This is an update to my blog Location Tracking, Your Privacy & COVID 19 Contact Tracing to bring this up to date with the recent developments in the UK.
The UK were going to develop a COVID 19 Contact Tracing App using a hybrid technology that was centralised and in which they owned the data coming from the app. This was recently trialled on the Isle of Wight and was found not fit for purpose since there were restrictions on Bluetooth with iOS (see our conclusion for links to articles on this). As a result this app has been ditched for an approach using the technology developed by Google and Apple. This revised app is currently thought to be available by the end of 2020.
What does this mean?
When you have a test you provide contact details (e.g. your mobile number, an email address) so that the NHS can get back to you with your result. When you test positive a contact tracer will contact you and ask you where you have been in the last 14 days and people you have come into contact with. If you have had limited contact with others then it may be easy enough to answer, but if you have been to a shopping centre then you have no idea who you have come into contact with.
This is where the app comes in: if you are in the vicinity of someone for 15 minutes or more, the app will exchange a secure token with the other contact over Bluetooth. When you test positive and register this in the app, the people you have come into contact with will receive an alert to get tested. This data will be erased after 14 days.
The way the Google/Apple technology works is that the app will retain 14 days of exchanges privately in the phone. It will not be sent to Google/Apple or to the NHS. The app will download an anonymised database of results and then do the matching against positive contacts you have come into contact with on the device. It will then send alerts to others you have been in contact with.
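A simplified model of the on-device matching described above, as an added example that is not from the original post or from Google, Apple or the NHS. The tokens here are plain random values rather than the identifiers the real framework derives, and the `Phone` class, its method names and the scenario in `demo()` are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

RETENTION_DAYS = 14       # per the article: exchanges are erased after 14 days
MIN_CONTACT_MINUTES = 15  # per the article: contact of 15 minutes or more


@dataclass
class Phone:
    """Hypothetical model of one handset; every record stays on the device."""
    sent: list = field(default_factory=list)   # (day, token) this phone handed out
    heard: list = field(default_factory=list)  # (day, token) received over Bluetooth

    def _new_token(self, day):
        token = secrets.token_hex(16)  # random value: no name, number or location
        self.sent.append((day, token))
        return token

    def meet(self, other, day, minutes):
        """Swap tokens only when the contact lasted long enough."""
        if minutes >= MIN_CONTACT_MINUTES:
            self.heard.append((day, other._new_token(day)))
            other.heard.append((day, self._new_token(day)))

    def prune(self, today):
        """Erase records that have aged out of the retention window."""
        self.sent = [r for r in self.sent if today - r[0] < RETENTION_DAYS]
        self.heard = [r for r in self.heard if today - r[0] < RETENTION_DAYS]

    def report_positive(self, today):
        """Tokens the user agrees to publish after a positive test."""
        self.prune(today)
        return {token for _, token in self.sent}

    def check_exposure(self, published, today):
        """Match the downloaded list against local records, on the device."""
        self.prune(today)
        return sorted({day for day, token in self.heard if token in published})


def demo():
    """Constructed scenario: days are plain integers, 'today' is day 20."""
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    alice.meet(bob, day=1, minutes=30)     # long enough, but 19 days ago
    alice.meet(carol, day=10, minutes=20)  # long enough and recent
    alice.meet(dave, day=12, minutes=5)    # too brief: nothing exchanged
    published = alice.report_positive(today=20)
    phones = {"bob": bob, "carol": carol, "dave": dave}
    return {name: p.check_exposure(published, today=20) for name, p in phones.items()}
```

Only Carol's phone finds a match, and it does so by comparing the published list with its own records; the published tokens say nothing about who Alice is or where the contact took place.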
If you look on your Android phone, particularly if you have had a recent system update, and go to the Google section of Settings then you will see the following:
You will see the new option in the Google services called ‘COVID-19 exposure notifications’ (first image above). Tap on that and you will see the second image, which shows you if the service has been switched on. When you install the new NHS App it will switch on this feature. You will have to allow the app access to Bluetooth and Location Services, and for the app to work these services will need to be switched on permanently to provide you with protection.
More guidance on Android contact tracing features can be found in this article.
If you have an Apple device then you can go to this article for similar guidance.
If your device does not get security updates then you may not have these features installed.
In my original blog I pointed out that there were vulnerabilities with Bluetooth that have not been patched on all devices. Also, keeping location services on all the time means that any app you have given permission to access location services will be able to track your location.
Here are a few precautions you can take before you install this app:
- Review your apps’ permissions – if any of them require Bluetooth and/or location services and you don’t think they need this permission, switch it off.
- Remove any apps that you don’t use, or have not used in a few months.
- You can switch off Bluetooth and Location Services while at home, but if people in your household are meeting others, or you are having people visit your home, then best keep it on.
How to review App Permissions
How this is done depends on your version of Android/iOS as these features change over different versions. The following articles will provide some general guidance:
These articles may be a little out of date, but if you do a web search for your specific version of Android/iOS then you should find the guidance you need.
It is good practice to periodically check the permissions on your devices and remove any that you are unhappy with.
Google and Apple have stated that these features can only be used by national health organisations like the NHS in the UK. A recent instance of this is where the Japanese government tried to use a third party to run their contact tracing app, which was immediately blocked. In the end Microsoft were called in to build the app which was then run by the Japanese health authority.
Being decentralised, the data does not get logged in a central database and remains on device at all times. This means (to the best of my knowledge and contrary to my previous understanding) Google/Apple and the NHS do not have access to the raw data and therefore only a limited amount of anonymised data is available. You can read all about this in this guidance from Apple and Google, just be warned that this becomes technical.
I still have some doubts as to how much data will be retained by Google and Apple, but at this point I guess we just have to take a leap of faith and hope they don’t abuse their position of power.
As with any app, you take it on trust that the app is genuine and will abide by the terms and conditions of the platform it is running on. This is not always the case.
There are already warnings that fake contact tracing apps are being pushed by cyber criminals to gather personal information, credentials and access to banking details, to name a few. If you receive an email/SMS/IM/etc. offering you a free contact tracing app, even with the NHS logo on it (or your local health authority), then don’t install it. For the UK go to the NHS Test and Trace website to find the direct link to the Google Play Store and Apple App Store when the app goes live. This will be announced on all media services.
If you receive a message from someone saying you have been in contact with someone who has tested positive, then check the details:
- You will be asked to login to the NHS Tracing website at https://contact-tracing.phe.gov.uk/
- You will receive a phone call from 0300 013 5000
- You will receive a text from NHStracing.
If any of the above details are not evident on the message you receive then it is FAKE! Don’t act on it!!
It is not beyond the capabilities of hackers to spoof these details. Take a look at my blog on Domain Typo Squatting for guidance on how they can spoof the website.
My recommendation here is for the following:
- In your browser, go to the NHS website above and take a bookmark which you will use if you are required to register
- Put the phone number in your phone contacts and mark it as NHS Contact Tracing – this will then show up if they call you.
If you receive a phone call/SMS/IM/Email offering you a test, or home testing kit, and charging you for it then this is a SCAM!! Testing in the UK is free. Under no circumstances provide any personal information unless you can confirm it is the NHS (or your local test/tracing service) calling you.
I found the following infographic on Twitter which you may find useful to save to your phone.
Bad actors are always out to make a profit out of a crisis. The COVID-19 pandemic is no different. The general advice is to heed the government’s advice and ‘Stay Alert’, but in this case this refers to phishing and scam attempts rather than controlling the virus.
Having the app on your phone won’t stop you getting the COVID-19 virus, but if you install an unofficial app you may get a dose of malware that could be dangerous to your privacy and financial status.
The only way to not get the virus is to not meet anyone from outside your home and to avoid public places and mass gatherings. When the app goes live at least you will be able to detect if you might have been exposed to the virus. The NHS will be able to detect hotspots in order to impose selected and limited lockdowns rather than the nationwide lockdown we have all experienced in the last few months.
If you don’t have the latest update on your phone to allow the feature, or your device does not have Bluetooth Low Energy installed, then the contact tracing app may not work on your device and you may fall back to manual tracing – more on this if/when I get a validated source.
Two articles I found that go into the recent announcements in more detail than I have above are:
The BBC News article goes into the differences between the centralised and de-centralised approaches.
I hope the above has been of some help in navigating this minefield. If I have quoted anything inaccurately please let me know via the contact form and I will update the blog.