Is the new COVID app safe to use?

October 2020

The UK government had originally opted to independently develop a contact tracing app which relied on creating a centralised database of individuals to trace who had been near to anyone who turned out to be suffering from Covid 19.

Notwithstanding the doubts about the wisdom of going it alone and building an app from first principles rather than using the template models provided by Google and Apple, there were some significant concerns raised about the viability of this app from a privacy perspective.

The DPIA was delivered late and there were concerns about the collection of individual data as well as a non-specific retention period which could open the door to mass surveillance of individuals’ activity. The wider NHS Test and Trace programme was going to be kept by Public Health England for 20 years so maybe the app data would be kept that long too?

Any privacy concerns were further compounded by the production of a DPIA which was muddled, incomplete and confusing. It wasn’t just the activists and conspiracy theorists who were not impressed.

So, now we have the newly minted app modelled on the Google and Apple templates. Should we be trusting this app?

Here are 10 facts about the app which might help reassure you from a privacy perspective:

  1. This is an example of more privacy friendly edge computing – the data stays on your device and records the Bluetooth IDs of anyone who has been nearby for anything from 5-30 mins.
  2. This tracking works using the Exposure Notification System developed by Google and Apple. Exposure Notifications do not collect or use the location of your device. It works using Bluetooth, which can be used to detect if two devices are near each other, without revealing where the devices are.
  3. Each device is assigned a short-term random ID which changes frequently and is deleted after 14 days. Whilst communicating, phones can only see these random ID’s which makes it very hard to identify a real user.
  4. There is no longer a centralised database and there is no scraping of data from your device
  5. Individuals have to make an explicit choice to turn on the technology and it can be turned off by the user at any time
  6. There are some further safeguards in that access to the technology will only be granted to apps from public health authorities
  7. Given the core framework has been built by Apple and Google – we can probably assume that they are more skilled/experienced at creating an app which doesn’t leak personal data than a group of developers who were unlikely to have attempted something like this before.
  8. QR code – the government is still trying to collect useful data to identify trends by asking users to use the app to check in to venues by using a QR code in each place which records the random phone ID. However, this data should only be kept for 21 days. It should not be mandatory to use the app to check in – venues should be offering an alternative means of checking in, although I’ve heard reports to the contrary.
  9. What if someone tests positive for Covid 19? If someone tests positive, they can consent for their phone to upload the last 14 days of keys for their Bluetooth beacons to the server. Meanwhile, for everyone else, your phone is periodically downloading the Bluetooth beacons of everyone who has tested positive in your region. If you have been in the close vicinity of someone who has tested positive the Bluetooth beacons will match and you will be sent a notification that you’ve been near a confirmed Covid sufferer.
  10. Does it drain your battery? Having looked at my phone it seems like Exposure Notifications took up 8% of my battery life in the last 24 hours. That feels like a small price to pay.

So, will people trust the app and download it?

The false start and associated negative press coverage with the first app were extremely unhelpful. Levels of trust aren’t high. However, we are in the middle of a health crisis and anything that might help halt the progress of this disease should be welcomed. I have downloaded it and I urge you to do so too.

By the way, I’ve also downloaded the Zoe Covid app which is a symptom study run by scientists at Kings College London. They have 4.2m registered users.

Interestingly, I trust them more with my personal data and have shared a fair amount of health-related information over the last few months. It’s run by scientists who are very familiar with the necessary protocols around protecting privacy. Perhaps it’s because they were entirely open and transparent with their purpose and reasons for collecting data?

You can read the helpful Google/Apple FAQ document
And details of the Kings College Covid Symptom study