The British government has revealed details of the UK contact tracing app – which doesn’t use the Apple/Google API – and it doesn’t make for good reading. While it’s full of reassuring-sounding statements, these soon start to unravel …
Details have been shared in a National Cyber Security Centre blog post, and a more detailed technical paper.
The blog post about the coronavirus app includes a rather misleading claim:
The NHSX app […] uses only software development tools and mechanisms that are supported by Apple and Google (as part of iOS and Android development)
That could easily be taken to mean that it uses the Apple/Google API, but that is not the case. The statement is, in fact, completely meaningless: it amounts to saying that the app runs on iOS and Android because it is built with the tools used to write iOS and Android apps. Still, I guess the government gets credit for not trying to run Windows Phone code on iPhones …
The post also claims the app ‘won’t drain your battery’ when it will, in fact, use more power than apps that use the Apple/Google API.
The Register’s Kieren McCarthy does a good job of further separating myth from reality.
Despite what the NCSC has continued to imply, the app will not, as it stands, work all the time on iOS or on Android since version 8. The operating systems won’t allow the tracing application to broadcast its ID via Bluetooth to surrounding devices when it’s running in the background and not in active use. Apple’s iOS forbids it, and newer Google Android versions limit it to a few minutes after the app falls into the background.
That means that unless people have the NHS app running in the foreground and their phones awake most of the time, the fundamental principle underpinning the entire system – that phones detect each other – won’t work.
It will work if people open the app and leave it open and the phone unlocked. But if you close it and forget to reopen it, or the phone falls asleep, the app will not broadcast its ID and no other phones around you will register that you’ve been close by […]
The NHS has insisted its engineers have worked around this problem “sufficiently well” by waking the app after it detects itself running on a nearby phone emitting an ID: the software is blocked from sending out its ID when in the background but it can passively listen for IDs of apps still allowed to broadcast. However, this assumes there are a sufficient number of phones running the tracing app nearby still broadcasting to keep enough people’s apps awake: there needs to be a critical mass of users while we’re all supposed to be socially distancing. If two or more people pass each other and their apps have stopped broadcasting, the software will never know they came in contact.
McCarthy also addresses a big location contradiction in the blog post.
Levy repeatedly tried to square this circle, leading to some ludicrous assertions. He stated boldly in bullet points that the app “doesn’t have any personal information about you, it doesn’t collect your location and the design works hard to ensure that you can’t work out who has become symptomatic” and that “it holds only anonymous data and communicates out to other NHS systems through privacy preserving gateways.”
But what is literally the first thing the app does when you install and open it? It asks for your postcode [zip code].
A postcode typically identifies one street, and in the case of larger apartment blocks, the specific building. The government claims only the first part of the postcode will be used at first, but there is no guarantee that won’t change.
One firm of lawyers has even said the centralized approach taken by the British app may break the law.
A centralised smartphone system – which is the current UK Government proposal – is a greater interference with fundamental rights and would require significantly greater justification to be lawful. That justification has not yet been forthcoming.
The UK Government’s announcements in March and April for sharing health data between the private and public sector appear to be flawed. This means such data sharing is potentially not in compliance with legal requirements.
France is taking the same centralised approach as the UK contact tracing app, while Germany is using the Apple/Google API, and it’s likely that other European countries will do the same.