A privacy group has issued a warning over ‘tracker’ warnings in the NHS coronavirus-tracing app, which is currently being tested on the Isle of Wight.
Privacy International said in a detailed blog post, “Our analysis of the NHSX app reveals that there is no mechanism to opt-in or opt-out of third-party trackers which are included with the app.”
The group also claimed that the application has flaws including the fact that a permission granted to the app allows it to prevent phones from going to sleep – which could drain batteries.
Latest coronavirus news, updates and advice
NHSX has admitted Huawei devices and some older mobile phones cannot run the NHS contact tracing app being trialled on the Isle of Wight.
Privacy International wrote: “Within the app’s workflow there is no method to opt-in (or opt-out) to analytics or third party tracking – this means if any personal data such as unique identifiers (e.g. your phone’s Google Advertising ID) are being sent to third parties without consent for non-healthcare-related purposes, this could be a breach of the General Data Protection Regulation (GDPR).”
📣New tech blog 📣— NHSX (@NHSX) May 8, 2020
The code behind the NHS Covid-19 App.
We have Open Sourced the code behind the new NHS COVID-19 app. Our Head of Open Tech @edent discusses the open source offer behind the beta version of the app.https://t.co/Po6nmidg8X pic.twitter.com/5GuUm2UzuX
The NHS says that the design of the app puts privacy first.
Dr Ian Levy, technical director of the National Cyber Security Centre, wrote in a blog post this month that “the NHS team have worked hard to properly protect privacy and security”.
“The app doesn’t have any personal information about you, it doesn't collect your location and the design works hard to ensure that you can’t work out who has become symptomatic,” he added.
“The design makes sure that it’s hard to use the app to track you by being physically close to you – although again there are balances to be struck.
“The backend is built to be as secure as is practical, but remember it holds only anonymous data and communicates out to other NHS systems through privacy preserving gateways, so data in the app data can't be linked to other data the NHS holds.”
In Privacy International’s testing, the group found the app would only run on new Android devices.
“The cursory testing we have completed of this latest app seems to suggest that only those with modern smartphones will be eligible to run it,” the group said.
“This means it is likely to exclude those who can only afford cheaper phones, and most likely people on lower incomes.”
“It is of note that those who are on the lowest incomes are disproportionately likely to be key/essential workers and the elderly, who are at most risk/exposure.’
Speaking to BBC Radio Solent, Dr Geraint Lewis, who is in charge of the development of the NHS COVID-19 app, said phones needed to have the capability of running Bluetooth Low Energy and to be running either Apple ios 11 upwards or Android 8 upwards.
Several listeners had contacted the radio station to say that the app, which is being piloted on the island before being rolled out nationwide, was not working on older devices.
Dr Lewis said: “There are three reasons why the app might not work on a particular smartphone, it’s either the development team has not got around to supporting that particular phone.
“The second reason is if the phone itself doesn’t have this thing called Bluetooth Low Energy in it, certain older phones don’t have BLE and that’s the piece of technology we use to measure distance between phones.
“The third reason is the operating system, we currently support ios version 11 and upwards and Android version 8 and upwards, so if you can update the operating system that should hopefully help.”
Read more: Will summer stop coronavirus?
Another listener complained that the app drained the battery on their phone but Dr Lewis said that it had been designed to be low energy and only used 1% of battery on his phone and asked for people with problems to give their feedback to NHSX.
He added: “It is not a tracking app, it doesn’t know geographically where you are, all it is measuring is the distance between your phone and somebody else’s.”
Explaining how the app works, he said: “If you download the app, it starts taking anonymous measurements of how far away you are from other app users and it stores that information anonymously on your phone.
“If later on you develop symptoms of coronavirus, either fever or continuous new cough, then you can choose to send that information to the NHS, then we will notify anonymously those people you have been in close contact with and then arrange for a virology swab test delivered to your door in a few hours.
“The system is there to protect the whole community, so if sufficient numbers of people download and use the app everyone will be protected regardless of whether they themselves have a phone that is compatible.”
He added: “The huge advantage of an app over more traditional forms of contact tracing, is that you can almost industrialise the process, it’s able to send notifications very rapidly to people very soon after they have developed these symptoms which is the time when they are at their most infectious.”
Dr Lewis said that 55,000 people had downloaded the app so far but it was not possible to say that all of those were on the Isle of Wight.