this and help save lives.
The app’s software is being built by VMware Pivotal Labs and other organisations are actively helping the NHS to develop and test the app including Zuhlke Engineering, Microsoft, Amazon Web Services, the University of Oxford, the BBC, the RAF and collaborators in countries including Singapore, Norway, Ireland, New Zealand and Germany. The NHS is extremely grateful for all of this support.
We will be closely studying this first phase of the rollout (on the Isle of Wight), and like any high-quality app, will continually refine and improve it over the coming weeks.
More organisations involved does not necessarily mean more coherent coding; it often just means more buck-passing. It’s welcome that the NHS has engaged outside expertise and private sector players, though we have noticed that the two largest mobile phone operating system companies are missing from that list: Apple and Google. These companies have offered help, have offered an alternative system, and a system that protects privacy while actually being effective. Microsoft Windows XP, still common in the NHS, was the root cause of one of the biggest ransomware outages in Britain ever, knocking out several hospitals. The NHS IT system (late, 500% over budget, scrapped) and the (earlier) NHS app (unusable, put on ice) do not fill informed observers with confidence.
Question: why is the NHS trying to develop its own entire infrastructure and app rather than use a system developed by some of the world’s best software engineers at Apple and Google? Why do you think you know better than the people who literally wrote the operating system?
We hope the Government has not got it wrong on this IT project this time…
UPDATE: The NHS app has implicitly revealed some of what DHSC tried to obscure in their rebuttal…