News

The UK's Coronavirus Contact Tracing App Is a Complete Mess

It doesn't really work, has serious privacy issues, and might be illegal. Other than that, five stars!
05 May 2020, 12:27pm
uk coronavirus tracing app
AP Photo/Frank Augstein

This article originally appeared on VICE US.

The U.K. has developed its own coronavirus contact tracing app that will alert users when they come within six feet of someone known to be infected.

There are just a few problems: the app doesn’t really work, it has serious privacy issues, and it might, in fact, be illegal.

The U.K. decided to build its own app rather than use the one being jointly developed by Apple and Google, primarily because the latter option would be a decentralized application, meaning all personal information would remain on users’ phones, rather than being sent to a central server controlled by the government.

Apple and Google’s version uses Bluetooth to detect nearby carriers, but because the government’s version doesn’t, it’s going to be much less effective.

Instead, the U.K. app relies on the user’s phone to broadcast a unique ID number at all times in order to detect other nearby devices running the app. But Apple’s iOS software expressly forbids any app from doing this while the app is running in the background.

The result is that unless a user has their iPhone open and running the software, the U.K. app will not record many possible encounters.

“By choosing not to use the Apple-Google API, which does not permit the type of centralized data collection the U.K. is seeking, it means that two or more users of iPhones who are meeting with their devices locked in their pocket will not trigger each other as contacts,” Michael Veale, a technology policy researcher at University College London, told VICE News.

It means that iPhone users will not be alerted to possible encounters with infected people, possibly creating a false sense of security.

“This bizarre quirk will leave iPhone users at significant risks of not being alerted when they have been exposed, or not alerting others when they were possibly infectious,” Veale added.

On Android, the app will only continue to broadcast the ID number while the app is running the background for a few minutes, before shutting it off like the iPhone.

But the app not working very well is just one of the problems the government is facing. There are also serious privacy concerns.

READ: The FDA Is Now Admitting It Let Fake Coronavirus Antibody Tests Into the U.S.

Ian Levy, technical director of the National Cyber Security Centre (NCSC), which developed the app, tried to reassure those worried about privacy concerns on Monday, saying the app “doesn’t have any personal information about you, it doesn't collect your location and the design works hard to ensure that you can’t work out who has become symptomatic,” and that “it holds only anonymous data and communicates out to other NHS systems through privacy-preserving gateways.”

But the first thing the app asks users to do is enter their zip code, before giving them a unique ID that is directly linked to their phones. It also logs the exact make and model of the phone.

If a user reports symptoms of COVID-19, they will also be asked to upload their contacts to a centralized server controlled by the government.

“The government has regularly been saying that the server only holds anonymous data,” Veale said. “This is legally untrue. The data in the server is unambiguously not anonymous under U.K. law, and indeed, every single broadcast every phone makes can be [easily] decrypted to link back uniquely to a single device.”

On Monday, the NCSC chief executive Matthew Gould was forced to admit to lawmakers that data will not be deleted and U.K. citizens will not have the right to demand it is deleted. It can also be used for “research” in the future.

The first trials of the app began on the Isle of Wight, off the south coast of England, on Monday, but National Health Service (NHS) insiders say the app’s codebase is a mess and the government makes it much more difficult to produce a working version.

“[The government is going about it in a kind of a hamfisted way. They haven’t got clear versions, so it’s been impossible to get a fixed code base from them for NHS Digital to test. They keep changing it all over the place,” a senior NHS official told the Health Service Journal, describing the app in its current form as “a bit wobbly.”

Another issue flagged by Veale is that Northern Irish users of the app who live along the border with the Republic of Ireland, which is developing an app based on Apple and Google’s solution, will also be more likely to miss out on knowing if they have met someone who was infected.

“It is unclear what will happen to anyone on the Irish border, as the Republic is siding with most other countries in using a decentralized application, and the two are not compatible, meaning that individuals cannot travel or talk to visitors while enabling notifications of risks either of them may pose to each other,” Veale said.

Listen and subscribe: Via Apple Podcasts | Via Spotify | Via Stitcher or anywhere else you get your podcasts.

Cover: A man wearing gloves and face mask used his phone as he stands in front of closed shops during the coronavirus lockdown in London, Tuesday, May 5, 2020. Whilst a few European countries relax the COVID-19 lockdown, Britain remains under lockdown without an exit strategy yet.(AP Photo/Frank Augstein)